60b290310f67adb0ae186b4b938ca466a6b55653b2519261fa425127f5500a1f

max time kernel
135s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/09/2024, 14:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RAT/file.exe
Size

101KB
MD5

88dbffbc0062b913cbddfde8249ef2f3
SHA1

e2534efda3080e7e5f3419c24ea663fe9d35b4cc
SHA256

275e4633982c0b779c6dcc0a3dab4b2742ec05bc1a3364c64745cbfe74302c06
SHA512

036f9f54b443b22dbbcb2ea92e466847ce513eac8b5c07bc8f993933468cc06a5ea220cc79bc089ce5bd997f80de6dd4c10d2615d815f8263e9c0b5a4480ccb4
SSDEEP

1536:fkSJkZlpqwZoMoG5XoZnOZBX7D/3BINVRX3FjBqa8D3tSYS9h:MXlpqwZoMz5XoZncB/3BINZjy9SYS

Score

7^/10

persistence

Malware Config

Signatures

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RAT\\file.exe"	file.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4284	file.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4284 wrote to memory of 2264	4284	file.exe	93
PID 4284 wrote to memory of 2264	4284	file.exe	93
PID 2264 wrote to memory of 4696	2264	vbc.exe	95
PID 2264 wrote to memory of 4696	2264	vbc.exe	95
PID 4284 wrote to memory of 1388	4284	file.exe	96
PID 4284 wrote to memory of 1388	4284	file.exe	96
PID 1388 wrote to memory of 3012	1388	vbc.exe	98
PID 1388 wrote to memory of 3012	1388	vbc.exe	98
PID 4284 wrote to memory of 1000	4284	file.exe	99
PID 4284 wrote to memory of 1000	4284	file.exe	99
PID 1000 wrote to memory of 1752	1000	vbc.exe	101
PID 1000 wrote to memory of 1752	1000	vbc.exe	101
PID 4284 wrote to memory of 3920	4284	file.exe	102
PID 4284 wrote to memory of 3920	4284	file.exe	102
PID 3920 wrote to memory of 1444	3920	vbc.exe	104
PID 3920 wrote to memory of 1444	3920	vbc.exe	104
PID 4284 wrote to memory of 1712	4284	file.exe	105
PID 4284 wrote to memory of 1712	4284	file.exe	105
PID 1712 wrote to memory of 4464	1712	vbc.exe	107
PID 1712 wrote to memory of 4464	1712	vbc.exe	107
PID 4284 wrote to memory of 2320	4284	file.exe	140
PID 4284 wrote to memory of 2320	4284	file.exe	140
PID 2320 wrote to memory of 708	2320	vbc.exe	110
PID 2320 wrote to memory of 708	2320	vbc.exe	110
PID 4284 wrote to memory of 1268	4284	file.exe	111
PID 4284 wrote to memory of 1268	4284	file.exe	111
PID 1268 wrote to memory of 3176	1268	vbc.exe	113
PID 1268 wrote to memory of 3176	1268	vbc.exe	113
PID 4284 wrote to memory of 4084	4284	file.exe	114
PID 4284 wrote to memory of 4084	4284	file.exe	114
PID 4084 wrote to memory of 2248	4084	vbc.exe	116
PID 4084 wrote to memory of 2248	4084	vbc.exe	116
PID 4284 wrote to memory of 3964	4284	file.exe	117
PID 4284 wrote to memory of 3964	4284	file.exe	117
PID 3964 wrote to memory of 3512	3964	vbc.exe	119
PID 3964 wrote to memory of 3512	3964	vbc.exe	119
PID 4284 wrote to memory of 4152	4284	file.exe	120
PID 4284 wrote to memory of 4152	4284	file.exe	120
PID 4152 wrote to memory of 3532	4152	vbc.exe	122
PID 4152 wrote to memory of 3532	4152	vbc.exe	122
PID 4284 wrote to memory of 4784	4284	file.exe	123
PID 4284 wrote to memory of 4784	4284	file.exe	123
PID 4784 wrote to memory of 3276	4784	vbc.exe	125
PID 4784 wrote to memory of 3276	4784	vbc.exe	125
PID 4284 wrote to memory of 1828	4284	file.exe	126
PID 4284 wrote to memory of 1828	4284	file.exe	126
PID 1828 wrote to memory of 408	1828	vbc.exe	128
PID 1828 wrote to memory of 408	1828	vbc.exe	128
PID 4284 wrote to memory of 448	4284	file.exe	129
PID 4284 wrote to memory of 448	4284	file.exe	129
PID 448 wrote to memory of 3396	448	vbc.exe	131
PID 448 wrote to memory of 3396	448	vbc.exe	131
PID 4284 wrote to memory of 1680	4284	file.exe	132
PID 4284 wrote to memory of 1680	4284	file.exe	132
PID 1680 wrote to memory of 4132	1680	vbc.exe	134
PID 1680 wrote to memory of 4132	1680	vbc.exe	134
PID 4284 wrote to memory of 436	4284	file.exe	135
PID 4284 wrote to memory of 436	4284	file.exe	135
PID 436 wrote to memory of 1524	436	vbc.exe	137
PID 436 wrote to memory of 1524	436	vbc.exe	137
PID 4284 wrote to memory of 1152	4284	file.exe	138
PID 4284 wrote to memory of 1152	4284	file.exe	138
PID 1152 wrote to memory of 2320	1152	vbc.exe	140
PID 1152 wrote to memory of 2320	1152	vbc.exe	140

C:\Users\Admin\AppData\Local\Temp\RAT\file.exe
"C:\Users\Admin\AppData\Local\Temp\RAT\file.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4284
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vfszjftc.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1BD0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD95CA4768F1A4ACA8A57A0B09A55B347.TMP"
    3⤵
    PID:4696
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7tmdkhu1.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1388
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1C7C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc91AB19C01C14D6CB15EDDA5F15DDDAD.TMP"
    3⤵
    PID:3012
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rr5vmw6l.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1000
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1D76.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB3CF1C3F7B814290B57F18945335890.TMP"
    3⤵
    PID:1752
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qfbrghnm.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3920
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1E22.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4DBCF8BAA6764395B650C2440D5E888.TMP"
    3⤵
    PID:1444
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\keh5xusg.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1712
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1E8F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB11C331D97548EBBAE66AA90DDD945.TMP"
    3⤵
    PID:4464
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uyydxrwt.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1EFD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc531ABAA458E43459D9C47D1125B423.TMP"
    3⤵
    PID:708
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\icuhge4r.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1268
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1F6A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA70C57B2155C4526BDE6A3FBB3B4F4D7.TMP"
    3⤵
    PID:3176
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fiewvxoc.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4084
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1FE7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5672C411C8174A2E8E43BFEABAFAA262.TMP"
    3⤵
    PID:2248
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uryp2gmr.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3964
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2035.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB05A0C482B74F7892E94F27A773865.TMP"
    3⤵
    PID:3512
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bcwigmnp.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4152
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES20A2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc72FBDC71F0AB49F4A48F9B78D48ACFA2.TMP"
    3⤵
    PID:3532
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pqe-dyrd.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4784
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES20E1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc595709B4A6B2472BA2D7B81B543CCBAE.TMP"
    3⤵
    PID:3276
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uunkwixj.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1828
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES213F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFC733C5AC4D543AE939D645B6E4F5E9A.TMP"
    3⤵
    PID:408
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\icdu1cr8.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:448
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES218D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEE418F9961644F6CA52BC6B9CF27BCB7.TMP"
    3⤵
    PID:3396
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mi-hsoxj.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1680
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES21EB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7C44A5BACA174744A4F2959616EF74.TMP"
    3⤵
    PID:4132
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jy4sx2d8.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:436
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2258.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc816DDDCA86CE4C03BFD5944A29974EB9.TMP"
    3⤵
    PID:1524
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\32nqz2xb.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1152
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES22B6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc80E964D37394420DBE73B6D7B628B7F.TMP"
    3⤵
    PID:2320
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\k_mfelts.cmdline"
  2⤵
  PID:3384
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2333.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE323CBECA5E84FB4BA16483B91FC283.TMP"
    3⤵
    PID:4200
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\w3h1vtxd.cmdline"
  2⤵
  PID:3940
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2390.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD371E833A5CE422390E695AACB6CA8DD.TMP"
    3⤵
    PID:1200
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kynx_r2h.cmdline"
  2⤵
  PID:3040
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES23EE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEED1F74A9E2A45E6A1A864B5B178764.TMP"
    3⤵
    PID:4264
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qbzjtt2a.cmdline"
  2⤵
  PID:1016
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES244C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8A08B79048DE41D3AA34B2AC473FF668.TMP"
    3⤵
    PID:536
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4itdndl8.cmdline"
  2⤵
  PID:2460
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES249A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAFCEECFCEF8D4FA0A04A6D57EE12F0AF.TMP"
    3⤵
    PID:4976
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\v-dkiosx.cmdline"
  2⤵
  PID:388
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2507.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD57D00219BF64022A8FBA4B498668E43.TMP"
    3⤵
    PID:4416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\RevengeRAT\vcredist2010_x64.log-MSI_vc_red.msi.ico

Filesize
4KB

MD5
c350868e60d3f85eb01b228b7e380daa

SHA1
6c9f847060e82fe45c04f8d3dab2d5a1c2f0603e

SHA256
88c55cc5489fc8d8a0c0ace6bfb397eace09fba9d96c177ef8954b3116addab7

SHA512
47555d22608e1b63fbf1aacee130d7fc26be6befaa9d1257efb7ad336373e96878da47c1e1e26902f5746165fc7020c6929a8a0b54d5ad1de54d99514cc89d85

Download Submit
C:\ProgramData\RevengeRAT\vcredist2010_x64.log.ico

Filesize
4KB

MD5
64f9afd2e2b7c29a2ad40db97db28c77

SHA1
d77fa89a43487273bed14ee808f66acca43ab637

SHA256
9b20a3f11914f88b94dfaa6f846a20629d560dd71a5142585a676c2ef72dc292

SHA512
7dd80a4ed4330fe77057943993a610fbd2b2aa9262f811d51f977df7fbcc07263d95c53e2fb16f2451bd77a45a1569727fbf19aeded6248d57c10f48c84cb4da

Download Submit
C:\Users\Admin\AppData\Local\Temp\7tmdkhu1.0.vb

Filesize
362B

MD5
31e957b66c3bd99680f428f0f581e1a2

SHA1
010caae837ec64d2070e5119daef8be20c6c2eae

SHA256
3e32c4b27f7a5840edc2f39d3fc74c2863aa2dfd9a409f1f772b8f427091a751

SHA512
6e61d77c85c1bf3fd0c99630156e0390f9a477b4df0e46218054eae65bee7766443905f48e3f3c7dec72b3fb773f758cf175df54f1ed61ac266469579f3997af

Download Submit
C:\Users\Admin\AppData\Local\Temp\7tmdkhu1.cmdline

Filesize
227B

MD5
05bfc0604aedf08ae05f6fd60dc96b44

SHA1
96bc04064ca2bbb979fb7180266770b4f63d1df0

SHA256
2ceb1d95e39de874d65afb6ba0a6b62232c10fef840db104bf3c79a05c3c51de

SHA512
eec2eafc973554003244344bb909e2c36b7a892ed3280bd125a687815394804361ce902ceb7a7f9bffeef90956f5b539cae6e230449c41874d508422b990be5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1BD0.tmp

Filesize
5KB

MD5
79834e7db77cf9b3aef5cb0ba85b8471

SHA1
fdf93c2754defd54df5915b45ba26dbfc6bdc87c

SHA256
22d6d5a07b916464411683eabebae01388ca9239b0f2883b2d058eef7623e7f1

SHA512
487f0a874faa5b7aac5bf648c9cacafe798e5e8916d62f6f73fc0983af2ac57e27c1326bb785cfbc56416f36bf82b2c797db244eca4e3ecf21046ea63cd9a7ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1C7C.tmp

Filesize
5KB

MD5
e3f8ec9ed35255f4e7150f360b4facbb

SHA1
41f327e98b35bd0aafc24358285cd64d7e623839

SHA256
c0ce83879e28deb124b0acbf5ba2ae2d7ed5b79b49321e7e392f390eb813698e

SHA512
f8a61fa8b0175ce357ffeac4353a917b472e68f4f4f01a4dfb533fd7adc6e5ff1249cfc02777cdea41e7d9b398816bc305c309a020d0fc6281faa1e922fe8102

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1D76.tmp

Filesize
5KB

MD5
3ee9ea035f37cd8e948dee96b467d83b

SHA1
2d35e182794bed3377823e0d1e2aa300e35fc1da

SHA256
1960a878ddd6c3927296ec209227ac18533be95f745ed3fcb33bf8b947989c4b

SHA512
c77ef39f6f0fa055d149071b2ae6a9338c583b730fd0f8291a0f0c387638a4294cf6046e04e1d40113520fdf4e4a38cee9fc91ff14c78854f9a4f2debdec98b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1E22.tmp

Filesize
5KB

MD5
09ec6f4d3afdd769c31f8303d9737353

SHA1
09dcd0810acdbbe871f71eee9b796916a0c26fc4

SHA256
3e8c7bcc23453ac6d473d7134c7642aa10effb3bd428e71807d8c85f0c53137c

SHA512
be5575983d172b0c128d78efc19ab9ee5897b0c4d658ef6fd60df85a2e32ae4cbda5ab32e09679a924bfa1d0c40e981da283b4e40427143180cd75f6191ea80e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1E8F.tmp

Filesize
5KB

MD5
51ced81e0b41e3ef29214c3b9902b4ad

SHA1
b61f1b3c6f900b7b157fd591b5c5e70cd8945d6c

SHA256
1e21cdac2f1f46a9aae18588f535bbf77f084f06d2919f0835e9f49bf2ef4e17

SHA512
4e8f461f6eb95e0b2346d7c30711ea3837d4d74c7c8073a5edfbf02c36ddf98d203135662d97a3c9b4a88751bd0bca4a68852fd0910ab2ddf98f5dcd56e41836

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1EFD.tmp

Filesize
5KB

MD5
720c551f2167842ac858ccf1b9cccf51

SHA1
51c2d7235c17c075cc047cab752733c5d4421691

SHA256
f71e95c61cbe65b597fbc8702c08b4d76184c48f3bffcc27de0d83ccacf7374e

SHA512
07916d6cc132c5abc43ae4b54b523c05329139d54eaa6aaa52f3d9670c8a2548d0b6c12e0bb46c8a45c530064951546942177481d3e6a1cb98b468daf9cb590f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1F6A.tmp

Filesize
5KB

MD5
e41d151e1e8e2a06ed06fe3b9b337796

SHA1
06d20cd5e710678f4626a52dd91e558774ddbe7d

SHA256
9592cf9f18ce1e782fdac5fb236a8e27732b4bd8d04c1f634efc77ff84151a22

SHA512
7ba1325b44d3abc58fa003b201259fb16fbeb330d4c7f91501d3f08ef4db5f1687586033f16c2b00d4bac36a5bbdbcc24b0d9b8e048975f09f9acd5d9b92b321

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1FE7.tmp

Filesize
5KB

MD5
befcd302d4a845182a4e472775c00855

SHA1
9a9015bfcd26e6bc226d09d3591a87e4734b5a6e

SHA256
863025c565d68bd4a2de9b271045dc1ce9f5cf245138de3a4ebb2ceec53baf4b

SHA512
8a7850e04996784a7214fc26e4a26cf1ae7b761139f0af94bb2168350e0ae024a62e5de07fbe962002d84aa6ae75e3117951b97cd57df3138c9a919a5d2f5468

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2035.tmp

Filesize
5KB

MD5
28f7576eb27afdd49789369c96cb3aa6

SHA1
bf888120e8c64d8ef7229ff90e5e513e284c7608

SHA256
7af4332e233a4f8248542c907fed78498ecd44e3b0870f52f6c219d2c4e5cd1f

SHA512
977646502bea58e269ff6faa0dc3d1d0a354b7d949db9c1efbb79423b63272c5ce124f81aac38ccd812c23241247218095badae7a1c9abf76f6dd694b599db82

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES20A2.tmp

Filesize
5KB

MD5
a7c3219be82892b28c57bacd6fdcadef

SHA1
2d0cfbd0b37c819146c96b6c43ce44e8ff333986

SHA256
eca261e116d8a0d431f2241e7d39f44341bac2f0540204ff715cf26def6e1e04

SHA512
36b9fbcb252635dd0d56ceaa0e2d5b5841c1ee811af411cf22f3ba0c9d15b64633bab4ddddca8350998f484db24cde261bd43a35a7a14a420a2161fffa9b85be

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES20E1.tmp

Filesize
5KB

MD5
a89092c51da453d497ea8a885fda64f0

SHA1
d7120d4cc5bf2bb9dfe5c08d383a7e0665a0a1b6

SHA256
abe9deb76aea6d1fbad27c202695371be7e3cc602d121135cf32f4428ab13fcc

SHA512
b5f5a1d5038b9c804cbf08f546703901ca6f6ebf1e74e0895d68727a7b56ac974e8f622c6e3797959a54e8f19324ad9b225758bfd4d35bce92ef3c3d0ad3dfcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES213F.tmp

Filesize
5KB

MD5
311aca7e57ed4c9fe77eb33c5f285ee8

SHA1
ee6257bd50e9b73aa6315c596a4cfd15218cb7d6

SHA256
03acd0425de9c11daab086659c8d6abc109f3e36d748e7e7858de95d6489e307

SHA512
4877b5843454fd64e8e97e8fc2296ee70e07c985ff5e2f7ef7d998756bf2840969cc3b00c13ed94b8075dab0d9c51e224aa644fa6d22bccad973635473a78c56

Download Submit
C:\Users\Admin\AppData\Local\Temp\bcwigmnp.0.vb

Filesize
385B

MD5
0ad1ae93e60bb1a7df1e5c1fe48bd5b2

SHA1
6c4f8f99dfd5a981b569ce2ddff73584ece51c75

SHA256
ea68ce9d33bd19a757922ba4540978debcba46f1133fbc461331629e666d6397

SHA512
a137a8f18a2b2ff9c31556044dd7c41fb589a6a52b15e4dc6cbb3ba47ab4a06d8b9ad54fb498100dab33f8a217848d31f14daca736045afb4f76ffb650b17f03

Download Submit
C:\Users\Admin\AppData\Local\Temp\bcwigmnp.cmdline

Filesize
274B

MD5
73902a770883421eb91f7bb541dcd7cd

SHA1
61bf5a6662b82d0617653075e161887b6921e5eb

SHA256
2eeaccc1560e2f43628688327fa3775aadcd0e6236db3b59302188229f2d01e2

SHA512
ae28422ff8344467d6bbe1645581757c77d873c738b6c43abb6e4b78e1958ca379405d84f6b1c719ae9dac943ae52e8f7804ccae5777c1081b52704d179d9455

Download Submit
C:\Users\Admin\AppData\Local\Temp\fiewvxoc.0.vb

Filesize
383B

MD5
a236870b20cbf63813177287a9b83de3

SHA1
195823bd449af0ae5ac1ebaa527311e1e7735dd3

SHA256
27f6638f5f3e351d07f141cabf9eb115e87950a78afafa6dc02528113ad69403

SHA512
29bec69c79a5458dcd4609c40370389f8ec8cc8059dd26caeaf8f05847382b713a5b801339298ff832305dd174a037bfdb26d7417b1b1a913eacf616cd86f690

Download Submit
C:\Users\Admin\AppData\Local\Temp\fiewvxoc.cmdline

Filesize
270B

MD5
0170013f08f2d32287ae10cc0b314a3e

SHA1
4c3b7a1d11b2b7d23dab6af1d17cbd39eeb115f6

SHA256
6e93aac97d8ca5ff8d37a45e3fc7eb041e13b1918769f3a762ee55fde9268b84

SHA512
e91ffce6537cd99ba967d32338ec09eadbcba0dabc8f4db595af75dc3b683d005492870ae4b8bb74b8d17bdc26d430ca0acaf4e39c8bfead4e66345b2b547723

Download Submit
C:\Users\Admin\AppData\Local\Temp\icdu1cr8.0.vb

Filesize
382B

MD5
37c6619df6617336270b98ec25069884

SHA1
e293a1b29fd443fde5f2004ab02ca90803d16987

SHA256
69b5796e1bb726b97133d3b97ebb3e6baac43c0474b29245a6b249a1b119cd33

SHA512
c19774fc2260f9b78e3b7ee68f249ce766dcdc5f8c5bc6cfc90f00aa63ce7b4d8c9b5c6f86146aa85e15fd0c5be7535cc22e0a9949ef68fbd5aca0436c3bd689

Download Submit
C:\Users\Admin\AppData\Local\Temp\icdu1cr8.cmdline

Filesize
268B

MD5
a558157833aa629d1869aa55197083f0

SHA1
8478148d1d03cb9d32b09b4f71bb59f40b963987

SHA256
1d93fe11a5ea050b2450400b072dfc811760891749bd24f6bd60d07f54dcb95e

SHA512
f9f8016d0faf12b6812f5e3af50ed975b77a0a444c4e4e1130a4677abb59fb2b3672755106342bd4039f30c8af7746bde2885bc4556deace787f240f33f78137

Download Submit
C:\Users\Admin\AppData\Local\Temp\icuhge4r.0.vb

Filesize
380B

MD5
6a3d4925113004788d2fd45bff4f9175

SHA1
79f42506da35cee06d4bd9b6e481a382ae7436a1

SHA256
21be523eca2621b9e216b058052970dc749312d2c26836639d8e8faff94c76bb

SHA512
2cfdecfa0604ad7fd54f68bf55e7c52701c7b196de51412e172526affffd6e6c4bc443b6df0fb21d2c777c809aa4e3809bd2b5b385e0d033604b6b653a0f416d

Download Submit
C:\Users\Admin\AppData\Local\Temp\icuhge4r.cmdline

Filesize
264B

MD5
130a515ee57b304a38eb1bc47a39122a

SHA1
dc3952ad6e4cc594e9d85df6ad8fb1ffac00603c

SHA256
22fa1105a619d1de509520c82853ff28b1f8142c59ddc22aeaf695ed9d2ae0ed

SHA512
03025e2480a39326d97e5a121c4c95c09d50bb9910bd35d1563999eb9da284378f001908b86653a811418ff4aabd6ff4b2e9f77acbae91ec9de7d08cc8b69bae

Download Submit
C:\Users\Admin\AppData\Local\Temp\keh5xusg.0.vb

Filesize
380B

MD5
3cbba9c5abe772cf8535ee04b9432558

SHA1
3e0ddd09ad27ee73f0dfca3950e04056fdf35f60

SHA256
946d0a95bf70b08e5b5f0005ff0b9ad4efe3b27737936f4503c1a68a12b5dc36

SHA512
c3c07c93011dc1f62de940bc134eb095fa579d6310bd114b74dd0ae86c98a9b3dd03b9d2af2e12b9f81f6b04dc4d6474bd421bce2109c2001521c0b32ae68609

Download Submit
C:\Users\Admin\AppData\Local\Temp\keh5xusg.cmdline

Filesize
264B

MD5
c4e53ada3702d105aea2ea08129e3d5b

SHA1
cda79f78da69f917771da556ce7aa0753b44a0b8

SHA256
53144cf8edf397547ecc6843dad64521a6a38e23ef5aa2f873698ff96ed32e0f

SHA512
c321197ac2f8cd527460ce8183c5a6abdc34e7ef906c733a400847aaeceeb451b550625d3e0766fe382bfd5b2cdb71cb5d3dc3eecb17890b1b7d482b437c4e1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pqe-dyrd.0.vb

Filesize
382B

MD5
7d4fad6697777f5a8450a12c8d7aa51f

SHA1
879db5558fb1a6fac80a5f7c5c97d5d293a8df5c

SHA256
741018cae167c9f6c1206e75ddf3d758543f9a16bec5d56a07fab9eb5439e3f6

SHA512
6a31b4eab1829db245773e18e97f9a9956224174e28218476e45e8907bf8b4341ed732a0153a320cb956f2eca4e014c1ef6b0c6f627cf97a79b7a81f8e1fe144

Download Submit
C:\Users\Admin\AppData\Local\Temp\pqe-dyrd.cmdline

Filesize
268B

MD5
db10b86bbf18bee5d963f9cbf8ef8283

SHA1
7d5ba345f52d04b2c91a297d8da8512d8fe44f86

SHA256
8abdb1f590caed79330081f717377c3e8bfd9c52c423f62b1f103aadd4d0df26

SHA512
088e609d5964debec4cd8712bbed9d921d1bb85d18f00473340d58fc34535e7f012ad1527063a8e357a291801bd8f583ab1a4e5cd1f796c0ca1d5b5db6f45892

Download Submit
C:\Users\Admin\AppData\Local\Temp\qfbrghnm.0.vb

Filesize
362B

MD5
3b4aed436aadbadd0ac808af4b434d27

SHA1
f8711cd0521a42ac4e7cb5fc36c5966ff28417b6

SHA256
ee55ee594a9bb7acee0dfaa9aaa31ebc044e3090b5a68baef63ddd2f6493d3a6

SHA512
6ca8a69f31876db620e8818d896257d3683dcf859841afa3ba7b83ae57ce67c47b98b4e44c449b02eb789b683b840e769857b10cf16a5a5882683e96f65ab5ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\qfbrghnm.cmdline

Filesize
227B

MD5
cddc2885b106bbae839131d6141e527d

SHA1
9f7f68e609ac0636bd78790300ecbd598dd3bde9

SHA256
300839657d5d2983aa325cb573512d4d2d407046de88afc0e6d59a826ce8053d

SHA512
6f79cac93efa386a8760af1ccecb30939e27e402c13518709b289e58c8fd9a915789f602fbd6fa182ce7d89282eae791ac86619b0be53027949b3c55176178cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\rr5vmw6l.0.vb

Filesize
376B

MD5
0c699ac85a419d8ae23d9ae776c6212e

SHA1
e69bf74518004a688c55ef42a89c880ede98ea64

SHA256
a109cb0ae544700270ad4cb1e3e45f7f876b9cfac5f2216875c65235502982fe

SHA512
674e3f3c24e513d1bb7618b58871d47233af0a450f1068762e875277bbddf6c4f78245988c96e907dbbf3aafb5ff59e457528b3efa8e0a844f86a17a26d4f3d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\rr5vmw6l.cmdline

Filesize
256B

MD5
6abf6edf34e457423db6760ed9ec8f0a

SHA1
f88a5972274ec3f3cf61b8ca6dac5d9e6aced7bb

SHA256
b64fa8a062cf1a7b7ce087f5efbda4499ffa706a55f7c01ab5957e528de9e8be

SHA512
d326316c56cee1f175d2c4fa62be5f5ab65f6f3346af4ff9582c679489bfab25e6dbca57addc6edeea34af6d81086c8162174c5df83a8caaff293deac0aae01f

Download Submit
C:\Users\Admin\AppData\Local\Temp\uryp2gmr.0.vb

Filesize
382B

MD5
44ab29af608b0ff944d3615ac3cf257b

SHA1
36df3c727e6f7afbf7ce3358b6feec5b463e7b76

SHA256
03cbb9f94c757143d7b02ce13e026a6e30c484fbadfb4cd646d9a27fd4d1e76d

SHA512
6eefa62e767b4374fa52fd8a3fb682a4e78442fe785bfe9b8900770dbf4c3089c8e5f7d419ec8accba037bf9524ee143d8681b0fae7e470b0239531377572315

Download Submit
C:\Users\Admin\AppData\Local\Temp\uryp2gmr.cmdline

Filesize
268B

MD5
f5fa2f2712b568ae03700dfb306ebcaa

SHA1
e1c7b296bd0bd4a6b6deb056f9c471d9ab135da4

SHA256
05489245204a32a45d676625b36dae9a1379c1fe82d18a7c0b4fe5ff4f1ba5d2

SHA512
a9d63920a6fe99b3efa26104aed910b941da42bd3dff3230b3208322e2d7d17ec70f68b90a687726c18968ed1a2ea79b1a74be4f2b82f34c29e12af5515f7193

Download Submit
C:\Users\Admin\AppData\Local\Temp\uunkwixj.0.vb

Filesize
385B

MD5
40650ce23f89e4cd8462efe73fa023ce

SHA1
8709317f898d137650ecb816743e3445aa392f75

SHA256
ae23b3ffff9fb03b649f412247c342e9cd970e371b0d5dea6be75a26617a5afb

SHA512
b6ec7998e2a9703e2badcb41e60128f340c1c4ffcb9aa2c6532b3dc18024abdec1f739148f45d66417df84f3beed1a15ddbf9f33da073018ab902531ccbde850

Download Submit
C:\Users\Admin\AppData\Local\Temp\uunkwixj.cmdline

Filesize
274B

MD5
85e7c38e9d72f94e95e75bafb8f3c9d1

SHA1
f39aad49292680b9edf152b10625e451bbbf2d56

SHA256
f67fd693a2dc64ea0f8d2c6178712c96d2af03a1510d600f77722cff11115d33

SHA512
c6ed63b8a13514e2eaece5098204a51665e371de4e805fbc7428739d8709bbc1776761faf782fa6a0d0823ed5efc4bcc73c78ffb37753aa34884d630c2e8c22a

Download Submit
C:\Users\Admin\AppData\Local\Temp\uyydxrwt.0.vb

Filesize
383B

MD5
e8615295f45d210bf3b7d023e3688b9f

SHA1
e33be2e3faddd8e48f62e0f30ad3cdc08bae7e33

SHA256
c81a9b36d60cc8d54374337bf1b116165c41be0cd2460ac35223fb790f5f94fc

SHA512
b48fa683711c9cd16f6e4e007145a508b617bbf9847efc1d81cdea75dda43bf88a3d094fc93fe8ef7c4b55e3dd1c4e687a6044b504b106262b2566c4ab944919

Download Submit
C:\Users\Admin\AppData\Local\Temp\uyydxrwt.cmdline

Filesize
270B

MD5
7a8638ef4f7796b8cf2e6609f199498a

SHA1
ab2751a19765aadc63a1d7f76da0d91ba02a32d8

SHA256
45b6b320289d8d55ed5c9c23bf63153a68229bc8c196f2cc8e3c035fbb51dbec

SHA512
b5c83458501f0ff9a980d2a07acaaea6c67ae937983d3b53dc0b0ee7e3c0ea90c041e0d570fa2797ff6f8e33ca84e700785705d41e5e44a76c4516a68039f3b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4DBCF8BAA6764395B650C2440D5E888.TMP

Filesize
5KB

MD5
83005fc79370bb0de922b43562fee8e6

SHA1
d57a6f69b62339ddadf45c8bd5dc0b91041ea5dc

SHA256
9d8d4560bcacb245b05e776a3f2352e6dbecd1c80ac6be4ce9d6c16bc066cd9c

SHA512
9888bf670df3d58880c36d6d83cb55746111c60e3949ec8a6b6f773a08c96d7d79305192c5ad9d7c6689e93770880a5be56968bd12868b8b5d354bf5b39bee05

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc531ABAA458E43459D9C47D1125B423.TMP

Filesize
5KB

MD5
bd6b22b647e01d38112cdbf5ff6569a1

SHA1
1d5267e35bd6b3b9d77c8ba1aca7088ad240e2b9

SHA256
ff30b5f19155f512e7122d8ab9964e9edb148d39c0a8eb09f4b39234001f5a6e

SHA512
08c7f1400f1a3cd4e1442152ef239a18dda7daac61f4c0b0ff461c2264949b3dcd6227cbca39ff3eef39345e001f89c1ca6702065d1b9bb1659f2cf48b299a9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5672C411C8174A2E8E43BFEABAFAA262.TMP

Filesize
5KB

MD5
38a9e24f8661491e6866071855864527

SHA1
395825876cd7edda12f2b4fda4cdb72b22238ba7

SHA256
a0dba3d6dd5111359fcaeea236f388b09fe23c4f8ec15417d5de1abf84958e96

SHA512
998fb6143141262e98dd6109bd43e1fc7389728a047d819b4a176b39bb1594e5f36c1e38cbbe41023bb91a32a33b0aa9901da1dda82513882ade7f8bd4196755

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc595709B4A6B2472BA2D7B81B543CCBAE.TMP

Filesize
5KB

MD5
694fb05871caccdce836dd0f109c4f86

SHA1
0cfa12096a38ce2aa0304937589afc24589ff39a

SHA256
bc1513ac66cd5adf438ed32370cf1bb219e07e602cc796525b822b0bd78b12fe

SHA512
50944dfe4013054ddf1529e6fe4d23af42aada5164dfea1316fbf18846e38006ba3cc8ef03dd6ab7ceb810ccf25dafc0fb790e2a6a0b0f3b2197b640d65cacd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc72FBDC71F0AB49F4A48F9B78D48ACFA2.TMP

Filesize
5KB

MD5
3ca7194685ffa7c03c53d5a7dbe658b1

SHA1
c91550da196d280c258d496a5b482dfdae0d337c

SHA256
09fd06c1908591feac9dcda2a519bf862519267cd4e42c9d25b772b1d9161f39

SHA512
949801ea9aa592e118678ff62949633e9f0502f2c07bbb398484de6911f9cf652f40bfb446aee8ec59f6262fb8da8792efa56119c90eee44a199dab7226b54b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc91AB19C01C14D6CB15EDDA5F15DDDAD.TMP

Filesize
5KB

MD5
0fe8a8eff02f77e315885b53503483a8

SHA1
953a58a0ff6736967270494a986aca7b5c490824

SHA256
2d2c202dfa06961e1fad395fe08f9caa4b1004f71a0c37457581fa095229afba

SHA512
e0fbfcb9a2db833bea58e5ed923f93689ee598c76f27fb57e19d9a7f110369035f00c3d0d4f229997aeb7b3dd38a24a5a76d55f66f35040fe986f31d8f79a7af

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA70C57B2155C4526BDE6A3FBB3B4F4D7.TMP

Filesize
5KB

MD5
40106f913688ab0f9bcbe873333d3dbd

SHA1
bbe7cd918242a4ddc48bdcd394621cccf5a15d91

SHA256
1d1a8ff68478aed22714dab15691996d196dc975a18f656261417dfdd85dcf47

SHA512
67052405e9a8bdf9d836af9fdb13f0a4f57e7e90f0d2c3c5fd10830423e1401193699ff3b195e0cdcb2a89a3582f623ec9e5ebbef899300cf354c0ae89b765d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB05A0C482B74F7892E94F27A773865.TMP

Filesize
5KB

MD5
17a9f4d7534440cae9e1b435719eceb9

SHA1
bc4c3569dbd3faf4beac74a4b3ea02b33e019530

SHA256
5e05232caa624438da3cd74d3cf72b04c2b383fd68448a110b892a4913e91470

SHA512
673b374c701d5756a55fd20122b00c497843b5116cc6e7dfd4b71755a692024d70a30c00f803427c343f2227ed5bc48df67234a41cb88dbf5eed70810e470f07

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB11C331D97548EBBAE66AA90DDD945.TMP

Filesize
5KB

MD5
97ea389eab9a08a887b598570e5bcb45

SHA1
9a29367be624bb4500b331c8dcc7dadd6113ff7e

SHA256
ab2e9e4fa0ade3a234fb691e1043822f23b6642a03bf355e8a94bbe648acd402

SHA512
42ab57f66062848ed8ed5384f3e3beca0d446fa1889f2960e349271ccd72f80632b7c372d11a7cf3e9da8c1119668bc748ac663def652b044101f2f31e398a36

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB3CF1C3F7B814290B57F18945335890.TMP

Filesize
5KB

MD5
bb7c2818b20789e4b46db3b54dbbbb12

SHA1
b262ea7343363caae54bcce98e96e163cdf4822d

SHA256
a944a5a52b5edfd19415c068a810b7249e5b5622d8faeee5d36f3fcb2462de67

SHA512
b101eb7a02d1911adee23bd63f5dbc84490b498583b802b4db0ab763de2c6abcbbb1bd28b17f9ad24e094e51bc3614bcf09c3a72841c500a9ae8d57e02a211ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD95CA4768F1A4ACA8A57A0B09A55B347.TMP

Filesize
5KB

MD5
7092dd0251b89b4da60443571b16fa89

SHA1
08cb42f192e0a02730edf0dfa90f08500ea05dd2

SHA256
2aa88b69c033bd712f9752eefa5624f534b915bb5dada74133d2ac0c67beebf7

SHA512
7067f485062be4fea3d52815e4dbdad50b1c53c30b5b354d64ddf4d5126788d169b90bba26dec25ecbf40e23ea59991d149e12859838e6b10028be0c86c5af7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcEE418F9961644F6CA52BC6B9CF27BCB7.TMP

Filesize
5KB

MD5
9874538991433131fb3158b7b1f83d46

SHA1
9e9efd410b28be52f091ceab335eb1e6ed8e001c

SHA256
2d5286b5a40631602fb0c35d2b9da6236434a22f3dfc1b98239987d72ae8d04c

SHA512
9ee53b9dccdc5418870ffee74e692b01c0d78305bebbb360d01aa628957914a4ed8f36afa83cbc016ee8694b8da8d08fec4de4b227b6429b5f1f48b13a3efb42

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFC733C5AC4D543AE939D645B6E4F5E9A.TMP

Filesize
5KB

MD5
b751c6d2b6e47c4ca34e85791d8d82ff

SHA1
e9e7402eece094b237e1be170fecc62b33ffb250

SHA256
c66789b3014305976b263fa7bbb629bcf543d07f0c2bfa11cde4a2aa957b26d4

SHA512
d9f7a8a1ffffcf13c6fa35a8a76f9adbde49ebfe1de6a4fa0e3e0cfcd3a28e035a0ba5a6e5d9a4c5fc9cad2adf1f93fecff036f1540f3f623fdafa226f2ded0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vfszjftc.0.vb

Filesize
376B

MD5
52ddcb917d664444593bbd22fc95a236

SHA1
f87a306dffbfe5520ed98f09b7edc6085ff15338

SHA256
5c55dcac794ff730b00e24d75c2f40430d90b72c9693dd42c94941753a3d657d

SHA512
60dafb21f44cbf400e6f8bc5791df9a8d497da6837fb1a453fda81b324ac6f70fb9ec0efb1e7649b9bed0dfe979016360f3bcfef543d7e9432a97b96c8b9fd35

Download Submit
C:\Users\Admin\AppData\Local\Temp\vfszjftc.cmdline

Filesize
256B

MD5
27a614607329ae368de0cb6fe91eac8d

SHA1
3919bb4c426283400f3660a1d3c036d047d4a9a7

SHA256
3e8c4930aa4aed94922936b8c95e04f0d3b10f8a2a3815daac66b89e12fea6c0

SHA512
a334f5e5f0258211dffc5cd951f074c8146305336be5426c500b4e5b7624583a98eb65e395c991a1ac4e7804e4028c260654d54368cb826e0a7976286f0b5648

Download Submit
memory/1388-42-0x00007FFB44D40000-0x00007FFB456E1000-memory.dmp

Filesize
9.6MB

Download
memory/1388-43-0x00007FFB44D40000-0x00007FFB456E1000-memory.dmp

Filesize
9.6MB

Download
memory/2264-26-0x00007FFB44D40000-0x00007FFB456E1000-memory.dmp

Filesize
9.6MB

Download
memory/2264-17-0x00007FFB44D40000-0x00007FFB456E1000-memory.dmp

Filesize
9.6MB

Download
memory/4284-10-0x000000001D140000-0x000000001D1DC000-memory.dmp

Filesize
624KB

Download
memory/4284-4-0x000000001BFE0000-0x000000001C042000-memory.dmp

Filesize
392KB

Download
memory/4284-3-0x00007FFB44D40000-0x00007FFB456E1000-memory.dmp

Filesize
9.6MB

Download
memory/4284-2-0x000000001BE70000-0x000000001BF16000-memory.dmp

Filesize
664KB

Download
memory/4284-1-0x000000001B9A0000-0x000000001BE6E000-memory.dmp

Filesize
4.8MB

Download
memory/4284-6-0x00007FFB44FF5000-0x00007FFB44FF6000-memory.dmp

Filesize
4KB

Download
memory/4284-7-0x00007FFB44D40000-0x00007FFB456E1000-memory.dmp

Filesize
9.6MB

Download
memory/4284-0-0x00007FFB44FF5000-0x00007FFB44FF6000-memory.dmp

Filesize
4KB

Download
memory/4284-5-0x00007FFB44D40000-0x00007FFB456E1000-memory.dmp

Filesize
9.6MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads