revengerat | 607c83c609fbe308f30c0cbd197c8fc8c33ef4c85a21794463091a962609fd4b

Analysis

max time kernel
146s
max time network
150s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
06-01-2025 00:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_04fd5497a83ad255eb92eda4d75b9d3c.exe
Size

62KB
MD5

04fd5497a83ad255eb92eda4d75b9d3c
SHA1

9749bcf4d4721446c7c7a594d1d41c5e0aa3c358
SHA256

607c83c609fbe308f30c0cbd197c8fc8c33ef4c85a21794463091a962609fd4b
SHA512

eec5fea358b8c4e42d0d4e146e2766a924c8cf1e073ac812dabc7c9678a06ea65cc8db2c16783f336b7b7e2a9e84fbcaa60c552fa51761c1736940490174905b
SSDEEP

768:CksHaoteIdMSc9P0OYka5q1qzPzazg2f7arEBXUt/2Te:zJo/c9MHkaHbza82f2IBXUx

Score

10^/10

revengerat discovery persistence stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral1/files/0x002e000000019604-42.dat	revengerat

Drops startup file 7 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	RegAsm.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	RegAsm.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.vbs	RegAsm.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.js	RegAsm.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.lnk	RegAsm.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.URL	RegAsm.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	vbc.exe

Executes dropped EXE 1 IoCs

pid	Process
404	Client.exe

Loads dropped DLL 3 IoCs

pid	Process
2332	RegAsm.exe
2332	RegAsm.exe
2924	RegAsm.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client = "C:\\Users\\Admin\\AppData\\Roaming\\Client.exe"	RegAsm.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2368 set thread context of 2332	2368	JaffaCakes118_04fd5497a83ad255eb92eda4d75b9d3c.exe	30
PID 2332 set thread context of 3032	2332	RegAsm.exe	31
PID 404 set thread context of 2924	404	Client.exe	35
PID 2924 set thread context of 1592	2924	RegAsm.exe	36

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 29 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_04fd5497a83ad255eb92eda4d75b9d3c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1080	schtasks.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2368	JaffaCakes118_04fd5497a83ad255eb92eda4d75b9d3c.exe
Token: SeDebugPrivilege	2332	RegAsm.exe
Token: SeDebugPrivilege	404	Client.exe
Token: SeDebugPrivilege	2924	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 2332	2368	JaffaCakes118_04fd5497a83ad255eb92eda4d75b9d3c.exe	30
PID 2368 wrote to memory of 2332	2368	JaffaCakes118_04fd5497a83ad255eb92eda4d75b9d3c.exe	30
PID 2368 wrote to memory of 2332	2368	JaffaCakes118_04fd5497a83ad255eb92eda4d75b9d3c.exe	30
PID 2368 wrote to memory of 2332	2368	JaffaCakes118_04fd5497a83ad255eb92eda4d75b9d3c.exe	30
PID 2368 wrote to memory of 2332	2368	JaffaCakes118_04fd5497a83ad255eb92eda4d75b9d3c.exe	30
PID 2368 wrote to memory of 2332	2368	JaffaCakes118_04fd5497a83ad255eb92eda4d75b9d3c.exe	30
PID 2368 wrote to memory of 2332	2368	JaffaCakes118_04fd5497a83ad255eb92eda4d75b9d3c.exe	30
PID 2368 wrote to memory of 2332	2368	JaffaCakes118_04fd5497a83ad255eb92eda4d75b9d3c.exe	30
PID 2368 wrote to memory of 2332	2368	JaffaCakes118_04fd5497a83ad255eb92eda4d75b9d3c.exe	30
PID 2368 wrote to memory of 2332	2368	JaffaCakes118_04fd5497a83ad255eb92eda4d75b9d3c.exe	30
PID 2368 wrote to memory of 2332	2368	JaffaCakes118_04fd5497a83ad255eb92eda4d75b9d3c.exe	30
PID 2368 wrote to memory of 2332	2368	JaffaCakes118_04fd5497a83ad255eb92eda4d75b9d3c.exe	30
PID 2368 wrote to memory of 2332	2368	JaffaCakes118_04fd5497a83ad255eb92eda4d75b9d3c.exe	30
PID 2332 wrote to memory of 3032	2332	RegAsm.exe	31
PID 2332 wrote to memory of 3032	2332	RegAsm.exe	31
PID 2332 wrote to memory of 3032	2332	RegAsm.exe	31
PID 2332 wrote to memory of 3032	2332	RegAsm.exe	31
PID 2332 wrote to memory of 3032	2332	RegAsm.exe	31
PID 2332 wrote to memory of 3032	2332	RegAsm.exe	31
PID 2332 wrote to memory of 3032	2332	RegAsm.exe	31
PID 2332 wrote to memory of 3032	2332	RegAsm.exe	31
PID 2332 wrote to memory of 3032	2332	RegAsm.exe	31
PID 2332 wrote to memory of 3032	2332	RegAsm.exe	31
PID 2332 wrote to memory of 3032	2332	RegAsm.exe	31
PID 2332 wrote to memory of 3032	2332	RegAsm.exe	31
PID 2332 wrote to memory of 404	2332	RegAsm.exe	33
PID 2332 wrote to memory of 404	2332	RegAsm.exe	33
PID 2332 wrote to memory of 404	2332	RegAsm.exe	33
PID 2332 wrote to memory of 404	2332	RegAsm.exe	33
PID 404 wrote to memory of 2924	404	Client.exe	35
PID 404 wrote to memory of 2924	404	Client.exe	35
PID 404 wrote to memory of 2924	404	Client.exe	35
PID 404 wrote to memory of 2924	404	Client.exe	35
PID 404 wrote to memory of 2924	404	Client.exe	35
PID 404 wrote to memory of 2924	404	Client.exe	35
PID 404 wrote to memory of 2924	404	Client.exe	35
PID 404 wrote to memory of 2924	404	Client.exe	35
PID 404 wrote to memory of 2924	404	Client.exe	35
PID 404 wrote to memory of 2924	404	Client.exe	35
PID 404 wrote to memory of 2924	404	Client.exe	35
PID 404 wrote to memory of 2924	404	Client.exe	35
PID 404 wrote to memory of 2924	404	Client.exe	35
PID 2924 wrote to memory of 1592	2924	RegAsm.exe	36
PID 2924 wrote to memory of 1592	2924	RegAsm.exe	36
PID 2924 wrote to memory of 1592	2924	RegAsm.exe	36
PID 2924 wrote to memory of 1592	2924	RegAsm.exe	36
PID 2924 wrote to memory of 1592	2924	RegAsm.exe	36
PID 2924 wrote to memory of 1592	2924	RegAsm.exe	36
PID 2924 wrote to memory of 1592	2924	RegAsm.exe	36
PID 2924 wrote to memory of 1592	2924	RegAsm.exe	36
PID 2924 wrote to memory of 1592	2924	RegAsm.exe	36
PID 2924 wrote to memory of 1592	2924	RegAsm.exe	36
PID 2924 wrote to memory of 1592	2924	RegAsm.exe	36
PID 2924 wrote to memory of 1592	2924	RegAsm.exe	36
PID 2924 wrote to memory of 696	2924	RegAsm.exe	38
PID 2924 wrote to memory of 696	2924	RegAsm.exe	38
PID 2924 wrote to memory of 696	2924	RegAsm.exe	38
PID 2924 wrote to memory of 696	2924	RegAsm.exe	38
PID 696 wrote to memory of 2664	696	vbc.exe	40
PID 696 wrote to memory of 2664	696	vbc.exe	40
PID 696 wrote to memory of 2664	696	vbc.exe	40
PID 696 wrote to memory of 2664	696	vbc.exe	40
PID 2924 wrote to memory of 1080	2924	RegAsm.exe	41
PID 2924 wrote to memory of 1080	2924	RegAsm.exe	41

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04fd5497a83ad255eb92eda4d75b9d3c.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04fd5497a83ad255eb92eda4d75b9d3c.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3032
- - C:\Users\Admin\AppData\Roaming\Client.exe
    "C:\Users\Admin\AppData\Roaming\Client.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:404
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      4⤵
      Drops startup file
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2924
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1592
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\msojwz9e.cmdline"
        5⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:696
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2EAF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2EAE.tmp"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2664
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /sc minute /mo 1 /tn "Client" /tr "C:\Users\Admin\AppData\Roaming\Client.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1080
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kdot8g4p.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2384
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2F1D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2F1C.tmp"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2376
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jttbyuxb.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1704
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2F6B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2F6A.tmp"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2352
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1nhs1e-k.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1748
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2FB9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2FB8.tmp"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1072
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bxzskfjm.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1736
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2FF7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2FF6.tmp"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1956
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-gtpnzii.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1576
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3035.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3034.tmp"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2960
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wi5kand0.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2984
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3083.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3082.tmp"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2840
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tufgjhrs.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1544
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES30D1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc30D0.tmp"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2920
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\e4ac3z5o.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2756
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES311F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc311E.tmp"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2768
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\p6btdol0.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1524
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES315E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc315D.tmp"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1700
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lkj0ymyg.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1992
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES31AC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc31AB.tmp"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\-gtpnzii.0.vb

Filesize
279B

MD5
fbf2e45e518f0caba9c7aa2dca3b83ec

SHA1
1326a428ab9082e3ba75e70135b291278da2a038

SHA256
901a1373d9434e9ec1882e3015fc616210947b7f5677987b6006abea2ebc15a9

SHA512
fa39ba5fd0c0c53f5ab684966f0c8ab525c21756a2d7e6c795b1dd6ab3a43fa0edc65e4e8bb7480635d30ce8fcbe54595175ff211a69483c6abbbfa7030623ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\-gtpnzii.cmdline

Filesize
171B

MD5
7f5dd5b8d6bb8b14177f5db4a92ce7fd

SHA1
c9207597080c07c2a10ab6d99c53088f706eec32

SHA256
225cd0d59da1fc8318289daeac007fe172a697bdcf200e1bf84c17f14815174d

SHA512
8a0e75bb0adb45a3892e0faa396cd04e581a779259809d6abc274eeca6903ce392cf86612c671db02b0a29617e4e1e550ff683db7877741dc5d766b6dac55c94

Download Submit
C:\Users\Admin\AppData\Local\Temp\1nhs1e-k.0.vb

Filesize
273B

MD5
3b8762e2c886bac66e24649e4750fce2

SHA1
a2da202923d04aeac2514a1607e5eae838e37dbb

SHA256
6bd6fae6570ad4b9a45ffcfae4ba4f8bbe959386183ebfbc56190b6311ab4600

SHA512
80d4329a26f4b7c70f70252430fb4aa13b4fb6c8199f4891826d5ae135e32beaccdc76980afa5ee8ce2f935185eaf18fb01ea6b3c2b34a68b8a6914bc49bf178

Download Submit
C:\Users\Admin\AppData\Local\Temp\1nhs1e-k.cmdline

Filesize
165B

MD5
588164e373053ecf356fe7fa9d4c0f0a

SHA1
674347ea63773d011c28541fff65c053734e7c0b

SHA256
916df1e153890db0cf410b2d9a0d352edc712c18be0250e2d3bcb6f7f9f76852

SHA512
4bb36094730084e3539dd2be356aab24f2900c2608bb65c993583f66920ef4b334cdf52a8ff1b594cabdd8f49d86e8188b836628b63b24357f796294124ee2c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2EAF.tmp

Filesize
1KB

MD5
bf523d93033e0509c84b3802ca865b12

SHA1
f758e4e5368fec4c2e8677625084d5eb4d61eb11

SHA256
63623c636bb3993d58be1fc24ab5448850263b5760cafdf43280de3b67786406

SHA512
65754be4766eb35c52da2a05fd426de06f51865609e096b43e5c4710ae51070a364f7970c68ba2558a49d86d5a46620cd7fc6b44246b35f4f678ed977438bdf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2F1D.tmp

Filesize
1KB

MD5
94d9b8cafe541a1d0652086df3933a47

SHA1
f0be88ff80e6f2548082cd2e52778c5ab939201b

SHA256
a35c27c2404ba8f2ba5fb0acbf6068226e0d9f232288687d825176bf23885e97

SHA512
84b0a8dc9b0570d548082edc024947c5cef097c4760676945618faef8bcce53b45a5310b59d21f5d24b8e4c9a95c9e2635a47ce3ef5674394a4304591f32022e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2F6B.tmp

Filesize
1KB

MD5
0538dee710d9e2f9c6fd446824de5e6d

SHA1
731019093470521b17cf1732a0231e8b7038eec0

SHA256
6232185f286a3aef70025334182f3e2785703c8a512f54ce4e5c220b45c93ec8

SHA512
fe63292b246dfb6a7189a827b51042dc2bc33ce959221724424138887ce2e14a0938ba2cc278a11818e5c6f2ba49f2b902135cf87bb84871f12cc88f3ab32e13

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2FB9.tmp

Filesize
1KB

MD5
f067a9758e2abe81b469f88f17d8a844

SHA1
2173e5a92cd1e6b9a2a408ecadd3f78f68563ce3

SHA256
443dd6dcd2323937cc657742c27062133c6ccc1c8a62a6bac9783958b49bfe1b

SHA512
43c5aa6ebd53da744b06d554ac15b5c3e4751a26f3947c248a6dc14cdcecfe4a73db277ab7f9cef2388e2aeb7474cf793f0670d16376c0de3f2dc8c187bba839

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2FF7.tmp

Filesize
1KB

MD5
71504b4bbed15072f4861a7fb5be6c50

SHA1
e65e7507d6cd8d8ba95fa805a7fdc37bc6a11ccb

SHA256
747ad35d72ce37353b98dad825534c54dd2817ecf8ea53b46fd421c5a7e57ed1

SHA512
4c48a51b319163480dd926e1712ec7e3fbe2bcdd60c1dc9c02b0d1e3b916ac20889e6e3db198f6a1c93587c0bf80f795b8cebbd73046541e034065eacbaaaa88

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3035.tmp

Filesize
1KB

MD5
da04183f62bfb237063a43cc2d5308d6

SHA1
a84b03919ed16da8b0d1565ca5a3b6ba7276b10f

SHA256
00aa699cae83098e441f5cd94a9dc95488b5b076993ffdb29e29d0485c84274c

SHA512
8d6d7da62ce159dfb62704af97b4308f8d71d8dd9ac10fa4e47dc7cb2f99653e116dc4c10defd7a245bae08f5b1334a1f1be187dc164f4e4ffadff2cf67496ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3083.tmp

Filesize
1KB

MD5
a81d828b371263e351b91bf086e93026

SHA1
d10a30595345342d6eaf4be67f59b440b11421e7

SHA256
aa8fcff295f3fb4da1fc165c5da136480556305c8955892e0936e283ba22e68d

SHA512
5040fc525bdaf6896cfcdf387d182cf34ec0da553c6158582e11be3f1570c7649941355fe30098982b89a80a46dccf39bcf74a830221544acdcc2f6962297c3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES30D1.tmp

Filesize
1KB

MD5
03f71cd82f810a0bf0501c7f0845d6c3

SHA1
df41523018656cc493bdb8d31f8d86d7f041d2e9

SHA256
0affb6536bff20c70ecb9a9101a8a2c8028642259f53792ad1e351a872b521f3

SHA512
a76328af0cc2151c05422a51edef126d304d3dbffb3fa9b03290f318ce8b03368942008d3b9a4015bd822ed100abdd9891ad8ff1322e5b457fc24336a41485e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES311F.tmp

Filesize
1KB

MD5
6d3ff9aa6c17d4b6ec490d640e215005

SHA1
578162ef5af017cde5399b87dc2589ebf14990b9

SHA256
11debeeca1bebac3d07505d040e3319689a51ddb01baa4eb7b3e202be8bb5207

SHA512
d448fcb39ed77684ee2dbab0da81ec1281d8f78b8cd1d198b3225141c4fc1c25bffab569e9535370849e5e0e4ce70ea7de9a995e71ed98f9301ab597c25f1e0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES315E.tmp

Filesize
1KB

MD5
908bd690c0732863427088d236726435

SHA1
1b0ad5dff132136266ed6cbd73401e104e177483

SHA256
6824cb9b9f78f94178d8d504acad3a144d1e8d33d3b477d5b2cc4a893bbacbc4

SHA512
61c154c8126c111dc564c3e8fd993716248c46fceee157a87d5da271f50bfeb172742f6bc31fecad193c89a8bc4dbd4bf5351828cdc51b587d47662fbf186b22

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES31AC.tmp

Filesize
1KB

MD5
6e856e72367533b85c418c09f62ad7f9

SHA1
8ba21c75e44a076afb9d265735a241976fb3ea35

SHA256
fcc743a027c7413c42b914e8c3bfc09a2b46dd1b9d63a316e2b43dbf510f2791

SHA512
8670da4348e74e2f6206819efa821fecbb76922670fdb54f4ceba7f449ab6dc924fdb00fa17dd125a429256136e7bef99468b7d883d7d4799a22687377bc420b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bxzskfjm.0.vb

Filesize
277B

MD5
811d23aeacd42aaae65290aaae9ec2f0

SHA1
70a80ece94d19a509e4683ef1539d22fbc1f6806

SHA256
c1e748f53559c07a1643bb008c1c0181b8db66763c7732f677545815cdafe89a

SHA512
bff902971f73bb270cd7e96d547d7dbab2c7d1c46a6cc9b3273ac9c960e45786fed3cb0394a69201dfc32842257a4d82cac055a6193b0b556a943605fa3bc99a

Download Submit
C:\Users\Admin\AppData\Local\Temp\bxzskfjm.cmdline

Filesize
169B

MD5
72e3b6191765de75f1e5bce757b11ad8

SHA1
0c7653d0f7692ffbdeb941ec55415d7425aa7335

SHA256
13439198533fa90ac8f434689fe91824ffbcfa3fb92d462153d70a2bc3c282fa

SHA512
7f409918a37e5e86690943a56aa4c48c743e0fde3004e2313aa162d4741d470a23d8209779fc978534deeeb32bc83cbf4bcd0d983b3bc6a89e6585157c7043f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\e4ac3z5o.0.vb

Filesize
272B

MD5
869d0d041bf23f1dd9bd7c7cca60a73d

SHA1
f76f2ce6fafd7cadf58f2638e150bf715cf7c742

SHA256
335a8a1813541fd547823b2a468ed18cfb31bd19f380e3d459ded9d3ad9576a3

SHA512
4968154c2676e553d31c6d31e078396fcd77e166613a96b3e2751c32131a8909b1d1aa35f4bf9c45b311f787c4aaeabf4265711c94ff15b9849c1c46d6f226bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\e4ac3z5o.cmdline

Filesize
164B

MD5
ee9041936742af9c3cc20296aeaa2393

SHA1
44e0ba0a954cd1bbff5046ba378f2d4f22bf299d

SHA256
6ef50b87b770eaa53feddf722689be290de9bfe16dbfdaa47231e471cdaded70

SHA512
51f500b78bd07bf693d6309475ca44cdd85bcc2d0d0a67b2b9769c645bab871e06cec7dffa1f3f036810a28ce3e39c3fc3c0f7d82815f9a2befe8aa416f7f4d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ifRtNHuiG.txt

Filesize
84B

MD5
f126f07b11f143f551f661d1dd5fe439

SHA1
43fcef8857cbdf5f8c9117214b4f9a829cc74527

SHA256
f2dff827bf3db172542186cb4dad5688465092a82ea27d65a6661cea9564082d

SHA512
ec24c54db085ecb08ee1d5702bb6590540b970d1c881cf52a85db59cdfa350e47baa87043b85871604c9fb45c27be48d0bd57e18b299793c676e5a7716158bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ifRtNHuiG.txt

Filesize
41B

MD5
ddacb8d91a476532677016ca8fa15154

SHA1
3e0ea6c24c766b6f05e1a36f47414bfa9f2cffb7

SHA256
fc66ce5a321ced54b4372b6b3933176680cfe42de956743e445b24ae53d24a65

SHA512
e61447050e38b910c9b95f0f203efc6be7c357183482c0de56979c29c1896b997e8b6c872558d13227e13b3aae1ce0934c861f3a718201b68539329d312980f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\jttbyuxb.0.vb

Filesize
274B

MD5
87d91d03f3d3c275269d2b7001ab633c

SHA1
5dfa68f0c3b966f063b0e33325f63421f61bf563

SHA256
72b46e70213d274f69f129807a3d2b28c0d44585e1de0c13f74b35ec1bb2ad0c

SHA512
82ed483e6edb5267437defe55266f572a24a1bac424bf90608570bef2f54bdd47709e488d1fb8a975ffe5d0a1b739151ad866aace0fba3dc45b4f613279275a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\jttbyuxb.cmdline

Filesize
166B

MD5
2bb0995917c3f9d9f0daea0d93779f52

SHA1
fd0c77206a24b3a74e3f41343ddfceb9bf3fc2b1

SHA256
c463dc2541125b1c43e33aba6e2d12d20d32fde51f9639b188e29e029b9d4c7e

SHA512
05e5a1b47ef31916c500542ec5d9f33e9fa5f9c1d0177ca648f3546ccc4e4c2e24589a8d02376461267af7121c264933155ace3aa4ca18adcc52f1af2643567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\kdot8g4p.0.vb

Filesize
270B

MD5
8466f45e2867b033df8cf09c919ff6da

SHA1
a7917c698040bc2d041a8bba0951aa4403462c2f

SHA256
4bafc0c494f5db6879409476f8417e81f8b55ea5c0e237530cc0a1e3f521deaf

SHA512
dc63d62a4b4c92ae4720c76a2ac14c010613ee166fc2c257b6dada8a8858adb8618948d2d2ff6dc1189325181eee44a1c2e0ec92d25077d3dd0476ad5acbbe87

Download Submit
C:\Users\Admin\AppData\Local\Temp\kdot8g4p.cmdline

Filesize
162B

MD5
da884112731514d9435402b0bab23a6b

SHA1
f15d402cc0ccb04a81a16d497dc6e9f8713f0b7a

SHA256
390a20d0b3ffd2a5e9f25c109e04e43f14ea20d0cf5495003752ecd9e6bb3eb3

SHA512
4642e56a79f884bcda0cc5f7e34f67cb618836b6ae63e657d6821c7c75e76d3f232584f672f23e826682c9a9892f436894e7f55afb3cd7f3b36b246d669521cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\lkj0ymyg.0.vb

Filesize
281B

MD5
fe82b496fc0869ac5a6af8f5e2995c0f

SHA1
4eb77fffa5303d4bce29b13f30d04f6870b7c615

SHA256
e99e6f7256732c8eb576bf9993f93b8e81122512fd9b9d40ad782c197387aff9

SHA512
c3c4fed2340cc138a140d69dbe6fdb94930aecdde43b481cec1486aedb85a39f633906013224ebdc9cd9eb145ccefd7185933e6ea32403fd27a6f5971e49a58d

Download Submit
C:\Users\Admin\AppData\Local\Temp\lkj0ymyg.cmdline

Filesize
173B

MD5
baad789bd25bda4d19d172eb504b4cb4

SHA1
b2def4e08e45c4b0631a3052b177f21908dbd744

SHA256
3389d8f0fe20753aef6ca71e814c1daae1cb1d10427a6bd45c2a7264286ff6c0

SHA512
27c9d09c0b7705d34ed19f8144459da7655443be708675f57fd3375363b73e4ca27de22b7fa5f12a11e008f8c4217ab3710f09999f5fd1990a76b9e76b6b9150

Download Submit
C:\Users\Admin\AppData\Local\Temp\msojwz9e.0.vb

Filesize
150B

MD5
ae24369368f08eba738ede90a9e2f6ea

SHA1
8c7dcaec612073bf7188116faf5df0dd8625d60e

SHA256
f72f4dd62a497e4eb87d5af418e82259c9d20cfe5df59ff70d9db883c9eead96

SHA512
d309556103fbdbe214574c6ac123834bfdf676c4e8994522f216c78d6bae534d072cef15bc3e14bea3f516b8433665d76395db688d48fe95882890f7124d9ae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\msojwz9e.cmdline

Filesize
194B

MD5
da1509a8c4753c84c4ec27615fbd02e5

SHA1
67ce531713b8ba6c8983ada78e43195ca81c08a4

SHA256
6dc66ce18eb4d3678d088b3ecc78ab2d4685b415c4c00883c679f87047847109

SHA512
b7b2aecb6602a5d17eb8e062a93b9bdc08830d7075b40e81b9344155b82f049c026bd9543960e92eeeb3025f9bab38349da040b379c95937544281caa3f17d3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\p6btdol0.0.vb

Filesize
278B

MD5
cd0c6d3ac4da8fbb08c84e238a9d68a9

SHA1
d4e01b5fcbbe3c4b93ce76d6c3e5dcd4ae30cdea

SHA256
610b60b2b2b0b90b7e649ab1f8aa375f50e7fd64eb1211cbee1b0e8c27d5f087

SHA512
377755552d83765c72e52a8a974cad570276cdbe51fe315abb1c7456a23a7d856a4ecdb63a79b11c0859a45db81e854d128543cb907534eecd0e51f2346067a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\p6btdol0.cmdline

Filesize
170B

MD5
8352d30a29cc4e1e2496171e80805cc3

SHA1
fdbefb4b706a95dc6d016623973ea2efb1a0cfd9

SHA256
28bbb791fa5d2c596fd7ead871460714efbf144f15eff02577a3c0fded6ad89d

SHA512
06bac8dca9412131d29e7119b7d7a7151a526d44c519c19cd01bcc2e9642a082daaace274ddf709c48b1275de49640f588972ba1d509b7af66f28dc0a43116dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tufgjhrs.0.vb

Filesize
279B

MD5
aeb27c15c6ab04793ce24928693b75d6

SHA1
d5558d114c9ff1d1d4fd26798a733b9411fe46a3

SHA256
a59aea7b946ed5ab312141a37f0c1628bf2262e1fe2a1291868ce993b8bfbbf5

SHA512
c33bfd2d1acb10dfffa008bec45caf0317338f2408733709241e62d72ceea4c4570443aab843f33dff9adac3be931f5e1d137bda168cb9ba218ddccc775a8eab

Download Submit
C:\Users\Admin\AppData\Local\Temp\tufgjhrs.cmdline

Filesize
171B

MD5
2153e244242f4d0123cf4ff6002e495b

SHA1
18c467d0cc68b526d9b6002e986e0eee165d8d3f

SHA256
e54101a8761b97ba4af9f3ddf250bf8d6c29e8df7ef0894646a24ce1d84658c7

SHA512
034ac8c3d7b6f9744c3a402747487158c57b727ea5c2f3d8d7002367646e428fcf8f6287b71779fb0e5691db6c19aea4232ff11a86dfc2b40f7ff66af61ac423

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2EAE.tmp

Filesize
644B

MD5
23c5f6c5bb4e5de59ec5aa884ea098d3

SHA1
7240ba716de1d9ddaa3f9e3a0adcd7e00c4e6a83

SHA256
7e090465b6d810c988f61a89f11debded56b4bff54c07369c26ab8afd9e8ba27

SHA512
bef35b5af9bb58041f3783a43e85f204a088f44e19168815eea881c2864f9c9038f0e8ba2ab136b6514028e6c22652496cee61fe6dab467b56f0a31809ca1f51

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2F1C.tmp

Filesize
668B

MD5
3906bddee0286f09007add3cffcaa5d5

SHA1
0e7ec4da19db060ab3c90b19070d39699561aae2

SHA256
0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00

SHA512
0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2F6A.tmp

Filesize
684B

MD5
41857ef7e71c255abd4d5d2a9174e1a6

SHA1
95051d6ae43ff1bd9e5ebc95aa2e7b7c3165cb6c

SHA256
dfcdf12316f3b523895ec611d8e8d9fdc189ab8dde4e86fb962541aeac54e302

SHA512
ec6c5a7729d273be3ff194ffe47056731ab4100e298b7f50108a2599be59c84bd1953a90c4d7390c477257986a18d336d951f590b782f1aa983de7bd4c86e6ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2FB8.tmp

Filesize
684B

MD5
453916f7e3952d736a473b0e2eea5430

SHA1
b79ccb2b555a81b8db470ec9fcaea26d42ef1c8b

SHA256
b0f8b94a35a12060c70e9f81641be22cbf1f1794c73260f48a2e6e46608623fe

SHA512
86d32a03cf04ef8640075c82e5fecb23034413a41b80b81c900a423b03f44589f774f68f83561465e7c9ce46512c818eef5a90e5ed9f7b3f86b592be34fa367f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2FF6.tmp

Filesize
700B

MD5
6ed26221ebae0c285cdced27b4e4dbac

SHA1
452e9440a9c5b47a4f54aefdde36c08592e17a38

SHA256
aacdfb10fa949c74577bb1778fe2f3bab88b3e587c07cfffb003e059097e9e6c

SHA512
c604368a7b4adfbec5b6898c8880ea684bd085d967c1ebd087c9bed065fe3e2575c8298a9ccaa454d68496386667db998e2a04248dda2ab35905c8a9b1135cce

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc3082.tmp

Filesize
748B

MD5
b548259248343e12d417d6c938cf8968

SHA1
19703c388a51a7ff81a3deb6a665212be2e6589a

SHA256
ab2ce0a14c78f836d2b134a37183b6d89a78b964ea5607940fa5d940d32a0366

SHA512
73a3902f000a042a448446f6851d6ad61a30bfdfed7d7903b5dad0f368ee43cd6da3b8ba817ac95be1a7427902aba0642af8ccddc4d442867465f1f1f5bf6f81

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc30D0.tmp

Filesize
676B

MD5
ba2c43095c1c82b8024e968d16bee036

SHA1
41ea006dbc9f0f6e80941d7547a980a1dde868e0

SHA256
1209067183104b41f03a5be0f377dc1865155cc84bdb509b871b7ce3366aae72

SHA512
00dc93cdb8c4cb0a681f99d24c59216a721bce963d76bad972e29cf92aafd74e4af46632c00f5aef4ce3160927db9df8aa9a8926ea4a5cb6974b499785569e61

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc311E.tmp

Filesize
644B

MD5
dac60af34e6b37e2ce48ac2551aee4e7

SHA1
968c21d77c1f80b3e962d928c35893dbc8f12c09

SHA256
2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6

SHA512
1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc31AB.tmp

Filesize
684B

MD5
7a707b422baa7ca0bc8883cbe68961e7

SHA1
addf3158670a318c3e8e6fdd6d560244b9e8860e

SHA256
453ad1da51152e3512760bbd206304bf48f9c880f63b6a0726009e2d1371c71c

SHA512
81147c1c4c5859249f4e25d754103f3843416e3d0610ac81ee2ef5e5f50622ea37f0c68eeb7fa404f8a1779dc52af02d2142874e39c212c66fa458e0d62926a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\wi5kand0.0.vb

Filesize
298B

MD5
36f605395fb01d5fe44a8ba775f127e1

SHA1
7194f4f5296f6126af3580177a2346ce3391e57b

SHA256
48fbcb6d9cc7930d4212754ab02f6c4b84cd4e3e3c0958491f842ca95b157953

SHA512
0861fcf1a8d443e0bd36f284742fd21ff846100deeed95d179bdad944bc442c3dfa06e777fcecb14075ba734ce11a144e525c7d3eb06d578af3b31e839081ed5

Download Submit
C:\Users\Admin\AppData\Local\Temp\wi5kand0.cmdline

Filesize
190B

MD5
7f045438516ef4b018efae23bb467ca4

SHA1
f282a030d7809cdd5081251816287828a738142a

SHA256
f85071b6c1083635d1b37e4e180f8a92560b37780abfbd023ad80de572d4ab60

SHA512
d6dcc79521210ce4236bf96df36f742640e96f381e6717c65509b7268f805dc04ec0fa502b15070e20c978df5ff1066e5b8916078ec1e6141b1a7a0006ead55d

Download Submit
\Users\Admin\AppData\Roaming\Client.exe

Filesize
62KB

MD5
04fd5497a83ad255eb92eda4d75b9d3c

SHA1
9749bcf4d4721446c7c7a594d1d41c5e0aa3c358

SHA256
607c83c609fbe308f30c0cbd197c8fc8c33ef4c85a21794463091a962609fd4b

SHA512
eec5fea358b8c4e42d0d4e146e2766a924c8cf1e073ac812dabc7c9678a06ea65cc8db2c16783f336b7b7e2a9e84fbcaa60c552fa51761c1736940490174905b

Download Submit
memory/1592-73-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2332-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2332-21-0x0000000073EF0000-0x000000007449B000-memory.dmp

Filesize
5.7MB

Download
memory/2332-5-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2332-7-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2332-17-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2332-19-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2332-13-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2332-50-0x0000000073EF0000-0x000000007449B000-memory.dmp

Filesize
5.7MB

Download
memory/2332-11-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2332-9-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2332-22-0x0000000073EF0000-0x000000007449B000-memory.dmp

Filesize
5.7MB

Download
memory/2332-23-0x0000000073EF0000-0x000000007449B000-memory.dmp

Filesize
5.7MB

Download
memory/2368-1-0x0000000073EF0000-0x000000007449B000-memory.dmp

Filesize
5.7MB

Download
memory/2368-20-0x0000000073EF0000-0x000000007449B000-memory.dmp

Filesize
5.7MB

Download
memory/2368-2-0x0000000073EF0000-0x000000007449B000-memory.dmp

Filesize
5.7MB

Download
memory/2368-0-0x0000000073EF1000-0x0000000073EF2000-memory.dmp

Filesize
4KB

Download
memory/2368-3-0x0000000073EF0000-0x000000007449B000-memory.dmp

Filesize
5.7MB

Download
memory/2924-62-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3032-34-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3032-30-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3032-28-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3032-26-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3032-39-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3032-32-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3032-24-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3032-37-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads