revengerat | e19811007358c2fea5eba596d6a63a70e11b0accd479ce63afd9be273422a3e6

Analysis

max time kernel
138s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27-08-2024 16:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c558f1a93fbb271ba8b0b50b822fe584_JaffaCakes118.exe
Size

601KB
MD5

c558f1a93fbb271ba8b0b50b822fe584
SHA1

b96b0203cf05d1864fd6013c563935407421e5ec
SHA256

e19811007358c2fea5eba596d6a63a70e11b0accd479ce63afd9be273422a3e6
SHA512

1a6cc8754156a4be60f269d516d32611065ea0e91ed0fa1d528ca2e874af3c73d778ecb5beb0655a630b4e30d528fdbb216c699eb0ce2df1793dcc5055ff1a84
SSDEEP

12288:qQhhmhhzhhZhhFhhihhMhhkhhxhhqhh0hh/hhvhAhhdhh8hhthhUhhRhhXhh1hhF:qQhhmhhzhhZhhFhhihhMhhkhhxhhqhhb

Score

10^/10

revengerat persistence stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral2/memory/4800-4-0x000000001B370000-0x000000001B398000-memory.dmp	revengerat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	c558f1a93fbb271ba8b0b50b822fe584_JaffaCakes118.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Skype.exe	Chrome.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Skype.exe	Chrome.exe

Executes dropped EXE 1 IoCs

pid	Process
4912	Chrome.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\Chrome.exe"	Chrome.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
4	pastebin.com
47	pastebin.com
3	pastebin.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4800	c558f1a93fbb271ba8b0b50b822fe584_JaffaCakes118.exe
Token: SeDebugPrivilege	4912	Chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4800 wrote to memory of 1800	4800	c558f1a93fbb271ba8b0b50b822fe584_JaffaCakes118.exe	95
PID 4800 wrote to memory of 1800	4800	c558f1a93fbb271ba8b0b50b822fe584_JaffaCakes118.exe	95
PID 1800 wrote to memory of 2748	1800	vbc.exe	97
PID 1800 wrote to memory of 2748	1800	vbc.exe	97
PID 4800 wrote to memory of 1660	4800	c558f1a93fbb271ba8b0b50b822fe584_JaffaCakes118.exe	98
PID 4800 wrote to memory of 1660	4800	c558f1a93fbb271ba8b0b50b822fe584_JaffaCakes118.exe	98
PID 1660 wrote to memory of 4304	1660	vbc.exe	100
PID 1660 wrote to memory of 4304	1660	vbc.exe	100
PID 4800 wrote to memory of 1084	4800	c558f1a93fbb271ba8b0b50b822fe584_JaffaCakes118.exe	101
PID 4800 wrote to memory of 1084	4800	c558f1a93fbb271ba8b0b50b822fe584_JaffaCakes118.exe	101
PID 1084 wrote to memory of 388	1084	vbc.exe	103
PID 1084 wrote to memory of 388	1084	vbc.exe	103
PID 4800 wrote to memory of 2540	4800	c558f1a93fbb271ba8b0b50b822fe584_JaffaCakes118.exe	104
PID 4800 wrote to memory of 2540	4800	c558f1a93fbb271ba8b0b50b822fe584_JaffaCakes118.exe	104
PID 2540 wrote to memory of 5072	2540	vbc.exe	106
PID 2540 wrote to memory of 5072	2540	vbc.exe	106
PID 4800 wrote to memory of 4412	4800	c558f1a93fbb271ba8b0b50b822fe584_JaffaCakes118.exe	107
PID 4800 wrote to memory of 4412	4800	c558f1a93fbb271ba8b0b50b822fe584_JaffaCakes118.exe	107
PID 4412 wrote to memory of 3480	4412	vbc.exe	109
PID 4412 wrote to memory of 3480	4412	vbc.exe	109
PID 4800 wrote to memory of 4916	4800	c558f1a93fbb271ba8b0b50b822fe584_JaffaCakes118.exe	110
PID 4800 wrote to memory of 4916	4800	c558f1a93fbb271ba8b0b50b822fe584_JaffaCakes118.exe	110
PID 4916 wrote to memory of 3656	4916	vbc.exe	112
PID 4916 wrote to memory of 3656	4916	vbc.exe	112
PID 4800 wrote to memory of 2152	4800	c558f1a93fbb271ba8b0b50b822fe584_JaffaCakes118.exe	113
PID 4800 wrote to memory of 2152	4800	c558f1a93fbb271ba8b0b50b822fe584_JaffaCakes118.exe	113
PID 2152 wrote to memory of 536	2152	vbc.exe	115
PID 2152 wrote to memory of 536	2152	vbc.exe	115
PID 4800 wrote to memory of 3180	4800	c558f1a93fbb271ba8b0b50b822fe584_JaffaCakes118.exe	116
PID 4800 wrote to memory of 3180	4800	c558f1a93fbb271ba8b0b50b822fe584_JaffaCakes118.exe	116
PID 3180 wrote to memory of 1052	3180	vbc.exe	118
PID 3180 wrote to memory of 1052	3180	vbc.exe	118
PID 4800 wrote to memory of 4764	4800	c558f1a93fbb271ba8b0b50b822fe584_JaffaCakes118.exe	119
PID 4800 wrote to memory of 4764	4800	c558f1a93fbb271ba8b0b50b822fe584_JaffaCakes118.exe	119
PID 4764 wrote to memory of 2692	4764	vbc.exe	121
PID 4764 wrote to memory of 2692	4764	vbc.exe	121
PID 4800 wrote to memory of 1840	4800	c558f1a93fbb271ba8b0b50b822fe584_JaffaCakes118.exe	122
PID 4800 wrote to memory of 1840	4800	c558f1a93fbb271ba8b0b50b822fe584_JaffaCakes118.exe	122
PID 1840 wrote to memory of 4992	1840	vbc.exe	124
PID 1840 wrote to memory of 4992	1840	vbc.exe	124
PID 4800 wrote to memory of 3408	4800	c558f1a93fbb271ba8b0b50b822fe584_JaffaCakes118.exe	125
PID 4800 wrote to memory of 3408	4800	c558f1a93fbb271ba8b0b50b822fe584_JaffaCakes118.exe	125
PID 3408 wrote to memory of 3232	3408	vbc.exe	127
PID 3408 wrote to memory of 3232	3408	vbc.exe	127
PID 4800 wrote to memory of 1004	4800	c558f1a93fbb271ba8b0b50b822fe584_JaffaCakes118.exe	128
PID 4800 wrote to memory of 1004	4800	c558f1a93fbb271ba8b0b50b822fe584_JaffaCakes118.exe	128
PID 1004 wrote to memory of 3972	1004	vbc.exe	130
PID 1004 wrote to memory of 3972	1004	vbc.exe	130
PID 4800 wrote to memory of 3204	4800	c558f1a93fbb271ba8b0b50b822fe584_JaffaCakes118.exe	131
PID 4800 wrote to memory of 3204	4800	c558f1a93fbb271ba8b0b50b822fe584_JaffaCakes118.exe	131
PID 3204 wrote to memory of 1068	3204	vbc.exe	133
PID 3204 wrote to memory of 1068	3204	vbc.exe	133
PID 4800 wrote to memory of 2332	4800	c558f1a93fbb271ba8b0b50b822fe584_JaffaCakes118.exe	134
PID 4800 wrote to memory of 2332	4800	c558f1a93fbb271ba8b0b50b822fe584_JaffaCakes118.exe	134
PID 2332 wrote to memory of 2012	2332	vbc.exe	136
PID 2332 wrote to memory of 2012	2332	vbc.exe	136
PID 4800 wrote to memory of 2980	4800	c558f1a93fbb271ba8b0b50b822fe584_JaffaCakes118.exe	137
PID 4800 wrote to memory of 2980	4800	c558f1a93fbb271ba8b0b50b822fe584_JaffaCakes118.exe	137
PID 2980 wrote to memory of 2476	2980	vbc.exe	139
PID 2980 wrote to memory of 2476	2980	vbc.exe	139
PID 4800 wrote to memory of 5116	4800	c558f1a93fbb271ba8b0b50b822fe584_JaffaCakes118.exe	140
PID 4800 wrote to memory of 5116	4800	c558f1a93fbb271ba8b0b50b822fe584_JaffaCakes118.exe	140
PID 5116 wrote to memory of 1140	5116	vbc.exe	142
PID 5116 wrote to memory of 1140	5116	vbc.exe	142

C:\Users\Admin\AppData\Local\Temp\c558f1a93fbb271ba8b0b50b822fe584_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c558f1a93fbb271ba8b0b50b822fe584_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4800
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cpi7buve.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1800
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE484.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc47D732DF445C4E359D6C7274D7613286.TMP"
    3⤵
    PID:2748
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gi5p8dpe.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1660
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE668.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA57D65FD4E249E8B03C79F295225D6.TMP"
    3⤵
    PID:4304
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\guoorji4.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1084
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE6B6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2EA4A2EECB584FA5AC32B3C7D52333.TMP"
    3⤵
    PID:388
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ijiaw5dd.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE714.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC75C7257BEC4556A3A87848139B10C4.TMP"
    3⤵
    PID:5072
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pcibinyx.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4412
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE772.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc36115590F88D4D989FD45FAC22C6B43.TMP"
    3⤵
    PID:3480
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6jcxbsze.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4916
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE7C0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7A932A8B8B0F42BA981B2178AD5FB97D.TMP"
    3⤵
    PID:3656
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\raqknscx.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2152
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE81E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc655637DA252B4818B74C648D4415E6EA.TMP"
    3⤵
    PID:536
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5uf5_xm9.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3180
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE86C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDB667C251DC46EDBBA6A651AF325A7D.TMP"
    3⤵
    PID:1052
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\halwa3jp.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4764
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE8CA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc91FC171D4AF94594A8E667B1CB6241B7.TMP"
    3⤵
    PID:2692
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\oxadopwl.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1840
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE927.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc251CBCB3F0244C58F2D6EB188C1F8A2.TMP"
    3⤵
    PID:4992
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gstywjjf.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3408
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE975.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc56B1CB5E6D94783B33062E94E1846A7.TMP"
    3⤵
    PID:3232
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9ka6wtjy.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1004
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE9D3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF0C38CA6EFF5458881DF27FF6E156B.TMP"
    3⤵
    PID:3972
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\w6buojnb.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3204
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEA31.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAED58378E8E94A10AD51FDE659B132A.TMP"
    3⤵
    PID:1068
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uny_ccwa.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEA8F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7E2E1EED6E434FA593885119175D948.TMP"
    3⤵
    PID:2012
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\getzhdet.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEAEC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE95B82BA3C71469CB3378B51C2F51DCF.TMP"
    3⤵
    PID:2476
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\t4xbnzvn.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5116
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEB3B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB5AF2AF1510346578B841AD46DBBF498.TMP"
    3⤵
    PID:1140
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kyicd5bq.cmdline"
  2⤵
  PID:552
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEBB8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE48619A1196D4605B3335D1EE3E14C5F.TMP"
    3⤵
    PID:4448
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xbygpemx.cmdline"
  2⤵
  PID:2828
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEC06.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE122A7A19D7540E9AEC92D16699D9E6.TMP"
    3⤵
    PID:3180
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zmh9sltd.cmdline"
  2⤵
  PID:4168
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEC63.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc77DF6278F8424DC598E0D0EB4E6C6EA.TMP"
    3⤵
    PID:5056
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xdai0v1_.cmdline"
  2⤵
  PID:2484
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESECA2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF10AAABDA4D44672A747D75721F1C66E.TMP"
    3⤵
    PID:4992
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\i-a8d-_b.cmdline"
  2⤵
  PID:3744
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESECE0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCF826D8587A745C280BAD8E9AD2BC8FE.TMP"
    3⤵
    PID:1660
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\l6qsiqll.cmdline"
  2⤵
  PID:956
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESED2F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDCEC3B0390004E0687AF75EA5DBD4F.TMP"
    3⤵
    PID:3772
- C:\Users\Admin\AppData\Roaming\Chrome.exe
  "C:\Users\Admin\AppData\Roaming\Chrome.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:4912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Hello\vcredist2010_x64.log-MSI_vc_red.msi.ico

Filesize
4KB

MD5
c350868e60d3f85eb01b228b7e380daa

SHA1
6c9f847060e82fe45c04f8d3dab2d5a1c2f0603e

SHA256
88c55cc5489fc8d8a0c0ace6bfb397eace09fba9d96c177ef8954b3116addab7

SHA512
47555d22608e1b63fbf1aacee130d7fc26be6befaa9d1257efb7ad336373e96878da47c1e1e26902f5746165fc7020c6929a8a0b54d5ad1de54d99514cc89d85

Download Submit
C:\ProgramData\Hello\vcredist2010_x64.log.ico

Filesize
4KB

MD5
64f9afd2e2b7c29a2ad40db97db28c77

SHA1
d77fa89a43487273bed14ee808f66acca43ab637

SHA256
9b20a3f11914f88b94dfaa6f846a20629d560dd71a5142585a676c2ef72dc292

SHA512
7dd80a4ed4330fe77057943993a610fbd2b2aa9262f811d51f977df7fbcc07263d95c53e2fb16f2451bd77a45a1569727fbf19aeded6248d57c10f48c84cb4da

Download Submit
C:\Users\Admin\AppData\Local\Temp\5uf5_xm9.0.vb

Filesize
371B

MD5
88fa186278224682109ea49fc37c26a4

SHA1
f71c0b748bf14b3a1735e3fffb74c6d8aef7be9a

SHA256
ac052cad47458d05f65db545636bd6ada6114e04a61a7d0c736340972aab397a

SHA512
dfbe4f0c23a63679a6eee192dbd90e68ea6400861a0259820e231b7f13a619aea397d25abb6879bbe19c1054b4e5e267e12a49736eb93bb12d43ee9fd1c5a596

Download Submit
C:\Users\Admin\AppData\Local\Temp\5uf5_xm9.cmdline

Filesize
265B

MD5
26154f25bbc826794daa8cc54e400675

SHA1
7db8b3b07b3b9907e1901e7dfaf069a9eb146531

SHA256
49661b91504b621e167041ca934a565a3c04b576d563beec3df5e78a63c037f1

SHA512
ae736c294670f0123646ad38d309b33e93ffe75b36e7c0856aba77af6bfe32e39fa33a3ab57e86d5149eb4467eee99cef293349ca3859d2b9f5ffd1594f8f0cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\6jcxbsze.0.vb

Filesize
371B

MD5
0cbe1eebc3d9d1ee2dbc5c7d68480119

SHA1
4464a048b510a148a3593a05f443352fb47b3c31

SHA256
c7933b08416fbe1589d7779199476060d7a0695661bc7b1b4cbce3620ac2cab8

SHA512
0d01f66d2d70673ede4f7bd45abbee7b52d8be2709b7bc35361a9bed2dd044169d0fbe7455ff9d8a52f41d3afbd6ce768a98e5b5c4a1e675a08d40a7f8ec533e

Download Submit
C:\Users\Admin\AppData\Local\Temp\6jcxbsze.cmdline

Filesize
265B

MD5
35a1384409a85f82f29004692e4b1895

SHA1
7e17da77622d6aa122c3578d63418752d1581ea7

SHA256
4e46bb61a838d010ab4549d24326b00c821739e7c58e933233861baf9096fad0

SHA512
e8bc4af298bc815e6435ebd41cdcc16ddebb4eecdfc6c7beeb3b129995ac898f42b2e5f86a43e5f2bf29709086fbb22212ea2ab86cab4e9feedccf072b6fc5ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\9ka6wtjy.0.vb

Filesize
373B

MD5
092725c63a4826e3b70627fe94e8520a

SHA1
d52b6e6128ad22c947603c8b0ce8d0ddb24e2602

SHA256
b8da19b332ac934f9a7f6d178284e57c2b8c8da9fc52d52753ddfcf7fb5e2090

SHA512
6ba356f0935dba7a816bac203344d456ced77df64bd8151a1450e3d859defe9ced709aa6696e5032da837fca7a853c77422e9a685f3099758613d26e0a115a5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\9ka6wtjy.cmdline

Filesize
269B

MD5
aeada803a5e5591dfdc3ae5f636279d3

SHA1
f4d232cf7dbba5322926b7dc2db9d4fe7dde8513

SHA256
ae276f380d09a8064ab38757ae1b0f3ab3ec541ab9469c8b42b436c3edf3a61f

SHA512
2f813b23c0ee738bad9947fdf959689afba8890b6304d3eb2adb123e8a5ad92536ea45cf80884cbe2ef1022b1760c61aa86fa0dde4e06ecae049db6b0fee7f1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE484.tmp

Filesize
5KB

MD5
7d7f707e7779dbcbe920c7158cb8961f

SHA1
bbba7673720f80ae637e9c2d059beb7afa45a1f6

SHA256
3460d3785c5738530b49c0a9987ff1df00a848e2005d4c7f6e4a6a5b9199af7f

SHA512
a48c2b689115a34413ef16a74f72095450b219734e5419f0e3e6f3f43035366a3d1ad1162ddf2a26f1cd0d3c0ed412d12321daae49c9755145ffce7e7dea8050

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE668.tmp

Filesize
5KB

MD5
e07883c8a5a55b0935d5c7da01073e96

SHA1
b869a72c145c9b6fbde4396642f14a7c51c6c386

SHA256
eb4934f5e173b6a0401904c175514647c467184e80fb4739dc4847cdd9e68511

SHA512
26636b7696ba9b7a0629886c7f12fd8e47b2cf1f17916ecdeb77e392337ea19ea67f73efab84c9ce315a0664867c504347d11183a13df0d29178d4163ea3c40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE6B6.tmp

Filesize
5KB

MD5
a9b47cdb4681ada608450b4176ad3c4b

SHA1
9fa54d7d61caeb063b422d0f23b8259b5adb24da

SHA256
311dd94336addce86d1d7885ee76134db3ddcd60aae2c097dd1194c1a47bcbb4

SHA512
d2fb67ed8b9324efcc54f3d466852d365d626b04d25e03e45bfcce6b4ccdd24ad26ec40d0cfe1878a353938ca6e41c8ae6c6992e4d0a17c0edb95fcc69563f00

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE714.tmp

Filesize
5KB

MD5
d2f7f2e6950228af4226ceb9a139c461

SHA1
aa2e639ab070bd76c0e167febd3539a3f640826e

SHA256
6e0be32e9a79d338538c604bdd4d8cf659c9e3816c2944b88abc453f6402cba2

SHA512
71d43b144c9b3a8541cc316924e648d3da4b0a9ccec00577fc1e81c442a96522929d1fbe81564fdfc5f0229b2a6b4474121a9ccce587c326bb5953a496e29bdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE772.tmp

Filesize
5KB

MD5
728c6d03d513e31accb9887ebdd66453

SHA1
23add0ec12e882ef8be2052c8b762c0fe45598aa

SHA256
f6a37f7c4cfcbbd793f5333cfabbfe97d529b079faadb1b1d36a20d604516f64

SHA512
fe47d35eaa34ebe2a9e8e694f2df61866895b005e11861882e36162a30823a98adcfbdfbe13a0eca0084c7e057455cd6d9682e3de881f747eb1caf31801fdf7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE7C0.tmp

Filesize
5KB

MD5
b1bef21e37e3996e768e5c8d7afeb9de

SHA1
6bee8734074122a8e6c05ee8ffb1a2d7c5170f55

SHA256
0e5f749bfc3b59a5de90a399b43a930b24db02b63b28d117f5f59b4ecfa33f00

SHA512
3bf19773b28be93de5365483370ade7959d0e3429fed61f58438b5ae8b8af5a50132ea2c4b9540f1f757b522c961058e2669d1a82209859aeb0432caa44ace17

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE81E.tmp

Filesize
5KB

MD5
1bfdac30ef37647da869e700046f8424

SHA1
de204f4cb2c54ad1367819ef9e097b4d8e04905a

SHA256
017f73ba31ca4188cb32edbdaf43f0fdd436b0fc9c435eb71b9e0e4e57a0fc7f

SHA512
5d2909a505d332763dbafa5124f9df54ef69f7bf774e0b2741abf372d3dbbbf7f83a2b6a074c04dfe64357b5faed5e81bc312b0e0146f44984dbb57a3632d96c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE86C.tmp

Filesize
5KB

MD5
91c208445b001fa1e4a5849ca4f075dd

SHA1
cee905bf01990494c76a06937103c127dd82c1a6

SHA256
ea4e4ebebca9922e6eba33ff14af3651308486fc358639df0e5035f7cef0fa7a

SHA512
d2968d491e6ae8e770224e85aa7d50250ecc34573d88877c0dcb2d9fb5695c8f4ebcdad24e459126e0952b5b7e660dbd8fe4f087a8b2f354f2272103de9eaaa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE8CA.tmp

Filesize
5KB

MD5
3677a5693cb1d989e8469ab140f63d41

SHA1
974f9705ceb632ce090c76bc203f0215abdec763

SHA256
52111966cff510fa7312347465c0c0062c09f290233c34115ebf02bf7afdc296

SHA512
92a3129e139fef334729ef08437aca5aaede7611aa829fec7d590f7a61a4f738436106344ab9362ee92be07beeedc6db4c0710ce99ea1e644892ec2a7cbbec2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE927.tmp

Filesize
5KB

MD5
b930b03b340c13362434cedd89af69df

SHA1
dca61695153f3399cf02162bf1ca7b179794165a

SHA256
a5f4e30d997fdc731d0a6d3b8f5a3a1c5d13b23d41d318cb573de604660de3bd

SHA512
4d2fc204ebac262e365ac90db5e8bf8d0f96b158b871f0f32bba577da5fc9d87b2c6c4c76a2273dbea1d59ba283db5e464d036fc0ef7eab406ec2ab966b54069

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE975.tmp

Filesize
5KB

MD5
6b8d30ed984f3f65e28ae85fb8910917

SHA1
f96c2a1aa19ec757bc9c7af7f08d7dcf5e6ec1fc

SHA256
242f7640d89d0705e7acce59f4cea4d114b1c9429bf729b9eb62048cdb61632d

SHA512
e09b5e72b42c2933483d846f0e6ace6f08ad16e9f90c3096884213943235a26bea579df570f780dfa06f544e49651b5d41604dc87a3f11a558a1b57ab0fe81b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE9D3.tmp

Filesize
5KB

MD5
f06d696924a6705f313aca356c803a0c

SHA1
c9d7c8d59dd82f128d0b913b85f92438a457d14b

SHA256
31fbc4cb2c1dde10a28bdcdf687b64245881a1504a1dfbb2f5c9e155683009af

SHA512
ef7a8e9d880ce6324e68e6efc62091d6a73e4dd57decbfa8ca13e75bb70d6d947a4bddaeabb32d0e3d982bf58e98bc0595c4dfd9df1cde82788441cc1d52a722

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpi7buve.0.vb

Filesize
364B

MD5
71d7346797abae107b1d3f4f6cdc71cc

SHA1
da1c9d302f666c47548c5ab9b900bb22fa1349c6

SHA256
a3f1a0d1e72bb9bd4ffeaadf8d869e9c9d6844abbc1292d67a7a8b2ccca84062

SHA512
af7ef9d7938b0a5c71fcf32f83900ca88540342935b81d6837cc1a2cce3b7f573e6a1e40159e1a7d6f8fdf36def8e60b26ef093b2f8a91a87e4963f3794bd268

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpi7buve.cmdline

Filesize
251B

MD5
3e46e230364bd38dae5658a43c132906

SHA1
3042383dff2d2b061bece2d78798ef1c6052150d

SHA256
7a9b4194cd5dfc7b0caaf06456dd746c1e7918766ece3cc1271604dfbc62799c

SHA512
2677bcbe5c52906e1c721b92e73ddd1c8b622d8a4e6d1be05aca4e4fc160718ed8d9dbc27677add7d88e6b82d4fc147b541708013a6d64f5d8109386bc94fdce

Download Submit
C:\Users\Admin\AppData\Local\Temp\gi5p8dpe.0.vb

Filesize
350B

MD5
d218f9a92f7efb8352e4379529dfcf53

SHA1
be4cfdd2c4b4e38bc0efb194ba82e1ed51ab2747

SHA256
049db6eb92be2d9e346d46136631a9cbc0b5631f97a9c983cd0ad1d57b4545b3

SHA512
bd27e08697d495b1f09a0adc597582c322d8f4497182aa714c741b8fd3a246aecca86f7d89c7e482439852560f7b1daa066e9c2890c33ddfc3c219cc0e8e1e59

Download Submit
C:\Users\Admin\AppData\Local\Temp\gi5p8dpe.cmdline

Filesize
222B

MD5
f48dde0dcc084b5775cd7ea767fb7f2a

SHA1
b634ebf46f8afb42c320c13d9ee778b3640a2a3a

SHA256
cbe1193f0cf4caf34a5fc5e59f7fbec128382ad745016d2f175645ecaaf52bcd

SHA512
c212e592ddbd71d8d586e64eecdd2a24743604cd8a7f3a0a2f99aab9387a9b8f96a71367cbf0d5356b14b808d41104d3bd512830d099c3dcb15a3e994e578d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\gstywjjf.0.vb

Filesize
370B

MD5
a28f759b56747dfa8af30fc20a56b25c

SHA1
280c659d3894ee7e9bd358d8f34917989a41cac5

SHA256
5c2ea2dbd122f95e85ed48d0337aa4e4dee8491b403b5d059dd8ffd955f3240e

SHA512
279633924303dc214d8cf8b1d3b8bf73064d4fe4f7b10a70e428df3f06d598022e093ca326b30bc0bae203f2905bdd8e71586a4b3b1651c39c5c16c9be9e8ee5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gstywjjf.cmdline

Filesize
263B

MD5
8e784c2ad4cd086c3a78c134ae819b60

SHA1
5d74075394d499ac5e7a20b1ba2d438eb0f1a649

SHA256
df4a870cb7ff196d6a5b9a7c4f22e6f5c0f8c33bbad0fee694c99528a6ac48ef

SHA512
31b2c031fd888e509165844a9cb8b711782b964357f4560911faf7710b8a27bfdc1848d0315353092120825854e639b4dcb04e05ceefa430509511dacf9b83a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\guoorji4.0.vb

Filesize
364B

MD5
a805663cdeb9e9f6fe89453e0929e69c

SHA1
c47e036fc5f9b6645b9df46bb45c31882e16359b

SHA256
5ce9fc68b157fbad93b7e5382c2c6700338c6cf0fbda4ab35973af9e12ba7976

SHA512
f9461261003da237a521634d21d9093f2c7587d00adfc4a24322dd6651c65729cfbfcb1e1cabf9764795c6ae035e93787f72b58b9fbba91802ba4aee708d0800

Download Submit
C:\Users\Admin\AppData\Local\Temp\guoorji4.cmdline

Filesize
251B

MD5
fa76d3979c8bebec514c317381a1909f

SHA1
5c97685f5a998f8505a7d8209f9bf8b1e82db99d

SHA256
cf6ee7cff2e6b1d994c3fb560deb11d17e957cfd6d3d14b6aad064a6be1eb509

SHA512
482ecc59f54a471eb746753142dedc18bc6b2d3061eaf63024b898b65e343a02a3e514b6c3813cc5f4a0abd985e6366876960897db951c962c97455d1cd83cf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\halwa3jp.0.vb

Filesize
370B

MD5
7acaa9f580e1192f71d1ba97256e3433

SHA1
97fb9f84089b3fd1421b46cd7ab574449ebc4f79

SHA256
26335ac76903cd1bd1cc14e9992c68d232fcdd8459c36c06347fc59eba4b4dd4

SHA512
d8ecd96f397926d439ebcc4084273140ec7999d8c24e2220589ce2c9b8c98802c69bb4158d6e36b288f540d97f73e549a0b3193ac05f270d94893c2d5a8b8d8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\halwa3jp.cmdline

Filesize
263B

MD5
b498e08a088a3b2abf52b1dea66e2dbc

SHA1
d5b8e12f1706149b5dabc5618c24a6768ebf3d17

SHA256
a93f8f721b006c98e7978954bc281a69fecb2eaf51b3dc3a8148352219e33298

SHA512
2225f5d271f0e57c3328e19f48aae006243c5e088f353af8c6603f4371366ee3895f4253e1cf48da72743531962731679ed5b7880e34a212586263199c1fc009

Download Submit
C:\Users\Admin\AppData\Local\Temp\ijiaw5dd.0.vb

Filesize
350B

MD5
9bfd3f70ffc33ea1d6c18d3f8b2e1d8d

SHA1
6b8d8bde6af0427cb620189a5bb40dfb17c76e21

SHA256
eab6eb97916296b8e37f7e462781d446f11f42b65954a33e3a373c26fe1bd296

SHA512
f9f77905f0d545adb3d3213274b5c1833c03d3085e0b4396752f8d29e452a42fbddbf9c5c3dda56a1864050beec6b54fa28d77629e3b2f6944b500a5f6a40835

Download Submit
C:\Users\Admin\AppData\Local\Temp\ijiaw5dd.cmdline

Filesize
222B

MD5
3d11394e96d0fcccdae62b29b90fabb5

SHA1
9600b73567e809cea76ad62273423cf6e800d35a

SHA256
73f46967dfcb8e84d6032a56938503baa45dc49957f81c4a7f51fda84419a858

SHA512
9d1e78f66412840201f4a72ce55b7500e1b34960b1ffa5c0b55a363971360ba021fdc14b69ced7653d395fc5553bd21a2e036d01149ff14ea87b3e7523226f9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\oxadopwl.0.vb

Filesize
373B

MD5
fa7e4466b90ba25058de76b30262f0e5

SHA1
3a9d8bee1a114480f4970acca214fdd28498eb0e

SHA256
c964605b192f8705f0cff7ea09f9ba8aa711d2da75ff70e757f209d6b73e79f6

SHA512
8c585991733cc02560ad8cbf4c8c94cba9e0226ee200005c9ecd348e6e72fee1cdf9b16467d5061b32c95a51d9664c77ee31ab1f50532bbba0db288da70ca1a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\oxadopwl.cmdline

Filesize
269B

MD5
8dba181282d5a894e0630db294ac4736

SHA1
f033efa89aba65d45fe02cd6eede7b1266ed7fc4

SHA256
14a7aac70e404d0edc398c2b6382d8f17f7cfc04666fae81f6a691426b841135

SHA512
e069eddb83819d3cb85c00fa6199b841dec4e71616f6ea70c4d19a116ba710926967a681fa513fd64314bd3324331daeffda5b35689e9a32107901d2efc796c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcibinyx.0.vb

Filesize
368B

MD5
301aeb81144d04563cc208ce44618fd9

SHA1
c6855cb8ff33826ef90c45c3e4c18bb88a598899

SHA256
ab4199785e8e2c566b040e9cdd3f6b000a9d3bef126c0efeed3cc42dbd3a558f

SHA512
bf911ab97e8154d3ea59b3f3701eecbb8bab9ebaf84fd8b7e2f6a3b97bea265f0b80fbdc07333addbcf6ff216789c842a35d653a7a0c52a877499ad31d8336ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcibinyx.cmdline

Filesize
259B

MD5
33ea2caa098261a6376440bf31294ec1

SHA1
4d818403e07440d67127f7bf3f6b26962e41f394

SHA256
eeb0a1ade05a77cfe7a7bf1cae0707fdb4781e00e50cf75a6e5d60f6729b7a01

SHA512
eb407f92f53874784787998f991009da300b2b1b3b6a641d7a41dd53e26dfff96febacc55546291bc4c7b7a71715ac472f88b3d1fa917b766bf4780f9fba77a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\raqknscx.0.vb

Filesize
368B

MD5
7c23d3162b53d19bd75ce4bac650296f

SHA1
e99b70fcf76d679536050ec41a4b542ebbe9be53

SHA256
c95ff0c03c6d2b670e874bed895433af0202bf81c63159a327745e907f05b22c

SHA512
bdf2c45a390386bb669e8165a6c05e7028cea302546a4a418ef50e850328726911492f267c9d76b2c1abe3cd24e3f84b96d5d5191b4e39ea2e11ffdbc0056d61

Download Submit
C:\Users\Admin\AppData\Local\Temp\raqknscx.cmdline

Filesize
259B

MD5
ace5f726e5135bb7376ad51f2cd124f4

SHA1
5150f277901ec6df5d0f470271e273f780c7443d

SHA256
bf354472ece7ddaa1a4189b78d2ec9fb7ba2e471cd00f99cab0e08e347ba9a0d

SHA512
5a148e6022a3f40e05c51380d75a7aa3145490c6232623c7bcc33d41f9444ad2274f9d851a43ca1304cf3a57c25e4081f77dd54b2208feaf8c9f1670f3a845e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc251CBCB3F0244C58F2D6EB188C1F8A2.TMP

Filesize
5KB

MD5
e5e84034d2ac0354aad54f1673cc8997

SHA1
282c061198e58ad7bc7e80e9023abfa13c797979

SHA256
7b4bafbda45f2ba57821a007501793fe2c0192ca444194e86954f2894a607520

SHA512
9632d990e670ee8709a1e40e5c8971fbb010fd08356054a17752dedf57cbee551fa14a7bfc6508bfe2944ad5ba646b2e2b5a67a97ab89b4bcc09133c66008fe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2EA4A2EECB584FA5AC32B3C7D52333.TMP

Filesize
5KB

MD5
4101ed14982d97a01f2f2f7783d4f761

SHA1
b76c8ad34bb836e196608d5b00a955aaaca0cad6

SHA256
ec39ba99027e63008c6720907a01d81d5d251f77cda61ef7e3bcb2657a737238

SHA512
74fa7e634201a7079b5ee468c158d69e137fb480c982be56c112c29017f1689cce5931f790ef0bef697a9bbf9931b544f70dd94a3311525b2e8fd449c4eda7d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc36115590F88D4D989FD45FAC22C6B43.TMP

Filesize
5KB

MD5
7546d642743508a62fc0f56dd8284640

SHA1
6797c7dd228f1e2b3c533f81c6ba982c029dd63d

SHA256
3fbc778e3e0fd3fcf622574f0b6b88ad4f551399623b5aa55b0a1dad460881cf

SHA512
246ddeac4bdf3ddecfb6ca665326d4582d96b246bca5bc2bb250c876f8685df88cb9326becd763d4ab7efbbd866f6e8ae58d7315e5380ba3c52527a29e3e13bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc47D732DF445C4E359D6C7274D7613286.TMP

Filesize
5KB

MD5
0bb9bc2dfe7f734ab0c2890c36ad2c66

SHA1
bc67a6b7db05994295bb6b519d241f5c1e4c6db7

SHA256
8945e532b20f7a711de0b6f9afa9292b902e62feb5c0c23ac18b82a621fb10f8

SHA512
d31a15d38667a62f67cff177d6ffab56f5926a897613d361e97ec606192daec0083703f2fcfba1b0b4802cf40830c9e1e9905fab9172b5d4dbaf686d24b3529e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc56B1CB5E6D94783B33062E94E1846A7.TMP

Filesize
5KB

MD5
66e297ddedc5c50c7ec186230a383460

SHA1
1773e2dd43911f382a6c238c80700752ef9e9de2

SHA256
2355a1758d9b87f7ec0867bace4ecc11157861488129c85caaa94be094199e16

SHA512
99c0a867bfa4870e768fd611a84767346f406fe5092344782d6817e125a64795b1504456ea315e4f40cf2981f13323cec57ab2a6be89677a5e536ebd1f03173a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc655637DA252B4818B74C648D4415E6EA.TMP

Filesize
5KB

MD5
b6ad3aac3b85b68ea607a441b8c253c9

SHA1
c85b0a0a85f32c5ba262a988c990455cf1f6524a

SHA256
9ac8e31466f47602d9cd538fd5f643804bd9a82ba68d1c21cfab62249f54c440

SHA512
33802601db773d4dd8e5e2983f603d638d6b86ee9175c723c5932c018e37d61649581d8d3a978a7e3de559f0dab7664d66e08a786e5d57abfc185df3cb59ce1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7A932A8B8B0F42BA981B2178AD5FB97D.TMP

Filesize
5KB

MD5
80f4bfe0eea9342943d6ee1cd6ae742f

SHA1
72c32d6d88d1be8a356f7fe32cca1916c5f89a1b

SHA256
8b55dd177da6968bcb2e0783659036040e6dbdf9ed8c7c0944da5b504175e2f0

SHA512
8052433e86b4a5effdd689a9895d7e1f2db8965fcdd7580f9c769837d09a78a360f9eb038148493f14166b06d5ec0aaa2d8ff14e92a650c81db2bc38f4bf299a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc91FC171D4AF94594A8E667B1CB6241B7.TMP

Filesize
5KB

MD5
3eba8e5a29fb3ae762d889fc8b8cc82f

SHA1
81cf9be1aa1a5589b7e9c7aadc1e584b5a504e31

SHA256
a8b96ac3ec50a1d99e38c3f869b5e089e2bb0ef77fde9f3547bf6d06a35d62dc

SHA512
910ad0f23308ec55dc47135da11676ce1e89133c336c3ab9609e780bee3e9a48462859ad275e9b4d258fe7d74a0f73772f15afb0e90e2e90c4dd892777e5ccc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA57D65FD4E249E8B03C79F295225D6.TMP

Filesize
4KB

MD5
e7f640ec19677c0935e1a3c4001def7d

SHA1
0a5d7c5a46a05c64a061d71d4fcff49ffea81047

SHA256
b1d81a9389f1c41e531b8ead4f5ba64acc817a1f6d1b8fc99e1ce681b41fac0a

SHA512
38ad8eb3a9f5d55cf675361b8bb041d1b476f609adb92af3fffab266a3d77ccd8d4fa6be106d7f1f0953ba176a153072aa643963773839ebc0bf74f6d1d40979

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcAED58378E8E94A10AD51FDE659B132A.TMP

Filesize
5KB

MD5
8c4f799a2ea1844abf72a2d21fc1caa2

SHA1
1c9957e6676cec3f188d1b5e640e9440b5e4fa69

SHA256
6f475dff998dc22aaf745a084db90602b0b2bb6a3935e2cfec55dc6aca53b499

SHA512
f69c529ee1385753709f8d02806bb5eaaca5322f27e74e89d872eca801f24f1177c6432ada1d5573b258768c5399159726f3812a4ea42c52afd83dad35505f53

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC75C7257BEC4556A3A87848139B10C4.TMP

Filesize
4KB

MD5
658e06248e3b6740b4779ad3ee4d9de3

SHA1
4fb62f19e197a5db3f8f10b5f2ab043d76da2c5a

SHA256
bf6ba1cf1820ff3f799286d2ba311ff4a5ed9b01aa88a87f964f413b52ebd1c0

SHA512
a603957d4d3a9255f84c95f80f8a60b3571275cdd789822f49500bb60566280995abd7002a0e697dace198462078b4215195aa2543657e9af86cd12635cc0c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcDB667C251DC46EDBBA6A651AF325A7D.TMP

Filesize
5KB

MD5
28140801d27f0b268232b3119161fc0e

SHA1
84500167e696e800ef6a9230246564396d8afffc

SHA256
176b2a0335d7d540818c89fc986aab8493bb044f55342373dbf6df45b615b27e

SHA512
4a10b50e09117dd192ac4992188b420bf8121e4878eea5acfa8f2a914189514920360c87f0fd64cf72fa18f0980b30f05f7c7ab7ca0cbbc28ddde9bf7c217187

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF0C38CA6EFF5458881DF27FF6E156B.TMP

Filesize
5KB

MD5
2462ca0d81c85c4721a0f608bbf64300

SHA1
f1aa961f39ff7e5927637a262b487f787e331dfe

SHA256
6a1a0137e29956cd79a698fb6260eaaeca1adf1eda0bc4d3d5ca90b369590875

SHA512
edd9e12fbe397a7ee320789a373929216f2b064369fe0d497ad7837a57a4a4070d33cdb4acd8f8b4906198e167e4cdf1c09e6e7b978a4926938abfc8adabb39b

Download Submit
C:\Users\Admin\AppData\Local\Temp\w6buojnb.0.vb

Filesize
370B

MD5
d05abac972a7c3d935cd497fffb3a799

SHA1
4fe46532885b39e8494db8f1bf86d26b8e9e52db

SHA256
69a1e37cf1d90047e4cb423756440e52ee74990d1f54e31bd96d14eee35d5c50

SHA512
f19405afdcfe7a784011e89cbe3e9261cfb7d80cecc7bc53097637ab71f94981399f0ec246352335b53a939b7131d12ef098859ea8d6de0c3be69efb97b82ade

Download Submit
C:\Users\Admin\AppData\Local\Temp\w6buojnb.cmdline

Filesize
263B

MD5
e339315af05e3d82f353fcbc2c6d2ac1

SHA1
15a96a07f5c0233c958d19fea74b3e9e55b9d3c3

SHA256
8d84a8ea7a40d8d70a0346bff496acd6f977895a694790da036d3caf87fedd2f

SHA512
0400f852f57c7e71c1101516d5e50de07feda4a2d8d03f4e8e694d3b3dfbbdb1ee545938a0a2bcab2bc5354714217fde477321be053cc402f4d2ccec759fdcb0

Download Submit
C:\Users\Admin\AppData\Roaming\Chrome.exe

Filesize
601KB

MD5
c558f1a93fbb271ba8b0b50b822fe584

SHA1
b96b0203cf05d1864fd6013c563935407421e5ec

SHA256
e19811007358c2fea5eba596d6a63a70e11b0accd479ce63afd9be273422a3e6

SHA512
1a6cc8754156a4be60f269d516d32611065ea0e91ed0fa1d528ca2e874af3c73d778ecb5beb0655a630b4e30d528fdbb216c699eb0ce2df1793dcc5055ff1a84

Download Submit
memory/1800-27-0x00007FF99E550000-0x00007FF99EEF1000-memory.dmp

Filesize
9.6MB

Download
memory/1800-18-0x00007FF99E550000-0x00007FF99EEF1000-memory.dmp

Filesize
9.6MB

Download
memory/4800-5-0x000000001C920000-0x000000001CDEE000-memory.dmp

Filesize
4.8MB

Download
memory/4800-4-0x000000001B370000-0x000000001B398000-memory.dmp

Filesize
160KB

Download
memory/4800-3-0x00007FF99E550000-0x00007FF99EEF1000-memory.dmp

Filesize
9.6MB

Download
memory/4800-2-0x00007FF99E550000-0x00007FF99EEF1000-memory.dmp

Filesize
9.6MB

Download
memory/4800-6-0x000000001CE60000-0x000000001CEC2000-memory.dmp

Filesize
392KB

Download
memory/4800-1-0x000000001B0B0000-0x000000001B156000-memory.dmp

Filesize
664KB

Download
memory/4800-7-0x000000001D360000-0x000000001D3FC000-memory.dmp

Filesize
624KB

Download
memory/4800-8-0x00007FF99E805000-0x00007FF99E806000-memory.dmp

Filesize
4KB

Download
memory/4800-0-0x00007FF99E805000-0x00007FF99E806000-memory.dmp

Filesize
4KB

Download
memory/4800-9-0x00007FF99E550000-0x00007FF99EEF1000-memory.dmp

Filesize
9.6MB

Download
memory/4800-305-0x00007FF99E550000-0x00007FF99EEF1000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads