38bc13ef112b2f17d4d1a80243fac6a521b5d58228984aae0752d79487fa3b66

Resubmissions

01/03/2025, 18:58

250301-xmhhrayp15 10

01/03/2025, 18:55

250301-xkqrcaypx7 10

Analysis

max time kernel
142s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04/12/2024, 19:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

101KB
MD5

88dbffbc0062b913cbddfde8249ef2f3
SHA1

e2534efda3080e7e5f3419c24ea663fe9d35b4cc
SHA256

275e4633982c0b779c6dcc0a3dab4b2742ec05bc1a3364c64745cbfe74302c06
SHA512

036f9f54b443b22dbbcb2ea92e466847ce513eac8b5c07bc8f993933468cc06a5ea220cc79bc089ce5bd997f80de6dd4c10d2615d815f8263e9c0b5a4480ccb4
SSDEEP

1536:fkSJkZlpqwZoMoG5XoZnOZBX7D/3BINVRX3FjBqa8D3tSYS9h:MXlpqwZoMz5XoZncB/3BINZjy9SYS

Score

7^/10

persistence

Malware Config

Signatures

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Users\\Admin\\AppData\\Local\\Temp\\file.exe"	file.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4412	file.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4412 wrote to memory of 2408	4412	file.exe	96
PID 4412 wrote to memory of 2408	4412	file.exe	96
PID 2408 wrote to memory of 5020	2408	vbc.exe	98
PID 2408 wrote to memory of 5020	2408	vbc.exe	98
PID 4412 wrote to memory of 376	4412	file.exe	99
PID 4412 wrote to memory of 376	4412	file.exe	99
PID 376 wrote to memory of 1636	376	vbc.exe	136
PID 376 wrote to memory of 1636	376	vbc.exe	136
PID 4412 wrote to memory of 3828	4412	file.exe	102
PID 4412 wrote to memory of 3828	4412	file.exe	102
PID 3828 wrote to memory of 3628	3828	vbc.exe	104
PID 3828 wrote to memory of 3628	3828	vbc.exe	104
PID 4412 wrote to memory of 1336	4412	file.exe	105
PID 4412 wrote to memory of 1336	4412	file.exe	105
PID 1336 wrote to memory of 3744	1336	vbc.exe	107
PID 1336 wrote to memory of 3744	1336	vbc.exe	107
PID 4412 wrote to memory of 4368	4412	file.exe	108
PID 4412 wrote to memory of 4368	4412	file.exe	108
PID 4368 wrote to memory of 4460	4368	vbc.exe	110
PID 4368 wrote to memory of 4460	4368	vbc.exe	110
PID 4412 wrote to memory of 2844	4412	file.exe	111
PID 4412 wrote to memory of 2844	4412	file.exe	111
PID 2844 wrote to memory of 1696	2844	vbc.exe	113
PID 2844 wrote to memory of 1696	2844	vbc.exe	113
PID 4412 wrote to memory of 1532	4412	file.exe	114
PID 4412 wrote to memory of 1532	4412	file.exe	114
PID 1532 wrote to memory of 2068	1532	vbc.exe	154
PID 1532 wrote to memory of 2068	1532	vbc.exe	154
PID 4412 wrote to memory of 1340	4412	file.exe	117
PID 4412 wrote to memory of 1340	4412	file.exe	117
PID 1340 wrote to memory of 4948	1340	vbc.exe	119
PID 1340 wrote to memory of 4948	1340	vbc.exe	119
PID 4412 wrote to memory of 4752	4412	file.exe	120
PID 4412 wrote to memory of 4752	4412	file.exe	120
PID 4752 wrote to memory of 4080	4752	vbc.exe	122
PID 4752 wrote to memory of 4080	4752	vbc.exe	122
PID 4412 wrote to memory of 1456	4412	file.exe	123
PID 4412 wrote to memory of 1456	4412	file.exe	123
PID 1456 wrote to memory of 1996	1456	vbc.exe	125
PID 1456 wrote to memory of 1996	1456	vbc.exe	125
PID 4412 wrote to memory of 4164	4412	file.exe	126
PID 4412 wrote to memory of 4164	4412	file.exe	126
PID 4164 wrote to memory of 4620	4164	vbc.exe	128
PID 4164 wrote to memory of 4620	4164	vbc.exe	128
PID 4412 wrote to memory of 2248	4412	file.exe	129
PID 4412 wrote to memory of 2248	4412	file.exe	129
PID 2248 wrote to memory of 4700	2248	vbc.exe	131
PID 2248 wrote to memory of 4700	2248	vbc.exe	131
PID 4412 wrote to memory of 4168	4412	file.exe	132
PID 4412 wrote to memory of 4168	4412	file.exe	132
PID 4168 wrote to memory of 1400	4168	vbc.exe	134
PID 4168 wrote to memory of 1400	4168	vbc.exe	134
PID 4412 wrote to memory of 4132	4412	file.exe	135
PID 4412 wrote to memory of 4132	4412	file.exe	135
PID 4132 wrote to memory of 3020	4132	vbc.exe	137
PID 4132 wrote to memory of 3020	4132	vbc.exe	137
PID 4412 wrote to memory of 5112	4412	file.exe	138
PID 4412 wrote to memory of 5112	4412	file.exe	138
PID 5112 wrote to memory of 2560	5112	vbc.exe	140
PID 5112 wrote to memory of 2560	5112	vbc.exe	140
PID 4412 wrote to memory of 4704	4412	file.exe	141
PID 4412 wrote to memory of 4704	4412	file.exe	141
PID 4704 wrote to memory of 4268	4704	vbc.exe	143
PID 4704 wrote to memory of 4268	4704	vbc.exe	143

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4412
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cfonx6_b.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2408
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFD5B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEFC6FEA92447409BA52C6AF995BF277.TMP"
    3⤵
    PID:5020
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vjuqjhda.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:376
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFE17.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1000FDDEE19F471FAC753B9F6957FB13.TMP"
    3⤵
    PID:1636
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9vxa6b40.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3828
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFF30.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8CAFC5AFBC040D1907EAD5AE89DE3A2.TMP"
    3⤵
    PID:3628
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-y9lp4ag.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1336
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFFBD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6367570A20AB4D0EAFB8A2E12AFA3AA4.TMP"
    3⤵
    PID:3744
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\iqmzrt2b.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4368
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES49.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc34F0F6707CD4452FA446A2BB5542B741.TMP"
    3⤵
    PID:4460
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\o5zaj8qi.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF622CE03E80B4583A1E934F98A9591D.TMP"
    3⤵
    PID:1696
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-tv4ojmr.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1532
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES105.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc52E7355544C1497E83611B5748B758.TMP"
    3⤵
    PID:2068
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\els-cvvq.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1340
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES162.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCAD5E4C644E242F4828C7A1F581E84F.TMP"
    3⤵
    PID:4948
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\w-vdve3v.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4752
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1D0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4096DB147B10453A98917E85DB63EAF.TMP"
    3⤵
    PID:4080
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6sywpk7h.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1456
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES22E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc273C6A3A5576456A99FBC6AB83E3F6A.TMP"
    3⤵
    PID:1996
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lbxakjmm.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4164
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES28B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6331EDE1F6164333905634FAD2D9E6A7.TMP"
    3⤵
    PID:4620
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wup2lvx9.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2248
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2E9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc39DCF8D5AE70476C9C21A71D6D52D9CB.TMP"
    3⤵
    PID:4700
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rn0a6lu6.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4168
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES347.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc20603B019A994E2C847E4CF5B991EE8.TMP"
    3⤵
    PID:1400
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ne6ziyia.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4132
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1636
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES395.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA543F43955F54B3690886446EE283715.TMP"
    3⤵
    PID:3020
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tbu-g441.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5112
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3F3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBB16B9F2BA2D47D1B76FA638B94E071.TMP"
    3⤵
    PID:2560
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\svdnayzc.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4704
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES450.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc15289FA58604460AAF3C89C8BF82BA1.TMP"
    3⤵
    PID:4268
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\t4i3kkmz.cmdline"
  2⤵
  PID:3988
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4ED.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc89BE6EAE55824FC1A9406FF5BDCC49C1.TMP"
    3⤵
    PID:3400
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mkksb62a.cmdline"
  2⤵
  PID:4048
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES54A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB0DA717518BE4A4B8A14AF30CC623DB0.TMP"
    3⤵
    PID:2376
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tfizahdg.cmdline"
  2⤵
  PID:1496
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES599.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE88B964A44F94E778DB2C18F2C5DAF37.TMP"
    3⤵
    PID:1588
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_qi_rytt.cmdline"
  2⤵
  PID:4288
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2068
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5F6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc72FC0E95F2A14D40BBEAC8A11AF3508.TMP"
    3⤵
    PID:2528
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hhtfuq8s.cmdline"
  2⤵
  PID:4312
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES654.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDBDE31BCB5C4B6FADE7CB1A1226D9DF.TMP"
    3⤵
    PID:5040
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-njozgcv.cmdline"
  2⤵
  PID:804
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6A2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc376D6E2269534151AD512469A8E290.TMP"
    3⤵
    PID:756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\RevengeRAT\vcredist2010_x64.log-MSI_vc_red.msi.ico

Filesize
4KB

MD5
c350868e60d3f85eb01b228b7e380daa

SHA1
6c9f847060e82fe45c04f8d3dab2d5a1c2f0603e

SHA256
88c55cc5489fc8d8a0c0ace6bfb397eace09fba9d96c177ef8954b3116addab7

SHA512
47555d22608e1b63fbf1aacee130d7fc26be6befaa9d1257efb7ad336373e96878da47c1e1e26902f5746165fc7020c6929a8a0b54d5ad1de54d99514cc89d85

Download Submit
C:\ProgramData\RevengeRAT\vcredist2010_x64.log.ico

Filesize
4KB

MD5
64f9afd2e2b7c29a2ad40db97db28c77

SHA1
d77fa89a43487273bed14ee808f66acca43ab637

SHA256
9b20a3f11914f88b94dfaa6f846a20629d560dd71a5142585a676c2ef72dc292

SHA512
7dd80a4ed4330fe77057943993a610fbd2b2aa9262f811d51f977df7fbcc07263d95c53e2fb16f2451bd77a45a1569727fbf19aeded6248d57c10f48c84cb4da

Download Submit
C:\Users\Admin\AppData\Local\Temp\-tv4ojmr.0.vb

Filesize
380B

MD5
6a3d4925113004788d2fd45bff4f9175

SHA1
79f42506da35cee06d4bd9b6e481a382ae7436a1

SHA256
21be523eca2621b9e216b058052970dc749312d2c26836639d8e8faff94c76bb

SHA512
2cfdecfa0604ad7fd54f68bf55e7c52701c7b196de51412e172526affffd6e6c4bc443b6df0fb21d2c777c809aa4e3809bd2b5b385e0d033604b6b653a0f416d

Download Submit
C:\Users\Admin\AppData\Local\Temp\-tv4ojmr.cmdline

Filesize
264B

MD5
95b38a8c74981d82ec525799015d6d97

SHA1
25c460885892cba97805154db9a55bac96217840

SHA256
08e6d44598e49dc7c99439a2e1088496d80a106bd9db9bdfe3cdecf42b381397

SHA512
e8ae2c21121efe82b515e6e416d83d19d51e3968f27a0597dcee43afa24ea4ffbc65340000375456bfdeadaa62525114e4a548368980823df42536cdd2697897

Download Submit
C:\Users\Admin\AppData\Local\Temp\-y9lp4ag.0.vb

Filesize
362B

MD5
3b4aed436aadbadd0ac808af4b434d27

SHA1
f8711cd0521a42ac4e7cb5fc36c5966ff28417b6

SHA256
ee55ee594a9bb7acee0dfaa9aaa31ebc044e3090b5a68baef63ddd2f6493d3a6

SHA512
6ca8a69f31876db620e8818d896257d3683dcf859841afa3ba7b83ae57ce67c47b98b4e44c449b02eb789b683b840e769857b10cf16a5a5882683e96f65ab5ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\-y9lp4ag.cmdline

Filesize
227B

MD5
8186e4024208d1c914553506fab0dd04

SHA1
df87382e8d377fef2e7ff0a908db55e384eb8eba

SHA256
983bc8404b4f410853c91e38a1d57390d481994bad4d392df3d42dfa1bd8a257

SHA512
d297108b4f9306fa8bbf5fd8f233fc1afadc1c892638e91450e0e4889cd36f4f15bce28988fd942179d5dbdb5f758f8aa6e77e21f17da205ba1912d3c92f9967

Download Submit
C:\Users\Admin\AppData\Local\Temp\6sywpk7h.0.vb

Filesize
385B

MD5
0ad1ae93e60bb1a7df1e5c1fe48bd5b2

SHA1
6c4f8f99dfd5a981b569ce2ddff73584ece51c75

SHA256
ea68ce9d33bd19a757922ba4540978debcba46f1133fbc461331629e666d6397

SHA512
a137a8f18a2b2ff9c31556044dd7c41fb589a6a52b15e4dc6cbb3ba47ab4a06d8b9ad54fb498100dab33f8a217848d31f14daca736045afb4f76ffb650b17f03

Download Submit
C:\Users\Admin\AppData\Local\Temp\6sywpk7h.cmdline

Filesize
274B

MD5
44c0207a2520e50d6a4a7382da9dbf9e

SHA1
66b9a02206adb3083554859e38656834082f8013

SHA256
cd37f4c29fd491f47d5fc6f864187a8ff428b8ccb4c3f97c9afa3b3f0cd014b3

SHA512
2a861d8327b76da06c14d9bbfdc090d5f74e5e242686fbbdf7d5f1291367a56b4335dbefd409fa258d863d7d519e4a895b7f989903c821634b13d6398613b2cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\9vxa6b40.0.vb

Filesize
376B

MD5
0c699ac85a419d8ae23d9ae776c6212e

SHA1
e69bf74518004a688c55ef42a89c880ede98ea64

SHA256
a109cb0ae544700270ad4cb1e3e45f7f876b9cfac5f2216875c65235502982fe

SHA512
674e3f3c24e513d1bb7618b58871d47233af0a450f1068762e875277bbddf6c4f78245988c96e907dbbf3aafb5ff59e457528b3efa8e0a844f86a17a26d4f3d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\9vxa6b40.cmdline

Filesize
256B

MD5
ec0a17d4fe193aec1fd14b42eb9c0ae2

SHA1
ade15872cdce3bf140af7c55c25a52ba804e454a

SHA256
c055eeeee0428292e6296c535079a7e0c7fd3800cab2f2e53ffbc88e5b8cd7a3

SHA512
e184ffa7e3c7d54046789ec76847a6d732dd2c76bbf4840f85601db878113f1e0d7864b2b369b43c4b696dbd568ae581225e0a96754c19c2d7392cc2fffdad80

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES105.tmp

Filesize
5KB

MD5
4dcb9e3d915984508e95120284430d30

SHA1
b149fa1ca70c616347403e0f1f0fb66873d5fa43

SHA256
0dda42e578d4c39562b7ca5809ccbe2c607484c3768c202c0bcb7e7174b8360f

SHA512
30b097e468e76fdc23800a79e7e1031d9e00f77cd0294a3f19c2d12afe4b0c60f481ca28a356bc368fefdafa062462a5f4bf7bb36b2b4a5656b5414e3b916db9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES162.tmp

Filesize
5KB

MD5
99f16affd591ad8d11bae3b4f2fc0269

SHA1
d27ebe790eb5c1d2198e9af0e7a954fbe4175faa

SHA256
e2a9e59953d56f1349a3f0946fd33ebaa3a8ace8b4402de67abcf8f8d2de0dfb

SHA512
0353bfd63ade6f0da3f07c59b6e380ac3a152f8f6790f20cd1eebaee3cfdb27b69a9936749a4654488a6dc31c583e974c891f93d285d137f8d7a53718873e337

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1D0.tmp

Filesize
5KB

MD5
093669c25c4598fda3069a55cbca1f12

SHA1
1985a2dab9b8958494f8b71ada6bc232ba5680fc

SHA256
a26267b044a09be465a326acd22a09b838b8447cdffc13b6136440949753e225

SHA512
d64b33cbc94f8108729acd8524c6f79d320b6652d731f5898074191d6621ff642c4b6b5422f396f7b9fcba5ba916c1fe111e8031b341ef5581cbb02f75559cb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES22E.tmp

Filesize
5KB

MD5
55ad4a421e72aeeebdacd497e290a805

SHA1
45c20afb946af4499a27af2e16b41e96a4f99689

SHA256
4e2d0413815496b0b8a858d6945a88a3e8aa8899dd5f8a28ebf08343c22e506a

SHA512
9c3bcc2ea864b2a0a7e71581b6526ca959620a8a21013a7a711640904920737e97ac7bd521141df329622af3e6516f052f25bb50071bb27bf63a267c1ef72a0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES28B.tmp

Filesize
5KB

MD5
410449f33c7f5c022a1c1eac007bc50c

SHA1
f149e438a47f1e20d7600196f16d24df29d3e508

SHA256
fc2fcc124fea7b9a360adee8a65a8289444b5a0b7831f5c846b07865d9e7c97a

SHA512
7c1062c7a867965ec41554fb97ceac26e15e4d58e9caf2e3715be0b0270b1be3e4a72a4d300672c96aa0e033e868143799bff4a6836a2a1b36bed999cc379580

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2E9.tmp

Filesize
5KB

MD5
ff7c5edf2516d700618336840445b893

SHA1
f86e97833495e0acbc775191e72f27a85856601d

SHA256
86ee465351b6a1770a69ea971a229545b71968d8175794d697395523296b1fcb

SHA512
c2ee8b8c2510c966042f18e75583fd30c7f03c5412c0ce107fbabba701bc8022eee7cdbcd60287a0d1b7e0068aaa94d4a6a47e9a19ebfa76038f29c54a9194d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES49.tmp

Filesize
5KB

MD5
aa0768d4c00ef3ebee79395b3254daf6

SHA1
a271d9e516b865136a8bf0f9d1799b04ee23c1bb

SHA256
6d4ddd371042983872bbf6bc7d4d804eb6498ae81a49aba5841df8717b44c6bc

SHA512
3e33f8f3d188b52448dad578f93cb7e421184d678b3b52c836d0ff85676c94c492f6f840e70123430bd96b63fa4d21d8eca5d71ae0e6221d4fb49277a9d4f046

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA7.tmp

Filesize
5KB

MD5
cbbde53ca1c9efe25b45964324d3ccdf

SHA1
fc26324c55cff30e8e65717f89eff996afa3c2e8

SHA256
bbd58455633fe9751d48362ee833dec5edbd24dfcc33c7278b2270192ac62ff3

SHA512
1431582ccddeb6051be560d7c80c6ccbf2711ad58a210bb4beb5c15407eee95f9775628a595f4cf7d28ab239f2c17fe459ae4d91ffcfa086e87102e905203830

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFD5B.tmp

Filesize
5KB

MD5
e4b948c1dacd2e5a462d83e722baa01d

SHA1
d5f0d762bbb3d2f6aba9443a2fa1999a9c5d2cf4

SHA256
d1ae8d87b507249acf9ba3b1d22dd33820568af64477c3d35bb5a9eb79127efb

SHA512
47ea578945cc5d3210bb1dd68ad7fbfe3e374cb83e6809ded497e312cfd1dc11ee9e020a15e03d209bd5d8c21aba5f4ad0a1ae329efd2931a7c684e36c9b413f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFE17.tmp

Filesize
5KB

MD5
d27bfa10a075d62395fc6a5c93ea6a86

SHA1
f9aef98633010231c4b4e7cb5a8f225a1d14e665

SHA256
e87368c5266ab2caf0377171a97c0323426e4318b702efbd91336de131e478f0

SHA512
cf633c4f51daa712510881acd2ddf324199c6c8461d03c44e5255862a44e1f50b148797d9a545c6e572019c65024da746b5ad988db923fcc7708b96ddbc2d4f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFF30.tmp

Filesize
5KB

MD5
a19719e2a42da8dd13dd1c2d2ebd1cff

SHA1
39de108f9b4422f80bde6343ebbd667f6dc87329

SHA256
55a2a1d4284c99c446b1b533f26a42a5992acc72efd4131d523783172bd1b198

SHA512
d3ee8f75a2a281a16eb5ddada1194ab84f5e0a5828bf4a68c098a2379543d36cf356ffbb524747c443a068a5a2e1bc5197b7139d4fdbd67360c9c28f574d503b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFFBD.tmp

Filesize
5KB

MD5
63f265524d149878bd62a9eb7c679966

SHA1
1dda74c88aec18b241bbf62f3ded9c80b38083b3

SHA256
c3b4bf2e271132eda02af486ecc540937f6bbe6244abb691ad24ad9871adc037

SHA512
df44a6650faea8346dad8d686eaa8a8b1c0a0e7802fac2069afd90c104aafbe3b3a5e689bedde5c190de0d151adbb3c6622c7621c891df5b2a965aead75aa8be

Download Submit
C:\Users\Admin\AppData\Local\Temp\cfonx6_b.0.vb

Filesize
376B

MD5
52ddcb917d664444593bbd22fc95a236

SHA1
f87a306dffbfe5520ed98f09b7edc6085ff15338

SHA256
5c55dcac794ff730b00e24d75c2f40430d90b72c9693dd42c94941753a3d657d

SHA512
60dafb21f44cbf400e6f8bc5791df9a8d497da6837fb1a453fda81b324ac6f70fb9ec0efb1e7649b9bed0dfe979016360f3bcfef543d7e9432a97b96c8b9fd35

Download Submit
C:\Users\Admin\AppData\Local\Temp\cfonx6_b.cmdline

Filesize
256B

MD5
a293ad07e82dcbb54c2f57551ade5bff

SHA1
d4aa6b89ce051f0c1e74c43508e3808bbe1f5e8c

SHA256
993cb0db255626146a10d11b489352545e83512e7cc3e2c398046c2ec3ef02a4

SHA512
65098ccb0ccaa5b50e6bf440acddac60f6e1f83fc0f778d0952475977fa3001670710bb9553287e56942e1c04f51288291d5da9dd6e084c08da3bb90b551d200

Download Submit
C:\Users\Admin\AppData\Local\Temp\els-cvvq.0.vb

Filesize
383B

MD5
a236870b20cbf63813177287a9b83de3

SHA1
195823bd449af0ae5ac1ebaa527311e1e7735dd3

SHA256
27f6638f5f3e351d07f141cabf9eb115e87950a78afafa6dc02528113ad69403

SHA512
29bec69c79a5458dcd4609c40370389f8ec8cc8059dd26caeaf8f05847382b713a5b801339298ff832305dd174a037bfdb26d7417b1b1a913eacf616cd86f690

Download Submit
C:\Users\Admin\AppData\Local\Temp\els-cvvq.cmdline

Filesize
270B

MD5
77b7e08a21b64081672999053e98d8a1

SHA1
7542f0a67b0c87316330a58f014f367aed7d0c9e

SHA256
5aac853ef61bf31b47475c0afea8528f4061e2bdace6e5e1bb10c84f5a7e8ba8

SHA512
e62105ac8ddaaf7bc7a8b4fdb8e9327233ea10d14beeb5932e7b2de14593d12bffac870ce0465344b5d435395a7e53d71667af45dbecc49f92b667c1341fe96d

Download Submit
C:\Users\Admin\AppData\Local\Temp\iqmzrt2b.0.vb

Filesize
380B

MD5
3cbba9c5abe772cf8535ee04b9432558

SHA1
3e0ddd09ad27ee73f0dfca3950e04056fdf35f60

SHA256
946d0a95bf70b08e5b5f0005ff0b9ad4efe3b27737936f4503c1a68a12b5dc36

SHA512
c3c07c93011dc1f62de940bc134eb095fa579d6310bd114b74dd0ae86c98a9b3dd03b9d2af2e12b9f81f6b04dc4d6474bd421bce2109c2001521c0b32ae68609

Download Submit
C:\Users\Admin\AppData\Local\Temp\iqmzrt2b.cmdline

Filesize
264B

MD5
955372532f8f49f04c49ed9bc40f380c

SHA1
476489fffef161ef1e2b6ddf02567e48b4e40d64

SHA256
a1627254a1d75f99046b1fad7e63fdc942a9c0d719a3da9893a30082a0c5bcf0

SHA512
9df3c5d5ffb7eb9a5f586d1a8f2af89e1e9727f1562e0f7e7eea9ebf5418c35161fc5b91108bcb7e5aea1fc754e1fec7c750e14a79e03ff2ae8dba73219ab12f

Download Submit
C:\Users\Admin\AppData\Local\Temp\lbxakjmm.0.vb

Filesize
382B

MD5
7d4fad6697777f5a8450a12c8d7aa51f

SHA1
879db5558fb1a6fac80a5f7c5c97d5d293a8df5c

SHA256
741018cae167c9f6c1206e75ddf3d758543f9a16bec5d56a07fab9eb5439e3f6

SHA512
6a31b4eab1829db245773e18e97f9a9956224174e28218476e45e8907bf8b4341ed732a0153a320cb956f2eca4e014c1ef6b0c6f627cf97a79b7a81f8e1fe144

Download Submit
C:\Users\Admin\AppData\Local\Temp\lbxakjmm.cmdline

Filesize
268B

MD5
268323d591eb97b088de4633149f9aab

SHA1
ba9c8f29164ff4c603e4571f5a74a57a3710eb9e

SHA256
e9fb199a240a2126f453fa9e725a0ebbf5b94f2015d57d675f76f0bade3b0913

SHA512
a0b13d3b82ff472b1dac613964899265833ea31c9c2290c9398b949f3ceb1d6962b04da29e351fd81e8f1a4796cefb167660ba6eb3f596df48aa430fe456b310

Download Submit
C:\Users\Admin\AppData\Local\Temp\o5zaj8qi.0.vb

Filesize
383B

MD5
e8615295f45d210bf3b7d023e3688b9f

SHA1
e33be2e3faddd8e48f62e0f30ad3cdc08bae7e33

SHA256
c81a9b36d60cc8d54374337bf1b116165c41be0cd2460ac35223fb790f5f94fc

SHA512
b48fa683711c9cd16f6e4e007145a508b617bbf9847efc1d81cdea75dda43bf88a3d094fc93fe8ef7c4b55e3dd1c4e687a6044b504b106262b2566c4ab944919

Download Submit
C:\Users\Admin\AppData\Local\Temp\o5zaj8qi.cmdline

Filesize
270B

MD5
6ca71efc2bc7de4bb47c8245c97b7897

SHA1
f39ecdff92dc7301188c90c9435d60b9fbfad29a

SHA256
bb848a7421a6dbe0aa4b4997a6bbb356091dca37af6eae8f0381513e1bf38fb4

SHA512
279bc41661e907449d66488e93d2562fb134d096502bb93369a948f367813707e2a528074196ccc135ae87038c22f7a4903ea139a656bd4c998d19e762e28963

Download Submit
C:\Users\Admin\AppData\Local\Temp\rn0a6lu6.0.vb

Filesize
382B

MD5
37c6619df6617336270b98ec25069884

SHA1
e293a1b29fd443fde5f2004ab02ca90803d16987

SHA256
69b5796e1bb726b97133d3b97ebb3e6baac43c0474b29245a6b249a1b119cd33

SHA512
c19774fc2260f9b78e3b7ee68f249ce766dcdc5f8c5bc6cfc90f00aa63ce7b4d8c9b5c6f86146aa85e15fd0c5be7535cc22e0a9949ef68fbd5aca0436c3bd689

Download Submit
C:\Users\Admin\AppData\Local\Temp\rn0a6lu6.cmdline

Filesize
268B

MD5
da1119e67d9b0b1952a3d4d5744fec75

SHA1
ac6c6b2fdb256a3857327b72026304fd5eb04d54

SHA256
12d2ca90b48708ef4da7b5a0cb47249547fcfb40fb07f475ba9bca50e1826d9a

SHA512
b188afc7b1908ce16e72c03be7b380df822c6fb44848f0cf505b539d03b307aa54e09fb5f68b2e384110a06c33d28901e0be652bee24abdc49e76871c59c1721

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1000FDDEE19F471FAC753B9F6957FB13.TMP

Filesize
5KB

MD5
0fe8a8eff02f77e315885b53503483a8

SHA1
953a58a0ff6736967270494a986aca7b5c490824

SHA256
2d2c202dfa06961e1fad395fe08f9caa4b1004f71a0c37457581fa095229afba

SHA512
e0fbfcb9a2db833bea58e5ed923f93689ee598c76f27fb57e19d9a7f110369035f00c3d0d4f229997aeb7b3dd38a24a5a76d55f66f35040fe986f31d8f79a7af

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc20603B019A994E2C847E4CF5B991EE8.TMP

Filesize
5KB

MD5
9874538991433131fb3158b7b1f83d46

SHA1
9e9efd410b28be52f091ceab335eb1e6ed8e001c

SHA256
2d5286b5a40631602fb0c35d2b9da6236434a22f3dfc1b98239987d72ae8d04c

SHA512
9ee53b9dccdc5418870ffee74e692b01c0d78305bebbb360d01aa628957914a4ed8f36afa83cbc016ee8694b8da8d08fec4de4b227b6429b5f1f48b13a3efb42

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc273C6A3A5576456A99FBC6AB83E3F6A.TMP

Filesize
5KB

MD5
3ca7194685ffa7c03c53d5a7dbe658b1

SHA1
c91550da196d280c258d496a5b482dfdae0d337c

SHA256
09fd06c1908591feac9dcda2a519bf862519267cd4e42c9d25b772b1d9161f39

SHA512
949801ea9aa592e118678ff62949633e9f0502f2c07bbb398484de6911f9cf652f40bfb446aee8ec59f6262fb8da8792efa56119c90eee44a199dab7226b54b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc34F0F6707CD4452FA446A2BB5542B741.TMP

Filesize
5KB

MD5
97ea389eab9a08a887b598570e5bcb45

SHA1
9a29367be624bb4500b331c8dcc7dadd6113ff7e

SHA256
ab2e9e4fa0ade3a234fb691e1043822f23b6642a03bf355e8a94bbe648acd402

SHA512
42ab57f66062848ed8ed5384f3e3beca0d446fa1889f2960e349271ccd72f80632b7c372d11a7cf3e9da8c1119668bc748ac663def652b044101f2f31e398a36

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc39DCF8D5AE70476C9C21A71D6D52D9CB.TMP

Filesize
5KB

MD5
b751c6d2b6e47c4ca34e85791d8d82ff

SHA1
e9e7402eece094b237e1be170fecc62b33ffb250

SHA256
c66789b3014305976b263fa7bbb629bcf543d07f0c2bfa11cde4a2aa957b26d4

SHA512
d9f7a8a1ffffcf13c6fa35a8a76f9adbde49ebfe1de6a4fa0e3e0cfcd3a28e035a0ba5a6e5d9a4c5fc9cad2adf1f93fecff036f1540f3f623fdafa226f2ded0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4096DB147B10453A98917E85DB63EAF.TMP

Filesize
5KB

MD5
17a9f4d7534440cae9e1b435719eceb9

SHA1
bc4c3569dbd3faf4beac74a4b3ea02b33e019530

SHA256
5e05232caa624438da3cd74d3cf72b04c2b383fd68448a110b892a4913e91470

SHA512
673b374c701d5756a55fd20122b00c497843b5116cc6e7dfd4b71755a692024d70a30c00f803427c343f2227ed5bc48df67234a41cb88dbf5eed70810e470f07

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc52E7355544C1497E83611B5748B758.TMP

Filesize
5KB

MD5
40106f913688ab0f9bcbe873333d3dbd

SHA1
bbe7cd918242a4ddc48bdcd394621cccf5a15d91

SHA256
1d1a8ff68478aed22714dab15691996d196dc975a18f656261417dfdd85dcf47

SHA512
67052405e9a8bdf9d836af9fdb13f0a4f57e7e90f0d2c3c5fd10830423e1401193699ff3b195e0cdcb2a89a3582f623ec9e5ebbef899300cf354c0ae89b765d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6331EDE1F6164333905634FAD2D9E6A7.TMP

Filesize
5KB

MD5
694fb05871caccdce836dd0f109c4f86

SHA1
0cfa12096a38ce2aa0304937589afc24589ff39a

SHA256
bc1513ac66cd5adf438ed32370cf1bb219e07e602cc796525b822b0bd78b12fe

SHA512
50944dfe4013054ddf1529e6fe4d23af42aada5164dfea1316fbf18846e38006ba3cc8ef03dd6ab7ceb810ccf25dafc0fb790e2a6a0b0f3b2197b640d65cacd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6367570A20AB4D0EAFB8A2E12AFA3AA4.TMP

Filesize
5KB

MD5
83005fc79370bb0de922b43562fee8e6

SHA1
d57a6f69b62339ddadf45c8bd5dc0b91041ea5dc

SHA256
9d8d4560bcacb245b05e776a3f2352e6dbecd1c80ac6be4ce9d6c16bc066cd9c

SHA512
9888bf670df3d58880c36d6d83cb55746111c60e3949ec8a6b6f773a08c96d7d79305192c5ad9d7c6689e93770880a5be56968bd12868b8b5d354bf5b39bee05

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8CAFC5AFBC040D1907EAD5AE89DE3A2.TMP

Filesize
5KB

MD5
bb7c2818b20789e4b46db3b54dbbbb12

SHA1
b262ea7343363caae54bcce98e96e163cdf4822d

SHA256
a944a5a52b5edfd19415c068a810b7249e5b5622d8faeee5d36f3fcb2462de67

SHA512
b101eb7a02d1911adee23bd63f5dbc84490b498583b802b4db0ab763de2c6abcbbb1bd28b17f9ad24e094e51bc3614bcf09c3a72841c500a9ae8d57e02a211ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcCAD5E4C644E242F4828C7A1F581E84F.TMP

Filesize
5KB

MD5
38a9e24f8661491e6866071855864527

SHA1
395825876cd7edda12f2b4fda4cdb72b22238ba7

SHA256
a0dba3d6dd5111359fcaeea236f388b09fe23c4f8ec15417d5de1abf84958e96

SHA512
998fb6143141262e98dd6109bd43e1fc7389728a047d819b4a176b39bb1594e5f36c1e38cbbe41023bb91a32a33b0aa9901da1dda82513882ade7f8bd4196755

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcEFC6FEA92447409BA52C6AF995BF277.TMP

Filesize
5KB

MD5
7092dd0251b89b4da60443571b16fa89

SHA1
08cb42f192e0a02730edf0dfa90f08500ea05dd2

SHA256
2aa88b69c033bd712f9752eefa5624f534b915bb5dada74133d2ac0c67beebf7

SHA512
7067f485062be4fea3d52815e4dbdad50b1c53c30b5b354d64ddf4d5126788d169b90bba26dec25ecbf40e23ea59991d149e12859838e6b10028be0c86c5af7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF622CE03E80B4583A1E934F98A9591D.TMP

Filesize
5KB

MD5
bd6b22b647e01d38112cdbf5ff6569a1

SHA1
1d5267e35bd6b3b9d77c8ba1aca7088ad240e2b9

SHA256
ff30b5f19155f512e7122d8ab9964e9edb148d39c0a8eb09f4b39234001f5a6e

SHA512
08c7f1400f1a3cd4e1442152ef239a18dda7daac61f4c0b0ff461c2264949b3dcd6227cbca39ff3eef39345e001f89c1ca6702065d1b9bb1659f2cf48b299a9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vjuqjhda.0.vb

Filesize
362B

MD5
31e957b66c3bd99680f428f0f581e1a2

SHA1
010caae837ec64d2070e5119daef8be20c6c2eae

SHA256
3e32c4b27f7a5840edc2f39d3fc74c2863aa2dfd9a409f1f772b8f427091a751

SHA512
6e61d77c85c1bf3fd0c99630156e0390f9a477b4df0e46218054eae65bee7766443905f48e3f3c7dec72b3fb773f758cf175df54f1ed61ac266469579f3997af

Download Submit
C:\Users\Admin\AppData\Local\Temp\vjuqjhda.cmdline

Filesize
227B

MD5
bbbb334a727989d46da96e8cd41260d8

SHA1
95e7761aad00cbf20ed9cddeba90f2ebfe2e6d24

SHA256
b011f588aece74fcd61bbe9edca12ae91c1de8942f7c90e86c684fe51f01fbd1

SHA512
2a041445632a5134015376539652d4bbf49c215f12e241c0f666e37c6d5b200a448a7c602876f40f88915d2a74a686c120ab9153f2014c1711351c110b52a05c

Download Submit
C:\Users\Admin\AppData\Local\Temp\w-vdve3v.0.vb

Filesize
382B

MD5
44ab29af608b0ff944d3615ac3cf257b

SHA1
36df3c727e6f7afbf7ce3358b6feec5b463e7b76

SHA256
03cbb9f94c757143d7b02ce13e026a6e30c484fbadfb4cd646d9a27fd4d1e76d

SHA512
6eefa62e767b4374fa52fd8a3fb682a4e78442fe785bfe9b8900770dbf4c3089c8e5f7d419ec8accba037bf9524ee143d8681b0fae7e470b0239531377572315

Download Submit
C:\Users\Admin\AppData\Local\Temp\w-vdve3v.cmdline

Filesize
268B

MD5
cfe3beee956a7055ee0d704c23e25644

SHA1
4ebe6f0e4ba38bdf0ead081f970b0a6636a859fb

SHA256
73ab51af248f4b47b2188418a7b281186b45a0f43a34f5871fd6de698d70b34f

SHA512
f8f8bbd8e5551fc9ffba2ce49da5463549eb41885e5b9b01d3652a1cf7cfd396a751cfbf39947281f9c49480c05bbef4000c62540d9761ab8333fed40d36def0

Download Submit
C:\Users\Admin\AppData\Local\Temp\wup2lvx9.0.vb

Filesize
385B

MD5
40650ce23f89e4cd8462efe73fa023ce

SHA1
8709317f898d137650ecb816743e3445aa392f75

SHA256
ae23b3ffff9fb03b649f412247c342e9cd970e371b0d5dea6be75a26617a5afb

SHA512
b6ec7998e2a9703e2badcb41e60128f340c1c4ffcb9aa2c6532b3dc18024abdec1f739148f45d66417df84f3beed1a15ddbf9f33da073018ab902531ccbde850

Download Submit
C:\Users\Admin\AppData\Local\Temp\wup2lvx9.cmdline

Filesize
274B

MD5
13042d89c345b3625a519dee63fed807

SHA1
8ea358a4d87242fb5079356813a296a3fa106fbc

SHA256
28094cc1d930e084b075263e5d8473614deb802d8639713ecf4ccd4762679d0a

SHA512
aae12a606c251d96c74696292effbf9e2002078e43130608b370bd77c47baea1187613e0d923a6f6048e949dab69a7cd415007c89e3b871f94a903c6f09faeb0

Download Submit
memory/376-43-0x00007FFE580B0000-0x00007FFE58A51000-memory.dmp

Filesize
9.6MB

Download
memory/376-41-0x00007FFE580B0000-0x00007FFE58A51000-memory.dmp

Filesize
9.6MB

Download
memory/2408-26-0x00007FFE580B0000-0x00007FFE58A51000-memory.dmp

Filesize
9.6MB

Download
memory/2408-17-0x00007FFE580B0000-0x00007FFE58A51000-memory.dmp

Filesize
9.6MB

Download
memory/4412-7-0x00007FFE580B0000-0x00007FFE58A51000-memory.dmp

Filesize
9.6MB

Download
memory/4412-6-0x00007FFE58365000-0x00007FFE58366000-memory.dmp

Filesize
4KB

Download
memory/4412-10-0x000000001D150000-0x000000001D1EC000-memory.dmp

Filesize
624KB

Download
memory/4412-0-0x00007FFE58365000-0x00007FFE58366000-memory.dmp

Filesize
4KB

Download
memory/4412-5-0x000000001BF50000-0x000000001BFB2000-memory.dmp

Filesize
392KB

Download
memory/4412-4-0x00007FFE580B0000-0x00007FFE58A51000-memory.dmp

Filesize
9.6MB

Download
memory/4412-3-0x000000001B410000-0x000000001B4B6000-memory.dmp

Filesize
664KB

Download
memory/4412-2-0x00007FFE580B0000-0x00007FFE58A51000-memory.dmp

Filesize
9.6MB

Download
memory/4412-1-0x000000001B9C0000-0x000000001BE8E000-memory.dmp

Filesize
4.8MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads