revengerat | 756d29c6d075b93d00eccf8a6d92749d1271a435af40dab969ce57374382ccb0

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
02/07/2024, 07:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e727208babb46498fbfb78de5c9bd4e_JaffaCakes118.exe
Size

56KB
MD5

1e727208babb46498fbfb78de5c9bd4e
SHA1

4e31a85577912269a8c94f1d86a04961aaca0785
SHA256

756d29c6d075b93d00eccf8a6d92749d1271a435af40dab969ce57374382ccb0
SHA512

1fcdfc5fc22c5264871d4b2c37962376d027409a34c1094db65b4f739d7da54b441fafe791662bd42f1a5d2dff1df03c93db286fa1c71a7ed1738666a80a0ae9
SSDEEP

1536:Bxmk78Angr84FEUq8y9kDQyVvUFIRhCSX1U:Bxt78AgrJEUq36vzRhCEK

Score

10^/10

revengerat trampo_novo_cr persistence stealer trojan

Malware Config

Extracted

Family

revengerat

Botnet

Trampo_novo_cr

queda2122.ddns.net:333

Mutex

RV_MUTEX-tgZHxuuVYrpxj

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral1/memory/2212-3-0x0000000000440000-0x000000000044A000-memory.dmp	revengerat

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rfkjkfjkfjlf.lnk	operadbor.exe

Executes dropped EXE 1 IoCs

pid	Process
2700	operadbor.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client = "C:\\Users\\Admin\\AppData\\Roaming\\operadbor.exe"	operadbor.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Gathers network information 2 TTPs 4 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2956	ipconfig.exe
2460	ipconfig.exe
2500	ipconfig.exe
1708	ipconfig.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2864	PING.EXE
3052	PING.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2212	1e727208babb46498fbfb78de5c9bd4e_JaffaCakes118.exe
Token: SeDebugPrivilege	2700	operadbor.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 1736	2212	1e727208babb46498fbfb78de5c9bd4e_JaffaCakes118.exe	28
PID 2212 wrote to memory of 1736	2212	1e727208babb46498fbfb78de5c9bd4e_JaffaCakes118.exe	28
PID 2212 wrote to memory of 1736	2212	1e727208babb46498fbfb78de5c9bd4e_JaffaCakes118.exe	28
PID 1736 wrote to memory of 2956	1736	cmd.exe	30
PID 1736 wrote to memory of 2956	1736	cmd.exe	30
PID 1736 wrote to memory of 2956	1736	cmd.exe	30
PID 1736 wrote to memory of 2864	1736	cmd.exe	31
PID 1736 wrote to memory of 2864	1736	cmd.exe	31
PID 1736 wrote to memory of 2864	1736	cmd.exe	31
PID 2212 wrote to memory of 2700	2212	1e727208babb46498fbfb78de5c9bd4e_JaffaCakes118.exe	32
PID 2212 wrote to memory of 2700	2212	1e727208babb46498fbfb78de5c9bd4e_JaffaCakes118.exe	32
PID 2212 wrote to memory of 2700	2212	1e727208babb46498fbfb78de5c9bd4e_JaffaCakes118.exe	32
PID 2700 wrote to memory of 2708	2700	operadbor.exe	33
PID 2700 wrote to memory of 2708	2700	operadbor.exe	33
PID 2700 wrote to memory of 2708	2700	operadbor.exe	33
PID 2708 wrote to memory of 2460	2708	cmd.exe	35
PID 2708 wrote to memory of 2460	2708	cmd.exe	35
PID 2708 wrote to memory of 2460	2708	cmd.exe	35
PID 2708 wrote to memory of 3052	2708	cmd.exe	36
PID 2708 wrote to memory of 3052	2708	cmd.exe	36
PID 2708 wrote to memory of 3052	2708	cmd.exe	36
PID 1736 wrote to memory of 2500	1736	cmd.exe	39
PID 1736 wrote to memory of 2500	1736	cmd.exe	39
PID 1736 wrote to memory of 2500	1736	cmd.exe	39
PID 2700 wrote to memory of 2344	2700	operadbor.exe	40
PID 2700 wrote to memory of 2344	2700	operadbor.exe	40
PID 2700 wrote to memory of 2344	2700	operadbor.exe	40
PID 2344 wrote to memory of 1216	2344	vbc.exe	42
PID 2344 wrote to memory of 1216	2344	vbc.exe	42
PID 2344 wrote to memory of 1216	2344	vbc.exe	42
PID 2700 wrote to memory of 2828	2700	operadbor.exe	43
PID 2700 wrote to memory of 2828	2700	operadbor.exe	43
PID 2700 wrote to memory of 2828	2700	operadbor.exe	43
PID 2828 wrote to memory of 2248	2828	vbc.exe	45
PID 2828 wrote to memory of 2248	2828	vbc.exe	45
PID 2828 wrote to memory of 2248	2828	vbc.exe	45
PID 2700 wrote to memory of 1988	2700	operadbor.exe	46
PID 2700 wrote to memory of 1988	2700	operadbor.exe	46
PID 2700 wrote to memory of 1988	2700	operadbor.exe	46
PID 1988 wrote to memory of 1156	1988	vbc.exe	48
PID 1988 wrote to memory of 1156	1988	vbc.exe	48
PID 1988 wrote to memory of 1156	1988	vbc.exe	48
PID 2700 wrote to memory of 2340	2700	operadbor.exe	49
PID 2700 wrote to memory of 2340	2700	operadbor.exe	49
PID 2700 wrote to memory of 2340	2700	operadbor.exe	49
PID 2340 wrote to memory of 1072	2340	vbc.exe	51
PID 2340 wrote to memory of 1072	2340	vbc.exe	51
PID 2340 wrote to memory of 1072	2340	vbc.exe	51
PID 2700 wrote to memory of 1252	2700	operadbor.exe	52
PID 2700 wrote to memory of 1252	2700	operadbor.exe	52
PID 2700 wrote to memory of 1252	2700	operadbor.exe	52
PID 1252 wrote to memory of 2420	1252	vbc.exe	54
PID 1252 wrote to memory of 2420	1252	vbc.exe	54
PID 1252 wrote to memory of 2420	1252	vbc.exe	54
PID 2700 wrote to memory of 1396	2700	operadbor.exe	55
PID 2700 wrote to memory of 1396	2700	operadbor.exe	55
PID 2700 wrote to memory of 1396	2700	operadbor.exe	55
PID 1396 wrote to memory of 444	1396	vbc.exe	57
PID 1396 wrote to memory of 444	1396	vbc.exe	57
PID 1396 wrote to memory of 444	1396	vbc.exe	57
PID 2700 wrote to memory of 2296	2700	operadbor.exe	58
PID 2700 wrote to memory of 2296	2700	operadbor.exe	58
PID 2700 wrote to memory of 2296	2700	operadbor.exe	58
PID 2296 wrote to memory of 1680	2296	vbc.exe	60

C:\Users\Admin\AppData\Local\Temp\1e727208babb46498fbfb78de5c9bd4e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1e727208babb46498fbfb78de5c9bd4e_JaffaCakes118.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Windows\system32\cmd.exe
  cmd /c ipconfig/release & ping -n 60 127.0.0.1 & ipconfig/renew & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1736
- - C:\Windows\system32\ipconfig.exe
    ipconfig /release
    3⤵
    - Gathers network information
    PID:2956
- - C:\Windows\system32\PING.EXE
    ping -n 60 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2864
- - C:\Windows\system32\ipconfig.exe
    ipconfig /renew
    3⤵
    - Gathers network information
    PID:2500
- C:\Users\Admin\AppData\Roaming\operadbor.exe
  "C:\Users\Admin\AppData\Roaming\operadbor.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Windows\system32\cmd.exe
    cmd /c ipconfig/release & ping -n 60 127.0.0.1 & ipconfig/renew & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /release
      4⤵
      Gathers network information
      PID:2460
  - - C:\Windows\system32\PING.EXE
      ping -n 60 127.0.0.1
      4⤵
      Runs ping.exe
      PID:3052
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /renew
      4⤵
      Gathers network information
      PID:1708
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vsixkdx2.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2344
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2B55.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2B45.tmp"
      4⤵
      PID:1216
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\h6vit_gg.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2828
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2BB3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2BB2.tmp"
      4⤵
      PID:2248
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5tahvnsk.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1988
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2C11.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2C10.tmp"
      4⤵
      PID:1156
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\povb1smd.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2340
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2C5F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2C5E.tmp"
      4⤵
      PID:1072
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rcx5rtw7.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1252
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2C9D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2C9C.tmp"
      4⤵
      PID:2420
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lk-lsz1w.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1396
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2CEB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2CEA.tmp"
      4⤵
      PID:444
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kup__ynf.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2296
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2D77.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2D76.tmp"
      4⤵
      PID:1680
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\01du-zvi.cmdline"
    3⤵
    PID:1104
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2DD5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2DD4.tmp"
      4⤵
      PID:1288
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qrpd8xla.cmdline"
    3⤵
    PID:968
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2E33.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2E32.tmp"
      4⤵
      PID:2124
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\d4myd2mc.cmdline"
    3⤵
    PID:1316
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2EAF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2EAE.tmp"
      4⤵
      PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\01du-zvi.0.vb

Filesize
272B

MD5
f22a3a7c21e3628dbef771e5ab634ccc

SHA1
a53c94b8bd1b9f8abb96c9667724a14535957212

SHA256
70d64746c9aa9c3fd76ff6cf73d0ebd04e3fc1b389c9c0c9b7e5042d653f41c9

SHA512
bb2c26954847ca1fdfd1ae14054bae16b24fcb64b1204a81af4e5fffdd3c9783f6455030376b767ba4aa8d9a0716127094a082cc49153b92ddab01d38b75526a

Download Submit
C:\Users\Admin\AppData\Local\Temp\01du-zvi.cmdline

Filesize
164B

MD5
33801d3beb5a7d64b2284d15b5475cc7

SHA1
e342060d17935d095176acd8ecb04bdbdd964004

SHA256
e933e1ab7c0849e43dfc1e9f55db6ef1c0e681d7aab5a4228a1306d560201141

SHA512
b30917addb203426dbf9259b50ad4c2cd22d476317618e6eb3c00a0a86e3ad55173774312b317ea7a3ca03995e4b19ff546563c613cb69a9e35b5150f87450a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\5tahvnsk.0.vb

Filesize
273B

MD5
0db8bdaf1bacb7b6f483a89fe2104409

SHA1
dd99a8b5f95436fa1a2622bd49a72cc0956999cc

SHA256
c48b6dfe3868e39dee170c7e2c52b25a72194e7bfd15cf9ce4850954f04bcf7f

SHA512
6a4d5940295d986964035645f3c248372f9e38267ba282d22b1b0f3766925d63b4998b912190d93d803a95993a8accc2fa71068533a48a2356f9d9fbf9e613a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\5tahvnsk.cmdline

Filesize
165B

MD5
9ebd99da0389a826283721985eb215a4

SHA1
426111d2c90ca58dc83a1b03df4101101ff12f62

SHA256
a27e08370b6e354f87efe922f492c21c69d39c706283907739e172d581784f91

SHA512
aa158f3e243c7f2c5c5c8c80677d64c02fcec675e745a42cbbf6786639e2c0affa653a673b56dc4eaa4831971a684a585ffa03b33ea77063ef27f317a0238b6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2B55.tmp

Filesize
1KB

MD5
877da534a12a805c0093f67a55229ee6

SHA1
1ef3940c4907524b2aac9cc78f6fa8866755a251

SHA256
2914baeaaf6d8d7e704aa00a83230e682d5686d7aedfe4003131362d834f6984

SHA512
3b1e361c7d6931e3936169562887bb29d5e4ab0ec2d9a81063de5593c4fb13090f6d72da5dee0d7b2035d8cc0753178d3a085e59e18f40d75e0d15817dc0b001

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2BB3.tmp

Filesize
1KB

MD5
2cc19897f43bebcec40371fa8a71c079

SHA1
ffec3a959ea9908dea265699ed670c76d3879648

SHA256
d06c1175d229031ec6f2a3c247b2f81b4cd58ad6bfa9d58b4d171dfba0838ced

SHA512
6fb64e5ad9b10b8706ecc9149ddfc0b4b7f727a7b3d746490eef4e50f2de7a95a745272976b781c9271efcc613a4339741c8782f541614e510a80390f2000c6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2C11.tmp

Filesize
1KB

MD5
edb32dfefa7af33fc83f0016a7309b75

SHA1
2a38934db7fea976486c3225f2298b09c9c58395

SHA256
9ed128083e7f1c5691af97e4d49c46b58b7eb1809a113b28ad47a2ff1877200d

SHA512
429a2de49224b76174cc3e9511eb35326c2fe342322814d17bc3b929dc279f49945a8127b668d0cad864a2289a8ccaab34fb5ba16a7ef7928f6a4605796128b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2C5F.tmp

Filesize
1KB

MD5
0f42e1e22acb0ac9934d9952bfe3c538

SHA1
d6ec64687333c5ae62dafa788f5f3cf2c03f7345

SHA256
9d0823fdde71641d72b652ee99f5d81f67a12e0d5b0822e8fb40e4ea868eaf3f

SHA512
a0003ed9f638d5cf79d4457832f5346b08201e3c3bece1afb9c0553d453660d330933d9752f4261f3eacd5bfd73eaf2653e84eb794149de5726ab00f5299dae3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2C9D.tmp

Filesize
1KB

MD5
9338b9973a6a6359ab25bd425214bc8b

SHA1
18234cbddb0b47ecae91470a3bd1d4f30f5071af

SHA256
ca3e7fcc760139f69f6fc86beee808089112cdf2b35c9ed0c2b59a81b6df2865

SHA512
b2320bb44fdf11dfb75b04df73a209b54198e6b438be48b2fcda3976625a1127e19c2ce58dd925d3129b4707645da0dae7e2e5594b79865cf5101a780b586d30

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2CEB.tmp

Filesize
1KB

MD5
dbf1b49d94636827378c7dbfd5c336ef

SHA1
ba14f6770d61c9ee18e6351f834e25ddbd4c5b94

SHA256
cad79b32b610024de5227f5c4f4faaaf79572473a1404366401a99a31b2c068f

SHA512
4cd518795ad311a19b922ef55d25781b79a0110df42b40682ead115da82bed678fcbd7642ca6d8206b258be8647826289c69dd9ba8f067f541638225708e0e68

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2D77.tmp

Filesize
1KB

MD5
b38638ab8121e49307b93ea7ee570276

SHA1
96243dda8b6c8f187c5b6624ecd94851b9bb07fc

SHA256
8e8bfd1edb9205e79d131976be50c8065074e0b2b8ad2c20d6e3a00755cefb01

SHA512
74cf87aa19b1294601df8c953cecd609cb3836b3ede58a857b929fbb1c736943c1a216a6c57f1a56ff03904fe1cb667fcf2761e142e5667dc78ad552799bbc27

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2DD5.tmp

Filesize
1KB

MD5
fb427418caa7c13bbaedb3c1e58f454c

SHA1
e5d1f06701b4ebd8fbe5d42584e9e18223380332

SHA256
76da059270e3c8b26ea19f5b15097861fa7991de2d929ce5c765fbe93ccc7d20

SHA512
634ee783dcdf2dc95ba7095b75be83d12bd20e33b596a9dba32bd91c68ef82e436fa8a7127daa0966022fc07761c8994a84a216bb8171068104db261cdd76a3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2E33.tmp

Filesize
1KB

MD5
4ccbf56008b893301479677acaaa11ad

SHA1
875f39a8b17b9189396334724b3903f862513bf3

SHA256
cd1408fd8770f4dff523f7ea966a275137d26624de957fe7e501a9917cd5d03f

SHA512
f30b9174fbc36c78675d7a2f519e4803ac458f6e6d8c0daf02f6f94b7b2ef1be774c52c6f56ad313f34e6965eb4a0ac9b7bd4e7393fe771dabdc47fea7bbfaf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2EAF.tmp

Filesize
1KB

MD5
c4c8f8c5bf8a7a57e00345dc1afffa2f

SHA1
fe3ac5c5f83fbb4509cf1ae3b466f201638583b5

SHA256
11ba3f7ce1a44f140ca47eeec69e2b1a19fc03cbb78439210e020d1122aefcd8

SHA512
3970e5ace06df5f3af75aea9005dd3c53e897d45da67997d2c730f3e64ed7e9a7867a418d17eeddc34555925fdc25b57e504571f87f29bd16b2518a189566129

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4myd2mc.0.vb

Filesize
281B

MD5
3cc1d6744c8b410df7174c627678e726

SHA1
c3a59cbb02e9359992e874b2466fd3b1ed924a8c

SHA256
1853a4797075d2583fc7a8d78268390eba044287b0c98892baeb4ffc14d7a03f

SHA512
379990b686fa9002bd49e57da5ed2527ab5cb9e2bc23686bd7715519ed1194957c1768b38f66946fd88fa8754d165951775d79b61e5a95b5bdc155140d758bfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4myd2mc.cmdline

Filesize
173B

MD5
8e0329c95f7eeed20bc5356977773704

SHA1
0fdf01b80a1d542832e898846f57f4c51a64a8cc

SHA256
5ef296adb33bde0c43a9d5b8cb2d683d8f185c99986e7e466954b9d3be7124ca

SHA512
e83a4386ae3d8c6af6be73766416266c222292b01cce1ad42c11cc973433ad152e2eef16b2a09916c4e63c4af9a44d7152224d78963ff98c4dc74740f5a1b9e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\h6vit_gg.0.vb

Filesize
274B

MD5
93ca7bd6b779380c164af941a4406178

SHA1
7189816ddfc21b5820c339b4d425bc003c3c889c

SHA256
74cde593b8ef7ade6255ca150bd862a15bcee5c5ffc6291dcd2346b8011cc060

SHA512
93dc3985ee4a75addae00f152095eb9c97b2a80dd7652e1640cd0cc8862f13b327bade3f5d93efab2a9a4f059ab8776d4a21f37636272c290a89eb7e05ecad1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\h6vit_gg.cmdline

Filesize
166B

MD5
a7385d9b908dd5df1565d3935b7f2c06

SHA1
5a987cb63401741ae91211b361d46af183ff91fd

SHA256
34c53c24b92864ef47762ce73a505c0a624bd2a5127ecff129ae555636e63a89

SHA512
16a1dda7fe5e97e031f89fc4c4d36afdcc9d6a017f98e893de7ad00c8108d362cc44509261ae586c8870441fd149f62ea7b112e47cba5c9d68461e005e815339

Download Submit
C:\Users\Admin\AppData\Local\Temp\kup__ynf.0.vb

Filesize
279B

MD5
c3162970c4db2e615fdff1a27190b28b

SHA1
49785ee37393a423aea1dd75c14cf1f715d69d41

SHA256
8cdb0aa4755b4e7e46cacd2f5de0543588a0c6755f1dfa6aa5e6e2b9c7c8cbbe

SHA512
19aa61925dff8f54a33262571b76ab95ff1e4c83bd15fce715d8f71ccfc6f93b132c6229034742c544af9ddb9794922c3dc97b4eadfd28325c865503669512ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\kup__ynf.cmdline

Filesize
171B

MD5
2e2327a01d72b23ccb9bb72b39396aed

SHA1
73a8b343d828ffeb7c90d5d22188b9dfb0cbdaa0

SHA256
e141a283fa2f7041e908c169df2542a72e60c78fff1277f2a02c09c0dd1228a4

SHA512
45cf4a1aab1f2da6f02fdf625540374ea7c8ab429aa358b8ec2b11689f972da10839896b1089491324834a4fddb800d6a4c6b0466b319c512fdb2f7e7e1f38f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\lk-lsz1w.0.vb

Filesize
298B

MD5
b45d9bdcdfbcd656dddeef05a63beaf9

SHA1
2ffcb7241eced63c8adfbaa7d289db8278b0e548

SHA256
3b4a0f2c75e5d852f70cfac18c467197a1061776d11fad57947e17bb44e2c9e7

SHA512
9a9aa33ce61d215a72ed949c37527ae3cafbc2afda5fe4a2638328f3d8ca8273440c6dc76a06765eceeb131032702e96abf606e6276561d6e660defafbf3a5c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\lk-lsz1w.cmdline

Filesize
190B

MD5
01134ef365b1b20e7cd11c7244eaccb0

SHA1
3477d5e8a7e65f2aca1c1bf48fdac23698973dc7

SHA256
5d93fcf55bfaa573955628aa7a891f80026e499f055cd83fca484a003a1f92c3

SHA512
0afcb65b5bfbb88efdb8743045c2ce65d8143b43bce00e48420958e8c50ed46c373f74845732d3e629ed428ae1fc54dc04a1a789ebd8d34f755cb2241b8e0ae6

Download Submit
C:\Users\Admin\AppData\Local\Temp\povb1smd.0.vb

Filesize
277B

MD5
bd87123dca69f7f877ae169fb4571755

SHA1
46e4494f9e3c3084c1a773207217f0ca51abadea

SHA256
198ebaa5e40ed9a68d033fcdb3bbc041a98d322f9a52aeb50b4acb178f996920

SHA512
2daedfd7980844373e5fc96e7bb2a523b6fb3ab1dbe6898950b7fa16df723ffb0ec82763d6236c3e2766bde357b218ef99758f168559714c252fea5cd2af7476

Download Submit
C:\Users\Admin\AppData\Local\Temp\povb1smd.cmdline

Filesize
169B

MD5
52beb85ca8b6d43ab7b557c028ab1487

SHA1
66d813b81c78aa1a0087b192029e6a202f2dfd57

SHA256
a94f0281bfce44076a8ec49cccb2649e17fce105714d0f776f98d803d8a6a4c5

SHA512
dd0208f2c55028c1f835347c409434f15902f4b95033f4d1c99b19b3b0ef13ba8e6b9ca5e14075094217482e1b69659534d5840beb79fc77962a4d663f0369ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\qrpd8xla.0.vb

Filesize
278B

MD5
3789937f4979d7de941922376cc47dc9

SHA1
242788cefe7d486ec0add955b4602da4055a9949

SHA256
0d7f796849c5e65cf21e61708c73897bb401ee1aca244d5ef408bde5d6e1fb41

SHA512
d42e053975e6cd111ad7a2089e6fcffa4226c99c32912cd48ea9abf2199f71c17538b258f398b4b301899d32585a9c37020d61d7c5a95d2068e3f92f9a3580ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\qrpd8xla.cmdline

Filesize
170B

MD5
98eba2605251d9a9656d056b7dbcf337

SHA1
0613c96f110001d99aed4c9d33e8af6d2141c8a7

SHA256
9df6848a569e079c549709d3faf7206451ddd31cf5db7fec004b490d5df5ff56

SHA512
91278497eac8fcaf8ca68a23fbe032dd92c07ed79a3a941ece9788356ed88066912ed667f48bda81790055c84d8f7c9010b677a4d39ed701c5e8828a5d8aba89

Download Submit
C:\Users\Admin\AppData\Local\Temp\rcx5rtw7.0.vb

Filesize
279B

MD5
1e972d65c4de775614a9904608c590a4

SHA1
705903a8ea6ab7a9166066ee8a588a62aff5ddfd

SHA256
a9fe5f310a23bb5152675e5680aa92dc1b671af52b60da07e44333eca21c9e22

SHA512
0d1af1d0f4b0cffd6f79a5959b389c4aa9e43a5979e1bbea200b0797e327417b83e3151b83000095d46c3321c599de79650f71cc1faf8c82faa5ba2cc6e2cc79

Download Submit
C:\Users\Admin\AppData\Local\Temp\rcx5rtw7.cmdline

Filesize
171B

MD5
9383a4b56f4169584966f1c4d79aea5d

SHA1
4366ae5c327966decbf448a954787ac21b693ba7

SHA256
da6b491ac28a8dae4bff3190c64527e66568e877f317f1f1955194c8eb93fdb7

SHA512
230e91eae1c868a701631b682293eac31deb8aa92469fb4216b6dcb1b653c8f11dc7a41991dc3bdabebff9dc7d06a6ce4fb1e64206a66c1d59eac7ea622b35c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2B45.tmp

Filesize
668B

MD5
3906bddee0286f09007add3cffcaa5d5

SHA1
0e7ec4da19db060ab3c90b19070d39699561aae2

SHA256
0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00

SHA512
0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2BB2.tmp

Filesize
684B

MD5
41857ef7e71c255abd4d5d2a9174e1a6

SHA1
95051d6ae43ff1bd9e5ebc95aa2e7b7c3165cb6c

SHA256
dfcdf12316f3b523895ec611d8e8d9fdc189ab8dde4e86fb962541aeac54e302

SHA512
ec6c5a7729d273be3ff194ffe47056731ab4100e298b7f50108a2599be59c84bd1953a90c4d7390c477257986a18d336d951f590b782f1aa983de7bd4c86e6ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2C10.tmp

Filesize
684B

MD5
453916f7e3952d736a473b0e2eea5430

SHA1
b79ccb2b555a81b8db470ec9fcaea26d42ef1c8b

SHA256
b0f8b94a35a12060c70e9f81641be22cbf1f1794c73260f48a2e6e46608623fe

SHA512
86d32a03cf04ef8640075c82e5fecb23034413a41b80b81c900a423b03f44589f774f68f83561465e7c9ce46512c818eef5a90e5ed9f7b3f86b592be34fa367f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2C5E.tmp

Filesize
700B

MD5
6ed26221ebae0c285cdced27b4e4dbac

SHA1
452e9440a9c5b47a4f54aefdde36c08592e17a38

SHA256
aacdfb10fa949c74577bb1778fe2f3bab88b3e587c07cfffb003e059097e9e6c

SHA512
c604368a7b4adfbec5b6898c8880ea684bd085d967c1ebd087c9bed065fe3e2575c8298a9ccaa454d68496386667db998e2a04248dda2ab35905c8a9b1135cce

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2CEA.tmp

Filesize
748B

MD5
b548259248343e12d417d6c938cf8968

SHA1
19703c388a51a7ff81a3deb6a665212be2e6589a

SHA256
ab2ce0a14c78f836d2b134a37183b6d89a78b964ea5607940fa5d940d32a0366

SHA512
73a3902f000a042a448446f6851d6ad61a30bfdfed7d7903b5dad0f368ee43cd6da3b8ba817ac95be1a7427902aba0642af8ccddc4d442867465f1f1f5bf6f81

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2D76.tmp

Filesize
676B

MD5
ba2c43095c1c82b8024e968d16bee036

SHA1
41ea006dbc9f0f6e80941d7547a980a1dde868e0

SHA256
1209067183104b41f03a5be0f377dc1865155cc84bdb509b871b7ce3366aae72

SHA512
00dc93cdb8c4cb0a681f99d24c59216a721bce963d76bad972e29cf92aafd74e4af46632c00f5aef4ce3160927db9df8aa9a8926ea4a5cb6974b499785569e61

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2DD4.tmp

Filesize
644B

MD5
dac60af34e6b37e2ce48ac2551aee4e7

SHA1
968c21d77c1f80b3e962d928c35893dbc8f12c09

SHA256
2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6

SHA512
1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2EAE.tmp

Filesize
684B

MD5
7a707b422baa7ca0bc8883cbe68961e7

SHA1
addf3158670a318c3e8e6fdd6d560244b9e8860e

SHA256
453ad1da51152e3512760bbd206304bf48f9c880f63b6a0726009e2d1371c71c

SHA512
81147c1c4c5859249f4e25d754103f3843416e3d0610ac81ee2ef5e5f50622ea37f0c68eeb7fa404f8a1779dc52af02d2142874e39c212c66fa458e0d62926a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vsixkdx2.0.vb

Filesize
270B

MD5
fbfbe5d60d56093955b89a84a82b893b

SHA1
8b7fce2f1689fbce0e3ff1a19580ac8a2b4cf8ba

SHA256
e065ba9d6ac7bd0340403a6b3952bf7ea06e503daa4a594fc5dcf1953b86c273

SHA512
61b4cc54977e477a7b8d1e2bd9f874b7305b753aff641448798a61eff89491e815f19eba4cd5a7b89e9ff5568b33996c5bb3bd8a564deb780548f4e4dbaf3faf

Download Submit
C:\Users\Admin\AppData\Local\Temp\vsixkdx2.cmdline

Filesize
162B

MD5
5eb3f2e75c03e9ed4c62a14a650bf230

SHA1
ce7b503d10cab4154c6c91d3966ff56ae2b6a871

SHA256
b31b5796bacc43ffabee1d0aff7689abe3f54e040fdc4146973a417cc0ff07aa

SHA512
0d6ff3e3ad65e997cfd662b797e3925de6dd521fcde93bf4868da37031a0a490645453bd120531f3ca60a1e71694a10198560614b6d9043a0388b88b5da9417b

Download Submit
C:\Users\Admin\AppData\Roaming\operadbor.exe

Filesize
56KB

MD5
1e727208babb46498fbfb78de5c9bd4e

SHA1
4e31a85577912269a8c94f1d86a04961aaca0785

SHA256
756d29c6d075b93d00eccf8a6d92749d1271a435af40dab969ce57374382ccb0

SHA512
1fcdfc5fc22c5264871d4b2c37962376d027409a34c1094db65b4f739d7da54b441fafe791662bd42f1a5d2dff1df03c93db286fa1c71a7ed1738666a80a0ae9

Download Submit
memory/2212-1-0x000007FEF5BB0000-0x000007FEF654D000-memory.dmp

Filesize
9.6MB

Download
memory/2212-5-0x000007FEF5BB0000-0x000007FEF654D000-memory.dmp

Filesize
9.6MB

Download
memory/2212-3-0x0000000000440000-0x000000000044A000-memory.dmp

Filesize
40KB

Download
memory/2212-4-0x000007FEF5E6E000-0x000007FEF5E6F000-memory.dmp

Filesize
4KB

Download
memory/2212-11-0x000007FEF5BB0000-0x000007FEF654D000-memory.dmp

Filesize
9.6MB

Download
memory/2212-2-0x000007FEF5BB0000-0x000007FEF654D000-memory.dmp

Filesize
9.6MB

Download
memory/2212-0-0x000007FEF5E6E000-0x000007FEF5E6F000-memory.dmp

Filesize
4KB

Download
memory/2700-12-0x000007FEF5BB0000-0x000007FEF654D000-memory.dmp

Filesize
9.6MB

Download
memory/2700-13-0x000007FEF5BB0000-0x000007FEF654D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads