60b290310f67adb0ae186b4b938ca466a6b55653b2519261fa425127f5500a1f

Resubmissions

12-09-2024 02:23

240912-cvfznswere 10

04-09-2024 00:09

240904-afvheascla 10

03-09-2024 18:57

240903-xl8csavfrb 10

03-09-2024 18:12

240903-ws828asgnm 10

Analysis

max time kernel
45s
max time network
56s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
03-09-2024 18:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RAT/file.exe
Size

101KB
MD5

88dbffbc0062b913cbddfde8249ef2f3
SHA1

e2534efda3080e7e5f3419c24ea663fe9d35b4cc
SHA256

275e4633982c0b779c6dcc0a3dab4b2742ec05bc1a3364c64745cbfe74302c06
SHA512

036f9f54b443b22dbbcb2ea92e466847ce513eac8b5c07bc8f993933468cc06a5ea220cc79bc089ce5bd997f80de6dd4c10d2615d815f8263e9c0b5a4480ccb4
SSDEEP

1536:fkSJkZlpqwZoMoG5XoZnOZBX7D/3BINVRX3FjBqa8D3tSYS9h:MXlpqwZoMz5XoZncB/3BINZjy9SYS

Score

7^/10

persistence

Malware Config

Signatures

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RAT\\file.exe"	file.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	620	file.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 620 wrote to memory of 2748	620	file.exe	31
PID 620 wrote to memory of 2748	620	file.exe	31
PID 620 wrote to memory of 2748	620	file.exe	31
PID 2748 wrote to memory of 2796	2748	vbc.exe	33
PID 2748 wrote to memory of 2796	2748	vbc.exe	33
PID 2748 wrote to memory of 2796	2748	vbc.exe	33
PID 620 wrote to memory of 2956	620	file.exe	34
PID 620 wrote to memory of 2956	620	file.exe	34
PID 620 wrote to memory of 2956	620	file.exe	34
PID 2956 wrote to memory of 2892	2956	vbc.exe	36
PID 2956 wrote to memory of 2892	2956	vbc.exe	36
PID 2956 wrote to memory of 2892	2956	vbc.exe	36
PID 620 wrote to memory of 2648	620	file.exe	37
PID 620 wrote to memory of 2648	620	file.exe	37
PID 620 wrote to memory of 2648	620	file.exe	37
PID 2648 wrote to memory of 2476	2648	vbc.exe	39
PID 2648 wrote to memory of 2476	2648	vbc.exe	39
PID 2648 wrote to memory of 2476	2648	vbc.exe	39
PID 620 wrote to memory of 1832	620	file.exe	40
PID 620 wrote to memory of 1832	620	file.exe	40
PID 620 wrote to memory of 1832	620	file.exe	40
PID 1832 wrote to memory of 1936	1832	vbc.exe	42
PID 1832 wrote to memory of 1936	1832	vbc.exe	42
PID 1832 wrote to memory of 1936	1832	vbc.exe	42
PID 620 wrote to memory of 2680	620	file.exe	43
PID 620 wrote to memory of 2680	620	file.exe	43
PID 620 wrote to memory of 2680	620	file.exe	43
PID 2680 wrote to memory of 536	2680	vbc.exe	45
PID 2680 wrote to memory of 536	2680	vbc.exe	45
PID 2680 wrote to memory of 536	2680	vbc.exe	45
PID 620 wrote to memory of 2948	620	file.exe	46
PID 620 wrote to memory of 2948	620	file.exe	46
PID 620 wrote to memory of 2948	620	file.exe	46
PID 2948 wrote to memory of 2020	2948	vbc.exe	48
PID 2948 wrote to memory of 2020	2948	vbc.exe	48
PID 2948 wrote to memory of 2020	2948	vbc.exe	48
PID 620 wrote to memory of 1280	620	file.exe	49
PID 620 wrote to memory of 1280	620	file.exe	49
PID 620 wrote to memory of 1280	620	file.exe	49
PID 1280 wrote to memory of 2436	1280	vbc.exe	51
PID 1280 wrote to memory of 2436	1280	vbc.exe	51
PID 1280 wrote to memory of 2436	1280	vbc.exe	51
PID 620 wrote to memory of 992	620	file.exe	52
PID 620 wrote to memory of 992	620	file.exe	52
PID 620 wrote to memory of 992	620	file.exe	52
PID 992 wrote to memory of 2076	992	vbc.exe	54
PID 992 wrote to memory of 2076	992	vbc.exe	54
PID 992 wrote to memory of 2076	992	vbc.exe	54
PID 620 wrote to memory of 1540	620	file.exe	55
PID 620 wrote to memory of 1540	620	file.exe	55
PID 620 wrote to memory of 1540	620	file.exe	55
PID 1540 wrote to memory of 2416	1540	vbc.exe	57
PID 1540 wrote to memory of 2416	1540	vbc.exe	57
PID 1540 wrote to memory of 2416	1540	vbc.exe	57
PID 620 wrote to memory of 1668	620	file.exe	58
PID 620 wrote to memory of 1668	620	file.exe	58
PID 620 wrote to memory of 1668	620	file.exe	58
PID 1668 wrote to memory of 1860	1668	vbc.exe	60
PID 1668 wrote to memory of 1860	1668	vbc.exe	60
PID 1668 wrote to memory of 1860	1668	vbc.exe	60
PID 620 wrote to memory of 600	620	file.exe	61
PID 620 wrote to memory of 600	620	file.exe	61
PID 620 wrote to memory of 600	620	file.exe	61
PID 600 wrote to memory of 712	600	vbc.exe	63

C:\Users\Admin\AppData\Local\Temp\RAT\file.exe
"C:\Users\Admin\AppData\Local\Temp\RAT\file.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:620
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pvgitfuc.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB19.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB18.tmp"
    3⤵
    PID:2796
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\m5nf2pp4.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2956
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBB5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBA4.tmp"
    3⤵
    PID:2892
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\45xgx5yk.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC13.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC12.tmp"
    3⤵
    PID:2476
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\w02urbll.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1832
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC61.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC60.tmp"
    3⤵
    PID:1936
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cmqkzgcw.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCBE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCBD.tmp"
    3⤵
    PID:536
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fgbvspnp.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2948
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD0C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD0B.tmp"
    3⤵
    PID:2020
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\k1_ip2ds.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1280
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD6A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD69.tmp"
    3⤵
    PID:2436
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1rxxtehy.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:992
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDD7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDD6.tmp"
    3⤵
    PID:2076
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5k9f1pkb.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1540
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE35.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE34.tmp"
    3⤵
    PID:2416
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\iw95-g93.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1668
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE83.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE82.tmp"
    3⤵
    PID:1860
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sckiuoe5.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:600
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESED1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcED0.tmp"
    3⤵
    PID:712
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ygtqodyu.cmdline"
  2⤵
  PID:112
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF2E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF2D.tmp"
    3⤵
    PID:2036
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xafrou4c.cmdline"
  2⤵
  PID:1532
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF7C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF7B.tmp"
    3⤵
    PID:3048
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\slwna5kb.cmdline"
  2⤵
  PID:1604
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFE9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFE8.tmp"
    3⤵
    PID:1804
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pkebdhaw.cmdline"
  2⤵
  PID:1400
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1037.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1036.tmp"
    3⤵
    PID:2780
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\j1gopnrd.cmdline"
  2⤵
  PID:2088
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1085.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1084.tmp"
    3⤵
    PID:2824
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dlvrdrj2.cmdline"
  2⤵
  PID:3012
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES10F3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc10F2.tmp"
    3⤵
    PID:2964
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\n2v04taq.cmdline"
  2⤵
  PID:2756
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1141.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1140.tmp"
    3⤵
    PID:2344
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zphjjvvn.cmdline"
  2⤵
  PID:2620
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES117F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc117E.tmp"
    3⤵
    PID:2100
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-eqk96gd.cmdline"
  2⤵
  PID:836
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES11CD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc11CC.tmp"
    3⤵
    PID:2992
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lba0vqcj.cmdline"
  2⤵
  PID:1936
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES120B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc120A.tmp"
    3⤵
    PID:2872
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vm2nnvao.cmdline"
  2⤵
  PID:1592
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES124A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1249.tmp"
    3⤵
    PID:2876
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vaobfgfp.cmdline"
  2⤵
  PID:320
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1298.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1297.tmp"
    3⤵
    PID:608
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\j15qg3r2.cmdline"
  2⤵
  PID:348
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES12E6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc12E5.tmp"
    3⤵
    PID:2420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\RevengeRAT\vcredist2010_x64.log-MSI_vc_red.msi.ico

Filesize
4KB

MD5
ce45fbf7c5fe46598627f56ab4b6c99c

SHA1
e0f344ec6aaaed70ecb1f40e74876316233c06b6

SHA256
68792990a84b5c3448ff99c952444ee0d02c1877cc3245e5ae7aa4023c2f2440

SHA512
f6929b1af23f4f960340cd0bc8158a861fa752f7acaeec47c2dc3829bce2367f5afc901f1ae358a1ccda02d8acb529487d36eedfeac1c793bfd49d6b4aad407a

Download Submit
C:\ProgramData\RevengeRAT\vcredist2010_x64.log.ico

Filesize
4KB

MD5
e69bd49fffc2d6799ce66c2ae6db27bd

SHA1
6975a39f2ebfdab8ed2697d1708bc5d3e5353c0c

SHA256
33437d4fc42ab9380d430969c2d194e6737217ec838223392eb9690f0a79637a

SHA512
b9a931802f9adfefa61d15381873556afc8a605dacfe2703505394c24f1d6214183029c6d28c67b6cfdc79fac7961afe26e4cccdddd9c4d0461deee7a090f4cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1rxxtehy.0.vb

Filesize
383B

MD5
a236870b20cbf63813177287a9b83de3

SHA1
195823bd449af0ae5ac1ebaa527311e1e7735dd3

SHA256
27f6638f5f3e351d07f141cabf9eb115e87950a78afafa6dc02528113ad69403

SHA512
29bec69c79a5458dcd4609c40370389f8ec8cc8059dd26caeaf8f05847382b713a5b801339298ff832305dd174a037bfdb26d7417b1b1a913eacf616cd86f690

Download Submit
C:\Users\Admin\AppData\Local\Temp\1rxxtehy.cmdline

Filesize
270B

MD5
1787a1a4ddc53332f442c2b2b5524290

SHA1
007c0974163157365f5ec981e894be5dfc545f15

SHA256
b2c1120911464b8a10f258880d7a09d952e25a586ac22bed9b60fa5091487fbb

SHA512
6b1e868464b74a9aaa542196b9d80461f84101d87120b4526f858991fa009a10343c4a4cf87149dd4c0a3eb38036ce5c8f29a1b702abb2aaf62cbd351b545c65

Download Submit
C:\Users\Admin\AppData\Local\Temp\45xgx5yk.0.vb

Filesize
376B

MD5
0c699ac85a419d8ae23d9ae776c6212e

SHA1
e69bf74518004a688c55ef42a89c880ede98ea64

SHA256
a109cb0ae544700270ad4cb1e3e45f7f876b9cfac5f2216875c65235502982fe

SHA512
674e3f3c24e513d1bb7618b58871d47233af0a450f1068762e875277bbddf6c4f78245988c96e907dbbf3aafb5ff59e457528b3efa8e0a844f86a17a26d4f3d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\45xgx5yk.cmdline

Filesize
256B

MD5
227bc58af5353287b99c09c894673ffb

SHA1
0673ce414b2414dbd0679bc3a36bc7120ecef0c0

SHA256
9b37ef806d75e12b7f3153dd05d3974f2673a17bbe5c8721056d13fd6cf47cc6

SHA512
6f85106f99410a14ac26b3a43bada4b22922b313173f0ed0c3568ce8a247bbffef71a78b41abd13dd945c8a6f15032d67a514072951ba70c3694651cfce8234f

Download Submit
C:\Users\Admin\AppData\Local\Temp\5k9f1pkb.0.vb

Filesize
382B

MD5
44ab29af608b0ff944d3615ac3cf257b

SHA1
36df3c727e6f7afbf7ce3358b6feec5b463e7b76

SHA256
03cbb9f94c757143d7b02ce13e026a6e30c484fbadfb4cd646d9a27fd4d1e76d

SHA512
6eefa62e767b4374fa52fd8a3fb682a4e78442fe785bfe9b8900770dbf4c3089c8e5f7d419ec8accba037bf9524ee143d8681b0fae7e470b0239531377572315

Download Submit
C:\Users\Admin\AppData\Local\Temp\5k9f1pkb.cmdline

Filesize
268B

MD5
295e3acb83a45a3d1f9f3d1ba0f4cc5a

SHA1
93f352bfb4daea32aeb844b1053fdebc235adc7e

SHA256
aa5315ab59adaf60a42ff57f5acc893f9da45b1356c9b11955fbae0be8aa0a2a

SHA512
6d5bdeaf61699c7e896d1d2a316d76f6848aba12331222abe450c82a3f4bfdba1dd2e091d3a712372734d1e5b79e12ff4efee6e936ca30b931a9402436c9e92d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB19.tmp

Filesize
5KB

MD5
69ba9411629bd2eba46b616a53bb0f93

SHA1
64c2154c32acdf20d2a40bdde9ce5124ad86a5a8

SHA256
94f2d9e36815beba9d4243ed05a9da3cb805b800fa7555e5f91201eea777a76f

SHA512
1f0f69506afad001b4c63e36451da2c9768917acdca7879e698d62d7c2e842645ddf528a9b7dbd6757135f0ea0de3e0011a02d64883edd4c03e94dcb4127f5f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBB5.tmp

Filesize
5KB

MD5
131b04fa7e384eb8f2c0bbfeacfec77c

SHA1
98965c5cc284e745961cf85324467acd77d60b6f

SHA256
5d608dc549bdc1a84cc9992421e0750bd76f9e8cbcb808b2881be1c587664fc0

SHA512
c3f8ae01d0b1d02ec2e2110e3b6e2b713317ad320e2a423760cf919d153e6aa7d5daafd2c5d15161448af5f9f90ffe0d2d6948efac5dc5bbb664656ed47436f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC13.tmp

Filesize
5KB

MD5
062f0993c66e5ff3b1c914a190e71116

SHA1
709c3466dfd54f5590047e28564d5735dc340206

SHA256
ed920b02744350a3c06b5131b4fa5b14558bb799da35c4f2fc769745823eefa5

SHA512
4436935c0ada36cf9720efa267af8fb75ad6de3db84d703c8df033ac8745b2f5d04440e0a901d5f6a233ce882cf8355bd47302c2694a186ce4738da2b31a7566

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC61.tmp

Filesize
5KB

MD5
184d6cfddee2cf95b0e6a40ac107babf

SHA1
852a97d2bb48ce466541e1eb3dfcea6e25338f6e

SHA256
ebef58c05d1e2c81cd9eb4ea94ec911e8a6b18e7edd2c7b1957a83548a8ae1a6

SHA512
b128ff5650ad974828b72052de3607ae037a74c340f0418742504014bf623bb9e0e0fbe59edce4d48a59926e91875f232f7edd710c80b4083c05659d20c8022a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCBE.tmp

Filesize
5KB

MD5
abf8d59737749d2798abe692df94965e

SHA1
39dbc6e5cdfbcca04fcba39f946eeb9dce21e14a

SHA256
ee1ee20b442839462a17ae49cd4be79206e43f681a1d6c54a6cced0dedcb5a02

SHA512
c692d5a2cabcc5c527a3593a11a8fa740f20e9fb29cf303eec1993292d3b371421826130097c00cc53d6ec85007f2f4dc030d7a5a83bc552ce70b56322fe866e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD0C.tmp

Filesize
5KB

MD5
8965f88163663256b58dd180f8331538

SHA1
d1ce881dea53295de8af2e437e08fd08873286a7

SHA256
0e8b19f2f3eff8b77f89c720e7bfd5b4844f399e57ea7c6136ea109c6c3383ca

SHA512
e91ff3675d3acafe7a32fe70f4c54904244032bff294be04e0f12ea5fa1e603346cde235323559626a75b277959d22c5b8cc2fc82fcf241499252422046e1de9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD6A.tmp

Filesize
5KB

MD5
501081dfaf3d4c2e087c0e77e44bbb3d

SHA1
4460e3b4d67ad3ac9ba339f3b7c02f3a798de29c

SHA256
cdc106644f53faed6555d2981519e062dd1f4c227e0bfb7122fda421789f19db

SHA512
d996cd84a73fae7e67ab45d2023f513e877f6b0dd9bb4f31c92bfa01b2fcd51a0435b9f756c97dafee977d0b5ba3c98627cfeeffe2c6829656e6623e7245ef52

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESDD7.tmp

Filesize
5KB

MD5
2b64acfee1ede6b544d692973a53daf2

SHA1
7cb15b9b958510ae89a991439ed4e13fa2e6810b

SHA256
e4a6b956af25cddf81897c066aade57e4980103435161c67aa77458f6303d7fb

SHA512
1581a3874649f726d348ab9895765f65b96b9566e0a8556dd8b3fc2486ee12c73679f2c6656872b3db44c9a4ca7df9ef798a2bfd3115df8bdb596c05cf76197d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE35.tmp

Filesize
5KB

MD5
bfc88438b475817bdff57c3379d79927

SHA1
f2a0921ec4bba1496b1c49e6f1934cd6295ca7c7

SHA256
463336182739142ed1427bccd63fec9087af604c7fe78875aa158a4f21bbc24a

SHA512
e2eae56526320ed871def8b81126101a11afedbbf02fac23e1502b4f1712d32fd9f6791c9d73b8fb690ef7c47a0951fd1ccb68b02b93e46ace50adcac8d5e6e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE83.tmp

Filesize
5KB

MD5
271be33b2ac75fbbd1af59bb61c14e68

SHA1
59325b6c769d996ba92124f11c7710db17087d00

SHA256
dfccab9be35c5fc2da534abd6ad3efd049fd5c9f820b204633fba9e1679b7a74

SHA512
70878084b5a85a04a558c2ba7fa764cf15178f2e8879ed138cfb596fa68acbd694a589cf43347ceb9d3fdeb0f572f6052c65d4b0d817f1b23ee1bc048832f2dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESED1.tmp

Filesize
5KB

MD5
6cb8ed914b258c399963cebfdb807441

SHA1
c886fc2564b5c75194d21e87c3b827d1da3d2e78

SHA256
2f8c51945b528b77ed35f49e2c95e0502b844bd608d4ff64c417a7eb057de3c1

SHA512
e3e97b575b3cc8e8411fd4ca3a7818bcb2ed7af18721d4ab697a763bab06df9b62aaf79b8754ba41c43938b8a79eb33129befcec7a6bcae620a018f9adf3f19c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF2E.tmp

Filesize
5KB

MD5
005ff984254dc77b0d2d61a971e553ba

SHA1
d355aed8753f90a20c93cc1ce9696154aaf320ec

SHA256
a73496f2050fc604212d796c07b60bb4b46afa43e1d65428ad4e404efd7f2489

SHA512
cc06b3d817dce5b14088712a37a7dd0666de1fc23a9ac68de71c303c7ae94a17cd42d1f925e668736c59cf25a1f767be0c2dc987aef5d52a31d731ad5a64cef6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmqkzgcw.0.vb

Filesize
380B

MD5
3cbba9c5abe772cf8535ee04b9432558

SHA1
3e0ddd09ad27ee73f0dfca3950e04056fdf35f60

SHA256
946d0a95bf70b08e5b5f0005ff0b9ad4efe3b27737936f4503c1a68a12b5dc36

SHA512
c3c07c93011dc1f62de940bc134eb095fa579d6310bd114b74dd0ae86c98a9b3dd03b9d2af2e12b9f81f6b04dc4d6474bd421bce2109c2001521c0b32ae68609

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmqkzgcw.cmdline

Filesize
264B

MD5
c78677e5a8d8d27ce44513846d011a70

SHA1
d2724d1e028e8261d7da9eaa881a27e1242966c8

SHA256
9fb27493ff157347a5e49e02b57aee95aaffe60705836c69715c29da0703b34d

SHA512
a34b464a66a426c844c384a33a2e55ec6ed1f787527264227d95398b642e10c53340880debb524743e729d94646b73ccf858fb07496e91d323f82ae654d906f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\fgbvspnp.0.vb

Filesize
383B

MD5
e8615295f45d210bf3b7d023e3688b9f

SHA1
e33be2e3faddd8e48f62e0f30ad3cdc08bae7e33

SHA256
c81a9b36d60cc8d54374337bf1b116165c41be0cd2460ac35223fb790f5f94fc

SHA512
b48fa683711c9cd16f6e4e007145a508b617bbf9847efc1d81cdea75dda43bf88a3d094fc93fe8ef7c4b55e3dd1c4e687a6044b504b106262b2566c4ab944919

Download Submit
C:\Users\Admin\AppData\Local\Temp\fgbvspnp.cmdline

Filesize
270B

MD5
71f1370a568cceb910289ce9fc197f95

SHA1
0343e8081d000cae6adc6e26e5b007fd0308f6ae

SHA256
aa9e093b56be69a7940ad37f5d24ee0eba9d10f826310ba200245b2e37b0d6a2

SHA512
04572b4fc421cc62b30a889c14a2e7b030890b6170fb29205ab26d80b11e9933fa7d11ca186691a8e79fab10cc43c858e560fcd66db71185284b7154c8de9c5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\iw95-g93.0.vb

Filesize
385B

MD5
0ad1ae93e60bb1a7df1e5c1fe48bd5b2

SHA1
6c4f8f99dfd5a981b569ce2ddff73584ece51c75

SHA256
ea68ce9d33bd19a757922ba4540978debcba46f1133fbc461331629e666d6397

SHA512
a137a8f18a2b2ff9c31556044dd7c41fb589a6a52b15e4dc6cbb3ba47ab4a06d8b9ad54fb498100dab33f8a217848d31f14daca736045afb4f76ffb650b17f03

Download Submit
C:\Users\Admin\AppData\Local\Temp\iw95-g93.cmdline

Filesize
274B

MD5
d5cca7dc952cbf08a15fe32633d70db4

SHA1
3faa4502b3b46f0097fb6ab809723cc641fad914

SHA256
20bf460d53874d73471d2c1e5859970854e1de0b41b95ee4ad714bac0030bc4b

SHA512
f686d33d20a871e08acbd57a15d96f8e9d35665caee4f186c3d77c5557f86376553b7989b01649672b7842efed393a71b2733a0113e6dc70a13177b6128c6725

Download Submit
C:\Users\Admin\AppData\Local\Temp\k1_ip2ds.0.vb

Filesize
380B

MD5
6a3d4925113004788d2fd45bff4f9175

SHA1
79f42506da35cee06d4bd9b6e481a382ae7436a1

SHA256
21be523eca2621b9e216b058052970dc749312d2c26836639d8e8faff94c76bb

SHA512
2cfdecfa0604ad7fd54f68bf55e7c52701c7b196de51412e172526affffd6e6c4bc443b6df0fb21d2c777c809aa4e3809bd2b5b385e0d033604b6b653a0f416d

Download Submit
C:\Users\Admin\AppData\Local\Temp\k1_ip2ds.cmdline

Filesize
264B

MD5
4286556252441d5093af40de941e6330

SHA1
a9bd983c1ffbe16e201ccd4bd98606de27ea858b

SHA256
f056bd8de40fcfa31e5deb8887149d3b9e638d8991b2dba25379a242fb5d98da

SHA512
20ddb77a760fde1340e7b17d18e3a12d52b4e25a8a7b40b03ac1580c880ca79c35dfc454c4b990c6ddcb36fc07bc7323454c469144c806e231d2ea8487c343de

Download Submit
C:\Users\Admin\AppData\Local\Temp\m5nf2pp4.0.vb

Filesize
362B

MD5
31e957b66c3bd99680f428f0f581e1a2

SHA1
010caae837ec64d2070e5119daef8be20c6c2eae

SHA256
3e32c4b27f7a5840edc2f39d3fc74c2863aa2dfd9a409f1f772b8f427091a751

SHA512
6e61d77c85c1bf3fd0c99630156e0390f9a477b4df0e46218054eae65bee7766443905f48e3f3c7dec72b3fb773f758cf175df54f1ed61ac266469579f3997af

Download Submit
C:\Users\Admin\AppData\Local\Temp\m5nf2pp4.cmdline

Filesize
227B

MD5
6855b58e19fdec3d4c295835b92811f6

SHA1
2c3ecef0ee246e1f3bc9fa114d7ade069b503294

SHA256
468f62d0754ff9a418bf234b4232df32c2802151a9e3b13876382935985dbea2

SHA512
7a4b9b07286a17fecd2a0ec2d25dd9961c425a4f55eae93ddc4cda0dff813404dd565779f74cc267b76140f2a076ad54df9a501b6506b170e3ebc0ea716753f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\pvgitfuc.0.vb

Filesize
376B

MD5
52ddcb917d664444593bbd22fc95a236

SHA1
f87a306dffbfe5520ed98f09b7edc6085ff15338

SHA256
5c55dcac794ff730b00e24d75c2f40430d90b72c9693dd42c94941753a3d657d

SHA512
60dafb21f44cbf400e6f8bc5791df9a8d497da6837fb1a453fda81b324ac6f70fb9ec0efb1e7649b9bed0dfe979016360f3bcfef543d7e9432a97b96c8b9fd35

Download Submit
C:\Users\Admin\AppData\Local\Temp\pvgitfuc.cmdline

Filesize
256B

MD5
68e5da19b53984b408c4bafbb9217c9a

SHA1
a9554306ab5dc574a2f886441968d25626875138

SHA256
cb4cc41599744723a3e1e47456d8504b694fe9a1e9b158d85d376ae47ea71897

SHA512
46c97c43e7c75d80479d812d1ca727f3b0562c14f55b47246150ab5423128d3ad1663b05db1ed63bf4df8e4bdda56120af69b79af4d7029afee8e6e8aecaa0dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\sckiuoe5.0.vb

Filesize
382B

MD5
7d4fad6697777f5a8450a12c8d7aa51f

SHA1
879db5558fb1a6fac80a5f7c5c97d5d293a8df5c

SHA256
741018cae167c9f6c1206e75ddf3d758543f9a16bec5d56a07fab9eb5439e3f6

SHA512
6a31b4eab1829db245773e18e97f9a9956224174e28218476e45e8907bf8b4341ed732a0153a320cb956f2eca4e014c1ef6b0c6f627cf97a79b7a81f8e1fe144

Download Submit
C:\Users\Admin\AppData\Local\Temp\sckiuoe5.cmdline

Filesize
268B

MD5
6016566c406a6284797703fc007f16e4

SHA1
88540f7736d6af155b6705d31c2ef5015deb6da1

SHA256
2443d7bc9d8ddff27fc00693447c5348fe502f95a6f9440b118f2a601cbe3389

SHA512
2271c0dfabc17142fd4705292ac77ffcc1101a1050b49554c706b19617d45d4505be6e4ef4c02a5d85a6899a4c5c4d9910991bc0df5e58075096c61a76deefd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB18.tmp

Filesize
5KB

MD5
97f90d31bbdf02bec54371d2950f2f20

SHA1
3bb06b81f2c9b550dfe755e7613b4f3e22669c63

SHA256
191f3fdee3d4f346c91e06ddc67d88fcb3fc1ab7e1be25b0526e72bf6e0ef02c

SHA512
9611d249994dc1a639e6fd81769c446d7587c2a6253dedf43ded6357b5d4ee9db9c47e519b4382f1de97a47b6008ce5a62c11ea7ce615ef1abbcfd600d1733ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcBA4.tmp

Filesize
5KB

MD5
452354b8f76e583a97d073c24d9837b7

SHA1
f37484c4f1198d89bbbeb310e112899061c8ed4f

SHA256
c022c752232c34d61d8682fe90f26fe91f63c0bc9cb62fee79a84ee8a254b61b

SHA512
2dff7560f9bf5fed2bdf559de3e0cae1e2c21b8a59daf9d401358a95577381a305759994ff7a55bc5293c9714de4708d859d8f71f48c26633c62c215ce5f3421

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC12.tmp

Filesize
5KB

MD5
71324862c7b45fd4c5010e3214c49178

SHA1
17c413579c5216b0aed9363311f96c62d237bf8d

SHA256
3b151877a52c4aa3faebc48ac7e4d2bb793bee3b6146ecbf89fa5af8e1014b96

SHA512
f06bc547080a07fb20840dbe0942633364f032f4e86d5297a5f748f4310b98076eb65037b8530c66f167dcbdd0cf663301a7e912903ca8a4f545decf3fbfeca9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC60.tmp

Filesize
5KB

MD5
f91ad2c08406e8f7f5ebbeb063394fd7

SHA1
3a82be393abaa68b4c61ffd1ffe4b679623d6858

SHA256
b51cd8defd668ca7060e4e64b296b8683263c9fa183433fc0f01b6de082ccb50

SHA512
45e28009c8fc7690e83aa101e18b9bc0a1392890d3d8f80bb87ccb9e615fd10ff8baa0c2c38df1779abf51c7946d80b02b0c34aa2484859b6e863bbe2eacd7ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcCBD.tmp

Filesize
5KB

MD5
5c60372f12c186ea089c0f15cfff6ed0

SHA1
432262da0f1c00bd92f1e2e1f7a98f9cf7af48c9

SHA256
d41713ad01e7c19e02da71a61a245908820944efe7c60369f09aea7922b6e37f

SHA512
fec79d0928d966bb57e3a0b530383dbfcae19c6bfb2fe9b7ba42985e1888359b406f6508d95e8186bc9650f9a4c6a8a402ba8e93f49bbade6963fc70b00de7e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD0B.tmp

Filesize
5KB

MD5
a17632fd23476ad93e2e8d480d4301b2

SHA1
a6cf184939b46b6b3ab119db7bb2b704a94b93a1

SHA256
309300f575636b15ce9455a8ce828f74991b1e07566d33f1b7a36ae816f93b78

SHA512
a6ef810516815d0d74cb4f733b9df6d38602edd6aecb44440ee2b4d6b5a3beed15b2cc92f395bb6a359dee02ae8ee60bcb924cca71584f062403e55640047d61

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD69.tmp

Filesize
5KB

MD5
ce3585e20a1a21bec81eeb286be8e21e

SHA1
b22e1621540487dbf33c6ff16224f684846a381b

SHA256
cdcb2fe63e17bad15a24fa4df897650ea0383c6c774570dc1688430d67b3b573

SHA512
4dcb91ff578d191c63643895ff60f1eaecb7db147f3f468dada100cb4cfda76119b074adfc365003be862414708f8f806f39936da8aa7261f27605404d98c475

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcDD6.tmp

Filesize
5KB

MD5
730c7ec54491d81264c7c47a773b2ab8

SHA1
d979ecadf7e80953aa0c229ff77c453897102053

SHA256
71150a843be31e9ac6735e9066f949b54bb0826a951ee6e11f8906a73dc02d44

SHA512
fab4abaa2c0bacaea2f534739e953bb248579f91aa47ea0f5eac896202921df1815356d70316a00d862820afd13d5511f40d0061391d36be836c797257a76318

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE34.tmp

Filesize
5KB

MD5
43ba9fb6d7febe860455dbdccbb73006

SHA1
910740f113336290128eb5cd6c8778c89a52fe78

SHA256
efee7902eb2ebddcf1b81b575f2ca31e9caf397f4a7fba0f8c63c9440bff1234

SHA512
848a0bfa57c9d774942c3034de7cc1b1431c00e456d5e45a62abaf5b274627031a19aecc68f071bc2a9f831092f6c9880cd0c4513f82ae0d7d09a81b409ad137

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE82.tmp

Filesize
5KB

MD5
4a3a362989568541b75e7132990505ee

SHA1
d8d831e5f2f2cd0d51feee6a9ee4f8f01553786b

SHA256
05897a89ed88299ebd4045aa4ff8064752631d80c4bfb694f664824468535e92

SHA512
0f047bf6c5664b8f881833b42f67a842b2aac2462f4016f94977bf015c6f8d11830a8b4bd2f1e744bcea4989214930886adcb0919ad629f5af49f40b82ad6a5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcED0.tmp

Filesize
5KB

MD5
f0a0424632f58d31e6f42da83f47823e

SHA1
e89db83ec2b32588516365096b63fe099c63525e

SHA256
32d96d9257cb4225b2422b39e03c55504f9ca1a6100e2e21a75c36401570d29a

SHA512
9c40fec000879415cda632fed10b547da42e0ab341a24af25d65ba69c025c894c41804620611f5a8d929631c382aa6eca8d6320ac74c995aefbd1312c0c6cc3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF2D.tmp

Filesize
5KB

MD5
cccd12658d666441d1d80906a7127028

SHA1
665cb475bd1748fadf1f607fe9550e2ec4c89c4c

SHA256
53f112f5d6421aacc71ff8acc478317a302feb37f34695c051f6ec40fdd52e8b

SHA512
8f528de3df02d8a4a2f9493a11f9c929d469ac2ec74aad744f8b4b37671eda2df5e900aafba506a514bd22616b115f10a57435305da31cccade243dca706551c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF7B.tmp

Filesize
5KB

MD5
47bc25715f9e5592cbdaf196b000a7f3

SHA1
16846bb61f999895bcb3f0b10e9470621472e1b0

SHA256
2c46701b1c8ddf5cbd126824ab61f8e7acdc7e850b87b773f9998ea0c79c6c11

SHA512
c48b9396b7edc0d8807f8dbae6f1ce255536886b23fcc7c5aaadc9d1e5a33e9b0f060b90680a29645ba5c5f27abfc3dfd746e17bc8511805b6b0628da8a774f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\w02urbll.0.vb

Filesize
362B

MD5
3b4aed436aadbadd0ac808af4b434d27

SHA1
f8711cd0521a42ac4e7cb5fc36c5966ff28417b6

SHA256
ee55ee594a9bb7acee0dfaa9aaa31ebc044e3090b5a68baef63ddd2f6493d3a6

SHA512
6ca8a69f31876db620e8818d896257d3683dcf859841afa3ba7b83ae57ce67c47b98b4e44c449b02eb789b683b840e769857b10cf16a5a5882683e96f65ab5ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\w02urbll.cmdline

Filesize
227B

MD5
11f9ea43216a0f2c7860f35c8034d681

SHA1
99ed4702055858d4947fafc0eb2b6e1d87ecb89e

SHA256
684e9536d22e9c34cffa9f54ac59d17d154229bd349ff28bb3ad43784d9c6892

SHA512
8362a433f3d5e37d56577ecafbe8d6ac38111310581c69d7ff364fe59c63be80b64a58b030799b88947ffe8cc8c38ff7f8b7de9b6d40840fa003774aab357627

Download Submit
C:\Users\Admin\AppData\Local\Temp\xafrou4c.0.vb

Filesize
382B

MD5
37c6619df6617336270b98ec25069884

SHA1
e293a1b29fd443fde5f2004ab02ca90803d16987

SHA256
69b5796e1bb726b97133d3b97ebb3e6baac43c0474b29245a6b249a1b119cd33

SHA512
c19774fc2260f9b78e3b7ee68f249ce766dcdc5f8c5bc6cfc90f00aa63ce7b4d8c9b5c6f86146aa85e15fd0c5be7535cc22e0a9949ef68fbd5aca0436c3bd689

Download Submit
C:\Users\Admin\AppData\Local\Temp\xafrou4c.cmdline

Filesize
268B

MD5
d692b083918558ccdf065b5beba693b2

SHA1
c1792f3aecf512a3fcdeaf8053f0838d901c8625

SHA256
2bb10f72f7d91237ea31c777e27a131bbe74fb9f0c5993f309a25c67928b70a0

SHA512
5a51cd9ad2d9f6b7ab4f5155c0cadec2aa1f9e7af01efab6ce20ba58478de1ba0c12b16c3f2e5777927b2fa2074506814e28e0766bed7e7e666537f631a35a13

Download Submit
C:\Users\Admin\AppData\Local\Temp\ygtqodyu.0.vb

Filesize
385B

MD5
40650ce23f89e4cd8462efe73fa023ce

SHA1
8709317f898d137650ecb816743e3445aa392f75

SHA256
ae23b3ffff9fb03b649f412247c342e9cd970e371b0d5dea6be75a26617a5afb

SHA512
b6ec7998e2a9703e2badcb41e60128f340c1c4ffcb9aa2c6532b3dc18024abdec1f739148f45d66417df84f3beed1a15ddbf9f33da073018ab902531ccbde850

Download Submit
C:\Users\Admin\AppData\Local\Temp\ygtqodyu.cmdline

Filesize
274B

MD5
c632a409104781f6bdce562926bfa898

SHA1
17f76fd478bcaf4bbe0ed5258b59164e32104b69

SHA256
e5ddc784f8159b6b10a105242d2193d02a49fd4f49a40191fd1feb1ecba58cbe

SHA512
acae9405dcfa8f1a2e51b8bba5fa5e3f73c6d2cb911df547651174c9450d674f94954e4d5a11381fbf120898b217b7f3b2b1e800719abf22decf8ea502919738

Download Submit
memory/620-4-0x000007FEF570E000-0x000007FEF570F000-memory.dmp

Filesize
4KB

Download
memory/620-1-0x000007FEF5450000-0x000007FEF5DED000-memory.dmp

Filesize
9.6MB

Download
memory/620-2-0x000007FEF5450000-0x000007FEF5DED000-memory.dmp

Filesize
9.6MB

Download
memory/620-3-0x000007FEF5450000-0x000007FEF5DED000-memory.dmp

Filesize
9.6MB

Download
memory/620-0-0x000007FEF570E000-0x000007FEF570F000-memory.dmp

Filesize
4KB

Download
memory/620-306-0x000007FEF8BB0000-0x000007FEF9221000-memory.dmp

Filesize
6.4MB

Download
memory/620-307-0x000007FEF85C0000-0x000007FEF89CF000-memory.dmp

Filesize
4.1MB

Download
memory/620-308-0x000007FEF7D50000-0x000007FEF85B4000-memory.dmp

Filesize
8.4MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads