60b290310f67adb0ae186b4b938ca466a6b55653b2519261fa425127f5500a1f

max time kernel
140s
max time network
145s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-09-2024 14:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RAT/file.exe
Size

101KB
MD5

88dbffbc0062b913cbddfde8249ef2f3
SHA1

e2534efda3080e7e5f3419c24ea663fe9d35b4cc
SHA256

275e4633982c0b779c6dcc0a3dab4b2742ec05bc1a3364c64745cbfe74302c06
SHA512

036f9f54b443b22dbbcb2ea92e466847ce513eac8b5c07bc8f993933468cc06a5ea220cc79bc089ce5bd997f80de6dd4c10d2615d815f8263e9c0b5a4480ccb4
SSDEEP

1536:fkSJkZlpqwZoMoG5XoZnOZBX7D/3BINVRX3FjBqa8D3tSYS9h:MXlpqwZoMz5XoZncB/3BINZjy9SYS

Score

7^/10

persistence

Malware Config

Signatures

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RAT\\file.exe"	file.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2104	file.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 2920	2104	file.exe	31
PID 2104 wrote to memory of 2920	2104	file.exe	31
PID 2104 wrote to memory of 2920	2104	file.exe	31
PID 2920 wrote to memory of 2856	2920	vbc.exe	33
PID 2920 wrote to memory of 2856	2920	vbc.exe	33
PID 2920 wrote to memory of 2856	2920	vbc.exe	33
PID 2104 wrote to memory of 2940	2104	file.exe	34
PID 2104 wrote to memory of 2940	2104	file.exe	34
PID 2104 wrote to memory of 2940	2104	file.exe	34
PID 2940 wrote to memory of 2592	2940	vbc.exe	36
PID 2940 wrote to memory of 2592	2940	vbc.exe	36
PID 2940 wrote to memory of 2592	2940	vbc.exe	36
PID 2104 wrote to memory of 2292	2104	file.exe	37
PID 2104 wrote to memory of 2292	2104	file.exe	37
PID 2104 wrote to memory of 2292	2104	file.exe	37
PID 2292 wrote to memory of 1944	2292	vbc.exe	39
PID 2292 wrote to memory of 1944	2292	vbc.exe	39
PID 2292 wrote to memory of 1944	2292	vbc.exe	39
PID 2104 wrote to memory of 1380	2104	file.exe	40
PID 2104 wrote to memory of 1380	2104	file.exe	40
PID 2104 wrote to memory of 1380	2104	file.exe	40
PID 1380 wrote to memory of 304	1380	vbc.exe	42
PID 1380 wrote to memory of 304	1380	vbc.exe	42
PID 1380 wrote to memory of 304	1380	vbc.exe	42
PID 2104 wrote to memory of 1712	2104	file.exe	43
PID 2104 wrote to memory of 1712	2104	file.exe	43
PID 2104 wrote to memory of 1712	2104	file.exe	43
PID 1712 wrote to memory of 1660	1712	vbc.exe	45
PID 1712 wrote to memory of 1660	1712	vbc.exe	45
PID 1712 wrote to memory of 1660	1712	vbc.exe	45
PID 2104 wrote to memory of 1644	2104	file.exe	46
PID 2104 wrote to memory of 1644	2104	file.exe	46
PID 2104 wrote to memory of 1644	2104	file.exe	46
PID 1644 wrote to memory of 1420	1644	vbc.exe	48
PID 1644 wrote to memory of 1420	1644	vbc.exe	48
PID 1644 wrote to memory of 1420	1644	vbc.exe	48
PID 2104 wrote to memory of 2772	2104	file.exe	49
PID 2104 wrote to memory of 2772	2104	file.exe	49
PID 2104 wrote to memory of 2772	2104	file.exe	49
PID 2772 wrote to memory of 2464	2772	vbc.exe	51
PID 2772 wrote to memory of 2464	2772	vbc.exe	51
PID 2772 wrote to memory of 2464	2772	vbc.exe	51
PID 2104 wrote to memory of 1492	2104	file.exe	52
PID 2104 wrote to memory of 1492	2104	file.exe	52
PID 2104 wrote to memory of 1492	2104	file.exe	52
PID 1492 wrote to memory of 1948	1492	vbc.exe	54
PID 1492 wrote to memory of 1948	1492	vbc.exe	54
PID 1492 wrote to memory of 1948	1492	vbc.exe	54
PID 2104 wrote to memory of 1128	2104	file.exe	55
PID 2104 wrote to memory of 1128	2104	file.exe	55
PID 2104 wrote to memory of 1128	2104	file.exe	55
PID 1128 wrote to memory of 1536	1128	vbc.exe	57
PID 1128 wrote to memory of 1536	1128	vbc.exe	57
PID 1128 wrote to memory of 1536	1128	vbc.exe	57
PID 2104 wrote to memory of 1956	2104	file.exe	58
PID 2104 wrote to memory of 1956	2104	file.exe	58
PID 2104 wrote to memory of 1956	2104	file.exe	58
PID 1956 wrote to memory of 2128	1956	vbc.exe	60
PID 1956 wrote to memory of 2128	1956	vbc.exe	60
PID 1956 wrote to memory of 2128	1956	vbc.exe	60
PID 2104 wrote to memory of 1832	2104	file.exe	61
PID 2104 wrote to memory of 1832	2104	file.exe	61
PID 2104 wrote to memory of 1832	2104	file.exe	61
PID 1832 wrote to memory of 1524	1832	vbc.exe	63

C:\Users\Admin\AppData\Local\Temp\RAT\file.exe
"C:\Users\Admin\AppData\Local\Temp\RAT\file.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ncx_coma.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1AD2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1AD1.tmp"
    3⤵
    PID:2856
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\t4d6mrgy.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1B4F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1B4E.tmp"
    3⤵
    PID:2592
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ymshh-_b.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2292
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1BBC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1BBB.tmp"
    3⤵
    PID:1944
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nbczcju8.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1380
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1C0A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1C09.tmp"
    3⤵
    PID:304
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\a3i_xqen.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1712
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1C58.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1C47.tmp"
    3⤵
    PID:1660
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mehedtcy.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1644
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1C96.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1C95.tmp"
    3⤵
    PID:1420
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yb48ncja.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1CD5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1CD4.tmp"
    3⤵
    PID:2464
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\krlz0cig.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1492
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1D23.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1D22.tmp"
    3⤵
    PID:1948
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\r8iyezw0.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1128
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1D61.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1D60.tmp"
    3⤵
    PID:1536
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ud74yck0.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1956
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1D9F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1D9E.tmp"
    3⤵
    PID:2128
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4h_f36vr.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1832
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1DED.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1DEC.tmp"
    3⤵
    PID:1524
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6mwy4yfe.cmdline"
  2⤵
  PID:2344
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1E2C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1E2B.tmp"
    3⤵
    PID:1784
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\a5zlri7f.cmdline"
  2⤵
  PID:2372
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1E6A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1E69.tmp"
    3⤵
    PID:2324
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0wbhyu-9.cmdline"
  2⤵
  PID:1484
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1EB8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1EB7.tmp"
    3⤵
    PID:1804
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xwjmkhyl.cmdline"
  2⤵
  PID:1588
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1F06.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1F05.tmp"
    3⤵
    PID:2300
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\i8_k744f.cmdline"
  2⤵
  PID:2312
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1F45.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1F44.tmp"
    3⤵
    PID:2168
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ru5kvfzc.cmdline"
  2⤵
  PID:2736
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1FC1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1FC0.tmp"
    3⤵
    PID:2888
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\thcarmhc.cmdline"
  2⤵
  PID:2704
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2000.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1FFF.tmp"
    3⤵
    PID:2968
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qx9ugsgp.cmdline"
  2⤵
  PID:2580
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES203E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc203D.tmp"
    3⤵
    PID:2820
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fc0ngrkn.cmdline"
  2⤵
  PID:2748
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES207D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc207C.tmp"
    3⤵
    PID:2060
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jqquf97b.cmdline"
  2⤵
  PID:1676
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES20BB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc20BA.tmp"
    3⤵
    PID:2332
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\g6gtj4em.cmdline"
  2⤵
  PID:304
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES20EA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc20E9.tmp"
    3⤵
    PID:1356
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\adna7n4i.cmdline"
  2⤵
  PID:1780
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2128.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2127.tmp"
    3⤵
    PID:2644
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\j9dv1_ba.cmdline"
  2⤵
  PID:2028
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2167.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2166.tmp"
    3⤵
    PID:1828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\RevengeRAT\vcredist2010_x64.log-MSI_vc_red.msi.ico

Filesize
4KB

MD5
ce45fbf7c5fe46598627f56ab4b6c99c

SHA1
e0f344ec6aaaed70ecb1f40e74876316233c06b6

SHA256
68792990a84b5c3448ff99c952444ee0d02c1877cc3245e5ae7aa4023c2f2440

SHA512
f6929b1af23f4f960340cd0bc8158a861fa752f7acaeec47c2dc3829bce2367f5afc901f1ae358a1ccda02d8acb529487d36eedfeac1c793bfd49d6b4aad407a

Download Submit
C:\ProgramData\RevengeRAT\vcredist2010_x64.log.ico

Filesize
4KB

MD5
e69bd49fffc2d6799ce66c2ae6db27bd

SHA1
6975a39f2ebfdab8ed2697d1708bc5d3e5353c0c

SHA256
33437d4fc42ab9380d430969c2d194e6737217ec838223392eb9690f0a79637a

SHA512
b9a931802f9adfefa61d15381873556afc8a605dacfe2703505394c24f1d6214183029c6d28c67b6cfdc79fac7961afe26e4cccdddd9c4d0461deee7a090f4cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\4h_f36vr.0.vb

Filesize
382B

MD5
7d4fad6697777f5a8450a12c8d7aa51f

SHA1
879db5558fb1a6fac80a5f7c5c97d5d293a8df5c

SHA256
741018cae167c9f6c1206e75ddf3d758543f9a16bec5d56a07fab9eb5439e3f6

SHA512
6a31b4eab1829db245773e18e97f9a9956224174e28218476e45e8907bf8b4341ed732a0153a320cb956f2eca4e014c1ef6b0c6f627cf97a79b7a81f8e1fe144

Download Submit
C:\Users\Admin\AppData\Local\Temp\4h_f36vr.cmdline

Filesize
268B

MD5
901b9632e5cb959d65c867c60bf5182b

SHA1
8e022bc2f31dc887341526429b0d5a8fb019ea30

SHA256
159431aaa81df57974ad72980843c24d1dd6b4b81535f559cc15fe3f13989663

SHA512
ffe8fca6f2754045b0ed4187ed77924dc9249ad146d8446bf1247b6bc8834e006c9dd7de709494b903f35a4379e4acf3d0eee652bf47cb0a1f70a63e1934eb72

Download Submit
C:\Users\Admin\AppData\Local\Temp\6mwy4yfe.0.vb

Filesize
385B

MD5
40650ce23f89e4cd8462efe73fa023ce

SHA1
8709317f898d137650ecb816743e3445aa392f75

SHA256
ae23b3ffff9fb03b649f412247c342e9cd970e371b0d5dea6be75a26617a5afb

SHA512
b6ec7998e2a9703e2badcb41e60128f340c1c4ffcb9aa2c6532b3dc18024abdec1f739148f45d66417df84f3beed1a15ddbf9f33da073018ab902531ccbde850

Download Submit
C:\Users\Admin\AppData\Local\Temp\6mwy4yfe.cmdline

Filesize
274B

MD5
2198642dc55e2f32c56669820b3ff4da

SHA1
e5b1aab18747c9514cb5e45fd840c5ee4f6c87c2

SHA256
9f844e0dfd62bd9b180a356a77ed22be235ac26aee2108acabfb4c299ba11e0c

SHA512
48e4106604a6306ac7489b64d2df39b3d73ee9278a44fe6d6a11504ded88c2da032435e37cb121dfd3c41d59cf9563b02ac3ef1a3c6d62ed18a30eaa50dda858

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1AD2.tmp

Filesize
5KB

MD5
842afe8591395876e798b992010bdace

SHA1
6c9a6dc7ebc9a7dc3ad8f15f7b61e0e3dca8eada

SHA256
9ce903b8929b4a797f1825ba658ddff8f74fd01c5322a826e248b07ad3279ba7

SHA512
578576e5b6586e2625f03d2b756c3e9bdc2f4446bf75454b31c750abfc383ce41bbc688c292d44786f8cb4863f331f3b18c90bf289ea4129cb0b2b34413c2fbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1B4F.tmp

Filesize
5KB

MD5
7357721870bd94e90e71802b2c50f579

SHA1
f48382ddb8364182e90845aad72a491ca863c66f

SHA256
b51a19a695974bf5bb4cca8be6d7a18cd1d1a88d3808864a331a930d733b304d

SHA512
718c76d015d0b542fc5bd1c88688af6b46f4cdf12c4e13d773e2614006fc19fa99832e377cedc999289f63c2ea46390b751d8acb0d4bcbe0f3e15aa6f2cfabd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1BBC.tmp

Filesize
5KB

MD5
8a4ed711ac9bce79fb380dbd0dd3e415

SHA1
665dcbc55b1aca714f893dbe0c09a787477716b2

SHA256
204055a8e9f194a188195d4359b2cef030f0b362038c23d70e43359217e508c6

SHA512
629365a47eae9d4f305bff38ffdf817fa4e76c442b62b1decfebf24495cebe7a014f3e8dcb079c937775d5b82fa23ab7ddd6f5e344de093a95e3f8d60bdcfcca

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1C0A.tmp

Filesize
5KB

MD5
891b2ed0bcbaaf32b4119a0537449bdd

SHA1
fed6fbaf6413141d431d0d9b43c1c85a8876594b

SHA256
8bb2606e280143ddc0049893a35f2df8fb7fbc3d4bc922dc89dfa13337c06342

SHA512
9f1131a3bd0e4cabb9f82a49c361b13772738c8104eba5b08913cb8f42da5ab984ba6aef8db6b144e1faace2fc88c4c40ff307631e614f79b5f65a8892aa92e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1C58.tmp

Filesize
5KB

MD5
d129da777f0ca5f552febfa102a1e856

SHA1
1292f098395588c830dd0241a884c94a8e3adf36

SHA256
927381e3f8cd75b89e26dbac80bd61c0b3dbce0389c106b7d6d6d098e7030580

SHA512
dc9a58f2766afb0522eab6e251bf426d2954f3f4215b34817cee5c1079c53aed891223ee695eb3a04ca6ca7d60b7181f63809985af10744ecda87945f81ae0f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1C96.tmp

Filesize
5KB

MD5
954104518795d6cce856d9cf9ddfb0fd

SHA1
7892484cbeeb67bce582ea7fc9136f0120d0d82e

SHA256
4225b538c614165fd28ac9b635dc2eb34e8bb4902fed83bab16fd6ecddff0b64

SHA512
70fb334daf731f49d6f6bdc862bbdc90db678ba81979fe4c49e67ddd94c6b53ee04cfaba7b524699f15ace704622bd205acd8ca747c63e8e7e309af1896cb551

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1CD5.tmp

Filesize
5KB

MD5
f3be0c120a8c3362faeeb0690920853d

SHA1
049283e72436e87849be48243ad7271a380a5b4b

SHA256
32925d113a74d962d0661350d6561eda8e1f2d54092bdd085725d0d241b83a14

SHA512
cfe371cbfcaa5f95f4d8ab9da7be2f0deb7299cd8e00e8e56cfaaf6eab416c016a07b642fce88d91ebedab8a88da048bed39002fa0f18c70ed76d82dadf94a7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1D23.tmp

Filesize
5KB

MD5
4ae62e299201a1cb8ed2c4e125ff6f9f

SHA1
c7aabfc4478ab9c2c12b44b4335950cff323da0c

SHA256
b126068f7b57aa326f365ccc07f9b7799e8489ff7ecbcc2ba3a89db4f3f1558f

SHA512
e613472a1f771be51a33dce43276dc6c86b5e145a77e989bb333b69ab9eab170cb32a567671afd944ced8d21b345d201bd1b895c1cb9815e49b8901e5d173e41

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1D61.tmp

Filesize
5KB

MD5
4f0019155766569fb72dd292fba8e4e3

SHA1
bfca25a32fd1560184538c60ceb6890e9ae04759

SHA256
f12b7d845d36a3f8bf40ee30af99783e6e1c9e6a148cc27c5a36fab1f0c4c96a

SHA512
6f710b08eada2431f546f6b35f7d933faef98fd12d993710cc729782450655d8b0391b18f1457723abeeb29c8dafce2e8d4f9a0b79f94226327e655d2ac19bde

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1D9F.tmp

Filesize
5KB

MD5
4f20141a323a9a8ef58456ce7904a1fb

SHA1
5345d3192820f56bbc206fc79acebd6c31f26fec

SHA256
88a3b8e59f06531cbf309923e6e16cd08ef088bbe96dfb0db6a52feab2b576ef

SHA512
94df05c838303c074e404fb08ad499b15d2e3c10dd534e9a48fbb7b5a851566ae5c76a009b60a66a33b616e9891d3a5854a9b1bf02b2cd7dc28ac6679ea606ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1DED.tmp

Filesize
5KB

MD5
a93189344a43740fbf6ea905f294edc7

SHA1
b5ec7d04c168e3d5369c14f2d659528cac226d5e

SHA256
37339b8a7335b623f412844f3be76c259778f7bc47c3f581594e115c69310ec8

SHA512
877ba782ad02c9001c0b6917608d8a97169412be1e6573a9565f3dd125f634017038f0d6a0209622345e4b464270d5c2bb4a6bff530738d442e07a51adf3b9e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1E2C.tmp

Filesize
5KB

MD5
4f7e076373a1060ef09734d0f916d8d7

SHA1
cfb204968d23a0005b4946d7d7e8a0a6e435f017

SHA256
35d1475315a753b5f819e4766b1df6fc850067ef8edd3d9fcdf86cd01f26d1c2

SHA512
3f2960bc64bad8f9cc689fb9d64aff899cc8a92b9e05297f94773292108cc7ed8d7409b98f14a0a13f5647465296e79d04825c4d7030374ff9a2ccf574db768b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a3i_xqen.0.vb

Filesize
380B

MD5
3cbba9c5abe772cf8535ee04b9432558

SHA1
3e0ddd09ad27ee73f0dfca3950e04056fdf35f60

SHA256
946d0a95bf70b08e5b5f0005ff0b9ad4efe3b27737936f4503c1a68a12b5dc36

SHA512
c3c07c93011dc1f62de940bc134eb095fa579d6310bd114b74dd0ae86c98a9b3dd03b9d2af2e12b9f81f6b04dc4d6474bd421bce2109c2001521c0b32ae68609

Download Submit
C:\Users\Admin\AppData\Local\Temp\a3i_xqen.cmdline

Filesize
264B

MD5
23eabdaf0376be24a674d5d2d75f7aa8

SHA1
f1f95b1f9f243b74720bd1761833923e0f2b852e

SHA256
171ef3d9bfe80e5c6748f02c2b60112dc97b6f0d2999b8a9032a9f45c6d40b07

SHA512
106e4809b53a00dc654d3df20e123f2180db67afdc77680d9d202b9aaa412ce5a0dcb24c7d041f531495519fc703c273c40fa843c006a4ef373aafacd3efe60a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a5zlri7f.0.vb

Filesize
382B

MD5
37c6619df6617336270b98ec25069884

SHA1
e293a1b29fd443fde5f2004ab02ca90803d16987

SHA256
69b5796e1bb726b97133d3b97ebb3e6baac43c0474b29245a6b249a1b119cd33

SHA512
c19774fc2260f9b78e3b7ee68f249ce766dcdc5f8c5bc6cfc90f00aa63ce7b4d8c9b5c6f86146aa85e15fd0c5be7535cc22e0a9949ef68fbd5aca0436c3bd689

Download Submit
C:\Users\Admin\AppData\Local\Temp\a5zlri7f.cmdline

Filesize
268B

MD5
442a57a558362db59322b8ed79296483

SHA1
3ff211a3318682aa930cf0bc6cfb115c83def6a5

SHA256
2d5d65d72a41ed93d50c4c97198e908f04906b4caf831fc552de820143d73146

SHA512
27ece6b4fc9050eb71233e4b6ec7fd8c6e1298dfabaa91a7cb8dacab89a584bea0aa2d66b99b2c532f4c770bd8c3a8a91b09aeb2d6571b40dea86a3dbce7494f

Download Submit
C:\Users\Admin\AppData\Local\Temp\krlz0cig.0.vb

Filesize
383B

MD5
a236870b20cbf63813177287a9b83de3

SHA1
195823bd449af0ae5ac1ebaa527311e1e7735dd3

SHA256
27f6638f5f3e351d07f141cabf9eb115e87950a78afafa6dc02528113ad69403

SHA512
29bec69c79a5458dcd4609c40370389f8ec8cc8059dd26caeaf8f05847382b713a5b801339298ff832305dd174a037bfdb26d7417b1b1a913eacf616cd86f690

Download Submit
C:\Users\Admin\AppData\Local\Temp\krlz0cig.cmdline

Filesize
270B

MD5
c7eeb34e667e439af261c28d732aa774

SHA1
648122676c4060f36fc241625e275113a4848d3e

SHA256
2b43f3a75c3cf0257fbfa42b5d7178faf29d273b1b039b836e05986c45bfbe83

SHA512
e96f4a14a54116b20573d7598977699544bd3b4d351d43e7e73d463f994c0814c413582f78e4a2cd85c6f149d1922258f6719ab2538f5d80da2ffa229c78eba7

Download Submit
C:\Users\Admin\AppData\Local\Temp\mehedtcy.0.vb

Filesize
383B

MD5
e8615295f45d210bf3b7d023e3688b9f

SHA1
e33be2e3faddd8e48f62e0f30ad3cdc08bae7e33

SHA256
c81a9b36d60cc8d54374337bf1b116165c41be0cd2460ac35223fb790f5f94fc

SHA512
b48fa683711c9cd16f6e4e007145a508b617bbf9847efc1d81cdea75dda43bf88a3d094fc93fe8ef7c4b55e3dd1c4e687a6044b504b106262b2566c4ab944919

Download Submit
C:\Users\Admin\AppData\Local\Temp\mehedtcy.cmdline

Filesize
270B

MD5
67f8c172ba3b4b98384975c69a4536b4

SHA1
f188552ac73833f1c8a8dea9745a4b1166394292

SHA256
6bfede1332dd5d3a67c6a07250ed895f520ff58975f90677e5aabbb9b83fe755

SHA512
36f92fa3db8c4203564a5d0bae7e3d933d1119582f35193dbdd414541e9148f3ea015eb374d8dd6db42eaa34cef62ecd5698c605eceedad832df54c3cf0f4228

Download Submit
C:\Users\Admin\AppData\Local\Temp\nbczcju8.0.vb

Filesize
362B

MD5
3b4aed436aadbadd0ac808af4b434d27

SHA1
f8711cd0521a42ac4e7cb5fc36c5966ff28417b6

SHA256
ee55ee594a9bb7acee0dfaa9aaa31ebc044e3090b5a68baef63ddd2f6493d3a6

SHA512
6ca8a69f31876db620e8818d896257d3683dcf859841afa3ba7b83ae57ce67c47b98b4e44c449b02eb789b683b840e769857b10cf16a5a5882683e96f65ab5ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\nbczcju8.cmdline

Filesize
227B

MD5
db8d09ca9f250f7ff2901dc6a5ddcf86

SHA1
117648f2131bb9e820555455e309599a7ebc8428

SHA256
d64ba174a712edb7fc2b510df1046a9f993d17e3ed0c493ef5e0d2c359b0a6ad

SHA512
7c7bb174e7348cec583e810dca593885cd139062af2eb89b7c91d8cbf91a57caddcfbdabe3b497188a2305012da7fea5e77d122cf8f12d161d3dfa7d17fc6144

Download Submit
C:\Users\Admin\AppData\Local\Temp\ncx_coma.0.vb

Filesize
376B

MD5
52ddcb917d664444593bbd22fc95a236

SHA1
f87a306dffbfe5520ed98f09b7edc6085ff15338

SHA256
5c55dcac794ff730b00e24d75c2f40430d90b72c9693dd42c94941753a3d657d

SHA512
60dafb21f44cbf400e6f8bc5791df9a8d497da6837fb1a453fda81b324ac6f70fb9ec0efb1e7649b9bed0dfe979016360f3bcfef543d7e9432a97b96c8b9fd35

Download Submit
C:\Users\Admin\AppData\Local\Temp\ncx_coma.cmdline

Filesize
256B

MD5
8f582dba8152e0202e25c1325fa96b98

SHA1
93215831d7f6aa94bbf1db10b94f3b95572e2a8d

SHA256
2e5d7552d7ba18b2f3740e5682e939123449f89cabef47b03f69f1c5e54783e0

SHA512
7f6528c165d9d8b56bfa88f4d6dd6dd72d0995f29587bd4f56689d5530d5bb32b9b762ef95a999bfa6908b30d730e18fd38226d26bd3d595590fbaeb3c078817

Download Submit
C:\Users\Admin\AppData\Local\Temp\r8iyezw0.0.vb

Filesize
382B

MD5
44ab29af608b0ff944d3615ac3cf257b

SHA1
36df3c727e6f7afbf7ce3358b6feec5b463e7b76

SHA256
03cbb9f94c757143d7b02ce13e026a6e30c484fbadfb4cd646d9a27fd4d1e76d

SHA512
6eefa62e767b4374fa52fd8a3fb682a4e78442fe785bfe9b8900770dbf4c3089c8e5f7d419ec8accba037bf9524ee143d8681b0fae7e470b0239531377572315

Download Submit
C:\Users\Admin\AppData\Local\Temp\r8iyezw0.cmdline

Filesize
268B

MD5
df0b0e74850a946f8561decfc787acd0

SHA1
e285f20d5005c5f64a2d9eebc9ba685ae0c68774

SHA256
6ed262039aec9e7f03baf239676c8bac6ff1128fd4755f218ee0cc4dfe560307

SHA512
c3f04163f99a9b0f617670bd2c0ff1f153c3950c224cbee89fa527ab90e1ebbeb21607ad41c7981ce8847353ec378ddd531849394184c37c0675c67713c6c232

Download Submit
C:\Users\Admin\AppData\Local\Temp\t4d6mrgy.0.vb

Filesize
362B

MD5
31e957b66c3bd99680f428f0f581e1a2

SHA1
010caae837ec64d2070e5119daef8be20c6c2eae

SHA256
3e32c4b27f7a5840edc2f39d3fc74c2863aa2dfd9a409f1f772b8f427091a751

SHA512
6e61d77c85c1bf3fd0c99630156e0390f9a477b4df0e46218054eae65bee7766443905f48e3f3c7dec72b3fb773f758cf175df54f1ed61ac266469579f3997af

Download Submit
C:\Users\Admin\AppData\Local\Temp\t4d6mrgy.cmdline

Filesize
227B

MD5
b8c1a2e098e425970f843d8c27cea589

SHA1
4436301c192d6190865abb373f6214b868e75731

SHA256
d92d282a468a9fbf442e44e967af2f13fb0a89918dc0f1c66ae6020f8b2ad220

SHA512
07db6b47ad52e6717283e0f63d0a0e626f9431420069a78352701effe21ee6a72b75337cdc4df0c86e51b61972d3dce439ace3b4ce02df0d930db7cacb0f8891

Download Submit
C:\Users\Admin\AppData\Local\Temp\ud74yck0.0.vb

Filesize
385B

MD5
0ad1ae93e60bb1a7df1e5c1fe48bd5b2

SHA1
6c4f8f99dfd5a981b569ce2ddff73584ece51c75

SHA256
ea68ce9d33bd19a757922ba4540978debcba46f1133fbc461331629e666d6397

SHA512
a137a8f18a2b2ff9c31556044dd7c41fb589a6a52b15e4dc6cbb3ba47ab4a06d8b9ad54fb498100dab33f8a217848d31f14daca736045afb4f76ffb650b17f03

Download Submit
C:\Users\Admin\AppData\Local\Temp\ud74yck0.cmdline

Filesize
274B

MD5
d10ece72a59227c27a79d72d9fca2eee

SHA1
2549124fa30a2b6e1b7412da9a60a9be74229bac

SHA256
7c17482e06805cae88efbe90ecb9235f030b244960ba848ad268a070f2ed132f

SHA512
77c4b6be678892d85b28ac1217acb98caa39862e032f306187ce78ea53a9932c8923707eb1ce22ebb774cf5c41104d8d8767e375abeb344b7b209d02f5794aba

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1AD1.tmp

Filesize
5KB

MD5
97f90d31bbdf02bec54371d2950f2f20

SHA1
3bb06b81f2c9b550dfe755e7613b4f3e22669c63

SHA256
191f3fdee3d4f346c91e06ddc67d88fcb3fc1ab7e1be25b0526e72bf6e0ef02c

SHA512
9611d249994dc1a639e6fd81769c446d7587c2a6253dedf43ded6357b5d4ee9db9c47e519b4382f1de97a47b6008ce5a62c11ea7ce615ef1abbcfd600d1733ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1B4E.tmp

Filesize
5KB

MD5
452354b8f76e583a97d073c24d9837b7

SHA1
f37484c4f1198d89bbbeb310e112899061c8ed4f

SHA256
c022c752232c34d61d8682fe90f26fe91f63c0bc9cb62fee79a84ee8a254b61b

SHA512
2dff7560f9bf5fed2bdf559de3e0cae1e2c21b8a59daf9d401358a95577381a305759994ff7a55bc5293c9714de4708d859d8f71f48c26633c62c215ce5f3421

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1BBB.tmp

Filesize
5KB

MD5
71324862c7b45fd4c5010e3214c49178

SHA1
17c413579c5216b0aed9363311f96c62d237bf8d

SHA256
3b151877a52c4aa3faebc48ac7e4d2bb793bee3b6146ecbf89fa5af8e1014b96

SHA512
f06bc547080a07fb20840dbe0942633364f032f4e86d5297a5f748f4310b98076eb65037b8530c66f167dcbdd0cf663301a7e912903ca8a4f545decf3fbfeca9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1C09.tmp

Filesize
5KB

MD5
f91ad2c08406e8f7f5ebbeb063394fd7

SHA1
3a82be393abaa68b4c61ffd1ffe4b679623d6858

SHA256
b51cd8defd668ca7060e4e64b296b8683263c9fa183433fc0f01b6de082ccb50

SHA512
45e28009c8fc7690e83aa101e18b9bc0a1392890d3d8f80bb87ccb9e615fd10ff8baa0c2c38df1779abf51c7946d80b02b0c34aa2484859b6e863bbe2eacd7ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1C47.tmp

Filesize
5KB

MD5
5c60372f12c186ea089c0f15cfff6ed0

SHA1
432262da0f1c00bd92f1e2e1f7a98f9cf7af48c9

SHA256
d41713ad01e7c19e02da71a61a245908820944efe7c60369f09aea7922b6e37f

SHA512
fec79d0928d966bb57e3a0b530383dbfcae19c6bfb2fe9b7ba42985e1888359b406f6508d95e8186bc9650f9a4c6a8a402ba8e93f49bbade6963fc70b00de7e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1C95.tmp

Filesize
5KB

MD5
a17632fd23476ad93e2e8d480d4301b2

SHA1
a6cf184939b46b6b3ab119db7bb2b704a94b93a1

SHA256
309300f575636b15ce9455a8ce828f74991b1e07566d33f1b7a36ae816f93b78

SHA512
a6ef810516815d0d74cb4f733b9df6d38602edd6aecb44440ee2b4d6b5a3beed15b2cc92f395bb6a359dee02ae8ee60bcb924cca71584f062403e55640047d61

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1CD4.tmp

Filesize
5KB

MD5
ce3585e20a1a21bec81eeb286be8e21e

SHA1
b22e1621540487dbf33c6ff16224f684846a381b

SHA256
cdcb2fe63e17bad15a24fa4df897650ea0383c6c774570dc1688430d67b3b573

SHA512
4dcb91ff578d191c63643895ff60f1eaecb7db147f3f468dada100cb4cfda76119b074adfc365003be862414708f8f806f39936da8aa7261f27605404d98c475

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1D22.tmp

Filesize
5KB

MD5
730c7ec54491d81264c7c47a773b2ab8

SHA1
d979ecadf7e80953aa0c229ff77c453897102053

SHA256
71150a843be31e9ac6735e9066f949b54bb0826a951ee6e11f8906a73dc02d44

SHA512
fab4abaa2c0bacaea2f534739e953bb248579f91aa47ea0f5eac896202921df1815356d70316a00d862820afd13d5511f40d0061391d36be836c797257a76318

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1D60.tmp

Filesize
5KB

MD5
43ba9fb6d7febe860455dbdccbb73006

SHA1
910740f113336290128eb5cd6c8778c89a52fe78

SHA256
efee7902eb2ebddcf1b81b575f2ca31e9caf397f4a7fba0f8c63c9440bff1234

SHA512
848a0bfa57c9d774942c3034de7cc1b1431c00e456d5e45a62abaf5b274627031a19aecc68f071bc2a9f831092f6c9880cd0c4513f82ae0d7d09a81b409ad137

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1D9E.tmp

Filesize
5KB

MD5
4a3a362989568541b75e7132990505ee

SHA1
d8d831e5f2f2cd0d51feee6a9ee4f8f01553786b

SHA256
05897a89ed88299ebd4045aa4ff8064752631d80c4bfb694f664824468535e92

SHA512
0f047bf6c5664b8f881833b42f67a842b2aac2462f4016f94977bf015c6f8d11830a8b4bd2f1e744bcea4989214930886adcb0919ad629f5af49f40b82ad6a5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1DEC.tmp

Filesize
5KB

MD5
f0a0424632f58d31e6f42da83f47823e

SHA1
e89db83ec2b32588516365096b63fe099c63525e

SHA256
32d96d9257cb4225b2422b39e03c55504f9ca1a6100e2e21a75c36401570d29a

SHA512
9c40fec000879415cda632fed10b547da42e0ab341a24af25d65ba69c025c894c41804620611f5a8d929631c382aa6eca8d6320ac74c995aefbd1312c0c6cc3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1E2B.tmp

Filesize
5KB

MD5
cccd12658d666441d1d80906a7127028

SHA1
665cb475bd1748fadf1f607fe9550e2ec4c89c4c

SHA256
53f112f5d6421aacc71ff8acc478317a302feb37f34695c051f6ec40fdd52e8b

SHA512
8f528de3df02d8a4a2f9493a11f9c929d469ac2ec74aad744f8b4b37671eda2df5e900aafba506a514bd22616b115f10a57435305da31cccade243dca706551c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1E69.tmp

Filesize
5KB

MD5
47bc25715f9e5592cbdaf196b000a7f3

SHA1
16846bb61f999895bcb3f0b10e9470621472e1b0

SHA256
2c46701b1c8ddf5cbd126824ab61f8e7acdc7e850b87b773f9998ea0c79c6c11

SHA512
c48b9396b7edc0d8807f8dbae6f1ce255536886b23fcc7c5aaadc9d1e5a33e9b0f060b90680a29645ba5c5f27abfc3dfd746e17bc8511805b6b0628da8a774f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\yb48ncja.0.vb

Filesize
380B

MD5
6a3d4925113004788d2fd45bff4f9175

SHA1
79f42506da35cee06d4bd9b6e481a382ae7436a1

SHA256
21be523eca2621b9e216b058052970dc749312d2c26836639d8e8faff94c76bb

SHA512
2cfdecfa0604ad7fd54f68bf55e7c52701c7b196de51412e172526affffd6e6c4bc443b6df0fb21d2c777c809aa4e3809bd2b5b385e0d033604b6b653a0f416d

Download Submit
C:\Users\Admin\AppData\Local\Temp\yb48ncja.cmdline

Filesize
264B

MD5
f4303e0b61734d5add8bb263a97ff270

SHA1
95d6375e7c94575198b3c4f0c004a081ca9a5d46

SHA256
1224f34d190def5b03e6b5cdec4a0f67821a4986122e3386bc68c482eda551af

SHA512
029e5933bf27b9cbfcd5b5bed6673f6c435cb3956b224cf232cab6339ee7e93b65ecf605a68ecf7c44101782f17842d9d5eef88f836f3c83c0902bcecb9f666b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ymshh-_b.0.vb

Filesize
376B

MD5
0c699ac85a419d8ae23d9ae776c6212e

SHA1
e69bf74518004a688c55ef42a89c880ede98ea64

SHA256
a109cb0ae544700270ad4cb1e3e45f7f876b9cfac5f2216875c65235502982fe

SHA512
674e3f3c24e513d1bb7618b58871d47233af0a450f1068762e875277bbddf6c4f78245988c96e907dbbf3aafb5ff59e457528b3efa8e0a844f86a17a26d4f3d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ymshh-_b.cmdline

Filesize
256B

MD5
24b0ccf1ce390f443c73db4bd8a653a7

SHA1
cbd977a23effb529bac747dd68d5bc931bd08f56

SHA256
1ac1c63d94325c539036739a611df58623861b9113d3589e24d5806ecedb80b8

SHA512
778ae519757c369bfd43ff69adb8688eb9a0a38d2343a721320286236af8d8ea4ba7ff06d68a396e9532a638420d5021b1da3774edef5a39fa4156c214e737c0

Download Submit
memory/2104-4-0x000007FEF55F0000-0x000007FEF5F8D000-memory.dmp

Filesize
9.6MB

Download
memory/2104-3-0x000007FEF58AE000-0x000007FEF58AF000-memory.dmp

Filesize
4KB

Download
memory/2104-2-0x000007FEF55F0000-0x000007FEF5F8D000-memory.dmp

Filesize
9.6MB

Download
memory/2104-1-0x000007FEF55F0000-0x000007FEF5F8D000-memory.dmp

Filesize
9.6MB

Download
memory/2104-0-0x000007FEF58AE000-0x000007FEF58AF000-memory.dmp

Filesize
4KB

Download
memory/2104-306-0x000007FEF88F0000-0x000007FEF8F61000-memory.dmp

Filesize
6.4MB

Download
memory/2104-307-0x000007FEF8330000-0x000007FEF873F000-memory.dmp

Filesize
4.1MB

Download
memory/2104-308-0x000007FEF7A50000-0x000007FEF82B4000-memory.dmp

Filesize
8.4MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads