60b290310f67adb0ae186b4b938ca466a6b55653b2519261fa425127f5500a1f

max time kernel
140s
max time network
145s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
02-09-2024 19:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RAT/file.exe
Size

101KB
MD5

88dbffbc0062b913cbddfde8249ef2f3
SHA1

e2534efda3080e7e5f3419c24ea663fe9d35b4cc
SHA256

275e4633982c0b779c6dcc0a3dab4b2742ec05bc1a3364c64745cbfe74302c06
SHA512

036f9f54b443b22dbbcb2ea92e466847ce513eac8b5c07bc8f993933468cc06a5ea220cc79bc089ce5bd997f80de6dd4c10d2615d815f8263e9c0b5a4480ccb4
SSDEEP

1536:fkSJkZlpqwZoMoG5XoZnOZBX7D/3BINVRX3FjBqa8D3tSYS9h:MXlpqwZoMz5XoZncB/3BINZjy9SYS

Score

7^/10

persistence

Malware Config

Signatures

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RAT\\file.exe"	file.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2704	file.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2704 wrote to memory of 2580	2704	file.exe	31
PID 2704 wrote to memory of 2580	2704	file.exe	31
PID 2704 wrote to memory of 2580	2704	file.exe	31
PID 2580 wrote to memory of 2068	2580	vbc.exe	33
PID 2580 wrote to memory of 2068	2580	vbc.exe	33
PID 2580 wrote to memory of 2068	2580	vbc.exe	33
PID 2704 wrote to memory of 328	2704	file.exe	34
PID 2704 wrote to memory of 328	2704	file.exe	34
PID 2704 wrote to memory of 328	2704	file.exe	34
PID 328 wrote to memory of 484	328	vbc.exe	36
PID 328 wrote to memory of 484	328	vbc.exe	36
PID 328 wrote to memory of 484	328	vbc.exe	36
PID 2704 wrote to memory of 2636	2704	file.exe	37
PID 2704 wrote to memory of 2636	2704	file.exe	37
PID 2704 wrote to memory of 2636	2704	file.exe	37
PID 2636 wrote to memory of 2224	2636	vbc.exe	39
PID 2636 wrote to memory of 2224	2636	vbc.exe	39
PID 2636 wrote to memory of 2224	2636	vbc.exe	39
PID 2704 wrote to memory of 2448	2704	file.exe	40
PID 2704 wrote to memory of 2448	2704	file.exe	40
PID 2704 wrote to memory of 2448	2704	file.exe	40
PID 2448 wrote to memory of 832	2448	vbc.exe	42
PID 2448 wrote to memory of 832	2448	vbc.exe	42
PID 2448 wrote to memory of 832	2448	vbc.exe	42
PID 2704 wrote to memory of 1744	2704	file.exe	43
PID 2704 wrote to memory of 1744	2704	file.exe	43
PID 2704 wrote to memory of 1744	2704	file.exe	43
PID 1744 wrote to memory of 1376	1744	vbc.exe	45
PID 1744 wrote to memory of 1376	1744	vbc.exe	45
PID 1744 wrote to memory of 1376	1744	vbc.exe	45
PID 2704 wrote to memory of 2352	2704	file.exe	46
PID 2704 wrote to memory of 2352	2704	file.exe	46
PID 2704 wrote to memory of 2352	2704	file.exe	46
PID 2352 wrote to memory of 1908	2352	vbc.exe	48
PID 2352 wrote to memory of 1908	2352	vbc.exe	48
PID 2352 wrote to memory of 1908	2352	vbc.exe	48
PID 2704 wrote to memory of 2248	2704	file.exe	49
PID 2704 wrote to memory of 2248	2704	file.exe	49
PID 2704 wrote to memory of 2248	2704	file.exe	49
PID 2248 wrote to memory of 2064	2248	vbc.exe	51
PID 2248 wrote to memory of 2064	2248	vbc.exe	51
PID 2248 wrote to memory of 2064	2248	vbc.exe	51
PID 2704 wrote to memory of 2916	2704	file.exe	52
PID 2704 wrote to memory of 2916	2704	file.exe	52
PID 2704 wrote to memory of 2916	2704	file.exe	52
PID 2916 wrote to memory of 1948	2916	vbc.exe	54
PID 2916 wrote to memory of 1948	2916	vbc.exe	54
PID 2916 wrote to memory of 1948	2916	vbc.exe	54
PID 2704 wrote to memory of 1520	2704	file.exe	55
PID 2704 wrote to memory of 1520	2704	file.exe	55
PID 2704 wrote to memory of 1520	2704	file.exe	55
PID 1520 wrote to memory of 1080	1520	vbc.exe	57
PID 1520 wrote to memory of 1080	1520	vbc.exe	57
PID 1520 wrote to memory of 1080	1520	vbc.exe	57
PID 2704 wrote to memory of 928	2704	file.exe	58
PID 2704 wrote to memory of 928	2704	file.exe	58
PID 2704 wrote to memory of 928	2704	file.exe	58
PID 928 wrote to memory of 1652	928	vbc.exe	60
PID 928 wrote to memory of 1652	928	vbc.exe	60
PID 928 wrote to memory of 1652	928	vbc.exe	60
PID 2704 wrote to memory of 2468	2704	file.exe	61
PID 2704 wrote to memory of 2468	2704	file.exe	61
PID 2704 wrote to memory of 2468	2704	file.exe	61
PID 2468 wrote to memory of 1708	2468	vbc.exe	63

C:\Users\Admin\AppData\Local\Temp\RAT\file.exe
"C:\Users\Admin\AppData\Local\Temp\RAT\file.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2704
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yn7doh_i.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES563C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc563B.tmp"
    3⤵
    PID:2068
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\o0lp0qsl.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:328
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES566B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc566A.tmp"
    3⤵
    PID:484
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pf0pcfh6.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2636
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5699.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5698.tmp"
    3⤵
    PID:2224
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\elfvqqw2.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2448
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES56C8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc56C7.tmp"
    3⤵
    PID:832
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bc8ibwkp.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES56F7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc56F6.tmp"
    3⤵
    PID:1376
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-dmwecj7.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2352
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5726.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5725.tmp"
    3⤵
    PID:1908
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vnxzrlhz.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2248
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5755.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5754.tmp"
    3⤵
    PID:2064
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xh61grt3.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5793.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5792.tmp"
    3⤵
    PID:1948
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hf5sgzwa.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1520
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES57C2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc57C1.tmp"
    3⤵
    PID:1080
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bkd0jte_.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:928
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES57F1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc57F0.tmp"
    3⤵
    PID:1652
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\oupbbrgt.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5820.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc581F.tmp"
    3⤵
    PID:1708
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\k-eqrz5v.cmdline"
  2⤵
  PID:2020
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES584E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc584D.tmp"
    3⤵
    PID:2300
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\y3kzlyka.cmdline"
  2⤵
  PID:2096
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES587D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc587C.tmp"
    3⤵
    PID:2252
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ra6_m5rz.cmdline"
  2⤵
  PID:976
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES58AC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc58AB.tmp"
    3⤵
    PID:2824
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\x8qgi25q.cmdline"
  2⤵
  PID:2760
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES58DB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc58DA.tmp"
    3⤵
    PID:2896
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\oftlbqpa.cmdline"
  2⤵
  PID:1104
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES58FA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc58F9.tmp"
    3⤵
    PID:1928
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\te47yq2a.cmdline"
  2⤵
  PID:2724
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5929.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5928.tmp"
    3⤵
    PID:2560
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\8wq7kg--.cmdline"
  2⤵
  PID:1160
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5977.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5976.tmp"
    3⤵
    PID:556
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3pdi41jr.cmdline"
  2⤵
  PID:1776
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES59A6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc59A5.tmp"
    3⤵
    PID:328
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\llq_bxmo.cmdline"
  2⤵
  PID:2940
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES59C5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc59C4.tmp"
    3⤵
    PID:1284
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qxeimrww.cmdline"
  2⤵
  PID:2860
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES59F4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc59F3.tmp"
    3⤵
    PID:1316
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\x__sxx5l.cmdline"
  2⤵
  PID:1840
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5A22.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5A21.tmp"
    3⤵
    PID:588
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\luvpurwd.cmdline"
  2⤵
  PID:2004
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5A51.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5A50.tmp"
    3⤵
    PID:1740
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tyjoihjj.cmdline"
  2⤵
  PID:380
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5A80.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5A7F.tmp"
    3⤵
    PID:332
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ito8zdez.cmdline"
  2⤵
  PID:1636
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5AAF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5AAE.tmp"
    3⤵
    PID:1904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\RevengeRAT\vcredist2010_x64.log-MSI_vc_red.msi.ico

Filesize
4KB

MD5
ce45fbf7c5fe46598627f56ab4b6c99c

SHA1
e0f344ec6aaaed70ecb1f40e74876316233c06b6

SHA256
68792990a84b5c3448ff99c952444ee0d02c1877cc3245e5ae7aa4023c2f2440

SHA512
f6929b1af23f4f960340cd0bc8158a861fa752f7acaeec47c2dc3829bce2367f5afc901f1ae358a1ccda02d8acb529487d36eedfeac1c793bfd49d6b4aad407a

Download Submit
C:\ProgramData\RevengeRAT\vcredist2010_x86.log.ico

Filesize
4KB

MD5
e69bd49fffc2d6799ce66c2ae6db27bd

SHA1
6975a39f2ebfdab8ed2697d1708bc5d3e5353c0c

SHA256
33437d4fc42ab9380d430969c2d194e6737217ec838223392eb9690f0a79637a

SHA512
b9a931802f9adfefa61d15381873556afc8a605dacfe2703505394c24f1d6214183029c6d28c67b6cfdc79fac7961afe26e4cccdddd9c4d0461deee7a090f4cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\-dmwecj7.0.vb

Filesize
383B

MD5
e8615295f45d210bf3b7d023e3688b9f

SHA1
e33be2e3faddd8e48f62e0f30ad3cdc08bae7e33

SHA256
c81a9b36d60cc8d54374337bf1b116165c41be0cd2460ac35223fb790f5f94fc

SHA512
b48fa683711c9cd16f6e4e007145a508b617bbf9847efc1d81cdea75dda43bf88a3d094fc93fe8ef7c4b55e3dd1c4e687a6044b504b106262b2566c4ab944919

Download Submit
C:\Users\Admin\AppData\Local\Temp\-dmwecj7.cmdline

Filesize
270B

MD5
d000c98b2850d8828175c27d9fee3359

SHA1
6d627ac2f3848d23503f6db5023bdcf2d5b528a2

SHA256
db1473d9493125c2a4fa47a3532f574f82f7820a0af2e5088922eb8020bf9218

SHA512
95d2a7d0202b5549362e0ebb411a55ab8d132a5756092fb6e5c081a1c083e8f35016efe2beca0f53b856cfdc96e7a2bb950ad588833d3a4e8cddf9078116dcaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES563C.tmp

Filesize
5KB

MD5
4732b6c83d0a8e8d0712f5deec07e4e9

SHA1
b5dec3e6d76de98038bb2a6c3ab1eb99305c876a

SHA256
d8589494cbb6688e06580f143142fa0277e9335a1bbe06774f0f526b090cfd25

SHA512
8fd7111f94f65ec1abda61eac3f00d60a7d74dbef97914c5579cac0e9748196dbd246246706e045b285519892a8e31add0c84a1f30d172d6f54b983557b214aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES566B.tmp

Filesize
5KB

MD5
f1666ab2ab3cf21468993607cc75a329

SHA1
13a30adf71c47e5643a55c099019990f608b12f0

SHA256
22e301b89c5279c2c54f819e04af6e0cfe7be54e910a93ccd5bae1edb11073e7

SHA512
1f0766c4eec1d4789902226386f3150c63a0460eeea5f3dbca982b7a62d1231d06a8789fdd7e0ec5cfb8f6eb915185bed712054845012e5fe0ab5f9070488b02

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5699.tmp

Filesize
5KB

MD5
f6d3866d9ec2a80c1abbfceafc1c3b80

SHA1
10bb9df904af4585316335efbffee3fb22a2d039

SHA256
6cfd1dd5031d4a86efe42f6d32bf85cf6ae2cddc2c789e7e4e971729638716dc

SHA512
c6f023eedc6abf176bc729792c11b755f9e51ac96f8e794eb1b33003b06e13c5d8b0f8b5c698e87f8cef3fc071deac4aae2aa8b23b92802b7af7316ab9222048

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES56C8.tmp

Filesize
5KB

MD5
61ee8f812d5ccdb822d2f41e53652d86

SHA1
539d45eaf062786244cd1a7178e90cb149d99e0d

SHA256
28381df2013a1974fbfcec0cd8c86ca4bc6186aab05a159a7dde90cefcc4e942

SHA512
1aae38fd897507bbc19d7b2fb818d872f11a21cc05ccd7cf9f6fa52d50de064054e0a3981ad0bffe4fb3d7be286c11e78b07959dab4d4ccf71657445bd7b8d38

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES56F7.tmp

Filesize
5KB

MD5
83bcdd24d068892914e575115c26706b

SHA1
843a7b793bb5071b1a719b947848557308c5183b

SHA256
6e7c5a74d5bbfa1a42c043eab60e677914e5af305b7bbbc402237dfb07d64d10

SHA512
a0436795559b23fab4aeada13b94b3e95dd0c6099aeb004174bfb3ef128ccafe34c9efb2780ac2932debc2208ec2f6ae6412dea95c68b6229f3de32ec8023b26

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5726.tmp

Filesize
5KB

MD5
4d6b880116f80d9c6a3ee9415ce0affc

SHA1
d70d734c434e4b4f21e143610b4524d9afda26f9

SHA256
262c7ee0fb9b851ed81dee84524e312faab6e702f8c421b1f4f6dcd9321a4edc

SHA512
0c6026155445587d452ac0f98d1479c672449b5e03c09138d6318627167234bcf9831f819979bfed25b7bacb0b9a8eaebf9d680a4cef54882fe28a3761b56c65

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5755.tmp

Filesize
5KB

MD5
621345eebfb06d2b2b32eb8b468e66b6

SHA1
f24c6e3b26ea6f675fc491da3f5b15a02d1938b2

SHA256
c751e1ca74128bfba8055300baeca19862c53f6fe05e4f647decf02d79ad17d6

SHA512
509580f850c1d4ea543e838a9dfdd9ae896d5e509cfe8fe6f26b9109c2f4db402f1f70ba5690dff55ea66ddb7487a3c7e2465e1da204e7d4bf5a435349975dde

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5793.tmp

Filesize
5KB

MD5
76a0e42b2bbd2c768ce21ecbc508e9d2

SHA1
7e9df1cba80980ae05a128a26bb0d639910d8dbb

SHA256
2b07827451f18954f1082e14e1c52045bdd2565e5ed270bd611c159afe14832e

SHA512
7192bbfba1225043facfc14548f68a0cecd15d41835f8a5fae0db7383e2c16dd14afff5ab2470dcd75b300c31939000dc9ddbe16398856edbe77a666241bb480

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES57C2.tmp

Filesize
5KB

MD5
0a2beca1c04d75d7891848ebb618df02

SHA1
56ccaa1e679159f843ca66ea276ab319b20bacf5

SHA256
46b24429f585ce3fb599c621f87becb11a896aaa8b5b0c741fcfd51a63e99921

SHA512
f1179a71bc719187c4b75906a54bfe87279dc66bfc119541df235e08cf0e0b5dd2885d8a0856a3ed3ead5ee628e2b04c2b6bd7214977db03a901a46f4c920c34

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES57F1.tmp

Filesize
5KB

MD5
3ddbe425dfd8b07bc1423ddeb1d671e1

SHA1
134926d5d9e71c89fd809e1c8ccc074772446483

SHA256
89bd6a129dc0a83f1bec9ec333993a5c076f7a7f4e9f6644d04be4df04870301

SHA512
cc2b467d130c62fc89f683d49464fe07a50b36da20f8ac083b98f4835db6d39eb3476ad0bad042872e85f3f007a0c7a293ef4530d3b8096cfa9d1ba138a68528

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5820.tmp

Filesize
5KB

MD5
3492ba59e4a6ec59d1a6918f56837723

SHA1
4f933f582d05da7e2b19a38761ee100c617c9277

SHA256
8bb860f6800f73034f3a0d99b22061b3afe2e528396eef547bbd55abbcac47e3

SHA512
855dd616f56d0c7e2cc5e97d4a3017f8798e003766056eb0aeb958f6d2721a339e3c5f58a237a9302ca0a3502aacc4a6a070dc34f2a8d23ff4a735a05b29223d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES584E.tmp

Filesize
5KB

MD5
40581d6914fd0cd79eda1670682dd0b2

SHA1
3da24a35848ccd545ed512e9128ceb7b0691e2c0

SHA256
da6c245e34139c80e5ed990dd0560b9e405af987ba2a907c071e845dd32bfe0e

SHA512
43f6f6d7f8388b22318d6235899076ab0dbcc2f820265a4630a26833f0c0aeb9b3eded279b06c6d0dddad455449e4f68083c9cdef821f4fa77bb75fc81742ca9

Download Submit
C:\Users\Admin\AppData\Local\Temp\bc8ibwkp.0.vb

Filesize
380B

MD5
3cbba9c5abe772cf8535ee04b9432558

SHA1
3e0ddd09ad27ee73f0dfca3950e04056fdf35f60

SHA256
946d0a95bf70b08e5b5f0005ff0b9ad4efe3b27737936f4503c1a68a12b5dc36

SHA512
c3c07c93011dc1f62de940bc134eb095fa579d6310bd114b74dd0ae86c98a9b3dd03b9d2af2e12b9f81f6b04dc4d6474bd421bce2109c2001521c0b32ae68609

Download Submit
C:\Users\Admin\AppData\Local\Temp\bc8ibwkp.cmdline

Filesize
264B

MD5
21ab17c0f43e6eb54c610d1e1469bc6b

SHA1
96668ac64151591fab24ab6eddca29444cc8995e

SHA256
ca3ed5b386dabb0340d607fab563d98d1b635dd77ace137b59eaeceee1c36819

SHA512
4c869a3cab84f317ad9cecc44f1ff8264adb65a4621e10d79e15ed8d96a7a6c49c51c2ab620cb06a9dbbb33db7592490d66b86c747dc1b8f935ca589b2627254

Download Submit
C:\Users\Admin\AppData\Local\Temp\bkd0jte_.0.vb

Filesize
385B

MD5
0ad1ae93e60bb1a7df1e5c1fe48bd5b2

SHA1
6c4f8f99dfd5a981b569ce2ddff73584ece51c75

SHA256
ea68ce9d33bd19a757922ba4540978debcba46f1133fbc461331629e666d6397

SHA512
a137a8f18a2b2ff9c31556044dd7c41fb589a6a52b15e4dc6cbb3ba47ab4a06d8b9ad54fb498100dab33f8a217848d31f14daca736045afb4f76ffb650b17f03

Download Submit
C:\Users\Admin\AppData\Local\Temp\bkd0jte_.cmdline

Filesize
274B

MD5
2c708b0e59accb3b54722c75a99ef311

SHA1
59c456699470242413df80d882fb4166793384a0

SHA256
9b5176e53db7725f9a3b9d9284539ae509a6cb0b95f678b36b3d472f62c65f5d

SHA512
1fe21c4429e2564cfd8658b8e1f54d12ec12fa142900db7792a50df7257d75af213f643561afdf9b421a552421053f0306224e39667df3d253423dd4cc596771

Download Submit
C:\Users\Admin\AppData\Local\Temp\elfvqqw2.0.vb

Filesize
362B

MD5
3b4aed436aadbadd0ac808af4b434d27

SHA1
f8711cd0521a42ac4e7cb5fc36c5966ff28417b6

SHA256
ee55ee594a9bb7acee0dfaa9aaa31ebc044e3090b5a68baef63ddd2f6493d3a6

SHA512
6ca8a69f31876db620e8818d896257d3683dcf859841afa3ba7b83ae57ce67c47b98b4e44c449b02eb789b683b840e769857b10cf16a5a5882683e96f65ab5ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\elfvqqw2.cmdline

Filesize
227B

MD5
6cdde3b2394821fee74b335ebd6b1431

SHA1
4456900ac232e6cb9c9f57094340a5f67f01549c

SHA256
c000fb0908248fa63bffbe3e60f5d5645d51b6500d99c943dc88a4e2914bd840

SHA512
50dcf9c2f09733a24ba36fcbd4f5767d0567fe096d49c19aa87780b80bfe8dc0dc43aff72736c2f34e087449c025eae7149c0a8db9ce11484472d0e86d005cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\hf5sgzwa.0.vb

Filesize
382B

MD5
44ab29af608b0ff944d3615ac3cf257b

SHA1
36df3c727e6f7afbf7ce3358b6feec5b463e7b76

SHA256
03cbb9f94c757143d7b02ce13e026a6e30c484fbadfb4cd646d9a27fd4d1e76d

SHA512
6eefa62e767b4374fa52fd8a3fb682a4e78442fe785bfe9b8900770dbf4c3089c8e5f7d419ec8accba037bf9524ee143d8681b0fae7e470b0239531377572315

Download Submit
C:\Users\Admin\AppData\Local\Temp\hf5sgzwa.cmdline

Filesize
268B

MD5
fc7268317a348600e7e08f7a5a921b6c

SHA1
b3ba34d2f3a6f2492ac008439883033b2e19be23

SHA256
88f3600b21c9743f6639f0a20fc866238576bfa8f83c3c0450de8cd1b15a1d64

SHA512
ce5f2b6d031c03a484e429cf9a91058f503cdff9897328151e75b91940e85b81e691f3d22f58eb77981693cca76aea1ccb1c3046be17ecd7622ed0400ab88152

Download Submit
C:\Users\Admin\AppData\Local\Temp\k-eqrz5v.0.vb

Filesize
382B

MD5
7d4fad6697777f5a8450a12c8d7aa51f

SHA1
879db5558fb1a6fac80a5f7c5c97d5d293a8df5c

SHA256
741018cae167c9f6c1206e75ddf3d758543f9a16bec5d56a07fab9eb5439e3f6

SHA512
6a31b4eab1829db245773e18e97f9a9956224174e28218476e45e8907bf8b4341ed732a0153a320cb956f2eca4e014c1ef6b0c6f627cf97a79b7a81f8e1fe144

Download Submit
C:\Users\Admin\AppData\Local\Temp\k-eqrz5v.cmdline

Filesize
268B

MD5
d5483b9bcf24a41eb5bf3960ef39638d

SHA1
971cd8cb00d690a07c13c1685aea3f6d82f0f569

SHA256
609d539a94df8359a56bf91a59bdda2d20fc7fe5581f6a0fd436c7758c398893

SHA512
e32a3a0816dca9b6b77c32b5136381398539ddd7c495f0be18c0c9b6e7c9adaaca949b36c8ebec5ba48f6777b6a995e68e516b41d6f1ac5d8212f546ea01d243

Download Submit
C:\Users\Admin\AppData\Local\Temp\o0lp0qsl.0.vb

Filesize
362B

MD5
31e957b66c3bd99680f428f0f581e1a2

SHA1
010caae837ec64d2070e5119daef8be20c6c2eae

SHA256
3e32c4b27f7a5840edc2f39d3fc74c2863aa2dfd9a409f1f772b8f427091a751

SHA512
6e61d77c85c1bf3fd0c99630156e0390f9a477b4df0e46218054eae65bee7766443905f48e3f3c7dec72b3fb773f758cf175df54f1ed61ac266469579f3997af

Download Submit
C:\Users\Admin\AppData\Local\Temp\o0lp0qsl.cmdline

Filesize
227B

MD5
c68a537c5721ab7214deb3f891b198bb

SHA1
d5e34a06828c06ee9c5eca7079eb75aca23bed07

SHA256
cc53acccedc192399ffe3e3203a1d0e877d4424bb21ae3105cab77720f0d1821

SHA512
4e55f16a288810985d14f0b30d4fd609b4304935ccf6fdc2b3343b537bbe216df147508e1872bce5cf70c06117a394a01b83c64859ebbae0fca367d8da0242ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\oupbbrgt.0.vb

Filesize
357B

MD5
e2b96f657f6d09adb99b01943a361365

SHA1
ef800166e35461279bee1eccc1642709a3ad7238

SHA256
544a8f226c18c0b56ba3828564eeb3656b909473b2a4629e47f9ccf0a82a72cc

SHA512
a698708eda34f2ea32d7b5106126bfb0c2ce7638ac6c4e96f8bccba38c8914aa2d97742373110bf77b743f48542e6767d9664c1a292ec7e1b1796c88f67d0c7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\oupbbrgt.cmdline

Filesize
218B

MD5
19d7220a6120a9e0b0c70a1b0cd5038c

SHA1
4c3958914e2c0a39a3859618e6e36515e60ff258

SHA256
53934624e7354226f71009d12f7574b7b4e4db9bc40264ec24efe78e8b77e125

SHA512
426bbe371681ba09b117e19fd2f239ee1fdb746f57176e9da075e8b61ed25c13572ae4f8218401d311610d435fd10e243382403342257a6791bd28217fc34c9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\pf0pcfh6.0.vb

Filesize
376B

MD5
0c699ac85a419d8ae23d9ae776c6212e

SHA1
e69bf74518004a688c55ef42a89c880ede98ea64

SHA256
a109cb0ae544700270ad4cb1e3e45f7f876b9cfac5f2216875c65235502982fe

SHA512
674e3f3c24e513d1bb7618b58871d47233af0a450f1068762e875277bbddf6c4f78245988c96e907dbbf3aafb5ff59e457528b3efa8e0a844f86a17a26d4f3d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\pf0pcfh6.cmdline

Filesize
256B

MD5
122124f979b5f12e479777ee5782cd28

SHA1
3fc4f09104180935eed7b2281c9f9cd5eda75bb1

SHA256
bec3b389d8f8478f4815df03d99a7dee5b15fbe7fc535d903208547e4d797858

SHA512
029280af1de9e0afba1537534ffa2e5be116af71003e87d8162baa3e61193538da22cf63f955b3a30fd121ac54c898c10dd271416191086523e71af269472595

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc563B.tmp

Filesize
5KB

MD5
97f90d31bbdf02bec54371d2950f2f20

SHA1
3bb06b81f2c9b550dfe755e7613b4f3e22669c63

SHA256
191f3fdee3d4f346c91e06ddc67d88fcb3fc1ab7e1be25b0526e72bf6e0ef02c

SHA512
9611d249994dc1a639e6fd81769c446d7587c2a6253dedf43ded6357b5d4ee9db9c47e519b4382f1de97a47b6008ce5a62c11ea7ce615ef1abbcfd600d1733ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc566A.tmp

Filesize
5KB

MD5
452354b8f76e583a97d073c24d9837b7

SHA1
f37484c4f1198d89bbbeb310e112899061c8ed4f

SHA256
c022c752232c34d61d8682fe90f26fe91f63c0bc9cb62fee79a84ee8a254b61b

SHA512
2dff7560f9bf5fed2bdf559de3e0cae1e2c21b8a59daf9d401358a95577381a305759994ff7a55bc5293c9714de4708d859d8f71f48c26633c62c215ce5f3421

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5698.tmp

Filesize
5KB

MD5
71324862c7b45fd4c5010e3214c49178

SHA1
17c413579c5216b0aed9363311f96c62d237bf8d

SHA256
3b151877a52c4aa3faebc48ac7e4d2bb793bee3b6146ecbf89fa5af8e1014b96

SHA512
f06bc547080a07fb20840dbe0942633364f032f4e86d5297a5f748f4310b98076eb65037b8530c66f167dcbdd0cf663301a7e912903ca8a4f545decf3fbfeca9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc56C7.tmp

Filesize
5KB

MD5
f91ad2c08406e8f7f5ebbeb063394fd7

SHA1
3a82be393abaa68b4c61ffd1ffe4b679623d6858

SHA256
b51cd8defd668ca7060e4e64b296b8683263c9fa183433fc0f01b6de082ccb50

SHA512
45e28009c8fc7690e83aa101e18b9bc0a1392890d3d8f80bb87ccb9e615fd10ff8baa0c2c38df1779abf51c7946d80b02b0c34aa2484859b6e863bbe2eacd7ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc56F6.tmp

Filesize
5KB

MD5
5c60372f12c186ea089c0f15cfff6ed0

SHA1
432262da0f1c00bd92f1e2e1f7a98f9cf7af48c9

SHA256
d41713ad01e7c19e02da71a61a245908820944efe7c60369f09aea7922b6e37f

SHA512
fec79d0928d966bb57e3a0b530383dbfcae19c6bfb2fe9b7ba42985e1888359b406f6508d95e8186bc9650f9a4c6a8a402ba8e93f49bbade6963fc70b00de7e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5725.tmp

Filesize
5KB

MD5
a17632fd23476ad93e2e8d480d4301b2

SHA1
a6cf184939b46b6b3ab119db7bb2b704a94b93a1

SHA256
309300f575636b15ce9455a8ce828f74991b1e07566d33f1b7a36ae816f93b78

SHA512
a6ef810516815d0d74cb4f733b9df6d38602edd6aecb44440ee2b4d6b5a3beed15b2cc92f395bb6a359dee02ae8ee60bcb924cca71584f062403e55640047d61

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5754.tmp

Filesize
5KB

MD5
ce3585e20a1a21bec81eeb286be8e21e

SHA1
b22e1621540487dbf33c6ff16224f684846a381b

SHA256
cdcb2fe63e17bad15a24fa4df897650ea0383c6c774570dc1688430d67b3b573

SHA512
4dcb91ff578d191c63643895ff60f1eaecb7db147f3f468dada100cb4cfda76119b074adfc365003be862414708f8f806f39936da8aa7261f27605404d98c475

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5792.tmp

Filesize
5KB

MD5
730c7ec54491d81264c7c47a773b2ab8

SHA1
d979ecadf7e80953aa0c229ff77c453897102053

SHA256
71150a843be31e9ac6735e9066f949b54bb0826a951ee6e11f8906a73dc02d44

SHA512
fab4abaa2c0bacaea2f534739e953bb248579f91aa47ea0f5eac896202921df1815356d70316a00d862820afd13d5511f40d0061391d36be836c797257a76318

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc57C1.tmp

Filesize
5KB

MD5
43ba9fb6d7febe860455dbdccbb73006

SHA1
910740f113336290128eb5cd6c8778c89a52fe78

SHA256
efee7902eb2ebddcf1b81b575f2ca31e9caf397f4a7fba0f8c63c9440bff1234

SHA512
848a0bfa57c9d774942c3034de7cc1b1431c00e456d5e45a62abaf5b274627031a19aecc68f071bc2a9f831092f6c9880cd0c4513f82ae0d7d09a81b409ad137

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc57F0.tmp

Filesize
5KB

MD5
4a3a362989568541b75e7132990505ee

SHA1
d8d831e5f2f2cd0d51feee6a9ee4f8f01553786b

SHA256
05897a89ed88299ebd4045aa4ff8064752631d80c4bfb694f664824468535e92

SHA512
0f047bf6c5664b8f881833b42f67a842b2aac2462f4016f94977bf015c6f8d11830a8b4bd2f1e744bcea4989214930886adcb0919ad629f5af49f40b82ad6a5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc581F.tmp

Filesize
4KB

MD5
8e1b2846a3c7523226ce289e2da47be3

SHA1
2bb1d368b04dbd80f382123129e945743315cd14

SHA256
441dca3fc476c3ae184f4008b79b7b7cb1917744ef0fdccf10cc37762a5bd8de

SHA512
4644be2a3bd97543d9ab589f21ee7b53d7e9e2dba2358a7088080c74817ad586bae9eead99c49efa5e30e889a07e85931ecb9564a42b1fb6b1aa2e87ae54137c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc584D.tmp

Filesize
5KB

MD5
f0a0424632f58d31e6f42da83f47823e

SHA1
e89db83ec2b32588516365096b63fe099c63525e

SHA256
32d96d9257cb4225b2422b39e03c55504f9ca1a6100e2e21a75c36401570d29a

SHA512
9c40fec000879415cda632fed10b547da42e0ab341a24af25d65ba69c025c894c41804620611f5a8d929631c382aa6eca8d6320ac74c995aefbd1312c0c6cc3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc587C.tmp

Filesize
5KB

MD5
cccd12658d666441d1d80906a7127028

SHA1
665cb475bd1748fadf1f607fe9550e2ec4c89c4c

SHA256
53f112f5d6421aacc71ff8acc478317a302feb37f34695c051f6ec40fdd52e8b

SHA512
8f528de3df02d8a4a2f9493a11f9c929d469ac2ec74aad744f8b4b37671eda2df5e900aafba506a514bd22616b115f10a57435305da31cccade243dca706551c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnxzrlhz.0.vb

Filesize
380B

MD5
6a3d4925113004788d2fd45bff4f9175

SHA1
79f42506da35cee06d4bd9b6e481a382ae7436a1

SHA256
21be523eca2621b9e216b058052970dc749312d2c26836639d8e8faff94c76bb

SHA512
2cfdecfa0604ad7fd54f68bf55e7c52701c7b196de51412e172526affffd6e6c4bc443b6df0fb21d2c777c809aa4e3809bd2b5b385e0d033604b6b653a0f416d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnxzrlhz.cmdline

Filesize
264B

MD5
7b6459eda55aa85295780ebceb0ecd20

SHA1
773b8c7cdc559c64df986f807b8e2faf55bc37df

SHA256
d3e084e89284b6f2113a719c7c7b4a517a4f4d2f9d8deee9fabc494f24038c86

SHA512
c511593311da3b62f4e4294ea21ae68ca618eb69a3e3eb31dedc3d11264c41dcc71884f3affe6d39a7bf77d3bba374b0ac5057fb15e21ec7845362ac88c8fc29

Download Submit
C:\Users\Admin\AppData\Local\Temp\xh61grt3.0.vb

Filesize
383B

MD5
a236870b20cbf63813177287a9b83de3

SHA1
195823bd449af0ae5ac1ebaa527311e1e7735dd3

SHA256
27f6638f5f3e351d07f141cabf9eb115e87950a78afafa6dc02528113ad69403

SHA512
29bec69c79a5458dcd4609c40370389f8ec8cc8059dd26caeaf8f05847382b713a5b801339298ff832305dd174a037bfdb26d7417b1b1a913eacf616cd86f690

Download Submit
C:\Users\Admin\AppData\Local\Temp\xh61grt3.cmdline

Filesize
270B

MD5
3bf87509ac886d8262b97477e320e792

SHA1
88e231abf8e2a97ffd0dffbbd2bfad054eb5b335

SHA256
8d8957db835e285d7d97cc8cbfbac1d405faeb5d64c0d348906d087b573b9bdf

SHA512
629bf92b671dbe0b6912a9bce23f3f501da4210c7251c12ac188949e12b872a380af310ed8c26f467f00e5643d6e049d274068b700d3156038eff36e72b2047d

Download Submit
C:\Users\Admin\AppData\Local\Temp\y3kzlyka.0.vb

Filesize
385B

MD5
40650ce23f89e4cd8462efe73fa023ce

SHA1
8709317f898d137650ecb816743e3445aa392f75

SHA256
ae23b3ffff9fb03b649f412247c342e9cd970e371b0d5dea6be75a26617a5afb

SHA512
b6ec7998e2a9703e2badcb41e60128f340c1c4ffcb9aa2c6532b3dc18024abdec1f739148f45d66417df84f3beed1a15ddbf9f33da073018ab902531ccbde850

Download Submit
C:\Users\Admin\AppData\Local\Temp\y3kzlyka.cmdline

Filesize
274B

MD5
c510af538bb74655f384342769f0fe13

SHA1
c4602d8f715d5850efcc9eb2a5bd349f1b417a79

SHA256
3a214d32c8397019b262d5fdbbc3d9ceba42135550565585e2822702e041d5af

SHA512
977960d7019c28534a04e49ff0717eccc7ca378f8229665346cb75094afdd1c90ce5de52fa3608944ddf070afe7b596852c8fe055abffa74fda4d888ce8f7815

Download Submit
C:\Users\Admin\AppData\Local\Temp\yn7doh_i.0.vb

Filesize
376B

MD5
52ddcb917d664444593bbd22fc95a236

SHA1
f87a306dffbfe5520ed98f09b7edc6085ff15338

SHA256
5c55dcac794ff730b00e24d75c2f40430d90b72c9693dd42c94941753a3d657d

SHA512
60dafb21f44cbf400e6f8bc5791df9a8d497da6837fb1a453fda81b324ac6f70fb9ec0efb1e7649b9bed0dfe979016360f3bcfef543d7e9432a97b96c8b9fd35

Download Submit
C:\Users\Admin\AppData\Local\Temp\yn7doh_i.cmdline

Filesize
256B

MD5
994d669fe629b5630753a5c2450ee338

SHA1
bbcbd29455fa1a7326bc41eac1eed23d7e0dfa5b

SHA256
4ae19b039e611cf1bad31a054b598019c22eecb07dfcaa4186f3d4c60f83f03a

SHA512
aa7a49754ceec6de23fe035be237ba0c2958daba26f97efcda9dcc19caf41eb2d64535d882e63a841dafa4c54b9a760cf5fe9c2f0a00b78fbc05c506649a9a37

Download Submit
memory/2704-4-0x000007FEF5D1E000-0x000007FEF5D1F000-memory.dmp

Filesize
4KB

Download
memory/2704-3-0x000007FEF5A60000-0x000007FEF63FD000-memory.dmp

Filesize
9.6MB

Download
memory/2704-2-0x000007FEF5A60000-0x000007FEF63FD000-memory.dmp

Filesize
9.6MB

Download
memory/2704-1-0x000007FEF5A60000-0x000007FEF63FD000-memory.dmp

Filesize
9.6MB

Download
memory/2704-0-0x000007FEF5D1E000-0x000007FEF5D1F000-memory.dmp

Filesize
4KB

Download
memory/2704-316-0x000007FEF9650000-0x000007FEF9CC1000-memory.dmp

Filesize
6.4MB

Download
memory/2704-317-0x000007FEF91C0000-0x000007FEF95CF000-memory.dmp

Filesize
4.1MB

Download
memory/2704-318-0x000007FEF88D0000-0x000007FEF9134000-memory.dmp

Filesize
8.4MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads