60b290310f67adb0ae186b4b938ca466a6b55653b2519261fa425127f5500a1f

max time kernel
140s
max time network
149s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
03-09-2024 13:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RAT/file.exe
Size

101KB
MD5

88dbffbc0062b913cbddfde8249ef2f3
SHA1

e2534efda3080e7e5f3419c24ea663fe9d35b4cc
SHA256

275e4633982c0b779c6dcc0a3dab4b2742ec05bc1a3364c64745cbfe74302c06
SHA512

036f9f54b443b22dbbcb2ea92e466847ce513eac8b5c07bc8f993933468cc06a5ea220cc79bc089ce5bd997f80de6dd4c10d2615d815f8263e9c0b5a4480ccb4
SSDEEP

1536:fkSJkZlpqwZoMoG5XoZnOZBX7D/3BINVRX3FjBqa8D3tSYS9h:MXlpqwZoMz5XoZncB/3BINZjy9SYS

Score

7^/10

persistence

Malware Config

Signatures

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RAT\\file.exe"	file.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2632	file.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2632 wrote to memory of 2704	2632	file.exe	30
PID 2632 wrote to memory of 2704	2632	file.exe	30
PID 2632 wrote to memory of 2704	2632	file.exe	30
PID 2704 wrote to memory of 2552	2704	vbc.exe	32
PID 2704 wrote to memory of 2552	2704	vbc.exe	32
PID 2704 wrote to memory of 2552	2704	vbc.exe	32
PID 2632 wrote to memory of 2280	2632	file.exe	33
PID 2632 wrote to memory of 2280	2632	file.exe	33
PID 2632 wrote to memory of 2280	2632	file.exe	33
PID 2280 wrote to memory of 1720	2280	vbc.exe	35
PID 2280 wrote to memory of 1720	2280	vbc.exe	35
PID 2280 wrote to memory of 1720	2280	vbc.exe	35
PID 2632 wrote to memory of 2980	2632	file.exe	91
PID 2632 wrote to memory of 2980	2632	file.exe	91
PID 2632 wrote to memory of 2980	2632	file.exe	91
PID 2980 wrote to memory of 2312	2980	vbc.exe	38
PID 2980 wrote to memory of 2312	2980	vbc.exe	38
PID 2980 wrote to memory of 2312	2980	vbc.exe	38
PID 2632 wrote to memory of 2904	2632	file.exe	39
PID 2632 wrote to memory of 2904	2632	file.exe	39
PID 2632 wrote to memory of 2904	2632	file.exe	39
PID 2904 wrote to memory of 852	2904	vbc.exe	41
PID 2904 wrote to memory of 852	2904	vbc.exe	41
PID 2904 wrote to memory of 852	2904	vbc.exe	41
PID 2632 wrote to memory of 864	2632	file.exe	42
PID 2632 wrote to memory of 864	2632	file.exe	42
PID 2632 wrote to memory of 864	2632	file.exe	42
PID 864 wrote to memory of 1744	864	vbc.exe	44
PID 864 wrote to memory of 1744	864	vbc.exe	44
PID 864 wrote to memory of 1744	864	vbc.exe	44
PID 2632 wrote to memory of 1144	2632	file.exe	45
PID 2632 wrote to memory of 1144	2632	file.exe	45
PID 2632 wrote to memory of 1144	2632	file.exe	45
PID 1144 wrote to memory of 2576	1144	vbc.exe	47
PID 1144 wrote to memory of 2576	1144	vbc.exe	47
PID 1144 wrote to memory of 2576	1144	vbc.exe	47
PID 2632 wrote to memory of 3044	2632	file.exe	48
PID 2632 wrote to memory of 3044	2632	file.exe	48
PID 2632 wrote to memory of 3044	2632	file.exe	48
PID 3044 wrote to memory of 992	3044	vbc.exe	50
PID 3044 wrote to memory of 992	3044	vbc.exe	50
PID 3044 wrote to memory of 992	3044	vbc.exe	50
PID 2632 wrote to memory of 1648	2632	file.exe	51
PID 2632 wrote to memory of 1648	2632	file.exe	51
PID 2632 wrote to memory of 1648	2632	file.exe	51
PID 1648 wrote to memory of 1860	1648	vbc.exe	53
PID 1648 wrote to memory of 1860	1648	vbc.exe	53
PID 1648 wrote to memory of 1860	1648	vbc.exe	53
PID 2632 wrote to memory of 3040	2632	file.exe	54
PID 2632 wrote to memory of 3040	2632	file.exe	54
PID 2632 wrote to memory of 3040	2632	file.exe	54
PID 3040 wrote to memory of 2176	3040	vbc.exe	56
PID 3040 wrote to memory of 2176	3040	vbc.exe	56
PID 3040 wrote to memory of 2176	3040	vbc.exe	56
PID 2632 wrote to memory of 2496	2632	file.exe	57
PID 2632 wrote to memory of 2496	2632	file.exe	57
PID 2632 wrote to memory of 2496	2632	file.exe	57
PID 2496 wrote to memory of 2068	2496	vbc.exe	59
PID 2496 wrote to memory of 2068	2496	vbc.exe	59
PID 2496 wrote to memory of 2068	2496	vbc.exe	59
PID 2632 wrote to memory of 1552	2632	file.exe	60
PID 2632 wrote to memory of 1552	2632	file.exe	60
PID 2632 wrote to memory of 1552	2632	file.exe	60
PID 1552 wrote to memory of 1660	1552	vbc.exe	62

C:\Users\Admin\AppData\Local\Temp\RAT\file.exe
"C:\Users\Admin\AppData\Local\Temp\RAT\file.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2632
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fhpv6hqb.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8D14.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8D13.tmp"
    3⤵
    PID:2552
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tvcs4gmi.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2280
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8D52.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8D51.tmp"
    3⤵
    PID:1720
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\efdvmlvy.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8D91.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8D90.tmp"
    3⤵
    PID:2312
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zd2sjoim.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8DCF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8DCE.tmp"
    3⤵
    PID:852
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rqasfpzq.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:864
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8E1D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8E0D.tmp"
    3⤵
    PID:1744
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\myxdydbu.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1144
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8E4C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8E4B.tmp"
    3⤵
    PID:2576
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ciucf03d.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8E9A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8E89.tmp"
    3⤵
    PID:992
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\g3wll8pi.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1648
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8ED8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8ED7.tmp"
    3⤵
    PID:1860
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zf59foeu.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8F17.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8F16.tmp"
    3⤵
    PID:2176
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\y4oyh-6o.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2496
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8F55.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8F54.tmp"
    3⤵
    PID:2068
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rdztpbvz.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1552
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8FA3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8FA2.tmp"
    3⤵
    PID:1660
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kwucpf9p.cmdline"
  2⤵
  PID:1980
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8FE2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8FE1.tmp"
    3⤵
    PID:3036
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fva_sr5o.cmdline"
  2⤵
  PID:2500
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9030.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc902F.tmp"
    3⤵
    PID:840
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\8i4qw1l4.cmdline"
  2⤵
  PID:1764
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES907E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc907D.tmp"
    3⤵
    PID:1484
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nliswgwx.cmdline"
  2⤵
  PID:1820
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES90BC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc90BB.tmp"
    3⤵
    PID:2128
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gk_djgkw.cmdline"
  2⤵
  PID:1700
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES90FA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc90F9.tmp"
    3⤵
    PID:2724
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3hh9gpy5.cmdline"
  2⤵
  PID:1568
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9187.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9186.tmp"
    3⤵
    PID:2276
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\l36bsaes.cmdline"
  2⤵
  PID:2548
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES91C5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc91C4.tmp"
    3⤵
    PID:2708
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1nhjrsmk.cmdline"
  2⤵
  PID:2536
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9204.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9203.tmp"
    3⤵
    PID:1676
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\plpz7t12.cmdline"
  2⤵
  PID:1460
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9242.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9241.tmp"
    3⤵
    PID:2140
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5toflz1c.cmdline"
  2⤵
  PID:2376
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9280.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc927F.tmp"
    3⤵
    PID:1716
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\us-iqqtc.cmdline"
  2⤵
  PID:1228
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES92BF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc92BE.tmp"
    3⤵
    PID:1964
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\buxmqjcp.cmdline"
  2⤵
  PID:2256
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES930D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc930C.tmp"
    3⤵
    PID:1744
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ewbcfzer.cmdline"
  2⤵
  PID:604
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES935B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc935A.tmp"
    3⤵
    PID:2976

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-14252317416012630171446416726732624826-819021233-1993052153-19218961761313338636"
1⤵
PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\RevengeRAT\vcredist2010_x64.log.ico

Filesize
4KB

MD5
e69bd49fffc2d6799ce66c2ae6db27bd

SHA1
6975a39f2ebfdab8ed2697d1708bc5d3e5353c0c

SHA256
33437d4fc42ab9380d430969c2d194e6737217ec838223392eb9690f0a79637a

SHA512
b9a931802f9adfefa61d15381873556afc8a605dacfe2703505394c24f1d6214183029c6d28c67b6cfdc79fac7961afe26e4cccdddd9c4d0461deee7a090f4cd

Download Submit
C:\ProgramData\RevengeRAT\vcredist2010_x86.log-MSI_vc_red.msi.ico

Filesize
4KB

MD5
ce45fbf7c5fe46598627f56ab4b6c99c

SHA1
e0f344ec6aaaed70ecb1f40e74876316233c06b6

SHA256
68792990a84b5c3448ff99c952444ee0d02c1877cc3245e5ae7aa4023c2f2440

SHA512
f6929b1af23f4f960340cd0bc8158a861fa752f7acaeec47c2dc3829bce2367f5afc901f1ae358a1ccda02d8acb529487d36eedfeac1c793bfd49d6b4aad407a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8D14.tmp

Filesize
5KB

MD5
db5ee1e1bb1d11529dfe0d6fb819bbf6

SHA1
a63e0060902f736dcf9fb21b6e22c86622049881

SHA256
71709ecba2e98681bc2a9662f4f24b8db0d1ad546806f5b447dc0327a17c440f

SHA512
de88a0256eba90adec99fa2098f51aa9617fe118690ee51dc6d2936c426c947010447837b221a41977a261015cdc1089cf2b0a08213f0736ea7509aacc38fc33

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8D52.tmp

Filesize
5KB

MD5
e06475cc4aef413b4e9bd7f7bb922717

SHA1
43e26bc76ddc016b89d56f98e05366e70bbf14de

SHA256
a9166ff9f9d634bb0c562567c79bd7430de640943eaa82dfc9f4e3dc1ae56433

SHA512
f2e14b5ddf73495d5d1b8618deb390f355278e7abbf2e0704cf2a018af443d1b9463e12d0746f3acf4524bc2b4dab86a0ebd30624c0cc10460a09bfb11152934

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8D91.tmp

Filesize
5KB

MD5
76e6df58a35148a4406e104462de5269

SHA1
8bdba9cf8b768521c83f7112dff9fc86c0f04446

SHA256
3d4ebf54e4af70b698fb8333ef26753fe171b33c1c7789a76234f4eb7af6ce74

SHA512
f9d112647cafbfb2573fc964afb1d872ad798c749abcdc783e1ffde94be84d95fe46edb901e962603f5c576a64cd5034f613a59aa59780acfe354c2a52012b93

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8DCF.tmp

Filesize
5KB

MD5
34e5d5860a2afb6f1dc76c2d9ee8035d

SHA1
bf68d30fd1aa5a2b958c171f86cb0a5431fd15dd

SHA256
3e611235044c0f85abfa5c59d047dc1bd1f8b14739ed04a5487a2c9f672f9758

SHA512
532dfa2273f235ec4256397a9208030a4003791db99616ac1dfc9c19d6b62f5654ce8a4fe3e825bf387489b774e5b9188420d4ff92bac3f2e523967fa876e66d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8E1D.tmp

Filesize
5KB

MD5
37af9a43ceaa45d0910f71c06898f487

SHA1
c927ac9bb0ccc86a7d71d1fbdd1297996f2ced4f

SHA256
b3dc63267139ba9619f3212d9b8ceac863d46786d32cb0d4bdb5ed1e252432cf

SHA512
4c422d8ab4ec8c9eed1fa1cab240a3aaec5400cff03b09023b305f2d4022093368102afda5116ea6fb3c71221b13772184af6e48f52575b2d9413be35974aa07

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8E4C.tmp

Filesize
5KB

MD5
3e64e06cc093b93f1a0774fffc986ac4

SHA1
d5eb41ebd3afc150700cf7050bc0f331306dc683

SHA256
6accf0b4c0d88089ac5717d1d3c8ac3c830a90608e6fa0d5b27f4c11835e1e7f

SHA512
7dc17e8cd1b57e50d5516eef4f466ae232ccc4cbba3871a03b75807af5b8cf3efaecf587936b30cd9704b2bd7e5bd9daf47fcb1b7315daf356fe7cc024078f23

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8E9A.tmp

Filesize
5KB

MD5
3679f7ba5d167a325681ca77934279ec

SHA1
91115fa4f8fa210d0d2caac12feb46f8b40cee58

SHA256
470a99b6ffbdb4484553ae875593d461701f4bfb4e651c4ac255f08bff761c6a

SHA512
7d6728be67c4319b9458f031117229b9eae2fb0ba02778baa172e8b24dbfe554e1e633777bf084d46e40590c8cfb6573251e63ce8502d6b309aa919a6aee1a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8ED8.tmp

Filesize
5KB

MD5
f787277a7d18f880c1e53cae31e9eccc

SHA1
7fd62bfd9e4da3e271b16b77d33cc40601e2bac1

SHA256
537b1ea55647440c63abe891bea0c53165ea3917322c578fd8a40930fb7980cc

SHA512
23f824854abf77e72d39b25cc8455367f24696e61fd0310be3b45e3a1d667d02d73e8b131801e96d67d5cc97fe55b1c2df58455f5770b518ff268360b17e5f03

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8F17.tmp

Filesize
5KB

MD5
bfdfc803933f424a82a112fcfffb3f62

SHA1
5df879458a304e8e1b614cd7a07d60709c13f51c

SHA256
aedc2d344aaf80c0d928ba3da997252feb9340346dbc38b5aad2a1249f228e40

SHA512
aedd95ecc10c472d84e287041d441b23d565aaa254e8f9d62f08aeec9d4633e44365e221eacc9f6218ef3837423d0575a890415faf5b4559fd4b727e2707d5af

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8F55.tmp

Filesize
5KB

MD5
96e6af0ca59a96044758ee3441ebd08d

SHA1
925e21c6dafc112832f47a1ae3428b5a1c2e1013

SHA256
db25a4bc8d0297709340b5f9101c43979546e2ab414ff87875986bbb3d960270

SHA512
d6fa59dd01373fe2138f7d36930bcd8196122063031f8caabaca2bd98e52450cd6ada3182f849770fa2b4789e17d2cc605ebd6a4419d0cb6bc64f9f1d1754130

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8FA3.tmp

Filesize
5KB

MD5
a79592124e668bbd45c459b157e0d79d

SHA1
b04d84caf2cf7d39be03bcd32476f5390536b963

SHA256
d2af7f5038c577b1f225dce96d38b105727377cb7cc86f25608cfd4a5bf576e1

SHA512
3b42f01a42bcc5345da9f6700244916f7ec9e9ce8e70ce0eb9237e36d434f2b4d75a208d0339208a0624b8e1c3c89276cf224d1aa5fe54eefe3fafe4f92e42b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8FE2.tmp

Filesize
5KB

MD5
99950f7e91963733c8e65db112ffe75f

SHA1
2d12d920201d84a0875c6fc81a4020ff70837cd2

SHA256
88b242f41efc67e3794b966bdac7e7495d5b955af7469340e4be4a2297528cdb

SHA512
766abaffd84e5dbdf1b79a0e53adb4cb09c153e499a5f5299ad07fbd56f652088a1d0270ce764c118ac9120232af566b6b2c496109428de640e0baeeacbb1138

Download Submit
C:\Users\Admin\AppData\Local\Temp\ciucf03d.0.vb

Filesize
380B

MD5
6a3d4925113004788d2fd45bff4f9175

SHA1
79f42506da35cee06d4bd9b6e481a382ae7436a1

SHA256
21be523eca2621b9e216b058052970dc749312d2c26836639d8e8faff94c76bb

SHA512
2cfdecfa0604ad7fd54f68bf55e7c52701c7b196de51412e172526affffd6e6c4bc443b6df0fb21d2c777c809aa4e3809bd2b5b385e0d033604b6b653a0f416d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ciucf03d.cmdline

Filesize
264B

MD5
469d8aa2f432a63c3df500b9a59a0125

SHA1
fbb4c73179578bfb19cad543a4bbd90b90f21eca

SHA256
3ade2fa54ef469dbcce9ecc410fada9a0a9fc2b3a1d0bfa0c70341db3c9bd23c

SHA512
fdfd123962ec4cd3f6e3b63a835b76924059d04740e33c319638d91207359b2848d2bae10514d3d88d7b9248fa63809461f28b5498c75dda27bdc2e080b1fcff

Download Submit
C:\Users\Admin\AppData\Local\Temp\efdvmlvy.0.vb

Filesize
376B

MD5
0c699ac85a419d8ae23d9ae776c6212e

SHA1
e69bf74518004a688c55ef42a89c880ede98ea64

SHA256
a109cb0ae544700270ad4cb1e3e45f7f876b9cfac5f2216875c65235502982fe

SHA512
674e3f3c24e513d1bb7618b58871d47233af0a450f1068762e875277bbddf6c4f78245988c96e907dbbf3aafb5ff59e457528b3efa8e0a844f86a17a26d4f3d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\efdvmlvy.cmdline

Filesize
256B

MD5
df8a3889bd252eb663efde92b01f8fda

SHA1
22d9a22bc59fdb19a031b030f0f712bac10c8f32

SHA256
1ec90a8d075cfeb5fbe91bd2ea1239a90daf120f6688e2db9645ba06e9bc32b2

SHA512
13125d0939533f46ed2f609dc19c43da119d990285538cb2a9810a3e9f6307af54d3c59f7f36da616adf3c97ec7b2162910ef4796d16233bc92268b60fcb056e

Download Submit
C:\Users\Admin\AppData\Local\Temp\fhpv6hqb.0.vb

Filesize
376B

MD5
52ddcb917d664444593bbd22fc95a236

SHA1
f87a306dffbfe5520ed98f09b7edc6085ff15338

SHA256
5c55dcac794ff730b00e24d75c2f40430d90b72c9693dd42c94941753a3d657d

SHA512
60dafb21f44cbf400e6f8bc5791df9a8d497da6837fb1a453fda81b324ac6f70fb9ec0efb1e7649b9bed0dfe979016360f3bcfef543d7e9432a97b96c8b9fd35

Download Submit
C:\Users\Admin\AppData\Local\Temp\fhpv6hqb.cmdline

Filesize
256B

MD5
4189f0c8fb5be3622b39623d549ac248

SHA1
a2d770c7ab79fa57796cb90ddf654a4bf394ab42

SHA256
3222b09f3ed1cebfb61a74e277e8c0a45b4f973e7e1fbdf3fb3b3519190dd56c

SHA512
d88ca8458ba9b0af42d65243bb892b1b5d3448a8552eced6e1806dc4651bbada3045483cc26ba21083528e7147421e0ed1a59dcc9236b06d7baf1d6d38e840e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\fva_sr5o.0.vb

Filesize
382B

MD5
37c6619df6617336270b98ec25069884

SHA1
e293a1b29fd443fde5f2004ab02ca90803d16987

SHA256
69b5796e1bb726b97133d3b97ebb3e6baac43c0474b29245a6b249a1b119cd33

SHA512
c19774fc2260f9b78e3b7ee68f249ce766dcdc5f8c5bc6cfc90f00aa63ce7b4d8c9b5c6f86146aa85e15fd0c5be7535cc22e0a9949ef68fbd5aca0436c3bd689

Download Submit
C:\Users\Admin\AppData\Local\Temp\fva_sr5o.cmdline

Filesize
268B

MD5
453124f27a67da5708fa20c543550411

SHA1
295986cf97b21d2b284fbd346bf59865910963e6

SHA256
2f1331361af4b4cbc80a2dc39810a09d4d59b56f1c71e744724a4430fab24305

SHA512
0583c0d5c11c532332e13722ba4660ade4f079a9f2adcacb9a2cbc424eb29c78f67fab44b41a5bc10fcdf5744fcd21f3c41f0dea9bb6074736212d20e81bd490

Download Submit
C:\Users\Admin\AppData\Local\Temp\g3wll8pi.0.vb

Filesize
383B

MD5
a236870b20cbf63813177287a9b83de3

SHA1
195823bd449af0ae5ac1ebaa527311e1e7735dd3

SHA256
27f6638f5f3e351d07f141cabf9eb115e87950a78afafa6dc02528113ad69403

SHA512
29bec69c79a5458dcd4609c40370389f8ec8cc8059dd26caeaf8f05847382b713a5b801339298ff832305dd174a037bfdb26d7417b1b1a913eacf616cd86f690

Download Submit
C:\Users\Admin\AppData\Local\Temp\g3wll8pi.cmdline

Filesize
270B

MD5
8ae04437d57ccae744843c1870a3fe59

SHA1
3370f62ceeab8c03efa954f8025eeeb6e79d8acb

SHA256
88c1d1530a0a20a69fa3fc4ef305b43d16c8275dbe4028ea2e06b52225b7ce89

SHA512
7738c860d284fe7d29ca981d9cee3c29f36b936401863dc1848079054ff57f04fe4f5835fbbf132c9cf436ff44b6a644f47a32bc0a70df9436ac3534015e1ca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwucpf9p.0.vb

Filesize
385B

MD5
40650ce23f89e4cd8462efe73fa023ce

SHA1
8709317f898d137650ecb816743e3445aa392f75

SHA256
ae23b3ffff9fb03b649f412247c342e9cd970e371b0d5dea6be75a26617a5afb

SHA512
b6ec7998e2a9703e2badcb41e60128f340c1c4ffcb9aa2c6532b3dc18024abdec1f739148f45d66417df84f3beed1a15ddbf9f33da073018ab902531ccbde850

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwucpf9p.cmdline

Filesize
274B

MD5
2902c304965b80bfc67d497312adb769

SHA1
351333eca55a017b32cf7f35c6134ac2b9d2db47

SHA256
363accd882e0a2033ea681850a30f9d27768aa677cc09a5f1781c74612148cbc

SHA512
0128658328424d5a24ec211c1bd94e01ac92d48f09bbedaef10a47f200f5f0bc7172d5f86a2b456735333c38b296c49c2b00a1b84b2d3bba96410c2d9efbcc87

Download Submit
C:\Users\Admin\AppData\Local\Temp\myxdydbu.0.vb

Filesize
383B

MD5
e8615295f45d210bf3b7d023e3688b9f

SHA1
e33be2e3faddd8e48f62e0f30ad3cdc08bae7e33

SHA256
c81a9b36d60cc8d54374337bf1b116165c41be0cd2460ac35223fb790f5f94fc

SHA512
b48fa683711c9cd16f6e4e007145a508b617bbf9847efc1d81cdea75dda43bf88a3d094fc93fe8ef7c4b55e3dd1c4e687a6044b504b106262b2566c4ab944919

Download Submit
C:\Users\Admin\AppData\Local\Temp\myxdydbu.cmdline

Filesize
270B

MD5
fa76c4322b20e73ad71701db46fdf75d

SHA1
de4ecd60b9cb889a43d8670834ae39bf7af2c51e

SHA256
c8daefaba2cfc885e8e43c6e527101206ce16fcf353f3eb50fa5a079a288fd2e

SHA512
f9a8ebaae5f6fa821ff15aa691bee3849b448b271cb7f7b1136bfcc38c27859ab6489d29aeb95ec7881021ae4133cb924a4bb93260f3ee6184faa30a4108d763

Download Submit
C:\Users\Admin\AppData\Local\Temp\rdztpbvz.0.vb

Filesize
382B

MD5
7d4fad6697777f5a8450a12c8d7aa51f

SHA1
879db5558fb1a6fac80a5f7c5c97d5d293a8df5c

SHA256
741018cae167c9f6c1206e75ddf3d758543f9a16bec5d56a07fab9eb5439e3f6

SHA512
6a31b4eab1829db245773e18e97f9a9956224174e28218476e45e8907bf8b4341ed732a0153a320cb956f2eca4e014c1ef6b0c6f627cf97a79b7a81f8e1fe144

Download Submit
C:\Users\Admin\AppData\Local\Temp\rdztpbvz.cmdline

Filesize
268B

MD5
2a2db625abcfcba4ad66bf9391614d34

SHA1
07ae8908fc4a8c4efd55df115cf647919cd7357c

SHA256
2738afedc4212e52b97fd80757470bf0322411b6dba9f376c37dff3e62094d52

SHA512
3c4c7aa2d370817b3e236729d89220c2688be9314423f40c4471cda3c9ee5ca4afd5acf00b93a50e79bc06533ee3ec40ae44929424d8acc52d9b7edd80b8ef46

Download Submit
C:\Users\Admin\AppData\Local\Temp\rqasfpzq.0.vb

Filesize
380B

MD5
3cbba9c5abe772cf8535ee04b9432558

SHA1
3e0ddd09ad27ee73f0dfca3950e04056fdf35f60

SHA256
946d0a95bf70b08e5b5f0005ff0b9ad4efe3b27737936f4503c1a68a12b5dc36

SHA512
c3c07c93011dc1f62de940bc134eb095fa579d6310bd114b74dd0ae86c98a9b3dd03b9d2af2e12b9f81f6b04dc4d6474bd421bce2109c2001521c0b32ae68609

Download Submit
C:\Users\Admin\AppData\Local\Temp\rqasfpzq.cmdline

Filesize
264B

MD5
8cd6177fabd553d8712c5d121ec1e4f4

SHA1
2501cdea29413e98c7f0fd0b3e592a90994f0d0a

SHA256
0480d03ce5155276b9374d032f7d4aff035087b0fa30d29cd3ba007910c869d3

SHA512
4026a300ddbfa12140e77ff685f3f53a4507ce7e3e5921857ad7c6755b80c60f61ac0b0a7c4d09d5ebf4459d5c94463460d0d96ab1135e686e9dd7411ab4e389

Download Submit
C:\Users\Admin\AppData\Local\Temp\tvcs4gmi.0.vb

Filesize
362B

MD5
31e957b66c3bd99680f428f0f581e1a2

SHA1
010caae837ec64d2070e5119daef8be20c6c2eae

SHA256
3e32c4b27f7a5840edc2f39d3fc74c2863aa2dfd9a409f1f772b8f427091a751

SHA512
6e61d77c85c1bf3fd0c99630156e0390f9a477b4df0e46218054eae65bee7766443905f48e3f3c7dec72b3fb773f758cf175df54f1ed61ac266469579f3997af

Download Submit
C:\Users\Admin\AppData\Local\Temp\tvcs4gmi.cmdline

Filesize
227B

MD5
b21f7e92a5591382ef0155b77c1e4337

SHA1
a0ab764b14de867b2f7ef38673dd42f6b74ce622

SHA256
374838b4663fa3643785349a78d3eae06dc2f9c25c46b68e6f5aa562cc643c36

SHA512
99b14b77d5316526074231fc26b1686ed5516984871baf5f6685147de3e471b607039068aa3d68e320f994825d1124ffc1a2189396853eced2138b93b8f0b648

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8D13.tmp

Filesize
5KB

MD5
97f90d31bbdf02bec54371d2950f2f20

SHA1
3bb06b81f2c9b550dfe755e7613b4f3e22669c63

SHA256
191f3fdee3d4f346c91e06ddc67d88fcb3fc1ab7e1be25b0526e72bf6e0ef02c

SHA512
9611d249994dc1a639e6fd81769c446d7587c2a6253dedf43ded6357b5d4ee9db9c47e519b4382f1de97a47b6008ce5a62c11ea7ce615ef1abbcfd600d1733ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8D51.tmp

Filesize
5KB

MD5
452354b8f76e583a97d073c24d9837b7

SHA1
f37484c4f1198d89bbbeb310e112899061c8ed4f

SHA256
c022c752232c34d61d8682fe90f26fe91f63c0bc9cb62fee79a84ee8a254b61b

SHA512
2dff7560f9bf5fed2bdf559de3e0cae1e2c21b8a59daf9d401358a95577381a305759994ff7a55bc5293c9714de4708d859d8f71f48c26633c62c215ce5f3421

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8D90.tmp

Filesize
5KB

MD5
71324862c7b45fd4c5010e3214c49178

SHA1
17c413579c5216b0aed9363311f96c62d237bf8d

SHA256
3b151877a52c4aa3faebc48ac7e4d2bb793bee3b6146ecbf89fa5af8e1014b96

SHA512
f06bc547080a07fb20840dbe0942633364f032f4e86d5297a5f748f4310b98076eb65037b8530c66f167dcbdd0cf663301a7e912903ca8a4f545decf3fbfeca9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8DCE.tmp

Filesize
5KB

MD5
f91ad2c08406e8f7f5ebbeb063394fd7

SHA1
3a82be393abaa68b4c61ffd1ffe4b679623d6858

SHA256
b51cd8defd668ca7060e4e64b296b8683263c9fa183433fc0f01b6de082ccb50

SHA512
45e28009c8fc7690e83aa101e18b9bc0a1392890d3d8f80bb87ccb9e615fd10ff8baa0c2c38df1779abf51c7946d80b02b0c34aa2484859b6e863bbe2eacd7ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8E0D.tmp

Filesize
5KB

MD5
5c60372f12c186ea089c0f15cfff6ed0

SHA1
432262da0f1c00bd92f1e2e1f7a98f9cf7af48c9

SHA256
d41713ad01e7c19e02da71a61a245908820944efe7c60369f09aea7922b6e37f

SHA512
fec79d0928d966bb57e3a0b530383dbfcae19c6bfb2fe9b7ba42985e1888359b406f6508d95e8186bc9650f9a4c6a8a402ba8e93f49bbade6963fc70b00de7e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8E4B.tmp

Filesize
5KB

MD5
a17632fd23476ad93e2e8d480d4301b2

SHA1
a6cf184939b46b6b3ab119db7bb2b704a94b93a1

SHA256
309300f575636b15ce9455a8ce828f74991b1e07566d33f1b7a36ae816f93b78

SHA512
a6ef810516815d0d74cb4f733b9df6d38602edd6aecb44440ee2b4d6b5a3beed15b2cc92f395bb6a359dee02ae8ee60bcb924cca71584f062403e55640047d61

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8E89.tmp

Filesize
5KB

MD5
ce3585e20a1a21bec81eeb286be8e21e

SHA1
b22e1621540487dbf33c6ff16224f684846a381b

SHA256
cdcb2fe63e17bad15a24fa4df897650ea0383c6c774570dc1688430d67b3b573

SHA512
4dcb91ff578d191c63643895ff60f1eaecb7db147f3f468dada100cb4cfda76119b074adfc365003be862414708f8f806f39936da8aa7261f27605404d98c475

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8ED7.tmp

Filesize
5KB

MD5
730c7ec54491d81264c7c47a773b2ab8

SHA1
d979ecadf7e80953aa0c229ff77c453897102053

SHA256
71150a843be31e9ac6735e9066f949b54bb0826a951ee6e11f8906a73dc02d44

SHA512
fab4abaa2c0bacaea2f534739e953bb248579f91aa47ea0f5eac896202921df1815356d70316a00d862820afd13d5511f40d0061391d36be836c797257a76318

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8F16.tmp

Filesize
5KB

MD5
43ba9fb6d7febe860455dbdccbb73006

SHA1
910740f113336290128eb5cd6c8778c89a52fe78

SHA256
efee7902eb2ebddcf1b81b575f2ca31e9caf397f4a7fba0f8c63c9440bff1234

SHA512
848a0bfa57c9d774942c3034de7cc1b1431c00e456d5e45a62abaf5b274627031a19aecc68f071bc2a9f831092f6c9880cd0c4513f82ae0d7d09a81b409ad137

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8F54.tmp

Filesize
5KB

MD5
4a3a362989568541b75e7132990505ee

SHA1
d8d831e5f2f2cd0d51feee6a9ee4f8f01553786b

SHA256
05897a89ed88299ebd4045aa4ff8064752631d80c4bfb694f664824468535e92

SHA512
0f047bf6c5664b8f881833b42f67a842b2aac2462f4016f94977bf015c6f8d11830a8b4bd2f1e744bcea4989214930886adcb0919ad629f5af49f40b82ad6a5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8FA2.tmp

Filesize
5KB

MD5
f0a0424632f58d31e6f42da83f47823e

SHA1
e89db83ec2b32588516365096b63fe099c63525e

SHA256
32d96d9257cb4225b2422b39e03c55504f9ca1a6100e2e21a75c36401570d29a

SHA512
9c40fec000879415cda632fed10b547da42e0ab341a24af25d65ba69c025c894c41804620611f5a8d929631c382aa6eca8d6320ac74c995aefbd1312c0c6cc3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8FE1.tmp

Filesize
5KB

MD5
cccd12658d666441d1d80906a7127028

SHA1
665cb475bd1748fadf1f607fe9550e2ec4c89c4c

SHA256
53f112f5d6421aacc71ff8acc478317a302feb37f34695c051f6ec40fdd52e8b

SHA512
8f528de3df02d8a4a2f9493a11f9c929d469ac2ec74aad744f8b4b37671eda2df5e900aafba506a514bd22616b115f10a57435305da31cccade243dca706551c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc902F.tmp

Filesize
5KB

MD5
47bc25715f9e5592cbdaf196b000a7f3

SHA1
16846bb61f999895bcb3f0b10e9470621472e1b0

SHA256
2c46701b1c8ddf5cbd126824ab61f8e7acdc7e850b87b773f9998ea0c79c6c11

SHA512
c48b9396b7edc0d8807f8dbae6f1ce255536886b23fcc7c5aaadc9d1e5a33e9b0f060b90680a29645ba5c5f27abfc3dfd746e17bc8511805b6b0628da8a774f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\y4oyh-6o.0.vb

Filesize
385B

MD5
0ad1ae93e60bb1a7df1e5c1fe48bd5b2

SHA1
6c4f8f99dfd5a981b569ce2ddff73584ece51c75

SHA256
ea68ce9d33bd19a757922ba4540978debcba46f1133fbc461331629e666d6397

SHA512
a137a8f18a2b2ff9c31556044dd7c41fb589a6a52b15e4dc6cbb3ba47ab4a06d8b9ad54fb498100dab33f8a217848d31f14daca736045afb4f76ffb650b17f03

Download Submit
C:\Users\Admin\AppData\Local\Temp\y4oyh-6o.cmdline

Filesize
274B

MD5
88ed646725d65d0828bc8bd966550cf8

SHA1
e52b068ca1fbc9f63401577266036c800b02ab5f

SHA256
baf58c16e1b75945eb2100c0975602f660a5a34206dbcbf27c38278fb059634b

SHA512
60047555fdae79dc87b961f4121986d8c90ada575d46299c1cc9581897795d3429b02c2b8e2275321508664f4f4ca53ac8d75fd311efbc6258d05128a8aed898

Download Submit
C:\Users\Admin\AppData\Local\Temp\zd2sjoim.0.vb

Filesize
362B

MD5
3b4aed436aadbadd0ac808af4b434d27

SHA1
f8711cd0521a42ac4e7cb5fc36c5966ff28417b6

SHA256
ee55ee594a9bb7acee0dfaa9aaa31ebc044e3090b5a68baef63ddd2f6493d3a6

SHA512
6ca8a69f31876db620e8818d896257d3683dcf859841afa3ba7b83ae57ce67c47b98b4e44c449b02eb789b683b840e769857b10cf16a5a5882683e96f65ab5ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\zd2sjoim.cmdline

Filesize
227B

MD5
ab8f5f68ee732b493c13ef658f03eb94

SHA1
9dff8785f03823607c9ae31475495e4f94fab2aa

SHA256
1023820359289dc1cd595d543701867992dd69a5f07d04cb8d61e4bf5ed18eeb

SHA512
fa8fa892e9bf19bffa62e8aa520c40e8bf6810cf955071799be32decbbf36fbf4839892ce224f7cf151527f2d7be5634ec9f43b36ee9eb2be6ec60bc0a746605

Download Submit
C:\Users\Admin\AppData\Local\Temp\zf59foeu.0.vb

Filesize
382B

MD5
44ab29af608b0ff944d3615ac3cf257b

SHA1
36df3c727e6f7afbf7ce3358b6feec5b463e7b76

SHA256
03cbb9f94c757143d7b02ce13e026a6e30c484fbadfb4cd646d9a27fd4d1e76d

SHA512
6eefa62e767b4374fa52fd8a3fb682a4e78442fe785bfe9b8900770dbf4c3089c8e5f7d419ec8accba037bf9524ee143d8681b0fae7e470b0239531377572315

Download Submit
C:\Users\Admin\AppData\Local\Temp\zf59foeu.cmdline

Filesize
268B

MD5
95c14f0e3480b281177eb11881c8f29d

SHA1
258c7233cbcccc6c6799aca24545df5180c0675d

SHA256
ce2ccac4185b93917c349c0c6ea2a1bf2d4b1dc12fef64ee52db0543ea4f37c1

SHA512
471bbf62684fcde1b242ee42a8e8e82e0cb3f81d9ed58514ea3c5ee305b2998509a13d0733835828bbc1b8e6f15ae1ee5e4005c6509ff7ddfeabedb08e781801

Download Submit
memory/2632-0-0x000007FEF51EE000-0x000007FEF51EF000-memory.dmp

Filesize
4KB

Download
memory/2632-2-0x000007FEF4F30000-0x000007FEF58CD000-memory.dmp

Filesize
9.6MB

Download
memory/2632-1-0x000007FEF4F30000-0x000007FEF58CD000-memory.dmp

Filesize
9.6MB

Download
memory/2632-3-0x000007FEF4F30000-0x000007FEF58CD000-memory.dmp

Filesize
9.6MB

Download
memory/2632-305-0x000007FEF8A10000-0x000007FEF9081000-memory.dmp

Filesize
6.4MB

Download
memory/2632-306-0x000007FEF8370000-0x000007FEF877F000-memory.dmp

Filesize
4.1MB

Download
memory/2632-307-0x000007FEF7B00000-0x000007FEF8364000-memory.dmp

Filesize
8.4MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads