60b290310f67adb0ae186b4b938ca466a6b55653b2519261fa425127f5500a1f

Resubmissions

12-09-2024 02:23

240912-cvfznswere 10

04-09-2024 00:09

240904-afvheascla 10

03-09-2024 18:57

240903-xl8csavfrb 10

03-09-2024 18:12

240903-ws828asgnm 10

Analysis

max time kernel
93s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03-09-2024 18:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RAT/file.exe
Size

101KB
MD5

88dbffbc0062b913cbddfde8249ef2f3
SHA1

e2534efda3080e7e5f3419c24ea663fe9d35b4cc
SHA256

275e4633982c0b779c6dcc0a3dab4b2742ec05bc1a3364c64745cbfe74302c06
SHA512

036f9f54b443b22dbbcb2ea92e466847ce513eac8b5c07bc8f993933468cc06a5ea220cc79bc089ce5bd997f80de6dd4c10d2615d815f8263e9c0b5a4480ccb4
SSDEEP

1536:fkSJkZlpqwZoMoG5XoZnOZBX7D/3BINVRX3FjBqa8D3tSYS9h:MXlpqwZoMz5XoZncB/3BINZjy9SYS

Score

7^/10

persistence

Malware Config

Signatures

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RAT\\file.exe"	file.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1216	file.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1216 wrote to memory of 3896	1216	file.exe	97
PID 1216 wrote to memory of 3896	1216	file.exe	97
PID 3896 wrote to memory of 2760	3896	vbc.exe	131
PID 3896 wrote to memory of 2760	3896	vbc.exe	131
PID 1216 wrote to memory of 3760	1216	file.exe	100
PID 1216 wrote to memory of 3760	1216	file.exe	100
PID 3760 wrote to memory of 1428	3760	vbc.exe	134
PID 3760 wrote to memory of 1428	3760	vbc.exe	134
PID 1216 wrote to memory of 1688	1216	file.exe	103
PID 1216 wrote to memory of 1688	1216	file.exe	103
PID 1688 wrote to memory of 5064	1688	vbc.exe	105
PID 1688 wrote to memory of 5064	1688	vbc.exe	105
PID 1216 wrote to memory of 764	1216	file.exe	106
PID 1216 wrote to memory of 764	1216	file.exe	106
PID 764 wrote to memory of 3256	764	vbc.exe	108
PID 764 wrote to memory of 3256	764	vbc.exe	108
PID 1216 wrote to memory of 2824	1216	file.exe	109
PID 1216 wrote to memory of 2824	1216	file.exe	109
PID 2824 wrote to memory of 1460	2824	vbc.exe	111
PID 2824 wrote to memory of 1460	2824	vbc.exe	111
PID 1216 wrote to memory of 4324	1216	file.exe	112
PID 1216 wrote to memory of 4324	1216	file.exe	112
PID 4324 wrote to memory of 1344	4324	vbc.exe	114
PID 4324 wrote to memory of 1344	4324	vbc.exe	114
PID 1216 wrote to memory of 2836	1216	file.exe	115
PID 1216 wrote to memory of 2836	1216	file.exe	115
PID 2836 wrote to memory of 1572	2836	vbc.exe	117
PID 2836 wrote to memory of 1572	2836	vbc.exe	117
PID 1216 wrote to memory of 456	1216	file.exe	118
PID 1216 wrote to memory of 456	1216	file.exe	118
PID 456 wrote to memory of 32	456	vbc.exe	120
PID 456 wrote to memory of 32	456	vbc.exe	120
PID 1216 wrote to memory of 2244	1216	file.exe	121
PID 1216 wrote to memory of 2244	1216	file.exe	121
PID 2244 wrote to memory of 2388	2244	vbc.exe	158
PID 2244 wrote to memory of 2388	2244	vbc.exe	158
PID 1216 wrote to memory of 1064	1216	file.exe	124
PID 1216 wrote to memory of 1064	1216	file.exe	124
PID 1064 wrote to memory of 5016	1064	vbc.exe	126
PID 1064 wrote to memory of 5016	1064	vbc.exe	126
PID 1216 wrote to memory of 2120	1216	file.exe	127
PID 1216 wrote to memory of 2120	1216	file.exe	127
PID 2120 wrote to memory of 2436	2120	vbc.exe	129
PID 2120 wrote to memory of 2436	2120	vbc.exe	129
PID 1216 wrote to memory of 1768	1216	file.exe	130
PID 1216 wrote to memory of 1768	1216	file.exe	130
PID 1768 wrote to memory of 3744	1768	vbc.exe	132
PID 1768 wrote to memory of 3744	1768	vbc.exe	132
PID 1216 wrote to memory of 1152	1216	file.exe	133
PID 1216 wrote to memory of 1152	1216	file.exe	133
PID 1152 wrote to memory of 532	1152	vbc.exe	135
PID 1152 wrote to memory of 532	1152	vbc.exe	135
PID 1216 wrote to memory of 3316	1216	file.exe	136
PID 1216 wrote to memory of 3316	1216	file.exe	136
PID 3316 wrote to memory of 4736	3316	vbc.exe	138
PID 3316 wrote to memory of 4736	3316	vbc.exe	138
PID 1216 wrote to memory of 1784	1216	file.exe	139
PID 1216 wrote to memory of 1784	1216	file.exe	139
PID 1784 wrote to memory of 4820	1784	vbc.exe	141
PID 1784 wrote to memory of 4820	1784	vbc.exe	141
PID 1216 wrote to memory of 1808	1216	file.exe	142
PID 1216 wrote to memory of 1808	1216	file.exe	142
PID 1808 wrote to memory of 3740	1808	vbc.exe	144
PID 1808 wrote to memory of 3740	1808	vbc.exe	144

C:\Users\Admin\AppData\Local\Temp\RAT\file.exe
"C:\Users\Admin\AppData\Local\Temp\RAT\file.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1216
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yuwz3r4f.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3896
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF5BA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB514E934267D442DB42BA8A11D4A203C.TMP"
    3⤵
    PID:2760
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-zf82zmd.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3760
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF6C4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc235B167D891144FB9D6E9F2BF49D49FB.TMP"
    3⤵
    PID:1428
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cp1wc_rv.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1688
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF79E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF2F8C2D7A446467EBA63218ADD864ADB.TMP"
    3⤵
    PID:5064
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9ina9t_-.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:764
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF80C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3E61EFE87C9A4EF3B885CE6F85D1F0D1.TMP"
    3⤵
    PID:3256
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\my6_ff0u.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF86A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEE6F980E53640529241F0CDEEC8A63D.TMP"
    3⤵
    PID:1460
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4f_699o_.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4324
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF906.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB4D9CA8F357A45ECB381D6C2F96D5FF.TMP"
    3⤵
    PID:1344
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fxqas1lt.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF9A2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBEF43E768853496CB19048BFD73AA50.TMP"
    3⤵
    PID:1572
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\c8e9p0kq.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:456
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFA00.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD763327B913745EF875A301F509FF96.TMP"
    3⤵
    PID:32
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\j8hw0f9z.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFA6D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6EB1E8A653AD4575A6256596EF4F384.TMP"
    3⤵
    PID:2388
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fkeqouqf.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1064
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFACB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc53B3AF7A30AD45099AE3D2F2C16DB184.TMP"
    3⤵
    PID:5016
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nkxa_dv-.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2120
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFB29.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBB8CDBD654B94736A65A72405AD92FE.TMP"
    3⤵
    PID:2436
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4giqngow.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1768
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2760
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFBA6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1971D693A7D3423C9288F76A8474D39D.TMP"
    3⤵
    PID:3744
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wpx98rdd.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1152
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1428
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFC32.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc35574412DD7F40FB8693B962A98E8DCB.TMP"
    3⤵
    PID:532
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4ngiwvkn.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3316
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFCA0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc113A4BB626A4FE09854739C628FE0E8.TMP"
    3⤵
    PID:4736
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ni2frfxj.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1784
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFCFD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc263A815282D74FEE92D3913B7F662B.TMP"
    3⤵
    PID:4820
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lgmfponz.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1808
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFD6B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD2BA44C6CDEC4A38A1E4EDB26725D57.TMP"
    3⤵
    PID:3740
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wd2ecmfn.cmdline"
  2⤵
  PID:4040
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFE26.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc86040CA9BFCE4ADE9691482274A699F.TMP"
    3⤵
    PID:4364
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9u-dztwu.cmdline"
  2⤵
  PID:3712
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFE84.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD1E83847AB234179AC29142B8C7BEDD0.TMP"
    3⤵
    PID:1604
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ro2stl7t.cmdline"
  2⤵
  PID:4696
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFEF1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC4337D78C76F4089A0CC30A2671D1A7.TMP"
    3⤵
    PID:436
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\am-dsray.cmdline"
  2⤵
  PID:4284
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFF5F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE258ACC744DB4A74AFC3F249874648F.TMP"
    3⤵
    PID:4524
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xttac2iw.cmdline"
  2⤵
  PID:2644
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2388
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFFBD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc103F4B28A2F848C8AB59E57DFA1E6878.TMP"
    3⤵
    PID:2132
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\q2wdd5pi.cmdline"
  2⤵
  PID:2900
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3D8B2815F64D47EE8DD03D91DF2E6684.TMP"
    3⤵
    PID:4028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\RevengeRAT\vcredist2010_x64.log-MSI_vc_red.msi.ico

Filesize
4KB

MD5
c350868e60d3f85eb01b228b7e380daa

SHA1
6c9f847060e82fe45c04f8d3dab2d5a1c2f0603e

SHA256
88c55cc5489fc8d8a0c0ace6bfb397eace09fba9d96c177ef8954b3116addab7

SHA512
47555d22608e1b63fbf1aacee130d7fc26be6befaa9d1257efb7ad336373e96878da47c1e1e26902f5746165fc7020c6929a8a0b54d5ad1de54d99514cc89d85

Download Submit
C:\ProgramData\RevengeRAT\vcredist2010_x64.log.ico

Filesize
4KB

MD5
64f9afd2e2b7c29a2ad40db97db28c77

SHA1
d77fa89a43487273bed14ee808f66acca43ab637

SHA256
9b20a3f11914f88b94dfaa6f846a20629d560dd71a5142585a676c2ef72dc292

SHA512
7dd80a4ed4330fe77057943993a610fbd2b2aa9262f811d51f977df7fbcc07263d95c53e2fb16f2451bd77a45a1569727fbf19aeded6248d57c10f48c84cb4da

Download Submit
C:\Users\Admin\AppData\Local\Temp\-zf82zmd.0.vb

Filesize
362B

MD5
31e957b66c3bd99680f428f0f581e1a2

SHA1
010caae837ec64d2070e5119daef8be20c6c2eae

SHA256
3e32c4b27f7a5840edc2f39d3fc74c2863aa2dfd9a409f1f772b8f427091a751

SHA512
6e61d77c85c1bf3fd0c99630156e0390f9a477b4df0e46218054eae65bee7766443905f48e3f3c7dec72b3fb773f758cf175df54f1ed61ac266469579f3997af

Download Submit
C:\Users\Admin\AppData\Local\Temp\-zf82zmd.cmdline

Filesize
227B

MD5
a8fa1571b79cc2e3b299bfe904a91230

SHA1
9ad7cee2a3aeefe7548b6667e57ea016b70cd850

SHA256
59c1fee8115465b1ab2282cd48cb60380b63e85d8137c527991811ed74fcd6e1

SHA512
53fa3fbbef03704b8fb49bebbc5019df95405cb59665c315ced22a745eae6a8a5c4e1b8ed2607cc0ccdaf4973a73daada77679d6ea7e472157c44d671682a8b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\4f_699o_.0.vb

Filesize
383B

MD5
e8615295f45d210bf3b7d023e3688b9f

SHA1
e33be2e3faddd8e48f62e0f30ad3cdc08bae7e33

SHA256
c81a9b36d60cc8d54374337bf1b116165c41be0cd2460ac35223fb790f5f94fc

SHA512
b48fa683711c9cd16f6e4e007145a508b617bbf9847efc1d81cdea75dda43bf88a3d094fc93fe8ef7c4b55e3dd1c4e687a6044b504b106262b2566c4ab944919

Download Submit
C:\Users\Admin\AppData\Local\Temp\4f_699o_.cmdline

Filesize
270B

MD5
6db2dc24577822a3678b5eed061eb1fc

SHA1
14cf6247adb0b4069e73e537a17a2039f7e16500

SHA256
fcaf3262286309cd0fad30420e6e679988d94723d43ef93e6d91db16f4a089d1

SHA512
313fef61e6f10a1bfdd1689006890e78c9db416dfa8b2179b4370014ff9185531ba0dfd14b93ce43e5172f1474e6ad8149193073eca2df810fa147c72a2627d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\4giqngow.0.vb

Filesize
385B

MD5
40650ce23f89e4cd8462efe73fa023ce

SHA1
8709317f898d137650ecb816743e3445aa392f75

SHA256
ae23b3ffff9fb03b649f412247c342e9cd970e371b0d5dea6be75a26617a5afb

SHA512
b6ec7998e2a9703e2badcb41e60128f340c1c4ffcb9aa2c6532b3dc18024abdec1f739148f45d66417df84f3beed1a15ddbf9f33da073018ab902531ccbde850

Download Submit
C:\Users\Admin\AppData\Local\Temp\4giqngow.cmdline

Filesize
274B

MD5
e72dc97a241c66cb71e2ac4e7e011c7a

SHA1
dd0ff9d523cb78426fdbfe7e21720efc2f9e13ff

SHA256
ac6462a6cb3da1cda54648f8f31e157f8af8c451a15ce908b941b5d9e0b31dbd

SHA512
4aaab90d824dc2bdde85660a08893707db57f9a5dfac5cb9343c504b52a3f9e44d286c4b3cff2d5b0701ab7793cf1aaf0646c6a7e82450925b800856a7e672e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\4ngiwvkn.cmdline

Filesize
274B

MD5
49921b1516dc2e3974eacccccb3cb683

SHA1
62bd0776f1996d4513d746af5c9614c6b12bf3aa

SHA256
0bbf6213c5decc872b7f48bd44f6581b24cf6738e7f31e1118b5fae83bffc983

SHA512
a18462b17346787534e7f25b2604a9fcf583d0b95179d31f8af10cb64d9db89e6a386ad41bb1c6ed3f1cec517c4bbd031a4b987f3a6f8968c3c456ace251a5d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\9ina9t_-.0.vb

Filesize
362B

MD5
3b4aed436aadbadd0ac808af4b434d27

SHA1
f8711cd0521a42ac4e7cb5fc36c5966ff28417b6

SHA256
ee55ee594a9bb7acee0dfaa9aaa31ebc044e3090b5a68baef63ddd2f6493d3a6

SHA512
6ca8a69f31876db620e8818d896257d3683dcf859841afa3ba7b83ae57ce67c47b98b4e44c449b02eb789b683b840e769857b10cf16a5a5882683e96f65ab5ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\9ina9t_-.cmdline

Filesize
227B

MD5
41d31ed470f4daebd427b9e019f2caf4

SHA1
95f19bf6d85d1f170d829a834d06790797921a00

SHA256
afea5beba537070ec378a8e07369d3f1792fc458702521c6d74a55559ee4b2af

SHA512
987ba5f7a7d956c81fe2eda36212331ae2f3b8fd93f69e9d574f0c6b9d20c160056b3b31154b2653f3934561c45cbf91f5e3131d6303e714620ee51eea61df79

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF5BA.tmp

Filesize
5KB

MD5
90951eccc696926bd267720bc7b03b0a

SHA1
9355761c58dc1be757a02f814d6833da7f493842

SHA256
cb78c438baaeef0ce4dde78cf504080c6bb7771efe632b8d56b45f5170894a0f

SHA512
27903d85ca144ff984898a120dafecdcf44718b82fc8e2e09ace45e124ea6cd867305d595c2be89a9c6a143c961e70d9a25c30bbf2aee48bb17a3781f06050a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF6C4.tmp

Filesize
5KB

MD5
a2062947906264d098032a951cbacd8f

SHA1
b028a581f99220aaac615836f59746fbb5106158

SHA256
9cfd9a8cacf49822cdfcf12a6475be00ae3f527e194bfdd8da847a5b2ec77397

SHA512
b52e0b1051a9292c1d06da2eb6652f7b01fb337be1d1223b8674b9c2b0d0608364e20a7a4067f34f3139765601dec6c2678ea567efecaa04ea3cbb3df41862b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF79E.tmp

Filesize
5KB

MD5
73e54736fab5f640807ab385cbead197

SHA1
e2d2a962daf99526faab95670b173adc0f4ab882

SHA256
07f79ac8912fab131a164657186b6f2318e98dc6f4988c852a174b42cf4c1856

SHA512
b3da20825becc1521c490462283ea211c3a697d74e5cacac6db155b2df19d86e98fc7b8615ef85413aa3c146c6b8ea930950d9c21b5ed72677a946dcbbfa861c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF80C.tmp

Filesize
5KB

MD5
a4908ada2782ad4d049b7cbf23373943

SHA1
310fa6b9dcc6772eff457e53b43a655184856568

SHA256
0108f09cfa3b45753a48e4b9028ac68bb763cf0cd7cad38f25f3efd9a2f865c5

SHA512
12574fedfe5a0a5fc5b173234f70aa3993910796493e8a1c73608f7ad73ef17e2e90bf20ddac35fe5bf9eea5273226f66077033fc220d8676ab015ad1c0c1cd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF86A.tmp

Filesize
5KB

MD5
6c46ee55ec8c64247d8e6e92c3f52932

SHA1
1f88c02d112d193ad250e6c81a92077d0ec2a04d

SHA256
cd61bfec31b4806c8da5cf299e46d610b594fd439c6c1ec844566496943510a3

SHA512
b1770deb15ce64aba57364114916664b339c08f281fab0b54f7ccf3400d465f3f328baee19f071b0b9e87e81106495baf9da4688087ece4ea3754e4e4a11e812

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF9A2.tmp

Filesize
5KB

MD5
d6d072d8df3d1e46422813575ecfbc54

SHA1
432f0a56687bdf347a81f5e6b8b68a07db754586

SHA256
a1b31746a6e48d86381550d4b2e8c81dc7b27463518df2b815161745cdc9339a

SHA512
5329076e235cd51709324e00ff8aeb9b7c32bc720ce00f8973ac26dba4aff80117ed75f058e32421e5d98df220072dc3b23cde7bfe95936c4a0cafdb821285c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFA00.tmp

Filesize
5KB

MD5
1d612b6ac3e82eabbd799c74c5fa60a8

SHA1
a06de01ad17d7cc2319051748b42ea5112342ca4

SHA256
de21a901107f76fac605f09ddd99905d820f382d0cd7bfc797115a579883c7be

SHA512
0feffd89983722433a7812af07db08b2a57021360d38e6aa56c27c28910b32c983ca7dd57a537389dcd76deb3221c7d5855cbdc44edd46b479aaec91e9bbe1e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFA6D.tmp

Filesize
5KB

MD5
10639515f907aa5ae47d9dc4dc300133

SHA1
ba1d0f085c963eef8e225db4e8a14e821772c5e6

SHA256
fba3018f1203a55295aca7fe3313262a0ef8396a377e0d0c9aa47ee4da8b50ff

SHA512
48ca8e7693175059342b85944aeb550fa92880529c068e568ee02ba5677a4da4ce8f65519183589a99d43ff6b04695cf6aad21303f8688a0fbc82777bdedf554

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFACB.tmp

Filesize
5KB

MD5
72ec2cd2a80b84f6b88bc888eeaed21d

SHA1
d7eea31d70edb8b85f9113900611fb3348e1b441

SHA256
ecc0ad9712546dd0bdecb85a2992646b3644c5b868bb66fd667c6c1ea37bbc31

SHA512
9144dd973c3b82dcb812ed5409de64ffccd2247b48730af94b5c068c3c2be86430129bf2e90e54b995297cd72a3d745a645bfc558eca356aa682c15a36f8f869

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFB29.tmp

Filesize
5KB

MD5
bf1c953e74cdcb9462b3f47b6f945f23

SHA1
113b19abd4219c77da9b46e548c6ecd42a5f6517

SHA256
481925e17ebef366e3a347a7e5d7d4cf240c1828db7094c4faa431d8eb16a5da

SHA512
e654431e857e2c7eb7df4e286d406bbbf9e1e8f6e9187a845cd9f752771e555cbb450319fa9a491171b7e0f22f6a29617a04dbd72233991fb0fc5b3e4395c9e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFBA6.tmp

Filesize
5KB

MD5
2a5580cac11bb28eb92a6eef44cd74c4

SHA1
3883be02b27fe09995980f3ed378b0c1af05215f

SHA256
ba0f6a3610109761d1cace2964a08458e4a2276f488dca803426e634a476a6c6

SHA512
68703925f975f3b9eb9e66ce5d126e943bcd7c2e3c8d6975fd1cb1e41722d8d25f54c29fc5c5604a3571f1ba3b1386d173a894bd99f8ce527c0dd8dad6e17a3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFC32.tmp

Filesize
5KB

MD5
9ead38b4370fce6ab37a5ecbffe3db1c

SHA1
b4287caa5d37dc1b1a44e36f75a7d29d1466628f

SHA256
a0ab9f4fc4b4b92d33ebfbf1e53dabcc03ecd45b7fdada946e04aef989e17835

SHA512
6209e63b24d360a421c3c99c76cd7cceb0c169dd08c7783265c949e10bf921a72c3214fc35c24d10938c76ae6e70c144068d679a00ea03362ab938a83db7e6bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\c8e9p0kq.0.vb

Filesize
383B

MD5
a236870b20cbf63813177287a9b83de3

SHA1
195823bd449af0ae5ac1ebaa527311e1e7735dd3

SHA256
27f6638f5f3e351d07f141cabf9eb115e87950a78afafa6dc02528113ad69403

SHA512
29bec69c79a5458dcd4609c40370389f8ec8cc8059dd26caeaf8f05847382b713a5b801339298ff832305dd174a037bfdb26d7417b1b1a913eacf616cd86f690

Download Submit
C:\Users\Admin\AppData\Local\Temp\c8e9p0kq.cmdline

Filesize
270B

MD5
6fae6553e80d9f51f1466d7eb549bdd9

SHA1
96cd6d13d429f76dfdcedf94a8180583cfb6f150

SHA256
eb731a898f552de1e454faf432dee33d7aff1bf3b433965f53048aa1545f1916

SHA512
3ee8a7074995397ef5f8a9a72e9c221d925f4add6b03f93b9c32d1c006d8a3392e5dbdb8a50795e0655ba5e1e557949b8d26db2d391d4380686e6f2e7e2d00de

Download Submit
C:\Users\Admin\AppData\Local\Temp\cp1wc_rv.0.vb

Filesize
376B

MD5
0c699ac85a419d8ae23d9ae776c6212e

SHA1
e69bf74518004a688c55ef42a89c880ede98ea64

SHA256
a109cb0ae544700270ad4cb1e3e45f7f876b9cfac5f2216875c65235502982fe

SHA512
674e3f3c24e513d1bb7618b58871d47233af0a450f1068762e875277bbddf6c4f78245988c96e907dbbf3aafb5ff59e457528b3efa8e0a844f86a17a26d4f3d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cp1wc_rv.cmdline

Filesize
256B

MD5
2d832f3b3b1a82878ea0b6a42ff8dba4

SHA1
44c40a76b53c1169924cd7c40d52dfb02fc3dadb

SHA256
d914db83d443cfae7cc3e23595eca194269721d20f8b54df56fa15f78fa5b32f

SHA512
676039825a5341e48e8c6dec4d43907c2ffef0873b148ff1d1313c4a62ce68348b3a367ff2ecbcee6658b32cccd7866d457c9da19242db1aa153ed0f4c0f7821

Download Submit
C:\Users\Admin\AppData\Local\Temp\fkeqouqf.0.vb

Filesize
385B

MD5
0ad1ae93e60bb1a7df1e5c1fe48bd5b2

SHA1
6c4f8f99dfd5a981b569ce2ddff73584ece51c75

SHA256
ea68ce9d33bd19a757922ba4540978debcba46f1133fbc461331629e666d6397

SHA512
a137a8f18a2b2ff9c31556044dd7c41fb589a6a52b15e4dc6cbb3ba47ab4a06d8b9ad54fb498100dab33f8a217848d31f14daca736045afb4f76ffb650b17f03

Download Submit
C:\Users\Admin\AppData\Local\Temp\fkeqouqf.cmdline

Filesize
274B

MD5
ab087cb344e239096b3c626825e2adae

SHA1
8e3e4c2f8d7837cc916de764d2b44e93922c8260

SHA256
619bf9db1dfc7700b2348ac090ba288fb26f13e5e621de7b9df535a7e97b18e0

SHA512
ffca2c6a51cc29f6e1d13f9307519cc93ee674a62577c063ab7e666ef26016489e169159b1a699464819e00a01ff6f57843a6b5a725839aa37d25848d604f604

Download Submit
C:\Users\Admin\AppData\Local\Temp\fxqas1lt.0.vb

Filesize
380B

MD5
6a3d4925113004788d2fd45bff4f9175

SHA1
79f42506da35cee06d4bd9b6e481a382ae7436a1

SHA256
21be523eca2621b9e216b058052970dc749312d2c26836639d8e8faff94c76bb

SHA512
2cfdecfa0604ad7fd54f68bf55e7c52701c7b196de51412e172526affffd6e6c4bc443b6df0fb21d2c777c809aa4e3809bd2b5b385e0d033604b6b653a0f416d

Download Submit
C:\Users\Admin\AppData\Local\Temp\fxqas1lt.cmdline

Filesize
264B

MD5
4280ac04748584f849a950f1fd07a322

SHA1
3ab19377e64b55c7569d364af6cf816d36d8c585

SHA256
561896d206c6bffb02aeb6f2c000b04bb33cab264311db3cf6f23d2e152b698e

SHA512
4cb00ab494cc882afc8b6726252b784637daaf08b6357192fe137d0284ccc2eb8652a51b86cb9eab0504916ea7765d40004a4780479dedc8d8bbe34b4f9c60f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\j8hw0f9z.0.vb

Filesize
382B

MD5
44ab29af608b0ff944d3615ac3cf257b

SHA1
36df3c727e6f7afbf7ce3358b6feec5b463e7b76

SHA256
03cbb9f94c757143d7b02ce13e026a6e30c484fbadfb4cd646d9a27fd4d1e76d

SHA512
6eefa62e767b4374fa52fd8a3fb682a4e78442fe785bfe9b8900770dbf4c3089c8e5f7d419ec8accba037bf9524ee143d8681b0fae7e470b0239531377572315

Download Submit
C:\Users\Admin\AppData\Local\Temp\j8hw0f9z.cmdline

Filesize
268B

MD5
490d73cba02fbd14ec38824488e7c547

SHA1
0365c9a5c6963d196cdeefca4386130d622fee12

SHA256
66dedb6351beaa82bc31bf4f29b7b21ee93254ee1fc96935640a9eaeac3c97b1

SHA512
1583e02dc7515c7ffca414ea7cb56c049fa08f53d7f603b4f3372699713cab0be5c44304d8d24f391f841cb9e15b9ac6d121eb653b0ddf3a78e53b002a392878

Download Submit
C:\Users\Admin\AppData\Local\Temp\my6_ff0u.0.vb

Filesize
380B

MD5
3cbba9c5abe772cf8535ee04b9432558

SHA1
3e0ddd09ad27ee73f0dfca3950e04056fdf35f60

SHA256
946d0a95bf70b08e5b5f0005ff0b9ad4efe3b27737936f4503c1a68a12b5dc36

SHA512
c3c07c93011dc1f62de940bc134eb095fa579d6310bd114b74dd0ae86c98a9b3dd03b9d2af2e12b9f81f6b04dc4d6474bd421bce2109c2001521c0b32ae68609

Download Submit
C:\Users\Admin\AppData\Local\Temp\my6_ff0u.cmdline

Filesize
264B

MD5
ab618e8f92873d721343d646aada6c56

SHA1
eb5c95abcc45b02a3503f785c8c9b68ba96b3799

SHA256
2355b079d1193075e920d0700424ed5906871b630079d2614f5fbf089c894853

SHA512
a1cf698889d7a06179de42e5752e2a7026d6ed10fd948bcac7caef940aebf81bc372797c316a6e3fe4b7ec4413e4e62d6687f653547dfc6942da2d9fd0b02fd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nkxa_dv-.0.vb

Filesize
382B

MD5
7d4fad6697777f5a8450a12c8d7aa51f

SHA1
879db5558fb1a6fac80a5f7c5c97d5d293a8df5c

SHA256
741018cae167c9f6c1206e75ddf3d758543f9a16bec5d56a07fab9eb5439e3f6

SHA512
6a31b4eab1829db245773e18e97f9a9956224174e28218476e45e8907bf8b4341ed732a0153a320cb956f2eca4e014c1ef6b0c6f627cf97a79b7a81f8e1fe144

Download Submit
C:\Users\Admin\AppData\Local\Temp\nkxa_dv-.cmdline

Filesize
268B

MD5
fb977ceb696674c45eb6738cbb740243

SHA1
a96b573de1173117a9fd6116a93d0bf01563edfe

SHA256
c1abb47e40f8c5367a79310facfebed7737bd49439ac017c13e3a99d6436bd68

SHA512
6f0b6cc528726fd41b5267f13b6c41792f9f3f2b24472dfe32c7eb9b532d19babc79d67461327ea429493359dad8a4f35197b3f2463922dea7d27f3a008efba3

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1971D693A7D3423C9288F76A8474D39D.TMP

Filesize
5KB

MD5
b751c6d2b6e47c4ca34e85791d8d82ff

SHA1
e9e7402eece094b237e1be170fecc62b33ffb250

SHA256
c66789b3014305976b263fa7bbb629bcf543d07f0c2bfa11cde4a2aa957b26d4

SHA512
d9f7a8a1ffffcf13c6fa35a8a76f9adbde49ebfe1de6a4fa0e3e0cfcd3a28e035a0ba5a6e5d9a4c5fc9cad2adf1f93fecff036f1540f3f623fdafa226f2ded0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc235B167D891144FB9D6E9F2BF49D49FB.TMP

Filesize
5KB

MD5
0fe8a8eff02f77e315885b53503483a8

SHA1
953a58a0ff6736967270494a986aca7b5c490824

SHA256
2d2c202dfa06961e1fad395fe08f9caa4b1004f71a0c37457581fa095229afba

SHA512
e0fbfcb9a2db833bea58e5ed923f93689ee598c76f27fb57e19d9a7f110369035f00c3d0d4f229997aeb7b3dd38a24a5a76d55f66f35040fe986f31d8f79a7af

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc35574412DD7F40FB8693B962A98E8DCB.TMP

Filesize
5KB

MD5
9874538991433131fb3158b7b1f83d46

SHA1
9e9efd410b28be52f091ceab335eb1e6ed8e001c

SHA256
2d5286b5a40631602fb0c35d2b9da6236434a22f3dfc1b98239987d72ae8d04c

SHA512
9ee53b9dccdc5418870ffee74e692b01c0d78305bebbb360d01aa628957914a4ed8f36afa83cbc016ee8694b8da8d08fec4de4b227b6429b5f1f48b13a3efb42

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc3E61EFE87C9A4EF3B885CE6F85D1F0D1.TMP

Filesize
5KB

MD5
83005fc79370bb0de922b43562fee8e6

SHA1
d57a6f69b62339ddadf45c8bd5dc0b91041ea5dc

SHA256
9d8d4560bcacb245b05e776a3f2352e6dbecd1c80ac6be4ce9d6c16bc066cd9c

SHA512
9888bf670df3d58880c36d6d83cb55746111c60e3949ec8a6b6f773a08c96d7d79305192c5ad9d7c6689e93770880a5be56968bd12868b8b5d354bf5b39bee05

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc53B3AF7A30AD45099AE3D2F2C16DB184.TMP

Filesize
5KB

MD5
3ca7194685ffa7c03c53d5a7dbe658b1

SHA1
c91550da196d280c258d496a5b482dfdae0d337c

SHA256
09fd06c1908591feac9dcda2a519bf862519267cd4e42c9d25b772b1d9161f39

SHA512
949801ea9aa592e118678ff62949633e9f0502f2c07bbb398484de6911f9cf652f40bfb446aee8ec59f6262fb8da8792efa56119c90eee44a199dab7226b54b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6EB1E8A653AD4575A6256596EF4F384.TMP

Filesize
5KB

MD5
17a9f4d7534440cae9e1b435719eceb9

SHA1
bc4c3569dbd3faf4beac74a4b3ea02b33e019530

SHA256
5e05232caa624438da3cd74d3cf72b04c2b383fd68448a110b892a4913e91470

SHA512
673b374c701d5756a55fd20122b00c497843b5116cc6e7dfd4b71755a692024d70a30c00f803427c343f2227ed5bc48df67234a41cb88dbf5eed70810e470f07

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB514E934267D442DB42BA8A11D4A203C.TMP

Filesize
5KB

MD5
7092dd0251b89b4da60443571b16fa89

SHA1
08cb42f192e0a02730edf0dfa90f08500ea05dd2

SHA256
2aa88b69c033bd712f9752eefa5624f534b915bb5dada74133d2ac0c67beebf7

SHA512
7067f485062be4fea3d52815e4dbdad50b1c53c30b5b354d64ddf4d5126788d169b90bba26dec25ecbf40e23ea59991d149e12859838e6b10028be0c86c5af7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcBB8CDBD654B94736A65A72405AD92FE.TMP

Filesize
5KB

MD5
694fb05871caccdce836dd0f109c4f86

SHA1
0cfa12096a38ce2aa0304937589afc24589ff39a

SHA256
bc1513ac66cd5adf438ed32370cf1bb219e07e602cc796525b822b0bd78b12fe

SHA512
50944dfe4013054ddf1529e6fe4d23af42aada5164dfea1316fbf18846e38006ba3cc8ef03dd6ab7ceb810ccf25dafc0fb790e2a6a0b0f3b2197b640d65cacd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcBEF43E768853496CB19048BFD73AA50.TMP

Filesize
5KB

MD5
40106f913688ab0f9bcbe873333d3dbd

SHA1
bbe7cd918242a4ddc48bdcd394621cccf5a15d91

SHA256
1d1a8ff68478aed22714dab15691996d196dc975a18f656261417dfdd85dcf47

SHA512
67052405e9a8bdf9d836af9fdb13f0a4f57e7e90f0d2c3c5fd10830423e1401193699ff3b195e0cdcb2a89a3582f623ec9e5ebbef899300cf354c0ae89b765d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD763327B913745EF875A301F509FF96.TMP

Filesize
5KB

MD5
38a9e24f8661491e6866071855864527

SHA1
395825876cd7edda12f2b4fda4cdb72b22238ba7

SHA256
a0dba3d6dd5111359fcaeea236f388b09fe23c4f8ec15417d5de1abf84958e96

SHA512
998fb6143141262e98dd6109bd43e1fc7389728a047d819b4a176b39bb1594e5f36c1e38cbbe41023bb91a32a33b0aa9901da1dda82513882ade7f8bd4196755

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcEE6F980E53640529241F0CDEEC8A63D.TMP

Filesize
5KB

MD5
97ea389eab9a08a887b598570e5bcb45

SHA1
9a29367be624bb4500b331c8dcc7dadd6113ff7e

SHA256
ab2e9e4fa0ade3a234fb691e1043822f23b6642a03bf355e8a94bbe648acd402

SHA512
42ab57f66062848ed8ed5384f3e3beca0d446fa1889f2960e349271ccd72f80632b7c372d11a7cf3e9da8c1119668bc748ac663def652b044101f2f31e398a36

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF2F8C2D7A446467EBA63218ADD864ADB.TMP

Filesize
5KB

MD5
bb7c2818b20789e4b46db3b54dbbbb12

SHA1
b262ea7343363caae54bcce98e96e163cdf4822d

SHA256
a944a5a52b5edfd19415c068a810b7249e5b5622d8faeee5d36f3fcb2462de67

SHA512
b101eb7a02d1911adee23bd63f5dbc84490b498583b802b4db0ab763de2c6abcbbb1bd28b17f9ad24e094e51bc3614bcf09c3a72841c500a9ae8d57e02a211ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\wpx98rdd.0.vb

Filesize
382B

MD5
37c6619df6617336270b98ec25069884

SHA1
e293a1b29fd443fde5f2004ab02ca90803d16987

SHA256
69b5796e1bb726b97133d3b97ebb3e6baac43c0474b29245a6b249a1b119cd33

SHA512
c19774fc2260f9b78e3b7ee68f249ce766dcdc5f8c5bc6cfc90f00aa63ce7b4d8c9b5c6f86146aa85e15fd0c5be7535cc22e0a9949ef68fbd5aca0436c3bd689

Download Submit
C:\Users\Admin\AppData\Local\Temp\wpx98rdd.cmdline

Filesize
268B

MD5
2e33d2efe8bac3a8645c02ab67863382

SHA1
38a09f66e1691de17b4d31607fba0f8781231f69

SHA256
7120f4ab37612a68902e4f994f434e9666efa1241b976f492d7edcf197377b72

SHA512
920b67c2574c46b3c41114c487f4ee2ecc48cafa301502c0eb7e3b37ce8b0fd7372dc8def5ed8ccdfae65bab0d3cc9c86972aca8989f147b5e39c906bf2d495d

Download Submit
C:\Users\Admin\AppData\Local\Temp\yuwz3r4f.0.vb

Filesize
376B

MD5
52ddcb917d664444593bbd22fc95a236

SHA1
f87a306dffbfe5520ed98f09b7edc6085ff15338

SHA256
5c55dcac794ff730b00e24d75c2f40430d90b72c9693dd42c94941753a3d657d

SHA512
60dafb21f44cbf400e6f8bc5791df9a8d497da6837fb1a453fda81b324ac6f70fb9ec0efb1e7649b9bed0dfe979016360f3bcfef543d7e9432a97b96c8b9fd35

Download Submit
C:\Users\Admin\AppData\Local\Temp\yuwz3r4f.cmdline

Filesize
256B

MD5
20d100dcfdef23acf99a77d6378d9de6

SHA1
9981dcd17ee16c9c47697d997ca62d771873f6ca

SHA256
26cbc69b3bd766d9ede5a558a0f40284cef49fed64ffbe946201c1fd07690c7a

SHA512
f7e2548708c5c8b7d8148034b54625791088d64e1817ab54591dd854697133b6f3c6ee48ed920e49ed4136e94e36f6f343c17a2c59d00b2c32bd038e6591aace

Download Submit
memory/1216-7-0x00007FFB43FF0000-0x00007FFB44991000-memory.dmp

Filesize
9.6MB

Download
memory/1216-6-0x00007FFB442A5000-0x00007FFB442A6000-memory.dmp

Filesize
4KB

Download
memory/1216-0-0x00007FFB442A5000-0x00007FFB442A6000-memory.dmp

Filesize
4KB

Download
memory/1216-5-0x00007FFB43FF0000-0x00007FFB44991000-memory.dmp

Filesize
9.6MB

Download
memory/1216-4-0x000000001BBC0000-0x000000001BC22000-memory.dmp

Filesize
392KB

Download
memory/1216-3-0x000000001B020000-0x000000001B0C6000-memory.dmp

Filesize
664KB

Download
memory/1216-10-0x000000001CD90000-0x000000001CE2C000-memory.dmp

Filesize
624KB

Download
memory/1216-2-0x000000001B680000-0x000000001BB4E000-memory.dmp

Filesize
4.8MB

Download
memory/1216-1-0x00007FFB43FF0000-0x00007FFB44991000-memory.dmp

Filesize
9.6MB

Download
memory/3760-41-0x00007FFB43FF0000-0x00007FFB44991000-memory.dmp

Filesize
9.6MB

Download
memory/3760-43-0x00007FFB43FF0000-0x00007FFB44991000-memory.dmp

Filesize
9.6MB

Download
memory/3896-26-0x00007FFB43FF0000-0x00007FFB44991000-memory.dmp

Filesize
9.6MB

Download
memory/3896-17-0x00007FFB43FF0000-0x00007FFB44991000-memory.dmp

Filesize
9.6MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads