38bc13ef112b2f17d4d1a80243fac6a521b5d58228984aae0752d79487fa3b66

Resubmissions

15/04/2025, 17:34

250415-v5ylksypw9 10

15/04/2025, 06:16

14/04/2025, 08:06

14/04/2025, 07:59

14/04/2025, 07:22

14/04/2025, 07:16

11/04/2025, 21:39

01/04/2025, 21:24

Analysis

max time kernel
143s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20250410-en
resource tags

arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
submitted
14/04/2025, 08:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

101KB
MD5

88dbffbc0062b913cbddfde8249ef2f3
SHA1

e2534efda3080e7e5f3419c24ea663fe9d35b4cc
SHA256

275e4633982c0b779c6dcc0a3dab4b2742ec05bc1a3364c64745cbfe74302c06
SHA512

036f9f54b443b22dbbcb2ea92e466847ce513eac8b5c07bc8f993933468cc06a5ea220cc79bc089ce5bd997f80de6dd4c10d2615d815f8263e9c0b5a4480ccb4
SSDEEP

1536:fkSJkZlpqwZoMoG5XoZnOZBX7D/3BINVRX3FjBqa8D3tSYS9h:MXlpqwZoMz5XoZncB/3BINZjy9SYS

Score

7^/10

persistence

Malware Config

Signatures

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Users\\Admin\\AppData\\Local\\Temp\\file.exe"	file.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4332	file.exe
Token: SeDebugPrivilege	5344	file.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 4332 wrote to memory of 648	4332	file.exe	86
PID 4332 wrote to memory of 648	4332	file.exe	86
PID 648 wrote to memory of 4196	648	vbc.exe	88
PID 648 wrote to memory of 4196	648	vbc.exe	88
PID 4332 wrote to memory of 5080	4332	file.exe	89
PID 4332 wrote to memory of 5080	4332	file.exe	89
PID 5080 wrote to memory of 4552	5080	vbc.exe	91
PID 5080 wrote to memory of 4552	5080	vbc.exe	91
PID 4332 wrote to memory of 4728	4332	file.exe	92
PID 4332 wrote to memory of 4728	4332	file.exe	92
PID 4728 wrote to memory of 5620	4728	vbc.exe	94
PID 4728 wrote to memory of 5620	4728	vbc.exe	94
PID 4332 wrote to memory of 4592	4332	file.exe	95
PID 4332 wrote to memory of 4592	4332	file.exe	95
PID 4592 wrote to memory of 4280	4592	vbc.exe	97
PID 4592 wrote to memory of 4280	4592	vbc.exe	97
PID 4332 wrote to memory of 4160	4332	file.exe	98
PID 4332 wrote to memory of 4160	4332	file.exe	98
PID 4160 wrote to memory of 4796	4160	vbc.exe	100
PID 4160 wrote to memory of 4796	4160	vbc.exe	100
PID 4332 wrote to memory of 4972	4332	file.exe	101
PID 4332 wrote to memory of 4972	4332	file.exe	101
PID 4972 wrote to memory of 6032	4972	vbc.exe	103
PID 4972 wrote to memory of 6032	4972	vbc.exe	103
PID 4332 wrote to memory of 904	4332	file.exe	104
PID 4332 wrote to memory of 904	4332	file.exe	104
PID 904 wrote to memory of 4232	904	vbc.exe	106
PID 904 wrote to memory of 4232	904	vbc.exe	106
PID 4332 wrote to memory of 4856	4332	file.exe	107
PID 4332 wrote to memory of 4856	4332	file.exe	107
PID 4856 wrote to memory of 660	4856	vbc.exe	109
PID 4856 wrote to memory of 660	4856	vbc.exe	109
PID 6028 wrote to memory of 5344	6028	cmd.exe	115
PID 6028 wrote to memory of 5344	6028	cmd.exe	115

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4332
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mfbojglq.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:648
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB016.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc62E940C67692490EA6B742DE7A6E575.TMP"
    3⤵
    PID:4196
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-riutqpe.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5080
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB0A3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC2F16299958746569F96C0A73E3AA8F1.TMP"
    3⤵
    PID:4552
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zfcqam7f.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4728
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB120.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA5227AFBF5B346E7BBBFA58F8E351715.TMP"
    3⤵
    PID:5620
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wlfmjnjr.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4592
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB17D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc153BAF9311844A55B03A4CD6498EAB4A.TMP"
    3⤵
    PID:4280
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ae-yirff.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4160
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB1FA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBC50251679B546EE84FDE6969961FF9.TMP"
    3⤵
    PID:4796
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\of99s2vk.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4972
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB287.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC9691B95E43541F1958CDECF661445E0.TMP"
    3⤵
    PID:6032
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6omspeuo.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:904
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB304.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3F848D6A24F40DB82CF1ED94910A915.TMP"
    3⤵
    PID:4232
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\n2xp166c.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4856
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB371.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAE64748530704A368E5B52E16D5B39DD.TMP"
    3⤵
    PID:660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\file.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:6028
- C:\Users\Admin\AppData\Local\Temp\file.exe
  C:\Users\Admin\AppData\Local\Temp\file.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5344

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin.exe

Filesize
7KB

MD5
9c6ac33ba71944aada745705a00df178

SHA1
f6a21ee8058ef5c21ed0280c82e735c2aa1de9c2

SHA256
71caaa867fb5ff1f94b5153db0c0cc5f77145dbcd2a8d4b2b783ff94c49efb12

SHA512
558c860e4d7e3b1a46de9514108bd4c7d1f7baee6dadff4cf1e9c21f5e3f28420167f3790f9a8db499c22482bd9df61e605e67f4e82ccb052328a41954d4695d

Download Submit
C:\87aa137e39d11fff59dc51f1712eac20.exe

Filesize
8KB

MD5
411beb852f8e724b536779c14350655f

SHA1
cfab3bb95239f7c4a4468fc30929c8cca8b0a1b1

SHA256
27fc5ac33e3d5ca3d0d949ad8ea79e3f3439bc5a18b58e1ad42aff98fe36796e

SHA512
7787713524833b017de30ed6aa885c8eb13320164c37713aa663bad3815d77defcc8a78c4dfa60f952171eb19aad34411df9474f33ffb3f1487fff7770a7ab17

Download Submit
C:\Documents and Settings.exe

Filesize
8KB

MD5
7996a34719a448d2bcbafa7c43dedffb

SHA1
924b91a1ed5c23b7411c51ab9bee0a71db8663df

SHA256
6c92a61b163188c26bb6ecf8a69f67a307e97e8e62c6950c392eb6918743eb94

SHA512
8ce8cc386b4900e26a6f103c82d90f2fb4184ab4bca92a9205f3221616d6e3c4777f7ef10462a786909c8e549fe93d537de7ddbfa8e5bbfa42d73b22fa900aa8

Download Submit
C:\PerfLogs.exe

Filesize
7KB

MD5
b335a4804990a10af9f1356c28049b0c

SHA1
62a1cd3fd41ae5add4eaafbc6f23b782f6cd4058

SHA256
c09a6d4efd3f86e99aef515ee8daf3d9ba3fd65376ab2501be0261d58e8c631a

SHA512
2b34c54e9bda8f2eeb7301725668e0c32ae9dbdf0960722139dbd5ae34218086f964b1273b7c5061805e221d1592a3f5c105cc177537643dd5c543fafa78a011

Download Submit
C:\Program Files (x86).exe

Filesize
8KB

MD5
4a447dfb4d959c3e93c99a5552c0950c

SHA1
52b7272ec1f5f9ab82bce5ae002d9c4712e81929

SHA256
f7932dbb39c161cd94d8287892569e500117c32dff0c908a63810707b9aa0c72

SHA512
2c21c816c84452c113e1e8ea3bcd5e98b07cdea1164cde3e9234e8740f7312869389041da27f3e6b2edac15fc39abce4b8bd9378e5d9712ee02f1c00e6122f94

Download Submit
C:\ProgramData\RevengeRAT\xblRvZwfR.ico

Filesize
1KB

MD5
42d552558e7e6f7440b2b63a6cde217f

SHA1
9c8fa01060f667cf3b0caad33e91fa59e643cf76

SHA256
11b5a0730666935c78d22b379f83ea5fc30d1afdea09a796b4f18b38a1e1ef69

SHA512
e6a6dc1239b9668e7ffc883b3cf46aff8c9f86ef11ae975f6fb65531d8b9313acd7608272042e322fad415a45c0cf767252d2c620ad066e6809656af0f09441b

Download Submit
C:\Recovery.exe

Filesize
7KB

MD5
bd36118f664923e46d9af56be85aa0d2

SHA1
dbf9ff73a53594dffc9092ebafd5bd23a4c0943c

SHA256
b411d0066a147f85ea231943f6dd7e1445deebf007a58f0291d48cd508b07fd9

SHA512
c7f34f60dde6aceb0022d384b62308acd3f78b8153930cd0a5bd99d48628f1263bb7543656e67331839fb3d12acb99cd8f6c1bdc18382b09f196f22b7f6fd004

Download Submit
C:\Users\Admin\AppData\Local\Temp\-riutqpe.0.vb

Filesize
369B

MD5
c661933785e3e98d10da94c34182924a

SHA1
7dc31ed6ea77b420cdfed166515a071aabf91baf

SHA256
d19fc3f8d9b65a105935420577b9cf7d3e93790310d830cc9e4e0555d67b4701

SHA512
4e36fda53d193a948b8949850197c56b1a97a82abf31ace0070d261abd5e0fef2dbe332d62705ba200c75600ae84def4613370414615b6dc10ea5f1c47838815

Download Submit
C:\Users\Admin\AppData\Local\Temp\-riutqpe.cmdline

Filesize
223B

MD5
bdcb4e82646217934461867c7af85ae9

SHA1
87db5ae2baed76c7d3843be39a0bf25d37e47f11

SHA256
55a3c3b7e7a1c5747324488dda450ff39268a6c9488c18b0724d119192b734ac

SHA512
ec5087ac6c7a2fd954f521c59de8eaf16408d9d51a22c1fb02b7cbbd37260401000c3e3efa0f7afeb21ac156713a14f32ff28ffdb1b9c29bc5a954ea729dc61f

Download Submit
C:\Users\Admin\AppData\Local\Temp\6omspeuo.0.vb

Filesize
345B

MD5
cd6c54181a29d34a9c388ae8b2bac97a

SHA1
842877924fe997161aad06beb122b4d7ad7025ff

SHA256
401083c6f8135c71830c9fa258e49863523c1459e6c1e59a3e574cb0a8a41646

SHA512
7d78bc9b75dadb1e69cd6fa3f529286f4fe4c240a76b7332a6df93e77a90d605d9012bda9b6b52b42cf7ee027d250afff53b74ca34fed01487220e74db68e199

Download Submit
C:\Users\Admin\AppData\Local\Temp\6omspeuo.cmdline

Filesize
199B

MD5
16c8f5654ce2f7d5d9cde4fc09be04a8

SHA1
2458f62f8a7ae73fb9817aaf3c0e9d9d1133cbbb

SHA256
e62c0254b24f371e757a4cb84e75709f8ae8464ce5f954e53e1e8783d304afdf

SHA512
8666da489d4de523e45cdbffdb2606a251439a2da21764b299b0ae59455144c394c995d890de29c2aba26f083cd803826a837c5aa21382b42a99db54d040655a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB016.tmp

Filesize
2KB

MD5
2586a5be4b8bb4a3ee946cf0fec4690d

SHA1
17884765594169e8d2d0ba3c517b3d252fa77fb4

SHA256
db7772a334235b9e47a30453ab76ea43de299d85aaa165f72b2d14834879552e

SHA512
759013787fab6ceec84eacab7ec6379ac4274a19c13737d065d081ec69d5f8271c32e31dfb44f3591e48bdfc8b9626ac6c689663fa749fbdf7c9f55c15c4c7d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB0A3.tmp

Filesize
2KB

MD5
aac77c851d5e32b877f55182eca7701a

SHA1
dc6bebf595b0b4451bd36f85cebe41d906c00f42

SHA256
128e6bcec9ea7c40ecd633506671497c23fc5ad02cfe0166da99a22b408cf196

SHA512
d4c720fe03d753c20a58a6e7b8f655e8d13f448a6362e115b2fa8358bf76f0dfa6011369b67333ea011d7a3e2e8e2aebd4c6b7271b25a85f7812ee5b840dd1ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB120.tmp

Filesize
2KB

MD5
ff558f8c3e979c1ad28cdd242014463a

SHA1
77f2fd8f602baae170705569d8a0782cf4495e3b

SHA256
7ae73afcada4eb3b2abc7997ad2c5b92fa9f9f45237d10856ded4514753fb9a4

SHA512
bd820f602911fd412a3a08f796b30697ab26dea0cabd7c07ae2c5bec802d84f8fd22ddad0e00182f4057610efc9b03748abaefd637f4c85e82d239433ccab23c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB17D.tmp

Filesize
2KB

MD5
f9fceac197bd3339da4f512b9587d8fd

SHA1
585ef22b9c508b9f88627fe2aaf18aae7ff410b6

SHA256
61073995bf27c6d464a0c87e72e00431b9d96603eae5f36ee8e084e4d7507e75

SHA512
89b62fa0a4e3133842a0752b39f4dc41eb4f598339654d6a7954965f66877586570460d9f1ebb2d22e96a725976c0ea1d1b5ddace32df7118d00a784b0507605

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB1FA.tmp

Filesize
2KB

MD5
2c4a72aef60f2168e71568de5b7736bb

SHA1
9a9baf73e1517e361003235844f90b94efdc4352

SHA256
aecdbd35c147c96865ab247e9e0ee9f90f65752009f7cd31f571477d9c4f37c7

SHA512
49aadd9be7abae6b5b09dc50966f9db223005131871761926e61f767a646b9f3d66fcef3ab1b7e771dfc7b826db10d921bd2e4c7547fbe63f6ab9d3371fdbaa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB287.tmp

Filesize
2KB

MD5
3d61f19f4d9b0a1bb03c141c29196c13

SHA1
2575d5e2ae2bde75e0bfe7a1b12eda20b5d582d2

SHA256
57656e66af931c57c965603af0b5c0e7119e48a3cba556b709802d8b8aa28abd

SHA512
fecac39ebb2fe20da3b6a3944210c54a6e4470d76a69e4a9ea57cd9a26ee0c9d5a035d2378809a9ccd3f38b91b32f6abe0f851883625e56f1bae47d5eaac33fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB304.tmp

Filesize
2KB

MD5
e3917444a27ba33536ff16be3ebd7562

SHA1
8ed40145baf4ca55edca490b609df420163d6068

SHA256
fb7b0e0935ba33c4af99a298ed2861f30ad95b2f59e54673ac08bfbd105166f0

SHA512
eec599496f4ac80e8ff4e02b0a8379f9645151d3af1313b876d523a397d0a38588fcdf166658c87482d9f342ef52b163666032574ce8ba8205358703bf71107d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB371.tmp

Filesize
2KB

MD5
d821ba0ddea80b1209ac977af58b23e3

SHA1
9a20ecd69945066354734e976a70a0fa13f9cfe4

SHA256
49d074bfeb527c79009033b72d1d246489359ecf7689c45b246cbee6792d8682

SHA512
84a3cd6ef7d2b6834d2c4a55effb0abbaa1a6c378ddc40198fc0101055315766a5b4e600519df3dd5cccfd2aaff89fe5ef6acf14e53945d81cde1d5bc4344208

Download Submit
C:\Users\Admin\AppData\Local\Temp\ae-yirff.0.vb

Filesize
345B

MD5
c8f33b81180ae953e6e8d5451208e55b

SHA1
14619702dbbda508a22d62240d7fe49aa3f1df0a

SHA256
412137881e3f3de959a2d007b4a2b49d052571353f8a974010255f4c0f044082

SHA512
3a23ba1d02585d081c3f9c95625fdf7bf2a0947ebe40ec6352b581b39171a9710f8934b4600954f658c957ff889f270af2cdf8dfccfca35a61ec408fc8eb5a96

Download Submit
C:\Users\Admin\AppData\Local\Temp\ae-yirff.cmdline

Filesize
199B

MD5
93a3b26c473a70f0a854ce5378484d39

SHA1
240409e056676bd278b3795281e294f55fbb8b96

SHA256
bbb61b21cea918e7d280f7a1330d08abe325261033e5f275b5fa33d1cdb3e221

SHA512
16c725a10822e41f6c315098af6a56123ae1938d79cc489446d4fe64f16368c78f4224e155f2ae8428563b9086b1f23952e6ccfcf4c584492ff288f9504c3b3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mfbojglq.0.vb

Filesize
349B

MD5
7e8dc285e017cea4559ce6031c044024

SHA1
7e87c47b4441e938d993097906d0d78d321569c6

SHA256
a615fea96d0b746bc79189352ba83103cdd3ee700f361ce0621ed4ff46aad4ad

SHA512
c6e83f3bd083b0aeda81f08225732ba4952ddb479aa5c7923e1bccbb532832815c13b6ac264550b03b57d4ba0b0debd1a7d2c03acb41c31b317936d914c09950

Download Submit
C:\Users\Admin\AppData\Local\Temp\mfbojglq.cmdline

Filesize
203B

MD5
ee396f938fa2b5df2c5e07b542bab614

SHA1
1f378b004d67e1b0c9002d18b08d00093f876e4c

SHA256
78a67386c575092570865183050fa8642b501ece12600d09bd513b9cbb39b8f9

SHA512
e017713dc872d40affc8cbecb79a7aafd1fb6769a9b3535bba3c1f2912d045dd3a14ec67c5e88e3385e0c5831c243636fc438c6f9d9f8e91ec65d3ed689172ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\n2xp166c.0.vb

Filesize
349B

MD5
f1405abb8e9f89c7517c03f3ecec1564

SHA1
c37550afa9762b44f9c82c852d021ab3624e6ded

SHA256
f76e8960b34bb917632dc6cb47cf1c69b53a7b9b5e58a5ccbcf9a099cacc2c99

SHA512
90819d8cd3fa47e8ac2e79f8abff7ef4f4692185d7ca65fd45cb9144ea335dc92fca5308ae369407f288a40e6d488082a1e89fda5c59c5e5725a80ac76d04733

Download Submit
C:\Users\Admin\AppData\Local\Temp\n2xp166c.cmdline

Filesize
203B

MD5
e4a55d7fc04a1f724db88e156325a90e

SHA1
28fb8b1b8dea05379e0b1d93a66b17be46bdbeba

SHA256
27d78b4b8cb5b2c5614f3e92950392cbc7d4c015fcb1b9953a926b1f8ac6629d

SHA512
936e9e2d01b129fcfbac01ec4482c6fb0927231a96f251787f641bf988a2cee52bf00d273e6e2e3d1400dfbb90c095d6a9fd0b6a08c5336e198cd310a73f63ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\of99s2vk.0.vb

Filesize
356B

MD5
86c68da5eca3f86e9afd81f7e9a34a23

SHA1
e0d5a1b459cc26d07f190de7c53adda1be1bd28e

SHA256
069e4022d9d8a43c9b2fd85a75458624f29235262ebc1efc889d2cd64ed18d27

SHA512
5c54931607ea8ab16c1ab3c36154b81e4ef66a30bb9d911e21ed1c0914b88f097f3e5d4056120daeb8c07698c41f8865e792c05673876ccc3aab419f9c9aa1b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\of99s2vk.cmdline

Filesize
210B

MD5
d17e6df7ba0ff3f6c12bc8c42f5a053c

SHA1
6b8a1432ffd8e5e2b75a04d21a94ffecfb9785fc

SHA256
16ef6dcdca6f5be6d309a719909f9fb549e1da6ca4c0f085ebfb0547014a0aca

SHA512
d50c9840909d48902e96bd0d9dda1853e55191707ddf583d6c69f698544a018a81c1ce04b5acc6cc998ab40aef289866e715917922a84899e73de7c6024ab4b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc153BAF9311844A55B03A4CD6498EAB4A.TMP

Filesize
1KB

MD5
959b6a60190e9afe6e328137e397da69

SHA1
f531c4f001eb9c1990cd64194e09f871e88abb1d

SHA256
9e4a772d4b9a4b48d7101b6a698b655b485f3367fa6ec1e606079331ad8a4a50

SHA512
a997deed27bfafbd43bf77185b55f96a2b1d83ddde93e158c4c6fe3c977ebefdd382b0c5c9c9def83abf7684a82900fbfdcaccc995ee0438451f7e23673762e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc3F848D6A24F40DB82CF1ED94910A915.TMP

Filesize
1KB

MD5
cbff7107f47a4ac55a18af6c6710c34c

SHA1
65bec7fe045adc005d55dbcc3bf23179ea678cc6

SHA256
61635a41485be5ef65a9cbf21e06501f2457f5382bd29ea9ce2901a5b7408774

SHA512
69a0c9e126cd7cda50da6366bf2f44da55e93b0d7f0c78e791ecc89d9e28d345e3c08b7292138fcb36aff0ac506f15f5d3262f8174b09909dc55a0e6405670fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc62E940C67692490EA6B742DE7A6E575.TMP

Filesize
1KB

MD5
19ef61b3387a71ede7704efd63a111d8

SHA1
d6fc5831d1eb4e6ec09bbceac14d1858bf95108b

SHA256
7e3353bb1fd38d66a53bfcecf5bebe8d9052916abccc7d96ea241541c9af8610

SHA512
658423fe5ea03091f5688c816d8a3a14e5b33fe9785c7d8112c1faa797bf73941e76c7682cc7b0a05a40770ff062a65d2798e64d401c47f80d90f2b1f286f88a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA5227AFBF5B346E7BBBFA58F8E351715.TMP

Filesize
1KB

MD5
1e1accabea11b2f2b119e3cd0dfb189f

SHA1
36f01d204ad1691c3b38d727bd6029f1ea4ed787

SHA256
5259fea78d4db203e2d10c628fd91519ac4e99b602753290889dba1ccec56c8d

SHA512
3599231c75bce9cba236352af0bdc16c36e537e48812f0a4e0b0748d653f2e6860819952bf512b273bbcf3dd3939c6b129c283f31539d576a257ceafe9f53764

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcAE64748530704A368E5B52E16D5B39DD.TMP

Filesize
1KB

MD5
20ef8f695fed113f459624133aa73992

SHA1
f0aaf3ce1967b5ae8c7031fbe930b1a7e3142bda

SHA256
3bac257a86632110fff75cae8c9d784afdf9522706d397ae086ee6b19d4a955d

SHA512
bd1c8d57ecff5a5dc3940307775f36771627ce0b4b228b6a6a56ef3b0659cb2f9cb1c9e754d4f805bfc094dc44cbe06072e8270363fbb7f43b246202049d1a5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcBC50251679B546EE84FDE6969961FF9.TMP

Filesize
1KB

MD5
b7370f71606afbaf01745643bc55db56

SHA1
9cfc962aef724cfd27b4d0a1f9c9990fe840eb0b

SHA256
05cd4041b325837f2290bd65e2c160ea91241339e4c53fe29b243542df417ade

SHA512
5591c8fc1a7ae23bfda9872fcc5c7c5c5d8b668996b280a027bd18dd930edc0d812548185bea1e426f71ec0783d75719066df345ec95d1f92af938f98887495d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC2F16299958746569F96C0A73E3AA8F1.TMP

Filesize
1KB

MD5
bfd4959434733d8f77894f8404c17580

SHA1
dc3f693ada395c8a442d76dd49563e27707b4cb8

SHA256
97f2e2662747d0e72c9940c818adcae0c7e65c82bffb2553d32ff40e54416227

SHA512
f6cd721c908cd80d44da9e803472a0744bfc27d2c899acb403243397545fd64e61df0b61b6610d1dab54222268228a282832580fb41980927387da566b9b6357

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC9691B95E43541F1958CDECF661445E0.TMP

Filesize
1KB

MD5
4cddbc51aa87a8da871ff6d3e264e11f

SHA1
8315122c35faeb53d9aee9043368cee0cb8ca91e

SHA256
36ac27154a7c665d75d189b50f8f91bb705a9bd7fce0e467fe7b6852fc6e77b1

SHA512
f4bd8b62c5392ad9bcd567d5c7c63f6ca93d447482ec1c37bcd669f1af4b96c9c3d3466b0e1d7d82130fe18457b8e2d8ac6459d2b6d10f75b744a13b78c56716

Download Submit
C:\Users\Admin\AppData\Local\Temp\wlfmjnjr.0.vb

Filesize
355B

MD5
b02aa2d6231c9f9aed584a810a9d9a4c

SHA1
b2ef685abd5b60cda83851a37ec5741cc8e6236c

SHA256
8289d136aa677d7218469a558568a4ed5adaac9631221c7956d0749f2d31c216

SHA512
f02034fe2d9dadeae831cf5282d45383fc9c18eac1754a4a5c59d759785efc801f138628c12305f6e72ded9505536e10b9992ef83360a10c26ab936dc03dcb7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\wlfmjnjr.cmdline

Filesize
209B

MD5
1d7469723643abe73dfb775d46c77b24

SHA1
8e97064cbc3626cc81e387b37ac0f1f8b6a8e733

SHA256
5154bb2719203de6829780520872947252f6f612cef7d0e26572bd68e00c1948

SHA512
f8eea1c5d2a3d2e9386c6e615c11cdf37829898052d431d642098f7ca896dd5f8ca783d854eb367740fe24ca25403fc3bbb7e87fdae9e684ced204c9f396366b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zfcqam7f.0.vb

Filesize
359B

MD5
f2eb66522e81f5808c8794592b7d0cc3

SHA1
d10227a9de168dbb33ddd6663c14bae72ec45191

SHA256
2bb58efd5e05b869678e245802cefdc4f9e24c8f1ff5c0d44fe12f398f7e045c

SHA512
a9bdbc6466c144d3867778260dc971dede176983c38c9b3bf1c2fd95c46f6dca25acbf42dd57f727fff2a29252eb63cdfcc44cba8ced86c672f42d00c2d45670

Download Submit
C:\Users\Admin\AppData\Local\Temp\zfcqam7f.cmdline

Filesize
213B

MD5
689714556f5ad165faeac5bc6c474011

SHA1
528b8f16ef7cae12559619503f8ece1ae44e3d8f

SHA256
07d157537c614aaf88c54eaeb0fcb17df5123386b5465090eddd94c82a76c079

SHA512
3b86ce31c6e2e449d3841d2ab1f5b032917cc745129887bc96d255b37b6f684e9f5189f8bb29ab75d8cf71123ddf1fb90fe395a4a41c2f02cf65b47437b95837

Download Submit
C:\f8209c423bf0ab838b.exe

Filesize
8KB

MD5
46f36c562d0d52b6d33c70851cae92b3

SHA1
c84081861624b2dd7b6941cb5d3ae8c6e96379a3

SHA256
17ea6325fe38b265d65bb30b944f396aec28a95b8d3c639f1e1ae130c716668e

SHA512
33a91e54243d9f90b78320357c945553898e908ae64a4c8a2587af618495c0c19c7a3ed33c26b0ab8f1e825dcd6358833794e23e8a2885c7801f4dc938a0882c

Download Submit
F:\$RECYCLE.BIN.exe

Filesize
7KB

MD5
3d7a626746839b1d8c1fc4dd96fa14e0

SHA1
532f4ba3dbecb997a1582123a729d26ec8500afa

SHA256
b72b94e46803344a6d7f9b96f78e9e9a29dd6fd8645f04662eb0164039c349de

SHA512
d136a976b8389593c731072aeb4ee0ce4c3a71e891d8c2529dc31f27f65e4618b18d74d8330dacefb27eedd3fc89353fee87e2fbbf399c4e7889603b57fc3aba

Download Submit
memory/648-27-0x00007FFB7F680000-0x00007FFB80021000-memory.dmp

Filesize
9.6MB

Download
memory/648-18-0x00007FFB7F680000-0x00007FFB80021000-memory.dmp

Filesize
9.6MB

Download
memory/4332-0-0x00007FFB7F935000-0x00007FFB7F936000-memory.dmp

Filesize
4KB

Download
memory/4332-10-0x000000001CE80000-0x000000001CF1C000-memory.dmp

Filesize
624KB

Download
memory/4332-7-0x00007FFB7F680000-0x00007FFB80021000-memory.dmp

Filesize
9.6MB

Download
memory/4332-123-0x00007FFB7F680000-0x00007FFB80021000-memory.dmp

Filesize
9.6MB

Download
memory/4332-6-0x00007FFB7F935000-0x00007FFB7F936000-memory.dmp

Filesize
4KB

Download
memory/4332-12-0x00007FFB7F680000-0x00007FFB80021000-memory.dmp

Filesize
9.6MB

Download
memory/4332-5-0x00007FFB7F680000-0x00007FFB80021000-memory.dmp

Filesize
9.6MB

Download
memory/4332-4-0x000000001BC80000-0x000000001BCE2000-memory.dmp

Filesize
392KB

Download
memory/4332-3-0x000000001BB60000-0x000000001BC06000-memory.dmp

Filesize
664KB

Download
memory/4332-2-0x000000001B5E0000-0x000000001BAAE000-memory.dmp

Filesize
4.8MB

Download
memory/4332-1-0x00007FFB7F680000-0x00007FFB80021000-memory.dmp

Filesize
9.6MB

Download
memory/5080-125-0x00007FFB7F680000-0x00007FFB80021000-memory.dmp

Filesize
9.6MB

Download
memory/5080-45-0x00007FFB7F680000-0x00007FFB80021000-memory.dmp

Filesize
9.6MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads