38bc13ef112b2f17d4d1a80243fac6a521b5d58228984aae0752d79487fa3b66

Resubmissions

01/04/2025, 21:24

250401-z8184awycs 10

Analysis

max time kernel
591s
max time network
604s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
04/12/2024, 11:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

101KB
MD5

88dbffbc0062b913cbddfde8249ef2f3
SHA1

e2534efda3080e7e5f3419c24ea663fe9d35b4cc
SHA256

275e4633982c0b779c6dcc0a3dab4b2742ec05bc1a3364c64745cbfe74302c06
SHA512

036f9f54b443b22dbbcb2ea92e466847ce513eac8b5c07bc8f993933468cc06a5ea220cc79bc089ce5bd997f80de6dd4c10d2615d815f8263e9c0b5a4480ccb4
SSDEEP

1536:fkSJkZlpqwZoMoG5XoZnOZBX7D/3BINVRX3FjBqa8D3tSYS9h:MXlpqwZoMz5XoZncB/3BINZjy9SYS

Score

7^/10

persistence

Malware Config

Signatures

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Users\\Admin\\AppData\\Local\\Temp\\file.exe"	file.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3964	file.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3964 wrote to memory of 4380	3964	file.exe	78
PID 3964 wrote to memory of 4380	3964	file.exe	78
PID 4380 wrote to memory of 2940	4380	vbc.exe	80
PID 4380 wrote to memory of 2940	4380	vbc.exe	80
PID 3964 wrote to memory of 1484	3964	file.exe	81
PID 3964 wrote to memory of 1484	3964	file.exe	81
PID 1484 wrote to memory of 2376	1484	vbc.exe	83
PID 1484 wrote to memory of 2376	1484	vbc.exe	83
PID 3964 wrote to memory of 1408	3964	file.exe	84
PID 3964 wrote to memory of 1408	3964	file.exe	84
PID 1408 wrote to memory of 4420	1408	vbc.exe	86
PID 1408 wrote to memory of 4420	1408	vbc.exe	86
PID 3964 wrote to memory of 4324	3964	file.exe	87
PID 3964 wrote to memory of 4324	3964	file.exe	87
PID 4324 wrote to memory of 956	4324	vbc.exe	89
PID 4324 wrote to memory of 956	4324	vbc.exe	89
PID 3964 wrote to memory of 1572	3964	file.exe	90
PID 3964 wrote to memory of 1572	3964	file.exe	90
PID 1572 wrote to memory of 1876	1572	vbc.exe	92
PID 1572 wrote to memory of 1876	1572	vbc.exe	92
PID 3964 wrote to memory of 4064	3964	file.exe	93
PID 3964 wrote to memory of 4064	3964	file.exe	93
PID 4064 wrote to memory of 4940	4064	vbc.exe	95
PID 4064 wrote to memory of 4940	4064	vbc.exe	95
PID 3964 wrote to memory of 1012	3964	file.exe	96
PID 3964 wrote to memory of 1012	3964	file.exe	96
PID 1012 wrote to memory of 3584	1012	vbc.exe	98
PID 1012 wrote to memory of 3584	1012	vbc.exe	98
PID 3964 wrote to memory of 404	3964	file.exe	99
PID 3964 wrote to memory of 404	3964	file.exe	99
PID 404 wrote to memory of 3140	404	vbc.exe	101
PID 404 wrote to memory of 3140	404	vbc.exe	101
PID 3964 wrote to memory of 4852	3964	file.exe	102
PID 3964 wrote to memory of 4852	3964	file.exe	102
PID 4852 wrote to memory of 1828	4852	vbc.exe	104
PID 4852 wrote to memory of 1828	4852	vbc.exe	104
PID 3964 wrote to memory of 1864	3964	file.exe	105
PID 3964 wrote to memory of 1864	3964	file.exe	105
PID 1864 wrote to memory of 328	1864	vbc.exe	107
PID 1864 wrote to memory of 328	1864	vbc.exe	107
PID 3964 wrote to memory of 276	3964	file.exe	108
PID 3964 wrote to memory of 276	3964	file.exe	108
PID 276 wrote to memory of 5016	276	vbc.exe	110
PID 276 wrote to memory of 5016	276	vbc.exe	110
PID 3964 wrote to memory of 4832	3964	file.exe	111
PID 3964 wrote to memory of 4832	3964	file.exe	111
PID 3964 wrote to memory of 1404	3964	file.exe	114
PID 3964 wrote to memory of 1404	3964	file.exe	114
PID 1404 wrote to memory of 4576	1404	vbc.exe	116
PID 1404 wrote to memory of 4576	1404	vbc.exe	116
PID 3964 wrote to memory of 2544	3964	file.exe	117
PID 3964 wrote to memory of 2544	3964	file.exe	117
PID 2544 wrote to memory of 4524	2544	vbc.exe	119
PID 2544 wrote to memory of 4524	2544	vbc.exe	119
PID 3964 wrote to memory of 3468	3964	file.exe	120
PID 3964 wrote to memory of 3468	3964	file.exe	120
PID 3468 wrote to memory of 428	3468	vbc.exe	122
PID 3468 wrote to memory of 428	3468	vbc.exe	122
PID 3964 wrote to memory of 2940	3964	file.exe	123
PID 3964 wrote to memory of 2940	3964	file.exe	123
PID 2940 wrote to memory of 3196	2940	vbc.exe	125
PID 2940 wrote to memory of 3196	2940	vbc.exe	125
PID 3964 wrote to memory of 4080	3964	file.exe	126
PID 3964 wrote to memory of 4080	3964	file.exe	126

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3964
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\75rfhdz4.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4380
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2045.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF57C24E6713545D6B0D9325120E2C817.TMP"
    3⤵
    PID:2940
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\g-9xryqi.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1484
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES212F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc21F9CB8978F4B0987526C7772A9367.TMP"
    3⤵
    PID:2376
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\q90ftacq.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1408
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES22E5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4A2E209E18BE469B8DF6280695DDE4E.TMP"
    3⤵
    PID:4420
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ukoowkaa.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4324
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2371.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA6F0308F1FDD41E5ADB7A09B1EAB07A.TMP"
    3⤵
    PID:956
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hfwgsloq.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1572
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES23CF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE874E7A38BD84D879914CC502F88148.TMP"
    3⤵
    PID:1876
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uf8wxb28.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4064
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES246B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC9F83CC9DA1E4A60B3F3A5EFB6D179AB.TMP"
    3⤵
    PID:4940
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ydnlmixx.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1012
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES24D9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC614F72478A44511AE38D27EC3A349BA.TMP"
    3⤵
    PID:3584
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\a97jpbm0.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:404
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2536.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE6FFC3F68DFB41DFB633BC152FFABB0.TMP"
    3⤵
    PID:3140
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vwuastya.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4852
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES25A4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF34C9EE6A0F47BAAEF09D154B76EBF.TMP"
    3⤵
    PID:1828
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zbheco_h.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1864
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES25F2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEF2B4567624DC4B87C12998E98280.TMP"
    3⤵
    PID:328
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yofjqxx2.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:276
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2650.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBAFF69094D6F47E89057B5E24A724172.TMP"
    3⤵
    PID:5016
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zdb_sghw.cmdline"
  2⤵
  PID:4832
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES26AD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc12D18EC7A59E43B39A31AAC8FFC27EF.TMP"
    3⤵
    PID:3276
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\iiuok69l.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1404
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES271B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE41FF0DDF1074020B03E4A55FB1CC65A.TMP"
    3⤵
    PID:4576
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xkqak3bo.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2544
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2778.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD9630C6F28C144F4B319F1AE98A970DE.TMP"
    3⤵
    PID:4524
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\k4vgpbmj.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3468
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES27D6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc329197642ECF49F9997FEF0E33E4B35.TMP"
    3⤵
    PID:428
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pj4tafjd.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2834.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5D9D6C13C8FC4BB8A233B5269452F277.TMP"
    3⤵
    PID:3196
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yuv700hx.cmdline"
  2⤵
  PID:4080
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES28B1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3553945412EF414A874E8AF11BB2F4FA.TMP"
    3⤵
    PID:3884
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\b6b170ys.cmdline"
  2⤵
  PID:396
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES28FF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE1603773C4314DB0AD9A839230A339C7.TMP"
    3⤵
    PID:2308
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cpcxpnkx.cmdline"
  2⤵
  PID:2908
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES294D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc201FBB94F62843658F63CA59B9A286B9.TMP"
    3⤵
    PID:492
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vtcghz8j.cmdline"
  2⤵
  PID:3952
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES29AB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB4E98D4D702A4674B153FFDBE9ABEDEB.TMP"
    3⤵
    PID:2856
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qslox1fw.cmdline"
  2⤵
  PID:2032
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2A09.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5856CDFC163497E8DD4313D3CA9D430.TMP"
    3⤵
    PID:224
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bmxacgrs.cmdline"
  2⤵
  PID:4940
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2A57.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc325EB4C346C4993A7FBC9409C7FEFB8.TMP"
    3⤵
    PID:1852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\RevengeRAT\vcredist2010_x64.log-MSI_vc_red.msi.ico

Filesize
4KB

MD5
1aeb31263fe0bbc20af9e4352978ddeb

SHA1
5b3bc4e08862c0df913811ad1cb6fb6c82c781fc

SHA256
bd00ef0480683638fe864da372b04ec7138cc5d65bcf0b243bc786bc0e131795

SHA512
42784c34d62f10be666141cc9c0df8a32dcca10cbcc5b2290a079bfac52ebaa2728692b788dd8b07458df13cdd400fae66ad750e3fdecaa6cb76e91cb12aafca

Download Submit
C:\ProgramData\RevengeRAT\vcredist2010_x64.log.ico

Filesize
4KB

MD5
64f9afd2e2b7c29a2ad40db97db28c77

SHA1
d77fa89a43487273bed14ee808f66acca43ab637

SHA256
9b20a3f11914f88b94dfaa6f846a20629d560dd71a5142585a676c2ef72dc292

SHA512
7dd80a4ed4330fe77057943993a610fbd2b2aa9262f811d51f977df7fbcc07263d95c53e2fb16f2451bd77a45a1569727fbf19aeded6248d57c10f48c84cb4da

Download Submit
C:\ProgramData\RevengeRAT\vcredist2012_x64_0_vcRuntimeMinimum_x64.ico

Filesize
4KB

MD5
628225f70a7f7790be8f8510681dec44

SHA1
e71ed2d62139275facd4679f94fe8eaaec8eb9ae

SHA256
51baffdf72f37229d0f28189f8c00aacbee314356a628b2da8b1271574d350c5

SHA512
89d5c69c7fb2a24d99afb0e5227f1493456a9f9fae50d07178bcfb1670ab878affedf2ba4507bf21b664cf413d696e21481a894434a7850231194dbe675bf4d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\75rfhdz4.0.vb

Filesize
376B

MD5
52ddcb917d664444593bbd22fc95a236

SHA1
f87a306dffbfe5520ed98f09b7edc6085ff15338

SHA256
5c55dcac794ff730b00e24d75c2f40430d90b72c9693dd42c94941753a3d657d

SHA512
60dafb21f44cbf400e6f8bc5791df9a8d497da6837fb1a453fda81b324ac6f70fb9ec0efb1e7649b9bed0dfe979016360f3bcfef543d7e9432a97b96c8b9fd35

Download Submit
C:\Users\Admin\AppData\Local\Temp\75rfhdz4.cmdline

Filesize
256B

MD5
63563807b39fefb59b023fa5cca85d34

SHA1
f653216c13c71219798e3c0015dca238e7e1db2e

SHA256
0343b5995c1f51f2c289c48ba08e2f16700ac257d1726237615d665e289a483e

SHA512
8077944aa9fb2def3956462f5d7449fd43a097e841fa8a135623fd82c5d2e0759ecff1b3342676a009941d71b026dcaa31dcea109be8780bb7879da78f2210ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2045.tmp

Filesize
5KB

MD5
d5c5f4f603337702059836f660e1724f

SHA1
cbc264e40c56966d26c490b7746d23fbbe3bd40b

SHA256
e7b9900f7ada06a840319f48e3ce303793c2fab048350fffb990e31a2da86682

SHA512
afd03acb6e250f308bdf0f39050428c91d8693be0956e3d6f4f8955b872aa0bd6e2f5dd5ce385c2cb9d67cb3e97749fc26fe21d7848cc2fca14815be373b7140

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES212F.tmp

Filesize
5KB

MD5
e0687da99614906ffaeebcb596cde94b

SHA1
e5b061107ddbc72b8edb9fc4915a95715dccda7a

SHA256
0153f5bdfad535c0d6ed765646355e5530436ddfec7a8a0ba70f9a6e7ebab2f6

SHA512
3cf6781996005acb63b344e334145876bb3b7abf30880b7f3c56e661f695bc9dc80df3d6a80fc40e04482283fb9f21e2901dfe59d8535e6d88b5f471a58186c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES22E5.tmp

Filesize
5KB

MD5
1955ff112536267bb41687484eff1a76

SHA1
3cf58cb206ce12e79f7a5eb11b8f9793ce75ed6c

SHA256
50f63937bd66739b410f7875cbdab1ae6b57e69767969f65b92be5514a3540eb

SHA512
a29c08017c61679f8804bbbf7622f2ba9d658b1ac229b1740391602b9de9a7b0db219a7cadbb754d255af635363263c3f1e8e650d57d808dc9359ebb4ee0b5cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2371.tmp

Filesize
5KB

MD5
b815612088f88d46057e583f1aec1620

SHA1
8f340c1ca71cd90a9ded60b92b7705a745d83c7d

SHA256
f871b5d9765cc1072bff5e76c2009969bd0a97b89bace6e1c4c448fee1eaf38b

SHA512
ca395413eb5c177da03a3697eca14ece57583f08fe66921bb01be92c08b4a9c6af99ce6447b90e427bea4307236bde0f9c34273c67f4233ecbd46473bb7fdcbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES23CF.tmp

Filesize
5KB

MD5
4c38ccb369f598b0783a7016e0bf4b83

SHA1
feab58746e7b311c84153cf1b85f49f87455e892

SHA256
903a342f277da3bbdc630c945214b682ce5957b957431962995e1cc298747e4e

SHA512
e2e40cc788f98dae64e09f3f2b772791066f3f26d6f64b4e0b4d471c9d7b17d67aa72f1df7f952ffd803ea20050524363197262b66c95a192f5000143a2408d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES246B.tmp

Filesize
5KB

MD5
d4435119e54649d3f326936e6af661c2

SHA1
e80916fd8b78d5b0159af8df7b48a0a15c3c7284

SHA256
d1764bbb8910ca2fe16e11e367b305d95848fae2647b4be9b6a2d495b18d6575

SHA512
bbe52629e46dceca379ad28fbf62d28a1dca63ee1b6298eec125e66b44268196a071d870f7519ae45b22257b06b173709e54be10309aed50912df75e6b282a1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES24D9.tmp

Filesize
5KB

MD5
54952283eaafa32e3689a0c765cf8c5c

SHA1
c9c552a190d9f237795bc9af248287d02476c435

SHA256
07b1d03e0db5f872e908951e612b9c07f7fb74c7acd0ba2c7d59f5e060f28b7d

SHA512
cccbffc4c2f51acb18d63a91e4d65a282e1ccf1e9cd0d306f1712526f458a6997a265d20d82fa1495b0ffe8ad26ed6211100fb30a172c67b7bb90ef6ef144fc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2536.tmp

Filesize
5KB

MD5
31452e1e19e143e89295f50c786b3dbc

SHA1
9213efc829f3f248300b0121c6eecf3eb1cecc7f

SHA256
a209dae953a83217852a127a46a6d5950e0af506b70ea17392093dd2926bd5fe

SHA512
05af362a32e37b81ebc29fd07adab46ee5b1b61f8e7946f0b1194e647b08577ba12960d4a9808c72583f065f57d684314f50ec357942ae1403c9f88a03ce2892

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES25A4.tmp

Filesize
5KB

MD5
3a632e3c6aec096124b8db72ea136f9f

SHA1
a719698e0af8214e550ba0fce9cf099cef3bdad5

SHA256
a0f7e0255f2122175fe53f6088ef3266a23522c4af0804272cfbbc34df38cb31

SHA512
cac26e46a1d776def76034b8e85391e777901760df07493a0edb1dfc2a4f2f36dc53ab53fd1941df2b17fd0805ea705bfb2b41efeb32eb10a894455b83ad55e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES25F2.tmp

Filesize
5KB

MD5
f1863dc9dbaa7c695968a360683e89cd

SHA1
8e7a16018ec107da0f0b9b1dab68e525834b0868

SHA256
8625fc2f3deb6c375c55a5a55ef716d365a0eddc78eef5c9a06663636be710b7

SHA512
5b4ed4b3cb7d7c2ef6227bbf6e0a594e79fdcba0c737ad5dfe6c29a31c782b5eb5b9038f9cf886e8d50ec68d42ee03c76458fc6b7ade8c44ee9f06edd89fff46

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2650.tmp

Filesize
5KB

MD5
dc9093378042e20ef7ebaeb396c655f0

SHA1
0e729f85660e793fe8f24b7e3fe281c746f352c8

SHA256
0371bbb000c0730050df93c0091298298ab1b6fb5dc74c396df2f1ac8ba24d14

SHA512
a87acbbe16b6060101f7ae3323d41f25c431cd2675accf695edd5be40c07316b772897f8ed029fbed2ef385091eb1f629cc8da299ca8a933e4478c3bab75905c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES271B.tmp

Filesize
5KB

MD5
6eff4463403eca4fa50a1b5e0b55434b

SHA1
e08e6ec0771812df659f9a10381cf0b822d6b162

SHA256
7c8b3eb06e1a11e3a8acefa404d669d3084f8424e58d32d112ece2fdfd390dcb

SHA512
f168d1bcdee39f43dee320f4ff31eec3f3f61131e9773c7418d41261c630e355babe988ac36100c2edcda0adb1334c4916a7a549a448039418d55924bd01f9b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\a97jpbm0.0.vb

Filesize
383B

MD5
a236870b20cbf63813177287a9b83de3

SHA1
195823bd449af0ae5ac1ebaa527311e1e7735dd3

SHA256
27f6638f5f3e351d07f141cabf9eb115e87950a78afafa6dc02528113ad69403

SHA512
29bec69c79a5458dcd4609c40370389f8ec8cc8059dd26caeaf8f05847382b713a5b801339298ff832305dd174a037bfdb26d7417b1b1a913eacf616cd86f690

Download Submit
C:\Users\Admin\AppData\Local\Temp\a97jpbm0.cmdline

Filesize
270B

MD5
0402d197ae2ab2d82a7c4c821f9b147e

SHA1
6757fb9d1c632d66cc5375637601d741b03d58d2

SHA256
fcd91755ba84512b5f0757c563ac9fc8b130fca68140f9d61a819f8b6546cc6a

SHA512
8bf9fb244711ca5cfe0d543250de1797839f1398481c0b3f2f323590bf16b7ec823ea820f3cbc3a775b7a388aee7a432d815dd53a4d7371f98c5c64c8a14b36f

Download Submit
C:\Users\Admin\AppData\Local\Temp\g-9xryqi.0.vb

Filesize
362B

MD5
31e957b66c3bd99680f428f0f581e1a2

SHA1
010caae837ec64d2070e5119daef8be20c6c2eae

SHA256
3e32c4b27f7a5840edc2f39d3fc74c2863aa2dfd9a409f1f772b8f427091a751

SHA512
6e61d77c85c1bf3fd0c99630156e0390f9a477b4df0e46218054eae65bee7766443905f48e3f3c7dec72b3fb773f758cf175df54f1ed61ac266469579f3997af

Download Submit
C:\Users\Admin\AppData\Local\Temp\g-9xryqi.cmdline

Filesize
227B

MD5
3dba558bf95ee5d92be4874bf06c2fcc

SHA1
d3f7a5f3d745dc05356a327d28f44bff2805432c

SHA256
09483404028cfad9826495c1cc9b908f684bf2e9a1e3df69d4fde26b545ed02d

SHA512
f68346bd16f19036983bfaab10f5c4585e9980fd1e32e36e6307d1ad120db57786fbb9876b7061db0beb7235a9e1bbae24e8ee738f425af2b790f7e8fa68f338

Download Submit
C:\Users\Admin\AppData\Local\Temp\hfwgsloq.0.vb

Filesize
380B

MD5
3cbba9c5abe772cf8535ee04b9432558

SHA1
3e0ddd09ad27ee73f0dfca3950e04056fdf35f60

SHA256
946d0a95bf70b08e5b5f0005ff0b9ad4efe3b27737936f4503c1a68a12b5dc36

SHA512
c3c07c93011dc1f62de940bc134eb095fa579d6310bd114b74dd0ae86c98a9b3dd03b9d2af2e12b9f81f6b04dc4d6474bd421bce2109c2001521c0b32ae68609

Download Submit
C:\Users\Admin\AppData\Local\Temp\hfwgsloq.cmdline

Filesize
264B

MD5
fa5a7f2af2d00f749836fed956798088

SHA1
5d9d853cdffe8a67c33f4194eed9c295f419e2b6

SHA256
c2b05c5bbc8366c8e9d44bfa524ca38ef4d8c17d00745cfbdedfb2011ff1933f

SHA512
670c1f184a0caa26a0acea4bebe0bac08e239795e5f880f365b4d71451ee9df07b53eb2bb651aa71dbf9fd650964a95602c1dde426a6c014bd768fd7c65829c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\iiuok69l.0.vb

Filesize
382B

MD5
37c6619df6617336270b98ec25069884

SHA1
e293a1b29fd443fde5f2004ab02ca90803d16987

SHA256
69b5796e1bb726b97133d3b97ebb3e6baac43c0474b29245a6b249a1b119cd33

SHA512
c19774fc2260f9b78e3b7ee68f249ce766dcdc5f8c5bc6cfc90f00aa63ce7b4d8c9b5c6f86146aa85e15fd0c5be7535cc22e0a9949ef68fbd5aca0436c3bd689

Download Submit
C:\Users\Admin\AppData\Local\Temp\iiuok69l.cmdline

Filesize
268B

MD5
029b95a8811aa3998b70ba1d24d61a7c

SHA1
ad505256d693fe995f6ebc73f3064842400654fc

SHA256
ec2c008db35b25c871ae0d8fdf1cb73ce4b1f9b1f6dfe94b93b5cbd1d4d8bdf3

SHA512
6e94bbc4236a420811bf27cdcdcacfb9bdc1d4042411c8d6de5bc392027f4690fcb17451ac248189e0c2bc356cacd702dea4e619e22fc3f413efc7aa9915b5d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\q90ftacq.0.vb

Filesize
376B

MD5
0c699ac85a419d8ae23d9ae776c6212e

SHA1
e69bf74518004a688c55ef42a89c880ede98ea64

SHA256
a109cb0ae544700270ad4cb1e3e45f7f876b9cfac5f2216875c65235502982fe

SHA512
674e3f3c24e513d1bb7618b58871d47233af0a450f1068762e875277bbddf6c4f78245988c96e907dbbf3aafb5ff59e457528b3efa8e0a844f86a17a26d4f3d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\q90ftacq.cmdline

Filesize
256B

MD5
dd3fc07a1feefa6dec98873346a31a97

SHA1
da930db3cdbab3170e5c109bbe25ae36e2970cf5

SHA256
eb0fb277cbfb1824ef0d0c878c3f33654afb5f5883e9c6ef70ada557ec5b1808

SHA512
75e5e95ac97d0a6627c13cc6b7412c9b1842353f9f279b7b36e5b0bbaa24bf8bb2f9ea6585957db8d6fb4fdf064595dd938822e14df46e669066e1b979929a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\uf8wxb28.0.vb

Filesize
383B

MD5
e8615295f45d210bf3b7d023e3688b9f

SHA1
e33be2e3faddd8e48f62e0f30ad3cdc08bae7e33

SHA256
c81a9b36d60cc8d54374337bf1b116165c41be0cd2460ac35223fb790f5f94fc

SHA512
b48fa683711c9cd16f6e4e007145a508b617bbf9847efc1d81cdea75dda43bf88a3d094fc93fe8ef7c4b55e3dd1c4e687a6044b504b106262b2566c4ab944919

Download Submit
C:\Users\Admin\AppData\Local\Temp\uf8wxb28.cmdline

Filesize
270B

MD5
4646b732a5a4e19e351f9d4cc04362dc

SHA1
bc9a63ca44eecb43a33b2c451218597244fba39f

SHA256
827086a47ae92b9ff1a328e3c7fbe3fda5bac23bc6cd022b64d01d7524011c74

SHA512
82030afb34aa6d6c6ec9027a3ae514040ec79482aaee3967e1ecb4950d511fc8c73288b9c4b28e63796cf051a6f62ff7bba6d78dae10a7e15ed55019d8671394

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukoowkaa.0.vb

Filesize
362B

MD5
3b4aed436aadbadd0ac808af4b434d27

SHA1
f8711cd0521a42ac4e7cb5fc36c5966ff28417b6

SHA256
ee55ee594a9bb7acee0dfaa9aaa31ebc044e3090b5a68baef63ddd2f6493d3a6

SHA512
6ca8a69f31876db620e8818d896257d3683dcf859841afa3ba7b83ae57ce67c47b98b4e44c449b02eb789b683b840e769857b10cf16a5a5882683e96f65ab5ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukoowkaa.cmdline

Filesize
227B

MD5
85c842a183a1745dd84299b34f4124ad

SHA1
c921c93c9b3a0519577d1298b06461e541881e4f

SHA256
89ca500c13b7e711e85e758c6364e1e93e65b1ffc25af6396ee3560088d6c38a

SHA512
329f352d1ce481cce17651840e268b354e4646cada45779af8f0e143133ddd887bb0653716d425c854f94acd676c58a87758e12846d5ea4c11367b4fe378ba86

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc21F9CB8978F4B0987526C7772A9367.TMP

Filesize
5KB

MD5
0fe8a8eff02f77e315885b53503483a8

SHA1
953a58a0ff6736967270494a986aca7b5c490824

SHA256
2d2c202dfa06961e1fad395fe08f9caa4b1004f71a0c37457581fa095229afba

SHA512
e0fbfcb9a2db833bea58e5ed923f93689ee598c76f27fb57e19d9a7f110369035f00c3d0d4f229997aeb7b3dd38a24a5a76d55f66f35040fe986f31d8f79a7af

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4A2E209E18BE469B8DF6280695DDE4E.TMP

Filesize
5KB

MD5
fa0ea61b86cdc0350ee563b84dad436c

SHA1
16d17ae28546db405e12cb5aebaec3c4539e553c

SHA256
c18ec284bc3c78bc8cf6da74461d62b266e913e62b11ceae01d72feac8c855e8

SHA512
6dbecbdd8c3b14b382391a3a08da70196d41f4115b1835c424abb154ca4957e14e52f20f49dd3b1b2e711af58bfd20322b0672bd7c5bed7564cdcb84b4ae00a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA6F0308F1FDD41E5ADB7A09B1EAB07A.TMP

Filesize
5KB

MD5
83005fc79370bb0de922b43562fee8e6

SHA1
d57a6f69b62339ddadf45c8bd5dc0b91041ea5dc

SHA256
9d8d4560bcacb245b05e776a3f2352e6dbecd1c80ac6be4ce9d6c16bc066cd9c

SHA512
9888bf670df3d58880c36d6d83cb55746111c60e3949ec8a6b6f773a08c96d7d79305192c5ad9d7c6689e93770880a5be56968bd12868b8b5d354bf5b39bee05

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcBAFF69094D6F47E89057B5E24A724172.TMP

Filesize
5KB

MD5
7c04bf84192da6fdc87e35d3c35ef21f

SHA1
7d24eb1534f1023232529764a360f70241cec9c3

SHA256
8d1915e1a237d10e8a995ff66e41c159b3a571745c1ea59edc2cbd5a0eb81f2f

SHA512
b82b36b7e6e42c7fe85a979fc684808deecc9670fa8e6d30162dd92c0c24df29e12dcece12d8f21877150f25e60e2ac3f56c4ba99de0ca93cc6485cbcb705926

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC614F72478A44511AE38D27EC3A349BA.TMP

Filesize
5KB

MD5
9b48a2f9178836ca18aea1429f94005e

SHA1
a5dcf1548a7beea98afe950e93bcc0acebfd14df

SHA256
b984cfa846dc36a52bb14fc3b1fc70de05886dcbe77453866ff7025a60a8d875

SHA512
6b0f9283c9b3cd5d8cde31b50f86fa3cefb4cf90d01b691fbdf3981286ba0f96fa56a956091654e208af29e01f60f0b543aca1eaa2876581e2da6ac63d1ece9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC9F83CC9DA1E4A60B3F3A5EFB6D179AB.TMP

Filesize
5KB

MD5
dd5d3c54c9a01676248cedf0194704d2

SHA1
27b3435ffa15c65fead3f5bb62418c76ffdccaed

SHA256
75af85f8a1d9d2ba86869b8134f4774bcdb5cd99976ab14bcd6790e0529a5fc7

SHA512
2541d4cbc6f8cb9f9295d86b0e9c45b0c5203809c827caa43d5a8d40dcae447c13f06841c10fc43b7f3695f6590dd6a17e552869ebe064110a3d427bdb7614c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD9630C6F28C144F4B319F1AE98A970DE.TMP

Filesize
5KB

MD5
91182dde4d9f740b9c8952c4e0256a1e

SHA1
daebc222cb1e1ec88a07529f8e78bf78ed43e0f7

SHA256
21ae62443f91264c7b0ace37913117e66ceec1cd83996cfbe7e1b5012d0ba6b4

SHA512
0e7d33b7f2c50835bdfc2be8b5a8b2cc824eafd33cb0c94f937bae4f32ccc70874d98d1b1a31a86923316957fc3f7432b00db2b1fc1c3d4f820ae7645ace4261

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE41FF0DDF1074020B03E4A55FB1CC65A.TMP

Filesize
5KB

MD5
8fc1e6ef9cd7da9f7f078b4e83ab5881

SHA1
207075e49285ef1309fbebd47fd234bcbe3d23be

SHA256
bb847df8a5eae666314525cb43c4a2b04a04a3e120106a0520ac22446740df0a

SHA512
e812a6cacc047581b453b73e7c09b0e595b6b17250dd30457f23b09cf485810cbb0712ca981584406c0902b85d2af061d32fb294febe6e5bd3c853a93b4bd343

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE6FFC3F68DFB41DFB633BC152FFABB0.TMP

Filesize
5KB

MD5
1b0224657b89b0fd8c562033931b4462

SHA1
f4500927e58534c2726e72cfd2697740b9eb02fe

SHA256
e88aa8ef58393fea0ffcbb97083e4ee5562df7efa29906e32fcfef8408869cbf

SHA512
71a560a02d10b3263cf89f90455609b8ebb1575b96ca5e8f6e73cac8ba162fd9c78dfa08391dbee09f8f1d6b14123c7e6543be1bed397e81a9376d75f45e4581

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE874E7A38BD84D879914CC502F88148.TMP

Filesize
5KB

MD5
7d84046a9e410e722c2cb028a8ac43fc

SHA1
50f99867408c2524fa83f03672f885916a8ccaf0

SHA256
d9e98a47cf09e79fd8be822d03d015ee6761c8b4a8e21b892abc2c84e1255f75

SHA512
55d31847d3e8d5eb72624396d43f84ce74b0728fb68093b48a89bb12542eb1321c6a2f5ee9c74ae83810dab100b59705b458b4e94e8d54c8b45ed649568a09ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcEF2B4567624DC4B87C12998E98280.TMP

Filesize
5KB

MD5
7de03b6198ad29b6123748fa57907834

SHA1
3da082db9aa91268cfc5ff3f2052547e16cd7a65

SHA256
028decb2a1db85af02b972c740b15a9e27f62407ed6e9eabf429341e8fa9229f

SHA512
2d6a648d631ba96602a4c491c4027247d04495eaffd0c75798c4d438a1c0e85a4ab970b328f4858e7f548a975be3d315b519b789b494eebe1e3e1e7000193b51

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF34C9EE6A0F47BAAEF09D154B76EBF.TMP

Filesize
5KB

MD5
14f64896a9d680a6f92558a22a2846e4

SHA1
b7d49857cd9794a521fcb2618ae519e53692c21b

SHA256
348eb53565e89641919320a393d01bd10cbee456730c58f8c8e02ed45cd4f356

SHA512
476f8a6349a4045037594487cfbbff3f263f4d3844dafe5fcbe5be53cbb6a2383145abf1d4d338f0d5a8623b03b5b129344bc0e924cff82c89c91f99a18bc1dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF57C24E6713545D6B0D9325120E2C817.TMP

Filesize
5KB

MD5
a4dee325ec70bc35d4140981f4c6d174

SHA1
5330b647146564e0ed0fbb35fa2a191b80bab189

SHA256
7ed5a237aefc220f94f7a8f87a26ca25b1fe6f0a0ec4ae95150f2a6e9b0d41cf

SHA512
0764966ae546ab259903b581ffbe56b02e3f99f798f5f4524856a4ea2cb592a6a465599091ec7c43415ec38ec56087ceb657afe27063bc435d143785ec595a9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vwuastya.0.vb

Filesize
382B

MD5
44ab29af608b0ff944d3615ac3cf257b

SHA1
36df3c727e6f7afbf7ce3358b6feec5b463e7b76

SHA256
03cbb9f94c757143d7b02ce13e026a6e30c484fbadfb4cd646d9a27fd4d1e76d

SHA512
6eefa62e767b4374fa52fd8a3fb682a4e78442fe785bfe9b8900770dbf4c3089c8e5f7d419ec8accba037bf9524ee143d8681b0fae7e470b0239531377572315

Download Submit
C:\Users\Admin\AppData\Local\Temp\vwuastya.cmdline

Filesize
268B

MD5
34c3931de675064c5f56b16b739a96e4

SHA1
d1c8fcaf077ea538dec0a68decf386cd0804838b

SHA256
fdd7bb7eb241bc716ae334a37e3cada0f79ebd1e9937d1c2b80a1e3d5e8031ef

SHA512
234f8f24a57069ff7f53e0304447a2434d5ac9b915b2a041f1145c47f84b8c372099df6c6f9c520831f014a86cca41dff091c316bb6f4a902c0d4aec980bb78e

Download Submit
C:\Users\Admin\AppData\Local\Temp\xkqak3bo.0.vb

Filesize
385B

MD5
44c3238e3e25a90ad2d90226be511ade

SHA1
eb8a7247b134333bb31e866f828ee95083edf724

SHA256
fe7ad6b4902084a2d89525ac14f614d6758e05a9987edc1dcb76506ab93fbeaf

SHA512
13a7fe2c7b470d8a4c0303fdc30275fc03ac21a915bedfba0076d808d097be6864750c5a2fe10bd80e42182fc397334b1e20d8b12de7bd826e6f3ebd7aa47cae

Download Submit
C:\Users\Admin\AppData\Local\Temp\xkqak3bo.cmdline

Filesize
274B

MD5
3b3b0f8ee5be542518962a4bc55ea210

SHA1
16be16218e7ddde7a021660b0dacc1c6514cb639

SHA256
dda53295c68357644e384090ecc8897e5ab815d252bd1c33dd01091f2480f64d

SHA512
33aa07d1b66b0514775dd7adfb4add6df871f3faad3069235a583b7960eb81cf151690eea61d3058112752ab77a834a2c8cd156abfa126b1a54eaca05fa62b76

Download Submit
C:\Users\Admin\AppData\Local\Temp\ydnlmixx.0.vb

Filesize
380B

MD5
6a3d4925113004788d2fd45bff4f9175

SHA1
79f42506da35cee06d4bd9b6e481a382ae7436a1

SHA256
21be523eca2621b9e216b058052970dc749312d2c26836639d8e8faff94c76bb

SHA512
2cfdecfa0604ad7fd54f68bf55e7c52701c7b196de51412e172526affffd6e6c4bc443b6df0fb21d2c777c809aa4e3809bd2b5b385e0d033604b6b653a0f416d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ydnlmixx.cmdline

Filesize
264B

MD5
9c0d7164256e76ca6952fb568c5479c4

SHA1
f1cffb2508c7b0a56da3c51986dadf1e6852a17c

SHA256
194780981e639e0e4c55ac0d5897efbe2dfe871702483b7d0f015cfde21ee314

SHA512
e22563e45103354391d1b859f76137d02af6c83a80bf312a0ccf422c6669cb9aa14eb637db5d41cb80a30a81a56af4b24d3c9e760b2a3d3b79b26bd3714ce92c

Download Submit
C:\Users\Admin\AppData\Local\Temp\yofjqxx2.0.vb

Filesize
382B

MD5
7d4fad6697777f5a8450a12c8d7aa51f

SHA1
879db5558fb1a6fac80a5f7c5c97d5d293a8df5c

SHA256
741018cae167c9f6c1206e75ddf3d758543f9a16bec5d56a07fab9eb5439e3f6

SHA512
6a31b4eab1829db245773e18e97f9a9956224174e28218476e45e8907bf8b4341ed732a0153a320cb956f2eca4e014c1ef6b0c6f627cf97a79b7a81f8e1fe144

Download Submit
C:\Users\Admin\AppData\Local\Temp\yofjqxx2.cmdline

Filesize
268B

MD5
8b20b9fe0bbfd8c3a183b58cf8f729cb

SHA1
3ac57f6b58c94aaaf1a7d0c5c132e30e6a92bf8e

SHA256
a4bc45a1d8dde1b59580fe407818d9d0f1d0de78e3039ceaa8cd94e3a2dfdf43

SHA512
ad797e4d14f26927b39eaedfe5e399aa6a1a0cb4a148209ef8bea8f0173a1213ce2993d23dab025fb88895175c2527ed5d6175ca1609c1403a12a58b90ae1b7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zbheco_h.0.vb

Filesize
385B

MD5
0ad1ae93e60bb1a7df1e5c1fe48bd5b2

SHA1
6c4f8f99dfd5a981b569ce2ddff73584ece51c75

SHA256
ea68ce9d33bd19a757922ba4540978debcba46f1133fbc461331629e666d6397

SHA512
a137a8f18a2b2ff9c31556044dd7c41fb589a6a52b15e4dc6cbb3ba47ab4a06d8b9ad54fb498100dab33f8a217848d31f14daca736045afb4f76ffb650b17f03

Download Submit
C:\Users\Admin\AppData\Local\Temp\zbheco_h.cmdline

Filesize
274B

MD5
f4a477dfb9f2f94dbc8386421b05c6b3

SHA1
316995986199916a99ed7d163c3158181e175a17

SHA256
d8c268151c536f3633e08804fa2d171d85210533269d642c6f001f7660ffaefd

SHA512
19a14584bdd83b7b1fc940476f292a2dca373a8a92243f950138ab828623f7d510b5436a610dd0d57f0937f09d5c0c641137a0f515a59efbfd444bf22f7a45da

Download Submit
memory/3964-6-0x00007FF87F835000-0x00007FF87F836000-memory.dmp

Filesize
4KB

Download
memory/3964-4-0x000000001C9A0000-0x000000001CA02000-memory.dmp

Filesize
392KB

Download
memory/3964-5-0x00007FF87F580000-0x00007FF87FF21000-memory.dmp

Filesize
9.6MB

Download
memory/3964-2-0x000000001C8F0000-0x000000001C996000-memory.dmp

Filesize
664KB

Download
memory/3964-3-0x00007FF87F580000-0x00007FF87FF21000-memory.dmp

Filesize
9.6MB

Download
memory/3964-7-0x00007FF87F580000-0x00007FF87FF21000-memory.dmp

Filesize
9.6MB

Download
memory/3964-10-0x000000001DBA0000-0x000000001DC3C000-memory.dmp

Filesize
624KB

Download
memory/3964-1-0x000000001C370000-0x000000001C83E000-memory.dmp

Filesize
4.8MB

Download
memory/3964-0-0x00007FF87F835000-0x00007FF87F836000-memory.dmp

Filesize
4KB

Download
memory/4380-17-0x00007FF87F580000-0x00007FF87FF21000-memory.dmp

Filesize
9.6MB

Download
memory/4380-26-0x00007FF87F580000-0x00007FF87FF21000-memory.dmp

Filesize
9.6MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads