revengerat | 2932091c4558a42772f48d84e38ce9e2133aecc4d6c1cb7a2ec06dcf41f2b05b

Analysis

max time kernel
4294212s
max time network
157s
platform
windows7_x64
resource
win7-20220311-en
submitted
19-03-2022 16:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2932091c4558a42772f48d84e38ce9e2133aecc4d6c1cb7a2ec06dcf41f2b05b.exe
Size

501KB
MD5

c8aa6223ca40f85c1ae6fd9024aab6ea
SHA1

895469c785046dce30badb4de957f5f89657ba0b
SHA256

2932091c4558a42772f48d84e38ce9e2133aecc4d6c1cb7a2ec06dcf41f2b05b
SHA512

9800a04b8b408940e0c54a752fc87b41edd79d7764cbb16a0357084ee8b1dc3d3a082b424ee3f68632cbb128bde0e867854e2216ec88de48c247d5c248bed530

Score

10^/10

revengerat persistence stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 17 IoCs

stealer

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\virus.exe	revengerat
\Users\Admin\AppData\Local\Temp\virus.exe	revengerat
\Users\Admin\AppData\Local\Temp\virus.exe	revengerat
\Users\Admin\AppData\Local\Temp\virus.exe	revengerat
C:\Users\Admin\AppData\Local\Temp\virus.exe	revengerat
C:\Users\Admin\AppData\Local\Temp\virus.exe	revengerat
behavioral1/memory/616-78-0x0000000000400000-0x0000000000418000-memory.dmp	revengerat
behavioral1/memory/616-80-0x0000000000400000-0x0000000000418000-memory.dmp	revengerat
behavioral1/memory/616-76-0x0000000000400000-0x0000000000418000-memory.dmp	revengerat
behavioral1/memory/616-82-0x0000000000400000-0x0000000000418000-memory.dmp	revengerat
behavioral1/memory/616-84-0x0000000000400000-0x0000000000418000-memory.dmp	revengerat
\Windows\SysWOW64\acsvc.exe	revengerat
C:\Windows\SysWOW64\acsvc.exe	revengerat
C:\Windows\SysWOW64\acsvc.exe	revengerat
behavioral1/memory/1396-120-0x0000000000400000-0x0000000000418000-memory.dmp	revengerat
\Windows\SysWOW64\acsvc.exe	revengerat
C:\Windows\SysWOW64\acsvc.exe	revengerat

Executes dropped EXE 4 IoCs

Processes:

virus.sfx.exevirus.exeacsvc.exeacsvc.exe

pid process

1640 virus.sfx.exe
432 virus.exe
660 acsvc.exe
1836 acsvc.exe

pid	process
1640	virus.sfx.exe
432	virus.exe
660	acsvc.exe
1836	acsvc.exe

Drops startup file 4 IoCs

Processes:

MSBuild.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\acsvc.URL	MSBuild.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\acsvc.vbs	MSBuild.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\acsvc.js	MSBuild.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\acsvc.lnk	MSBuild.exe

Loads dropped DLL 7 IoCs

Processes:

cmd.exevirus.sfx.exeMSBuild.exeMSBuild.exe

pid process

852 cmd.exe
1640 virus.sfx.exe
1640 virus.sfx.exe
1640 virus.sfx.exe
1640 virus.sfx.exe
616 MSBuild.exe
1396 MSBuild.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
852	cmd.exe
1640	virus.sfx.exe
1640	virus.sfx.exe
1640	virus.sfx.exe
1640	virus.sfx.exe
616	MSBuild.exe
1396	MSBuild.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

MSBuild.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\Run\acsvc = "C:\\Windows\\SysWOW64\\acsvc.exe"	MSBuild.exe

Drops file in System32 directory 5 IoCs

Processes:

MSBuild.exeMSBuild.exeMSBuild.exe

description	ioc	process
File created	C:\Windows\SysWOW64\acsvc.exe	MSBuild.exe
File opened for modification	C:\Windows\SysWOW64\acsvc.exe	MSBuild.exe
File opened for modification	C:\Windows\SysWOW64\acsvc.exe	MSBuild.exe
File created	C:\Windows\SysWOW64\acsvc.exe	MSBuild.exe
File opened for modification	C:\Windows\SysWOW64\acsvc.exe	MSBuild.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

virus.exeMSBuild.exeacsvc.exeMSBuild.exeacsvc.exeMSBuild.exe

description	pid	process	target process
PID 432 set thread context of 616	432	virus.exe	MSBuild.exe
PID 616 set thread context of 1684	616	MSBuild.exe	MSBuild.exe
PID 660 set thread context of 1396	660	acsvc.exe	MSBuild.exe
PID 1396 set thread context of 772	1396	MSBuild.exe	MSBuild.exe
PID 1836 set thread context of 272	1836	acsvc.exe	MSBuild.exe
PID 272 set thread context of 1952	272	MSBuild.exe	MSBuild.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MSBuild.exeMSBuild.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	MSBuild.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2036 schtasks.exe

pid	process
2036	schtasks.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

virus.exeMSBuild.exeacsvc.exeMSBuild.exeacsvc.exeMSBuild.exe

description	pid	process
Token: SeDebugPrivilege	432	virus.exe
Token: SeDebugPrivilege	616	MSBuild.exe
Token: SeIncBasePriorityPrivilege	616	MSBuild.exe
Token: SeDebugPrivilege	660	acsvc.exe
Token: SeDebugPrivilege	1396	MSBuild.exe
Token: SeIncBasePriorityPrivilege	1396	MSBuild.exe
Token: SeDebugPrivilege	1836	acsvc.exe
Token: SeDebugPrivilege	272	MSBuild.exe
Token: SeIncBasePriorityPrivilege	272	MSBuild.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2932091c4558a42772f48d84e38ce9e2133aecc4d6c1cb7a2ec06dcf41f2b05b.exeWScript.execmd.exevirus.sfx.exevirus.exeMSBuild.exeacsvc.exeMSBuild.exe

description	pid	process	target process
PID 792 wrote to memory of 764	792	2932091c4558a42772f48d84e38ce9e2133aecc4d6c1cb7a2ec06dcf41f2b05b.exe	WScript.exe
PID 792 wrote to memory of 764	792	2932091c4558a42772f48d84e38ce9e2133aecc4d6c1cb7a2ec06dcf41f2b05b.exe	WScript.exe
PID 792 wrote to memory of 764	792	2932091c4558a42772f48d84e38ce9e2133aecc4d6c1cb7a2ec06dcf41f2b05b.exe	WScript.exe
PID 792 wrote to memory of 764	792	2932091c4558a42772f48d84e38ce9e2133aecc4d6c1cb7a2ec06dcf41f2b05b.exe	WScript.exe
PID 764 wrote to memory of 852	764	WScript.exe	cmd.exe
PID 764 wrote to memory of 852	764	WScript.exe	cmd.exe
PID 764 wrote to memory of 852	764	WScript.exe	cmd.exe
PID 764 wrote to memory of 852	764	WScript.exe	cmd.exe
PID 852 wrote to memory of 1640	852	cmd.exe	virus.sfx.exe
PID 852 wrote to memory of 1640	852	cmd.exe	virus.sfx.exe
PID 852 wrote to memory of 1640	852	cmd.exe	virus.sfx.exe
PID 852 wrote to memory of 1640	852	cmd.exe	virus.sfx.exe
PID 1640 wrote to memory of 432	1640	virus.sfx.exe	virus.exe
PID 1640 wrote to memory of 432	1640	virus.sfx.exe	virus.exe
PID 1640 wrote to memory of 432	1640	virus.sfx.exe	virus.exe
PID 1640 wrote to memory of 432	1640	virus.sfx.exe	virus.exe
PID 432 wrote to memory of 616	432	virus.exe	MSBuild.exe
PID 432 wrote to memory of 616	432	virus.exe	MSBuild.exe
PID 432 wrote to memory of 616	432	virus.exe	MSBuild.exe
PID 432 wrote to memory of 616	432	virus.exe	MSBuild.exe
PID 432 wrote to memory of 616	432	virus.exe	MSBuild.exe
PID 432 wrote to memory of 616	432	virus.exe	MSBuild.exe
PID 432 wrote to memory of 616	432	virus.exe	MSBuild.exe
PID 432 wrote to memory of 616	432	virus.exe	MSBuild.exe
PID 432 wrote to memory of 616	432	virus.exe	MSBuild.exe
PID 432 wrote to memory of 616	432	virus.exe	MSBuild.exe
PID 616 wrote to memory of 1684	616	MSBuild.exe	MSBuild.exe
PID 616 wrote to memory of 1684	616	MSBuild.exe	MSBuild.exe
PID 616 wrote to memory of 1684	616	MSBuild.exe	MSBuild.exe
PID 616 wrote to memory of 1684	616	MSBuild.exe	MSBuild.exe
PID 616 wrote to memory of 1684	616	MSBuild.exe	MSBuild.exe
PID 616 wrote to memory of 1684	616	MSBuild.exe	MSBuild.exe
PID 616 wrote to memory of 1684	616	MSBuild.exe	MSBuild.exe
PID 616 wrote to memory of 1684	616	MSBuild.exe	MSBuild.exe
PID 616 wrote to memory of 1684	616	MSBuild.exe	MSBuild.exe
PID 616 wrote to memory of 660	616	MSBuild.exe	acsvc.exe
PID 616 wrote to memory of 660	616	MSBuild.exe	acsvc.exe
PID 616 wrote to memory of 660	616	MSBuild.exe	acsvc.exe
PID 616 wrote to memory of 660	616	MSBuild.exe	acsvc.exe
PID 660 wrote to memory of 1396	660	acsvc.exe	MSBuild.exe
PID 660 wrote to memory of 1396	660	acsvc.exe	MSBuild.exe
PID 660 wrote to memory of 1396	660	acsvc.exe	MSBuild.exe
PID 660 wrote to memory of 1396	660	acsvc.exe	MSBuild.exe
PID 660 wrote to memory of 1396	660	acsvc.exe	MSBuild.exe
PID 660 wrote to memory of 1396	660	acsvc.exe	MSBuild.exe
PID 660 wrote to memory of 1396	660	acsvc.exe	MSBuild.exe
PID 660 wrote to memory of 1396	660	acsvc.exe	MSBuild.exe
PID 660 wrote to memory of 1396	660	acsvc.exe	MSBuild.exe
PID 660 wrote to memory of 1396	660	acsvc.exe	MSBuild.exe
PID 1396 wrote to memory of 772	1396	MSBuild.exe	MSBuild.exe
PID 1396 wrote to memory of 772	1396	MSBuild.exe	MSBuild.exe
PID 1396 wrote to memory of 772	1396	MSBuild.exe	MSBuild.exe
PID 1396 wrote to memory of 772	1396	MSBuild.exe	MSBuild.exe
PID 1396 wrote to memory of 772	1396	MSBuild.exe	MSBuild.exe
PID 1396 wrote to memory of 772	1396	MSBuild.exe	MSBuild.exe
PID 1396 wrote to memory of 772	1396	MSBuild.exe	MSBuild.exe
PID 1396 wrote to memory of 772	1396	MSBuild.exe	MSBuild.exe
PID 1396 wrote to memory of 772	1396	MSBuild.exe	MSBuild.exe
PID 1396 wrote to memory of 2036	1396	MSBuild.exe	schtasks.exe
PID 1396 wrote to memory of 2036	1396	MSBuild.exe	schtasks.exe
PID 1396 wrote to memory of 2036	1396	MSBuild.exe	schtasks.exe
PID 1396 wrote to memory of 2036	1396	MSBuild.exe	schtasks.exe
PID 1396 wrote to memory of 1188	1396	MSBuild.exe	vbc.exe
PID 1396 wrote to memory of 1188	1396	MSBuild.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\2932091c4558a42772f48d84e38ce9e2133aecc4d6c1cb7a2ec06dcf41f2b05b.exe
"C:\Users\Admin\AppData\Local\Temp\2932091c4558a42772f48d84e38ce9e2133aecc4d6c1cb7a2ec06dcf41f2b05b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:792
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vbs.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:764
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c bat.bat
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:852
  - - C:\Users\Admin\AppData\Local\Temp\virus.sfx.exe
      virus.sfx.exe -p0JTQsNC70LXQtSDQuNC00ZHQvCDQstC+INCy0LrQu9Cw0LTQutGDICLQo9GB0YLQsNC90L7QstC60LDCuw== -dC:\Users\Admin\AppData\Local\Temp
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1640
    - - C:\Users\Admin\AppData\Local\Temp\virus.exe
        
        "C:\Users\Admin\AppData\Local\Temp\virus.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:432
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:616
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\acsvc.exe
        
        "C:\Windows\system32\acsvc.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:660
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        8⤵
        Drops startup file
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1396
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        
        PID:772
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /sc minute /mo 1 /tn "acsvc" /tr "C:\Windows\SysWOW64\acsvc.exe"
        9⤵
        Creates scheduled task(s)
        
        PID:2036
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sarwcohx\sarwcohx.cmdline"
        9⤵
        
        PID:1188
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9D39.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc42FAA4B282BF4489987DCBF624045A2.TMP"
        10⤵
        
        PID:712
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zacf2ksn\zacf2ksn.cmdline"
        9⤵
        
        PID:608
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9E13.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB80F3C1A99834CF5AEE54C0491DDBC6.TMP"
        10⤵
        
        PID:388
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yopkt3c4\yopkt3c4.cmdline"
        9⤵
        
        PID:1696
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9EEE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6AC73365CC064291BF037A9F0547470.TMP"
        10⤵
        
        PID:1596
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4hsh1qt1\4hsh1qt1.cmdline"
        9⤵
        
        PID:1828
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9FA9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6458AD6380414B8687AB2EF5C9F0DFE1.TMP"
        10⤵
        
        PID:892
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fwtkjaj0\fwtkjaj0.cmdline"
        9⤵
        
        PID:1968
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA064.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9F90AB2DEC3B4975A7593D6CC1E2E87D.TMP"
        10⤵
        
        PID:1236
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2pl4uhy4\2pl4uhy4.cmdline"
        9⤵
        
        PID:860
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA12F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc89B63A217D3541488681CD8A82557D9F.TMP"
        10⤵
        
        PID:1976
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ix5hzxik\ix5hzxik.cmdline"
        9⤵
        
        PID:1884
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA209.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA33380273C7645AF8F369DCFDCB1AF4.TMP"
        10⤵
        
        PID:1164
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gjxxks3f\gjxxks3f.cmdline"
        9⤵
        
        PID:1572
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA2E4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8EC4D9E7F2D74476AB4B1CF3B55565E.TMP"
        10⤵
        
        PID:960
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mfhuggcc\mfhuggcc.cmdline"
        9⤵
        
        PID:588
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA3CE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD0AD1754C584862A2C8967477A9CA8.TMP"
        10⤵
        
        PID:1636
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\31pqz22v\31pqz22v.cmdline"
        9⤵
        
        PID:900
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA479.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD3D8C231CAC840C5B43049C39ACED55A.TMP"
        10⤵
        
        PID:1444

C:\Windows\system32\taskeng.exe
taskeng.exe {70C46D6F-49C9-4863-A50E-67D5DEB397DD} S-1-5-21-2199625441-3471261906-229485034-1000:DRLQIXCW\Admin:Interactive:[1]
1⤵
PID:1696
- C:\Windows\SysWOW64\acsvc.exe
  C:\Windows\SysWOW64\acsvc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:1836
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    PID:272
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:1952

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2pl4uhy4\2pl4uhy4.0.vb

MD5
7212afdd0670866c081634fabf3e48f8

SHA1
643439c9fcc621b4363baf3cba30c2637b1a0e07

SHA256
6d73e6e412b28bbbb95b28ee65f3f75aa183690d33357b422b747144b7889540

SHA512
1bc788e1b5286dae9c06fa5b8b579871735d9ce656c5f3254065c3c56553f57cd4bce8bb007950a12eb798ad9acac72d4afc42d82b30a7046884a0e21fc97b7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2pl4uhy4\2pl4uhy4.cmdline

MD5
13e9eaf7ea2e2c5d129fa1c098291557

SHA1
af18a5dae1cd06b5aacced376e4e5ca382cf49b2

SHA256
e8861cc34076b3169de48baa711819b2e67d73653c3baf837a2df7fffc25c969

SHA512
45180abe4a4bc7450e6f9c8c9e7067d7280f765f6edac786c018b4be61e2d5a5d70a714d095659c2e920f22830645caefad4e76b383cd41f8476f6dc51ac0501

Download Submit
C:\Users\Admin\AppData\Local\Temp\31pqz22v\31pqz22v.0.vb

MD5
f2a87b34e31322d5af0f89a732f899cb

SHA1
a1d91a0e0cfcaa1e8eea3559f057eeae11f6bcb6

SHA256
e411fd07aae2108cf096fe55bb30ba37f5a672c41999697149e96452ca3e5425

SHA512
aee56951d29f8033666a6fb5c6ddc7035a5518bff8690442d092b07948285d83b4186baf92e6e0ac065abf3af1cdc90d7fbd5641bca4d506a0fc3d21c54a4386

Download Submit
C:\Users\Admin\AppData\Local\Temp\31pqz22v\31pqz22v.cmdline

MD5
030e3d6f30b446e30b75fe629f76ba4e

SHA1
ad66460b8a7cb9dcc136d3a5985801455e5be05b

SHA256
6a46c713cf67965efe3d92e4439a0d6b9a41819bcbd6751a319aedc5ca2d63f1

SHA512
fe628942346cba324b5268f50cfd61b804b0189d2dacfdaa2b091ee96db3a75f6f992b0f423119cf2b620ff6c7910d07c13a31a379f776b40069202661417546

Download Submit
C:\Users\Admin\AppData\Local\Temp\4hsh1qt1\4hsh1qt1.0.vb

MD5
24ec0d492277e96c058af01bcfcc4b3a

SHA1
1cbbb8d176dba926db8436da5aff054216fe4af0

SHA256
2222428703391a1fc761d2d46aefb0206e3afa9853abc4406c078a9de1e62f4f

SHA512
7ed3396a26f426d5bd8855694a497805f5878bc6d6b3cb158c8dd4ff32489b1da624b7fdcdb081b45d42d1fa7dd0f2b3f272fd14c35481762a74bc54ed2a3c39

Download Submit
C:\Users\Admin\AppData\Local\Temp\4hsh1qt1\4hsh1qt1.cmdline

MD5
dd7a46a940e2e6c329239ddfe7077002

SHA1
7babd24d42511db60ce137763fae02f4c37987ae

SHA256
c3a71bd2f5bbbcad8d3f7726fbffceb6ca4cb21ed35fa18a9a527d719f785824

SHA512
0c54f738072499eb607d08af0423ae332f0ef79e0d3031013a1d94d4d0dec2a97e49841a17c3a1c08a8e6c951ca40089240da3a2499e50eef5a262009697a097

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9D39.tmp

MD5
d7bfb448fae2dc97fa8cd84f8e45a7c8

SHA1
e8f4d703a3e2dd920e26c60f37ea79845201203b

SHA256
728432891168b18ecb43767aaebcac81c7b6b3f677ad32d0f2eee9ec108c27d9

SHA512
726c812f8281372d2b9e7098c53ac8e5f593430eb9bcc3fcc38bb46a37dd3b1d62218d44a59167314169230be66c2b4a144d09256b0a8bf431a35d9852937205

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9E13.tmp

MD5
0f653f8ed6566d62d2db6e257ffd1109

SHA1
852a9e8f841935b7c6a048d6bf0d721d0061886f

SHA256
af9541393a27576ea1b520f5b0ebefeaf7b69f9cb18afda27f239501105afabd

SHA512
bb945d9d006655f841fbad7fad9d9b6971a7a8ef84b0788cccd172bd82159e25455a9aa99327ee94a46007ac526cc8c19eff8e6714090a9ba2d6cfe713584aca

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9EEE.tmp

MD5
bd6bf24b60335fdceaa23ab3dbaea6e0

SHA1
714adc9720c07cc82bedb1d951da8b1a1996012f

SHA256
b13e136dada5079cdf7f85afd75306593a56e5c96108537e99d4e3a84cbf2984

SHA512
5070abb92138c08da6eb91d9d7e66831a237789a5a9d90c1154025c65890e4c2b400c80a236548bdc3aaa649a06d89dcd2d97dfd05b4e7c109b01201d8ae14c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9FA9.tmp

MD5
772cc37cd9d6da566cb5b444f237aa25

SHA1
36f4591c580192312c5ac82a9e0a831cb240a0a2

SHA256
00d17b216f4625d6c0a761b549b806a639e9acd5b2964c023d11cb7b5900d6a9

SHA512
8d36f08bf2a6ed68c3cd2f6bfc50d0381aef0a3d64cc6e1c5d90b62effb0c1a4135f1a9c5dca68e4affb65970e16a48ce2269b5a29610bd4cee1de559d3f987d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA064.tmp

MD5
7d318771e45d6e4564c0101633a4fad5

SHA1
785e0bc31cbbc94e4c534a9ceb154714630e9d76

SHA256
e5d6e2690f1b1ae8e2e24eb1c573154626e39ebccece31f5c372e657106f2093

SHA512
1d32cc45e5ca29172782f88bf448a8fe19ce6b71aa642070daf0ce2826272fb10feed7f4b27229ca6d6d1d86a9904687c457203ebc91966536efd299d467d2e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA12F.tmp

MD5
a1e1811eb01b87a3f2c02ccc66bf1249

SHA1
34718d850dcacfa55bbe9da432281ad68c8b95da

SHA256
06bbee68a5ee1df93fe03c8507c104b7707dbcd53cb0bb4488fa63e56cf8fbac

SHA512
5183f638b69d00b75b087828a94b1e564e7e74ae48d7db55c2e813c46bd4b3cabb1b7bee9471e02d1fe9fd10d6d43a94352aabf0e3bec6b424b3b89e1d24343b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA209.tmp

MD5
a07cee704217375f20640952e44ff675

SHA1
1096221c50dffa0bf9af31ae9351903cd4bed2fd

SHA256
a6bd5cd584df9c7e6d905c6d83be0cf97349450327fc9c7c2c84f5658fe357a9

SHA512
0a4973b0f054c0765a296bb703cfe6175df33351b279d8b3b5147192e73a9194ce132d41953595051fc5e28a3d1c1a8554751b2548ec845da8000b497f035d89

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA2E4.tmp

MD5
c9524679000bcb14a1b6e71dc6ea4b78

SHA1
5a31458a8dd564c2cd39e5a7eaaa6ecaf36cb34e

SHA256
b6e51ff42f7d8e41e74417510208e057554e99c76a7fe8760157b3f3aab40ccc

SHA512
dd0f1592d9af8775376c567f0fd52d76a0a96926bf74c7706913738e604b404410847f10463a847f1ddb47b9368664cd1d7766c3c310d73c2abd41d8b5140574

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA3CE.tmp

MD5
5efd2901093f2687d220b2c38f9cd954

SHA1
35070215376dd25931d13522fae7057db504ab01

SHA256
0ef0cd896dd44e8722d23f1d58d613759101917a8562ae15336dcb1fa29bfcc2

SHA512
2cca2877e72ffba4c0db3dbb8c68da07e10e9caa51be7ccca5ac21c494e0fca576b805140b65295f1f9a3e13cda56c65e9ea602e96cd4930f5fe54a77f2e86dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA479.tmp

MD5
d0288b04cf7432e123b820ae8203393c

SHA1
fac5aadceec8ca9acfa8a481dc648624cbaf9dd2

SHA256
4d79ead825f3b6316c0d9746252ff6325bc99b680903507255c1bfb82df48dc1

SHA512
52adb5dca54c136f3513679584d39a15bb445fc78275f15d9b1a27fb56f9f12c60f0c571544752cca1406b93267d1537e0b8cfb14731eaafad21e4a993abe5ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\bat.bat

MD5
313763e1158ac32e596f279922d5fa7a

SHA1
f53fd94eae3c4b49eaaea6d7276a027d592fa6fd

SHA256
cedeed1af7694e6e59ec05f0e07c87e083a110d7109289112b42c365ffab66ae

SHA512
850f1aac826e79f51e45edfda06f23fd37b6d9e1fc6851daee7dedd5ac4a5d1839fb3c7022d0cd3de8cd053bbb0db75c93b41081602a7ffe613d9afae38e0f2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\fwtkjaj0\fwtkjaj0.0.vb

MD5
503cc829036ecec5de26c96dfe6cea8f

SHA1
7b511c2388501ae5e36bb9655983adbd7cbc4d96

SHA256
5ea6914239a44ee338bdabe3ffe141509f38bd70c5f95920e0820a23980a39e9

SHA512
0949e215a2cdda57ff133502dd9b43a7a716227f607692ab083374c1506dfd00d795f8f7da6a04eeb248cbf0e0dc59822a1c1317b5dadf52a96ce0531fa6b225

Download Submit
C:\Users\Admin\AppData\Local\Temp\fwtkjaj0\fwtkjaj0.cmdline

MD5
f34216b0f140805e19c02a989f9726ec

SHA1
3f56d51366dba54dfd268af509374c97c868fe31

SHA256
49c098288b29a3ed0121b4a0b1133cb8a0aa5454207cfe82f8148a1d949e10c3

SHA512
2ef79f9c4d5f5508094e81f3efa517927efb284a18fda5012df21506453e8650971f322694d0ad06e23a3307243c5e4fb1f88dd8d6802311588c27f4f59686f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\gjxxks3f\gjxxks3f.0.vb

MD5
ad7aa2942da4eb02d567296d261bbca9

SHA1
3f90c02ba6d4c157e0aad6796d00304057abf133

SHA256
738c8474791533b7e0eb28aed7af7f3a1d281d8b7d502e2a04c5c1db539c353d

SHA512
5f919c9f00f780c6fa9dee87476d1680d07049e6e1447b3f0234db5438b2ceafb02824025b4ad63cf420b4250e37eb685a11b6dc882f2a9c1279f1932e9e3cad

Download Submit
C:\Users\Admin\AppData\Local\Temp\gjxxks3f\gjxxks3f.cmdline

MD5
4a1d36f8f68a3b5099ec91630e95e3ed

SHA1
9c0d835ef37a66d5c00a28abde853a4446d2331a

SHA256
c73b2403ed9a83456da45a3bcd4de92255b33e65a20d6ff39f47e0ec737531c0

SHA512
5dcde546c95cdc5454e2a85dce835fe364275450899d6a02b003d6168d98a231b4efd2632dafffec076b0b0eb76d9222514ffe348a48e94513880a28b88b3f09

Download Submit
C:\Users\Admin\AppData\Local\Temp\ix5hzxik\ix5hzxik.0.vb

MD5
9f7cad9fd40d0862a0fcb54ae02c5267

SHA1
cacde3b65fd2b661f22f1594aa6e982826a61f34

SHA256
1479809a1d7e36e7a06bb483c7d2d54854e5a486f9e562d9755c53f4569f4571

SHA512
405bd74bcf9833b042379e675499484df467909ec32f57120034e1918ed56c5471b2071168db7f0070d11110f89b7feae9902254e33533fff35c3698c2331ac6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ix5hzxik\ix5hzxik.cmdline

MD5
b74bef72df4a037e743755b38e33038a

SHA1
fd52d935cc845bfa03c1f6e6d7829f5476b35af7

SHA256
7db881b2853a40e2d6f1df46c1b84edbca4e07f472aa2a78bf5bb481dd230792

SHA512
f08ec9cf926b845a17cad2685b19515570b6808b5650d116755d993f49855c19bb638f59e95ab260e7570df6d258aa3445e9299eb209ac5e682f7ed2a872fd28

Download Submit
C:\Users\Admin\AppData\Local\Temp\mfhuggcc\mfhuggcc.0.vb

MD5
761234d154293c0d90c750b76795d6cc

SHA1
17dcc982694db0ab56a4ab89645d397ed9a02a7b

SHA256
4b2750027615d0eea1bd1102d576c1cbec8fbf347115e2322a1189e39ef72da0

SHA512
364ac9edd6befbd1a560fa8c8038aed7d385007cec57c6bef1dc4a2b9d392dda11632d9e19a6459607eb3570c1b133e8399f3c27d2bdee1f4cde8ce6ad387dc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\mfhuggcc\mfhuggcc.cmdline

MD5
fcd5a2a445bbdb541bacdc7e19b29d29

SHA1
955b76d4f6b07d08a96d7bae2368a6d5aa14545d

SHA256
848defa726a28808ff00dc0c7b190506fc8f1be465ec298a288ce9c00c373a29

SHA512
d507eb3c4e8975da948be7d9a06761c54a401b11301b594377c6d509b52715a323853781e9d38c380670f4266555aadc93277cb4115616f7b4dba356a1542bcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\sarwcohx\sarwcohx.0.vb

MD5
43a8f98a0bd9ca2e2664c19fe7b7e4e7

SHA1
8ff7ffe20db725f8a5204039cea64c0d3d8d87b2

SHA256
e0036f57d0154459e4f687e9bdacf66487469ea519a89ab8be6d73f35cbf62b8

SHA512
570756ac49978d1134be7902dc44fb7f35878ba093b7e8b61bb0df7b64109bc7807ed48d9a725a425b8ef4671193880211bbbf247a487e195519a114e0c97ae1

Download Submit
C:\Users\Admin\AppData\Local\Temp\sarwcohx\sarwcohx.cmdline

MD5
5a30f1e87548586e51dc42e69ec7f5a1

SHA1
b0c5c380add97701a82f3252b1803de232b85b00

SHA256
2d8a100e8619e9936ba1a2ae2ee79670fdf3e4131cc63408be65e2ecbc0ccff3

SHA512
8dabd51eabb34fef36e8d34c6fe8eac81975051ddd2f411b1e13a91504b18bafc31c8a10a14a1df0298c409c2a9dc966a0c2818d0c48936a7418e61496d4a2bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc42FAA4B282BF4489987DCBF624045A2.TMP

MD5
efa86d1097e3356b4f7173a380c71c68

SHA1
f5940b67a6a5f561ff6454929eff2fb03df8b382

SHA256
8ccd957c9cf2aa677ee3e872feaa327cba85201d1066ba2c702d0b103bff1b67

SHA512
c409a703465f22a2094381be7a5ec066a487cb42c043fefe15f0654f6820e6fc7047786d257da754f20b9cdc4a9f5bb07d6691492d8d30800c6bad607a15b354

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6458AD6380414B8687AB2EF5C9F0DFE1.TMP

MD5
c3e495da66a1b628c1f3d67d511f5f30

SHA1
d487b081326a052a7b7057b1f039bbe262280479

SHA256
81cbcb4840551143dbb1f8215d7c54f87f0397173b35d6a101564a784827dffd

SHA512
c596c316e8519a33e4360f87c40a812f904145a12c1d4c3c59f95b08a353eda781e40da8e95b0e971c24faa7d15b19170a67027cf8732246a6978cc6571b29ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6AC73365CC064291BF037A9F0547470.TMP

MD5
4ffaef2181115a3647790b920aa31b31

SHA1
7f15eee57c8482252db8286ab782978747471899

SHA256
d52cc5df93cac8616b0ecebdf21c6e11bf14e0308f97d6406f4e1c76d0738843

SHA512
501991abd0d0f5780084b9584292183d55bf2c5587de4a7182e1f0979a68f051ef2e1a94753d9da0add2f4f04107320d664952f018c516f3354fdda4e11ec436

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc89B63A217D3541488681CD8A82557D9F.TMP

MD5
cee1aae40ed483284d3131b9a76eae59

SHA1
616bc1c7ea383b4f78305c4111a9816095f45b12

SHA256
bc10f0b64e7c4e54e0d840d904c395326907aa9e30b243959e00aea0a51b8d35

SHA512
57976c6b66ca77489f168915be4b0b7c3b53747f6a62e60984db5d0aa2ff8428a0c8a78b515191e2c257afd11a4fb17c4bd6f05a49bd429120e588ac040addee

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8EC4D9E7F2D74476AB4B1CF3B55565E.TMP

MD5
32060b25f1b853322f55b00e646349eb

SHA1
3f48939a11387738bbdaaecf03302bf210653b11

SHA256
49e5606fb65b14e33097ca86115ea6c55061517334188958984941a116189d6c

SHA512
db81b28d76f9469e07c1f91c2557acb7109a5c35f35ecd29d41df61e18b934bf36a3569f01aa2d3dc649e54537669d6d7ba492ed25bd4596d04cd0d714e20d4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc9F90AB2DEC3B4975A7593D6CC1E2E87D.TMP

MD5
efa86d1097e3356b4f7173a380c71c68

SHA1
f5940b67a6a5f561ff6454929eff2fb03df8b382

SHA256
8ccd957c9cf2aa677ee3e872feaa327cba85201d1066ba2c702d0b103bff1b67

SHA512
c409a703465f22a2094381be7a5ec066a487cb42c043fefe15f0654f6820e6fc7047786d257da754f20b9cdc4a9f5bb07d6691492d8d30800c6bad607a15b354

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA33380273C7645AF8F369DCFDCB1AF4.TMP

MD5
5be03705622d8432c727b2f54d2f8714

SHA1
d5fc067a15681b7defb145c6526331a359e6f84b

SHA256
763889d47a575bea1067919ee6b7da90e470394d08f92f0a12cdb7a95c5f8d6f

SHA512
1aa7ddd4493dcbe9c635594d75c30ed3a4ad68c26f0e437ae32b1098a3d1992b5467777308f6d84ece5be4368136da12202c928d14d785691c9201223adafe77

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB80F3C1A99834CF5AEE54C0491DDBC6.TMP

MD5
6592f9186211221a0a3afcf34a2dfa00

SHA1
bf3748b4ab03bdc65c242ad924653666cda3c5d9

SHA256
eac2c432a96e0d19ef3a1950bc067babe642d11af2a3c2a14bc3050e508c1b3f

SHA512
f7b072428258b7cf5d674c9df15bcb28df9369fde271e79bb2752e0266cabbc3b4bce8aa36e56f3ae99ebc2e658ca7d764628c82668adafc3d0889bd6d71dfca

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD0AD1754C584862A2C8967477A9CA8.TMP

MD5
efa86d1097e3356b4f7173a380c71c68

SHA1
f5940b67a6a5f561ff6454929eff2fb03df8b382

SHA256
8ccd957c9cf2aa677ee3e872feaa327cba85201d1066ba2c702d0b103bff1b67

SHA512
c409a703465f22a2094381be7a5ec066a487cb42c043fefe15f0654f6820e6fc7047786d257da754f20b9cdc4a9f5bb07d6691492d8d30800c6bad607a15b354

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD3D8C231CAC840C5B43049C39ACED55A.TMP

MD5
d7d9f8d1ac18d21666caab1c2340838a

SHA1
a33791468a096f2ecd0b9d46a3550879ddb20b6b

SHA256
5131ea59abf4dc33da21ae8a0fa4302960428d430b974368bb294c50cf92d6ce

SHA512
2e4736a5e5635d5769fe1087add8fe3ec73286778485708882c3c98ab03b7b8b6e418b311218f093dc7946d1a5309a2738c08a6418dfc60e6c75406a14700f10

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbs.vbs

MD5
78cd7fe96fcefee2dc19332106da3ebb

SHA1
c36b1f451e75734c99070fceea6fa1fef43c953f

SHA256
5147181b11646207d24192fb4d0b893b1ea2220f3b3ce032ff9057297ece794c

SHA512
18a304a4ba7b8d8680bf4727cd3f68595f3e00046872215fd68ddb6f9363b3b14637a7abc53b2aa97073b423f8c3814b5e8c8f385ab0c22f9598698305b1e56b

Download Submit
C:\Users\Admin\AppData\Local\Temp\virus.exe

MD5
bba5973bb251dd5c7867208a5d912341

SHA1
b852a70903aa537f82fe18e6a1d18ab414b44f46

SHA256
823bdc992a3eae89f6d9a117380344543b2547e78e3d10813563c916432ec92a

SHA512
89003db50df412c67aef2dc72a064e1cf93b4f14f618de373db2aee71c0559087140eec6c4a519829638949ac7bef009df5dab201ac45a0b592d92e7e976878d

Download Submit
C:\Users\Admin\AppData\Local\Temp\virus.exe

MD5
bba5973bb251dd5c7867208a5d912341

SHA1
b852a70903aa537f82fe18e6a1d18ab414b44f46

SHA256
823bdc992a3eae89f6d9a117380344543b2547e78e3d10813563c916432ec92a

SHA512
89003db50df412c67aef2dc72a064e1cf93b4f14f618de373db2aee71c0559087140eec6c4a519829638949ac7bef009df5dab201ac45a0b592d92e7e976878d

Download Submit
C:\Users\Admin\AppData\Local\Temp\virus.sfx.exe

MD5
0c2a42618a219916757349673caee33d

SHA1
108b16ade92cae3f05a05daf399931e3f460030e

SHA256
6346ecc38aaba94bc2a94cdf871983747c0641f7b6acab07cc6392a902f4dd2f

SHA512
50ba5e54cdab26b418bb3b593af1fb5dc150d0ca740a6fbc7759b9c3b12c1b1e0d6d255d53f6ecc93b3bb8cc51027dcb6064e8cfe9fa99e774bc9dd11678f495

Download Submit
C:\Users\Admin\AppData\Local\Temp\virus.sfx.exe

MD5
0c2a42618a219916757349673caee33d

SHA1
108b16ade92cae3f05a05daf399931e3f460030e

SHA256
6346ecc38aaba94bc2a94cdf871983747c0641f7b6acab07cc6392a902f4dd2f

SHA512
50ba5e54cdab26b418bb3b593af1fb5dc150d0ca740a6fbc7759b9c3b12c1b1e0d6d255d53f6ecc93b3bb8cc51027dcb6064e8cfe9fa99e774bc9dd11678f495

Download Submit
C:\Users\Admin\AppData\Local\Temp\wlRvZwfRtN.txt

MD5
1e3348c1a4f7e3ff5ec118e0c31d64f1

SHA1
60118a6f01adcd2aaecd8f0625ab728b862f1d88

SHA256
947db6a90c3d89c94e89698749283ea13a6f33b31bde2c995f6a2cca8f140961

SHA512
dccb6375ecf87a62ffffe965d88f3c602ecfb09c5d9e9120a4cab3f6775ebf2749fdb8cac453e52ec4b6c1c06b0d72b52c2249ca0a3c7fa15b61d7f50cb696a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\wlRvZwfRtN.txt

MD5
1e3348c1a4f7e3ff5ec118e0c31d64f1

SHA1
60118a6f01adcd2aaecd8f0625ab728b862f1d88

SHA256
947db6a90c3d89c94e89698749283ea13a6f33b31bde2c995f6a2cca8f140961

SHA512
dccb6375ecf87a62ffffe965d88f3c602ecfb09c5d9e9120a4cab3f6775ebf2749fdb8cac453e52ec4b6c1c06b0d72b52c2249ca0a3c7fa15b61d7f50cb696a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\wlRvZwfRtN.txt

MD5
f1ba33ad4b56ad7b7686f89feb608559

SHA1
85d3b17567ad850d13f9b83334f370ce29606a95

SHA256
c7aed8ea013e7ca83936882c859052ca20c0be20fd02a4df6f1668ef601da24e

SHA512
ce6c0549a3f2daaf27a416dd6f3e0b2736b40b54fc7b816e741321ac90e544ee8ccb7070607595adc697cdd6b5a9e4f9f28de53ce11bdad555a13c4144319007

Download Submit
C:\Users\Admin\AppData\Local\Temp\yopkt3c4\yopkt3c4.0.vb

MD5
7d86049d27793e2d5c59b2e781d902bd

SHA1
b9bcf51ed6e18e3477e7408a36065787b40ed203

SHA256
b185416165c4cdbafbae92ebe75dd7b997c6d5228ddcb194c68d352e71704ff2

SHA512
95c83498bbe3ff9c3cbac7bf6c824b90acdd60df5abfceed027b5a2ad9ac3c97aa6a104455eacd6a14f6197d41e453159c4b4dcd36c4bdd6eeb3c90c8d134d4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\yopkt3c4\yopkt3c4.cmdline

MD5
1a529245c142ee44adcdee7c66dc599a

SHA1
d34fd8d2120673346e9eee372a5b96b10de27362

SHA256
54175ade0597d4345f93c9a475ebab91fb20559200fc4d050c45a78a3c2ce158

SHA512
a698fabdef37af679c8b8dba3c05f8cfe04422905a8bb011c7f8b162673efc9a2df577e86088fc45429a4d185f9e51031d1d4fea55cbbd3f2dff41de037ee53b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zacf2ksn\zacf2ksn.0.vb

MD5
0b56294a5290d612f74518c86dc0c75f

SHA1
8c3bddaeee6a4b39f482d5937fe6af67241aa10c

SHA256
62ce6fc9bb7cf24deb2ad36f187e5b00f3a0e20dfc6653337e883b7f03c37223

SHA512
082fa8443eb2584fa6a83a83bef31c8a6310244176b1348735f348c6cbca1bb5818398936eae0464c65ac4f776362d723cd4a756f9c78061bc88fa2b8569e296

Download Submit
C:\Users\Admin\AppData\Local\Temp\zacf2ksn\zacf2ksn.cmdline

MD5
0e5b40581189cdfae88e6dbac5065fcc

SHA1
d3d77a639c80eed7dd57e48db816c37743cfd184

SHA256
e326dc1ae8968331165708466563d83e2090cb1f4e1845f5b8cf8a9aeefd981a

SHA512
4bdd58ee32251003855bdcb2cee8609514f8a5b01c19b72ab7eeaba22a506fe40d9649b06ec6fc1da19e5f913c6fa8d1ff7686d04905bab782eb4814bb012ada

Download Submit
C:\Windows\SysWOW64\acsvc.exe

MD5
bba5973bb251dd5c7867208a5d912341

SHA1
b852a70903aa537f82fe18e6a1d18ab414b44f46

SHA256
823bdc992a3eae89f6d9a117380344543b2547e78e3d10813563c916432ec92a

SHA512
89003db50df412c67aef2dc72a064e1cf93b4f14f618de373db2aee71c0559087140eec6c4a519829638949ac7bef009df5dab201ac45a0b592d92e7e976878d

Download Submit
C:\Windows\SysWOW64\acsvc.exe

MD5
bba5973bb251dd5c7867208a5d912341

SHA1
b852a70903aa537f82fe18e6a1d18ab414b44f46

SHA256
823bdc992a3eae89f6d9a117380344543b2547e78e3d10813563c916432ec92a

SHA512
89003db50df412c67aef2dc72a064e1cf93b4f14f618de373db2aee71c0559087140eec6c4a519829638949ac7bef009df5dab201ac45a0b592d92e7e976878d

Download Submit
C:\Windows\SysWOW64\acsvc.exe

MD5
bba5973bb251dd5c7867208a5d912341

SHA1
b852a70903aa537f82fe18e6a1d18ab414b44f46

SHA256
823bdc992a3eae89f6d9a117380344543b2547e78e3d10813563c916432ec92a

SHA512
89003db50df412c67aef2dc72a064e1cf93b4f14f618de373db2aee71c0559087140eec6c4a519829638949ac7bef009df5dab201ac45a0b592d92e7e976878d

Download Submit
\Users\Admin\AppData\Local\Temp\virus.exe

MD5
bba5973bb251dd5c7867208a5d912341

SHA1
b852a70903aa537f82fe18e6a1d18ab414b44f46

SHA256
823bdc992a3eae89f6d9a117380344543b2547e78e3d10813563c916432ec92a

SHA512
89003db50df412c67aef2dc72a064e1cf93b4f14f618de373db2aee71c0559087140eec6c4a519829638949ac7bef009df5dab201ac45a0b592d92e7e976878d

Download Submit
\Users\Admin\AppData\Local\Temp\virus.exe

MD5
bba5973bb251dd5c7867208a5d912341

SHA1
b852a70903aa537f82fe18e6a1d18ab414b44f46

SHA256
823bdc992a3eae89f6d9a117380344543b2547e78e3d10813563c916432ec92a

SHA512
89003db50df412c67aef2dc72a064e1cf93b4f14f618de373db2aee71c0559087140eec6c4a519829638949ac7bef009df5dab201ac45a0b592d92e7e976878d

Download Submit
\Users\Admin\AppData\Local\Temp\virus.exe

MD5
bba5973bb251dd5c7867208a5d912341

SHA1
b852a70903aa537f82fe18e6a1d18ab414b44f46

SHA256
823bdc992a3eae89f6d9a117380344543b2547e78e3d10813563c916432ec92a

SHA512
89003db50df412c67aef2dc72a064e1cf93b4f14f618de373db2aee71c0559087140eec6c4a519829638949ac7bef009df5dab201ac45a0b592d92e7e976878d

Download Submit
\Users\Admin\AppData\Local\Temp\virus.exe

MD5
bba5973bb251dd5c7867208a5d912341

SHA1
b852a70903aa537f82fe18e6a1d18ab414b44f46

SHA256
823bdc992a3eae89f6d9a117380344543b2547e78e3d10813563c916432ec92a

SHA512
89003db50df412c67aef2dc72a064e1cf93b4f14f618de373db2aee71c0559087140eec6c4a519829638949ac7bef009df5dab201ac45a0b592d92e7e976878d

Download Submit
\Users\Admin\AppData\Local\Temp\virus.sfx.exe

MD5
0c2a42618a219916757349673caee33d

SHA1
108b16ade92cae3f05a05daf399931e3f460030e

SHA256
6346ecc38aaba94bc2a94cdf871983747c0641f7b6acab07cc6392a902f4dd2f

SHA512
50ba5e54cdab26b418bb3b593af1fb5dc150d0ca740a6fbc7759b9c3b12c1b1e0d6d255d53f6ecc93b3bb8cc51027dcb6064e8cfe9fa99e774bc9dd11678f495

Download Submit
\Windows\SysWOW64\acsvc.exe

MD5
bba5973bb251dd5c7867208a5d912341

SHA1
b852a70903aa537f82fe18e6a1d18ab414b44f46

SHA256
823bdc992a3eae89f6d9a117380344543b2547e78e3d10813563c916432ec92a

SHA512
89003db50df412c67aef2dc72a064e1cf93b4f14f618de373db2aee71c0559087140eec6c4a519829638949ac7bef009df5dab201ac45a0b592d92e7e976878d

Download Submit
\Windows\SysWOW64\acsvc.exe

MD5
bba5973bb251dd5c7867208a5d912341

SHA1
b852a70903aa537f82fe18e6a1d18ab414b44f46

SHA256
823bdc992a3eae89f6d9a117380344543b2547e78e3d10813563c916432ec92a

SHA512
89003db50df412c67aef2dc72a064e1cf93b4f14f618de373db2aee71c0559087140eec6c4a519829638949ac7bef009df5dab201ac45a0b592d92e7e976878d

Download Submit
memory/272-196-0x0000000074E10000-0x00000000754FE000-memory.dmp

Filesize
6.9MB

Download
memory/432-69-0x00000000749E0000-0x0000000074F8B000-memory.dmp

Filesize
5.7MB

Download
memory/432-70-0x0000000001E70000-0x0000000001E71000-memory.dmp

Filesize
4KB

Download
memory/432-71-0x00000000749E0000-0x0000000074F8B000-memory.dmp

Filesize
5.7MB

Download
memory/616-85-0x0000000074E50000-0x000000007553E000-memory.dmp

Filesize
6.9MB

Download
memory/616-100-0x0000000004CF0000-0x0000000004CF1000-memory.dmp

Filesize
4KB

Download
memory/616-80-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/616-78-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/616-72-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/616-82-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/616-74-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/616-84-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/616-76-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/660-107-0x0000000001DA0000-0x0000000001DA1000-memory.dmp

Filesize
4KB

Download
memory/660-106-0x000000006FB90000-0x000000007013B000-memory.dmp

Filesize
5.7MB

Download
memory/772-136-0x0000000074E10000-0x00000000754FE000-memory.dmp

Filesize
6.9MB

Download
memory/772-135-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/772-133-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/792-54-0x0000000076AC1000-0x0000000076AC3000-memory.dmp

Filesize
8KB

Download
memory/1396-121-0x0000000074E10000-0x00000000754FE000-memory.dmp

Filesize
6.9MB

Download
memory/1396-120-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1396-137-0x0000000004C30000-0x0000000004C31000-memory.dmp

Filesize
4KB

Download
memory/1684-94-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1684-92-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1684-90-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1684-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1684-101-0x0000000074E50000-0x000000007553E000-memory.dmp

Filesize
6.9MB

Download
memory/1684-86-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1684-97-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1684-99-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1836-181-0x000000006F0A0000-0x000000006F64B000-memory.dmp

Filesize
5.7MB

Download
memory/1836-182-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/1952-216-0x0000000000080000-0x00000000000C0000-memory.dmp

Filesize
256KB

Download
memory/1952-217-0x0000000074E10000-0x00000000754FE000-memory.dmp

Filesize
6.9MB

Download