revengerat | 02a390aad8d557693715b7d58f42d6685a6f464a7df854b2652993d9e2e53ef0

Analysis

max time kernel
148s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28-09-2024 08:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fbdca5d8d0459e4f2c0a1a6f9870a000_JaffaCakes118.exe
Size

108KB
MD5

fbdca5d8d0459e4f2c0a1a6f9870a000
SHA1

65ccc01b26739706066f7c5d8b52ef67e4830f89
SHA256

02a390aad8d557693715b7d58f42d6685a6f464a7df854b2652993d9e2e53ef0
SHA512

0ab28167405d40634a6353f7ade8dc7a3ddf57920ac211568a8b44c75be5be108f4f8e6c15d512367542e3057f6bc690c65c1d67d38a073a46e8941e7c1cdf1d
SSDEEP

1536:Wn/RHEQG+JGI0pz0y5W78MmEMmaZiTVRV37jBqaG6D3tSYvGxdHI+:2KV+JGI0pz0yamEMmaZO9j39SYv7+

Score

10^/10

revengerat persistence stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral1/files/0x00140000000193c1-320.dat	revengerat

Drops startup file 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System Manager.lnk	Systemt.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systemt.exe	vbc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systemt.exe	Systemt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systemt.exe	Systemt.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System Manager.js	Systemt.exe

Executes dropped EXE 1 IoCs

pid	Process
580	Systemt.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\System Manager = "C:\\Windows\\system32\\Systemt.exe"	Systemt.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\Systemt.exe	fbdca5d8d0459e4f2c0a1a6f9870a000_JaffaCakes118.exe
File created	C:\Windows\system32\Systemt.exe	Systemt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1984	fbdca5d8d0459e4f2c0a1a6f9870a000_JaffaCakes118.exe
Token: SeDebugPrivilege	580	Systemt.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 2868	1984	fbdca5d8d0459e4f2c0a1a6f9870a000_JaffaCakes118.exe	31
PID 1984 wrote to memory of 2868	1984	fbdca5d8d0459e4f2c0a1a6f9870a000_JaffaCakes118.exe	31
PID 1984 wrote to memory of 2868	1984	fbdca5d8d0459e4f2c0a1a6f9870a000_JaffaCakes118.exe	31
PID 2868 wrote to memory of 2848	2868	vbc.exe	33
PID 2868 wrote to memory of 2848	2868	vbc.exe	33
PID 2868 wrote to memory of 2848	2868	vbc.exe	33
PID 1984 wrote to memory of 2644	1984	fbdca5d8d0459e4f2c0a1a6f9870a000_JaffaCakes118.exe	34
PID 1984 wrote to memory of 2644	1984	fbdca5d8d0459e4f2c0a1a6f9870a000_JaffaCakes118.exe	34
PID 1984 wrote to memory of 2644	1984	fbdca5d8d0459e4f2c0a1a6f9870a000_JaffaCakes118.exe	34
PID 2644 wrote to memory of 2616	2644	vbc.exe	36
PID 2644 wrote to memory of 2616	2644	vbc.exe	36
PID 2644 wrote to memory of 2616	2644	vbc.exe	36
PID 1984 wrote to memory of 2688	1984	fbdca5d8d0459e4f2c0a1a6f9870a000_JaffaCakes118.exe	37
PID 1984 wrote to memory of 2688	1984	fbdca5d8d0459e4f2c0a1a6f9870a000_JaffaCakes118.exe	37
PID 1984 wrote to memory of 2688	1984	fbdca5d8d0459e4f2c0a1a6f9870a000_JaffaCakes118.exe	37
PID 2688 wrote to memory of 2664	2688	vbc.exe	39
PID 2688 wrote to memory of 2664	2688	vbc.exe	39
PID 2688 wrote to memory of 2664	2688	vbc.exe	39
PID 1984 wrote to memory of 2792	1984	fbdca5d8d0459e4f2c0a1a6f9870a000_JaffaCakes118.exe	40
PID 1984 wrote to memory of 2792	1984	fbdca5d8d0459e4f2c0a1a6f9870a000_JaffaCakes118.exe	40
PID 1984 wrote to memory of 2792	1984	fbdca5d8d0459e4f2c0a1a6f9870a000_JaffaCakes118.exe	40
PID 2792 wrote to memory of 380	2792	vbc.exe	42
PID 2792 wrote to memory of 380	2792	vbc.exe	42
PID 2792 wrote to memory of 380	2792	vbc.exe	42
PID 1984 wrote to memory of 1200	1984	fbdca5d8d0459e4f2c0a1a6f9870a000_JaffaCakes118.exe	43
PID 1984 wrote to memory of 1200	1984	fbdca5d8d0459e4f2c0a1a6f9870a000_JaffaCakes118.exe	43
PID 1984 wrote to memory of 1200	1984	fbdca5d8d0459e4f2c0a1a6f9870a000_JaffaCakes118.exe	43
PID 1200 wrote to memory of 2908	1200	vbc.exe	45
PID 1200 wrote to memory of 2908	1200	vbc.exe	45
PID 1200 wrote to memory of 2908	1200	vbc.exe	45
PID 1984 wrote to memory of 1388	1984	fbdca5d8d0459e4f2c0a1a6f9870a000_JaffaCakes118.exe	46
PID 1984 wrote to memory of 1388	1984	fbdca5d8d0459e4f2c0a1a6f9870a000_JaffaCakes118.exe	46
PID 1984 wrote to memory of 1388	1984	fbdca5d8d0459e4f2c0a1a6f9870a000_JaffaCakes118.exe	46
PID 1388 wrote to memory of 1956	1388	vbc.exe	48
PID 1388 wrote to memory of 1956	1388	vbc.exe	48
PID 1388 wrote to memory of 1956	1388	vbc.exe	48
PID 1984 wrote to memory of 956	1984	fbdca5d8d0459e4f2c0a1a6f9870a000_JaffaCakes118.exe	49
PID 1984 wrote to memory of 956	1984	fbdca5d8d0459e4f2c0a1a6f9870a000_JaffaCakes118.exe	49
PID 1984 wrote to memory of 956	1984	fbdca5d8d0459e4f2c0a1a6f9870a000_JaffaCakes118.exe	49
PID 956 wrote to memory of 2096	956	vbc.exe	51
PID 956 wrote to memory of 2096	956	vbc.exe	51
PID 956 wrote to memory of 2096	956	vbc.exe	51
PID 1984 wrote to memory of 2920	1984	fbdca5d8d0459e4f2c0a1a6f9870a000_JaffaCakes118.exe	52
PID 1984 wrote to memory of 2920	1984	fbdca5d8d0459e4f2c0a1a6f9870a000_JaffaCakes118.exe	52
PID 1984 wrote to memory of 2920	1984	fbdca5d8d0459e4f2c0a1a6f9870a000_JaffaCakes118.exe	52
PID 2920 wrote to memory of 1700	2920	vbc.exe	54
PID 2920 wrote to memory of 1700	2920	vbc.exe	54
PID 2920 wrote to memory of 1700	2920	vbc.exe	54
PID 1984 wrote to memory of 1368	1984	fbdca5d8d0459e4f2c0a1a6f9870a000_JaffaCakes118.exe	55
PID 1984 wrote to memory of 1368	1984	fbdca5d8d0459e4f2c0a1a6f9870a000_JaffaCakes118.exe	55
PID 1984 wrote to memory of 1368	1984	fbdca5d8d0459e4f2c0a1a6f9870a000_JaffaCakes118.exe	55
PID 1368 wrote to memory of 816	1368	vbc.exe	57
PID 1368 wrote to memory of 816	1368	vbc.exe	57
PID 1368 wrote to memory of 816	1368	vbc.exe	57
PID 1984 wrote to memory of 3020	1984	fbdca5d8d0459e4f2c0a1a6f9870a000_JaffaCakes118.exe	58
PID 1984 wrote to memory of 3020	1984	fbdca5d8d0459e4f2c0a1a6f9870a000_JaffaCakes118.exe	58
PID 1984 wrote to memory of 3020	1984	fbdca5d8d0459e4f2c0a1a6f9870a000_JaffaCakes118.exe	58
PID 3020 wrote to memory of 996	3020	vbc.exe	60
PID 3020 wrote to memory of 996	3020	vbc.exe	60
PID 3020 wrote to memory of 996	3020	vbc.exe	60
PID 1984 wrote to memory of 1780	1984	fbdca5d8d0459e4f2c0a1a6f9870a000_JaffaCakes118.exe	61
PID 1984 wrote to memory of 1780	1984	fbdca5d8d0459e4f2c0a1a6f9870a000_JaffaCakes118.exe	61
PID 1984 wrote to memory of 1780	1984	fbdca5d8d0459e4f2c0a1a6f9870a000_JaffaCakes118.exe	61
PID 1780 wrote to memory of 1404	1780	vbc.exe	63

C:\Users\Admin\AppData\Local\Temp\fbdca5d8d0459e4f2c0a1a6f9870a000_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fbdca5d8d0459e4f2c0a1a6f9870a000_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bmusqvzu.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8D.tmp"
    3⤵
    PID:2848
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\34v2lytd.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEB.tmp"
    3⤵
    PID:2616
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\faebkov7.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES13A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc129.tmp"
    3⤵
    PID:2664
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bocwfinl.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES169.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc168.tmp"
    3⤵
    PID:380
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2ymdxc5p.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1200
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1A7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1A6.tmp"
    3⤵
    PID:2908
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\iyrnsxlr.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1388
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1E5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1E4.tmp"
    3⤵
    PID:1956
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-iqkj4nv.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:956
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES214.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc213.tmp"
    3⤵
    PID:2096
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sn_uxsea.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES243.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc242.tmp"
    3⤵
    PID:1700
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kvv35xto.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1368
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES281.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc280.tmp"
    3⤵
    PID:816
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zxvy3uxv.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2B0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2AF.tmp"
    3⤵
    PID:996
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xf3kz7w-.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1780
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2EF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2EE.tmp"
    3⤵
    PID:1404
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qplma_u9.cmdline"
  2⤵
  PID:932
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES32D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc32C.tmp"
    3⤵
    PID:2400
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yaq5qigl.cmdline"
  2⤵
  PID:1784
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES35C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc35B.tmp"
    3⤵
    PID:1760
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\msgnwkeh.cmdline"
  2⤵
  PID:1396
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES39A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc399.tmp"
    3⤵
    PID:2996
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zgwe43lk.cmdline"
  2⤵
  PID:1944
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3C9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3C8.tmp"
    3⤵
    PID:2404
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\on7luw26.cmdline"
  2⤵
  PID:868
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES407.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc406.tmp"
    3⤵
    PID:2944
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\n3mk1jwf.cmdline"
  2⤵
  PID:2772
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES436.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc435.tmp"
    3⤵
    PID:1736
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jeuxx85d.cmdline"
  2⤵
  PID:2732
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES484.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc483.tmp"
    3⤵
    PID:2852
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\z7vtpvj2.cmdline"
  2⤵
  PID:2492
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4B3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4B2.tmp"
    3⤵
    PID:2780
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rb--kq4o.cmdline"
  2⤵
  PID:2636
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4F1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4F0.tmp"
    3⤵
    PID:1644
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zrjm6qzd.cmdline"
  2⤵
  PID:444
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES511.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc510.tmp"
    3⤵
    PID:640
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0w0pjlmo.cmdline"
  2⤵
  PID:792
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES53F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc53E.tmp"
    3⤵
    PID:556
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xszb8sqh.cmdline"
  2⤵
  PID:1536
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES57E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc57D.tmp"
    3⤵
    PID:2964
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\u6_4ugvm.cmdline"
  2⤵
  PID:2604
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5AD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5AC.tmp"
    3⤵
    PID:764
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\buwxownr.cmdline"
  2⤵
  PID:2076
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5DB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5DA.tmp"
    3⤵
    PID:2164
- C:\Windows\system32\Systemt.exe
  "C:\Windows\system32\Systemt.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:580
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\njz7u7hf.cmdline"
    3⤵
    - Drops startup file
    PID:612
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAF44.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAF43.tmp"
      4⤵
      PID:1096
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\iluke4st.cmdline"
    3⤵
    PID:1864
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAF82.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAF81.tmp"
      4⤵
      PID:2144
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gbcnqsnu.cmdline"
    3⤵
    PID:772
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAFC0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAFBF.tmp"
      4⤵
      PID:2400
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\l2o33yfo.cmdline"
    3⤵
    PID:1996
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAFEF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAFEE.tmp"
      4⤵
      PID:2228
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\d05p-u_o.cmdline"
    3⤵
    PID:1072
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB01E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB01D.tmp"
      4⤵
      PID:884
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mgmrp7x6.cmdline"
    3⤵
    PID:2588
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB05C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB05B.tmp"
      4⤵
      PID:1584
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ijoek3m3.cmdline"
    3⤵
    PID:2380
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB08B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB08A.tmp"
      4⤵
      PID:2436
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bgfuyo6x.cmdline"
    3⤵
    PID:2700
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB0CA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB0C9.tmp"
      4⤵
      PID:2832
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-dcf8kkd.cmdline"
    3⤵
    PID:2824
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB108.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB107.tmp"
      4⤵
      PID:2428
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\q5wuzidt.cmdline"
    3⤵
    PID:2976
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB137.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB136.tmp"
      4⤵
      PID:1992
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\aeowsr6o.cmdline"
    3⤵
    PID:2812
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB175.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB174.tmp"
      4⤵
      PID:2088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SystemManager\vcredist2010_x64.log-MSI_vc_red.msi.ico

Filesize
4KB

MD5
ce45fbf7c5fe46598627f56ab4b6c99c

SHA1
e0f344ec6aaaed70ecb1f40e74876316233c06b6

SHA256
68792990a84b5c3448ff99c952444ee0d02c1877cc3245e5ae7aa4023c2f2440

SHA512
f6929b1af23f4f960340cd0bc8158a861fa752f7acaeec47c2dc3829bce2367f5afc901f1ae358a1ccda02d8acb529487d36eedfeac1c793bfd49d6b4aad407a

Download Submit
C:\ProgramData\SystemManager\vcredist2010_x64.log.ico

Filesize
4KB

MD5
e69bd49fffc2d6799ce66c2ae6db27bd

SHA1
6975a39f2ebfdab8ed2697d1708bc5d3e5353c0c

SHA256
33437d4fc42ab9380d430969c2d194e6737217ec838223392eb9690f0a79637a

SHA512
b9a931802f9adfefa61d15381873556afc8a605dacfe2703505394c24f1d6214183029c6d28c67b6cfdc79fac7961afe26e4cccdddd9c4d0461deee7a090f4cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\-iqkj4nv.0.vb

Filesize
383B

MD5
31e3735822581170bc315b1cb272d384

SHA1
89927d7f6961bb5fc5996a337045cf33880b5b46

SHA256
89186a964aea638a3fd1db4e9c83663cbd2d2df68f7a12871d4dd7eff66824ad

SHA512
f07f66747b7c970516c7471460ee80d1e69301b0a500bf52d353a69cb6579ad12e84de95a0fc8b6bc8d31b6b4111d2113c11d2f7b70937409c1e801678b21f3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\-iqkj4nv.cmdline

Filesize
267B

MD5
19993113e0a8e3f5f47307125eebf0e5

SHA1
153d535a93db115e3de41c54b898eceb767f3c44

SHA256
d339b464c769ac6d815f2785648ed9413e66ee180b6cbfdff3372699c030ae84

SHA512
56d1dd78adaa762e23836231bb8c8503f3987f05d82e4a4afd4b0931791de8e1bf03f0e66ef2c870508c152bf9b63a466edf7275a91195b14f5d73dbd833a17c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2ymdxc5p.0.vb

Filesize
383B

MD5
7ba97fdcf959cc50ccba58b7aac0d845

SHA1
5ad29e81fad153cc6171ef38d8bdab3ff2d2dacf

SHA256
52c775a1160cbe12d07a495b3be62ab9e5c6f0b9bebe86c901df32d30f1ce02f

SHA512
93588cacbfef08ac937d163c7b4186cc1616503a90b55d0c089d3639c0ead9d6e412bc20082ebfe5743dbaaa9540078581d17a5c36ef2eee8eb6d8ebedbe03dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\2ymdxc5p.cmdline

Filesize
267B

MD5
2186f1afa83951e379a33038e3523a12

SHA1
9009a36d395cd8204dc97ecc54b9da5a828ceb68

SHA256
0dc2cc7cc03d86efc44a3462c5a2ad246bb42bd841b3fa066763b8dca3e2a0ab

SHA512
a72a62ed8f3ad59d61d11fa66ed04fa9b4937f02f1ccfd94b344d0a29005b56d91441d2ebc23ab45d40223dfd38da36c4cc50eeea3da1cc9e4ac37919d62f941

Download Submit
C:\Users\Admin\AppData\Local\Temp\34v2lytd.0.vb

Filesize
365B

MD5
24ac7b7dbfccefe4c44a8d03507e51ee

SHA1
f3c6fe2f007e753e488ee07fe496d0bd72981d54

SHA256
acfaf99af2c9c4439ba2091513608e30f4b6263551aeb6e1fffee346fe468507

SHA512
b8f0f99040b8842bb66b7616f9020921d2c43b052b169c410c08fe27888f27a049f516cfc20643aa68dfeaa62d0bc58a5f0a4edf4fa0b0153769e2bf5fac8e5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\34v2lytd.cmdline

Filesize
230B

MD5
3800e76b000637b4adbdefe8ced57de7

SHA1
375c58b7dae04f111ffd92121676dc9c9d40031b

SHA256
339cf20c98b8e40f58dc845fe393fd24e2b72cc165e54990718351fd76db481a

SHA512
dd612135a9fcac93b167b65c08b63afd878993bddfd53d0d098e900c857ff43a4ec699d86d6f209c41127fb389a9b323ce2788491483518e012c61c5c238501b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES13A.tmp

Filesize
5KB

MD5
87351aceea337a5392f0a2f83e9d6bb5

SHA1
e8a563c61fd56ffe6463f8b5fb71bb9c905fd23a

SHA256
304591f75cc8fdcf1faba5adb1b02ccd77ffda0d6be9a13f7779ba764f81eb1b

SHA512
e4f92fc9baf2eab83204c7b1f996a5a7312b1142362ecefbb2283c0457bb855022706e6363be4aa411dbf31f27daed4666acb4ca02b100edcb51cab520410696

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES169.tmp

Filesize
5KB

MD5
2050118c1c91cfc4e426532254653997

SHA1
ab1f5360f642d72d812d7392011cfa0fbd251f14

SHA256
3e8ef4111f0dd63c74eacb624554aa344fd858971a2c25288634b719643ae94d

SHA512
dbbe6ca48346e45ed50b94237dffdb0cee9ef18402658809e91c23e2d054fcde982c995e523c9941ad483b647c83b7d7183eaa787d5a8e4cc8917985eb865aab

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1A7.tmp

Filesize
5KB

MD5
4ab414f9ad2fb23d49b9057b40d2fb0d

SHA1
7c5c90ab6b6146c500536d87588f622a83147a69

SHA256
61c796a3d050ba74dadfb9113f73862722db290207651694f945bcd1866dc81d

SHA512
d3acbaf10cb6b5cf9493daac46cda54cfb53a094963de25da7c74a82e6b292e6e4935a113caa14da45d2ce1abbe0fa5d4543336fbcf3beabd0b95a106a9dbab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1E5.tmp

Filesize
5KB

MD5
d558690bae5c1765dfd4f31edc232ea5

SHA1
1117f414cb249da07e4303db0c0a7f64db483f24

SHA256
a3037f7cbf8d36a62edd11e2bb94d9f8567fdf042de8ae5570fe6273fde9930a

SHA512
80ba17d9ff2e1b8299431359daf144a46d39ed41651b2cf06d633500af12a250a8bc7a86bc46945a303bdfbc4019b2db91e6520e95b775cad5c803e113fdf31e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES214.tmp

Filesize
5KB

MD5
ce35c731dbccf4ae42fde3fdcaf1dd74

SHA1
354cf93ed1c25800e9a0fc53ec6f51ed90392541

SHA256
bdec0f25f4fe2b97fc4c4023b1260b45eb4cdf28f890c2eaf3057b16be8abbfa

SHA512
d515bcdb972e3704056752a530673f79fec0e0d56b7d106533e728c3b292b707bcff1d3c0b3d3b34f3f3694e2b42407bd06897ef674edbb8ffc456ba1a2fdbe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES243.tmp

Filesize
5KB

MD5
6f039e8900733d37ee90dcfd7abc06d5

SHA1
ca6f0fec44ea649065962fe76d01f6837e36fb07

SHA256
8fa90c3cf908a2a264d2335dd528148699e758f7624ea3222d0b18c6eaa42959

SHA512
051dee7d76e27bc87cf79b303ba90bcd147ede765aa58f227f87795ec6e7ad52ca2a4e25bad496fde580ff2fbdd926b2a43edc6bfe29ba0a913fcc8037f9c92d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES281.tmp

Filesize
5KB

MD5
077b1c7af1592d29f841249529553d58

SHA1
d4a7471a431b10b6f42e096332c48b077670f64e

SHA256
9ed31cb1a6ba78d36f765a9013f086925c1b2f220d5446cb90b2aae62248cc3c

SHA512
d075a14ffcb054e0458b9db539ddc5ae472d3d78ec21fa7e790554146e3401c4f2e46058c0125f4d4eae055ff63aecfbb9b2b93b0646b63ccf4400d7b22b9fc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2B0.tmp

Filesize
5KB

MD5
23fea9385ed91a5581a3412a93b0aa05

SHA1
6f60cd8f59089d5e74347987c3aa0227e3a3043d

SHA256
5c8088b0705df92aac8670de3a70bfb7f29627961fb589147868ff9294be04ab

SHA512
4b061461abd5c8ad22c7390767f997d63c791fdd98a2ee5e9af1cb4be53f639059635b7465097d4d66cbde6a0c2bc986cf894347d33b2bb3daf6f99878348206

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2EF.tmp

Filesize
5KB

MD5
f1bc90423c85bda957d90ca5c77ad884

SHA1
b615b2b7761c5d1cbe2a76e72ea7742c27c09386

SHA256
7afea1c720bf3668d96fbc88702bf1b1db5b922daac4e25e42036d5d8e831ee1

SHA512
df7f18d3470fbd8d044d3937e78781a6f9117b42d72855f58aedde841b72e1f645a621109ff178b8012db06d340250397b7e9ea95dcb44b5297846033ae1d328

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES32D.tmp

Filesize
5KB

MD5
452532fd67e01b62405039a2a024e08d

SHA1
5405edbdcfdd74e81b42699ee1a788292711c29d

SHA256
758ec9f0ced4b4bb8fb102cd438f5fb37dd196b8d3949843feea9aa7dd045fcb

SHA512
5c1caaf107714f9cbbb09b9de8c069a4b0e2bc69814f4de69f0258312ee1dbe49c31a2b92528e320506edb72d8725893827d081420a1c73e311fe909d9d2c9b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8E.tmp

Filesize
5KB

MD5
c6cfab46c781d32ad8caba496b2f36ee

SHA1
a9559a6cc46b1e0a8438cde2e8dfee38654825ff

SHA256
3cf5569091e25afb2f01acc2a2f3719abfcc620d7bdb8fabf44b8bc23f5adafc

SHA512
e1474c312093861278b20678873f28cf4418a95119e806887e3b3ed76c8bb8ba3bcb3e8d11bae762fc239df5a66012dd810a1020e3ef29966c3c688e5b442eb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESEC.tmp

Filesize
5KB

MD5
e6fc1fcd280db977b23cabcd5acf7143

SHA1
ae61f7e663e9d0445354d13722b70096aab87b43

SHA256
6725e038527d844e126be7564b04181bd0627159ba05cd373efbb92dc183c697

SHA512
9bcce8d0c917d49264a03c0e4944c176012f992d1cf409f8b0fea84d7f37fbd0b5e446f17f1d76407aaf5142f56228c5e49bfdfef73ee59355c4e043112fd8c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\bmusqvzu.0.vb

Filesize
379B

MD5
a235c5dccb6ecd642d6fd40a55bbfead

SHA1
703f2fa7a0ec5ddd193aa672b0265055f16e68a1

SHA256
22a09001a1d9e174b00e226cdeda2f6bbed071df9c2bcfa21dfb9bf51ec275bc

SHA512
04f61516173e672979728b5cb64155aa66f529ffc3069615b31bb30d2a87c44c90264b3a57fe7efeebd8c0d4558d4201a3973e6824d33dd32b662fc48b7d6f4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\bmusqvzu.cmdline

Filesize
259B

MD5
363d369fb6433d9f34aebfb61fb0a9cc

SHA1
529cca318a76769f88fd71048c21a4a8083c58b5

SHA256
7279d02caa41bfb7a8d3df6225e066d8217fc8c751ecdbcf91b20e371dd4c9c0

SHA512
8094b53a43cced1cd90a216862499a1ff45d6fd2a5d497ca8cbcd73a4012deff19a3e2037c43db9a2ccaff07bce3bd397d05477ede6aaed05b2ec2b09cd87a13

Download Submit
C:\Users\Admin\AppData\Local\Temp\bocwfinl.0.vb

Filesize
365B

MD5
a6c85a86110364cbb4f412fd5df34a57

SHA1
17073bc4d04a333526db235c19cfe4a6376f4d5d

SHA256
d376f00f3f158c49cbdc1f00f450a460b9b5e4e08df3d10d59f767cef05a147d

SHA512
d50414cdc46adab04c5b0b5f03227cf5e23a1d45e559e8cdc53719a5fb02d5ea0dcb9e86c6dba869daa830f4e86fbf5e91623ae00fd81632576b9e520fec9e37

Download Submit
C:\Users\Admin\AppData\Local\Temp\bocwfinl.cmdline

Filesize
230B

MD5
bf70e666f1493c1e042b88dcff9647f1

SHA1
88b58208f734f3d82aeafb707a3a82dc5a68499e

SHA256
e1e6ab01fe4e6a2077a9e1d6f1d3d7193201166194fd16e602ee1d1ab0065124

SHA512
e41601195694d73ad6c4c223b13cade733f0d87e2917063a8537b76ddd1f19bcf11a7504753083c45759e06ea94ca1f7fc0ddf99524a2b399ac6942a9096e103

Download Submit
C:\Users\Admin\AppData\Local\Temp\faebkov7.0.vb

Filesize
379B

MD5
e84a6e54fe0aafcb30c6af89eac57b03

SHA1
fbcfbd89d163183dca0599e2ca61ff64ec9e6791

SHA256
6a33259441751b2062d261b482a4830f51a1a09868c2d5691f18e66e20f1f3b4

SHA512
4ba956d564c0ebbedf32f0c927cdbdd631a6d4daeefdcc2e6901c43ffab4ea7300d3d3770061710fe2342acaedd6043741afd2daea2e457f9972059c43fdfdb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\faebkov7.cmdline

Filesize
259B

MD5
322b081547a1f6bba062c00f1f718a11

SHA1
ee30f309b9347d3d29b896a9a683caef4d8f6436

SHA256
1fc39f1f092fafa369e8f01cc615326519b2c529f689db1dddfbff1aca6d0bb7

SHA512
e863abbf9abf7f093a681694913cc23dca74c2049ebe566603cdeaf40a38b105e2d0d4fe8ffe9622ef8a166b2065887dd5c1aa837a8a7677b50f9ffac43a3a6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\iyrnsxlr.0.vb

Filesize
386B

MD5
430177fe6bd2527d25bdf1e0ec43df0f

SHA1
6a32587478782ecee057e3cfefd6c72f85933fd8

SHA256
21e450ef2e8340a91dfff0dd0a397a70ddb75ff19a94aae42702680f855aca4c

SHA512
144adac0adc61ead69ee8de945def37940e979342d18fd475f63d5c21f32fc6849476dcbcb7dba5d9f234cce333d590a21582c1c742fc659c8474506b447264e

Download Submit
C:\Users\Admin\AppData\Local\Temp\iyrnsxlr.cmdline

Filesize
273B

MD5
8bfade2cd113100848f7ffde466e56d7

SHA1
a255821b5fdc3651450fe638d832b50456c7cb7d

SHA256
fcd192eba135e500e7189741bedf1925b4e44d7ce59f446122395ba45c79dc5c

SHA512
fdd27ad0e55391bba3e624116aedb8b4b4328e1fff7ae9736a68d26b344ab6d80802b42bfaeeb313e33f88c8b2fe13cb9855b1553c5d62b35644a28857ec4553

Download Submit
C:\Users\Admin\AppData\Local\Temp\kvv35xto.0.vb

Filesize
360B

MD5
78f7bbf1b22223b373cf3a5117c897f0

SHA1
2fe8ffb255c956555e1cbb64f2a4c2af8f33b2b0

SHA256
2dfb989fc0b1ff9afb4ec20e6e627475ad82c023bfc76b64de8834bf7947df92

SHA512
470c6c42ed5de636022aa4bbf96f689eb0e7b0a49402dccea774bf0080416b5134cd7dd7ea90b78faca1d94c41301aba9ac0f9cfc884418019f77028f4eb7156

Download Submit
C:\Users\Admin\AppData\Local\Temp\kvv35xto.cmdline

Filesize
221B

MD5
fc7d1ae060293c326c3b1e9090cc59b7

SHA1
5cf9897dad68518f9638b4db3d978594abb1558d

SHA256
c965497a5aaaf9e8a2c9f2006fe7c79d0026894b4415cb78e74d988b8975331b

SHA512
3a2257dcbaa1558431e7190615f2dde3a74d09bbf46e9ab74c1fb9005e8c0ab02f791da983109d67112beb9ed7b9b72dc584e6028c7d1e99bed511affc02aa80

Download Submit
C:\Users\Admin\AppData\Local\Temp\qplma_u9.0.vb

Filesize
385B

MD5
ba76dc5c25919ccf5afcea78c93e79e9

SHA1
00fcb0250fd83048464e6018e99fb176aa2236f6

SHA256
c2d6f6c8807f1048857b1cd6d204550bc5d6e71a21a9e504c0958a72bb2fa082

SHA512
6b78bac3070e34c66b668aa5196178b3c418aa0bd560b6ce70096dbcd65bfe19ac8ce29a1c7cb7c3078899e9ebfde98e4b59aaefcd2ec4e626e3cbab3e4e0da6

Download Submit
C:\Users\Admin\AppData\Local\Temp\qplma_u9.cmdline

Filesize
271B

MD5
4b560547f7068463286a3200fcd2fbaa

SHA1
8d162fad518966f3dcd0d0ebbbc42129a62d177a

SHA256
97e55b14d4f835193623f68a9703453a0aba205a748d10f732ce9c5b9afebf46

SHA512
13f92d73b36483d731813802c27bc8c1149f5f6cb32f6fe2703ac2ab182012dc4d00069c185227e2c35335e720c7db993ba53902993579284f13da79b7fd9a2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\sn_uxsea.0.vb

Filesize
386B

MD5
c8b42763728a19da64acc23a0241c389

SHA1
fdcfe998ae16d26feeb53a6f72973c6637e5427b

SHA256
e9de50903058a1be124180044307fcce890a8b87e661f09ac70ae4037edd7b00

SHA512
3af75eb89f53f56386465493b977f7cb9fd70b1e84c5238b26815eba93c83d50df407f570ee70f3777f42872808452be82307369eba0847b278a57e753352502

Download Submit
C:\Users\Admin\AppData\Local\Temp\sn_uxsea.cmdline

Filesize
273B

MD5
00c9289338feadbbc793639dadbf7909

SHA1
9f6295f9ad1791883105cc377fb06d05dec61ee9

SHA256
4c3c9bd29c17c477ee3a9694546cf8c6401d04101a86cef512c109b010d297d8

SHA512
e3fe0de977d8f53701ae93a681b5ee895b35fd347a9038797792cdee811077b5d6935a8c932c2fbb3a01530fcc002a19c3e0e90037a0a2d61163fbedd1ce5c8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc129.tmp

Filesize
5KB

MD5
51cf604449841dbbed271a89f88d1b35

SHA1
3def316b79482ac362447b5058a72660defd7642

SHA256
b2c3241ccdb73893d093b68fd313bfc766ca146ea7a53a18ec86eb5ebaaaf05f

SHA512
927b3da83ea88ae2144bbe5e578064d38279d13a280840296d71969ec606562941ddccc02a1c88bbd879a6cbb1bb8fc96b867de6b573eef393c50493b1517e5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc168.tmp

Filesize
4KB

MD5
0ce01fe9a8bdb51ef6f3d9982328fb67

SHA1
c5ce6c663bc28afdc7c34f34a5f1a30b81e56fe8

SHA256
0865da7864acadf97f5d4c1b4fc7e6b2416edc7c77f34867da05c07db2edc725

SHA512
12eaea34985386f1ab05bdd8339b2f05ead7ac90e2b74d2978d1bc55042e07c0df1f2d632dbc606f590d2d6a3e151d2b8f8df8a5581303e3bc477c83b686a4af

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1A6.tmp

Filesize
5KB

MD5
c0363f4de5533561a4e60b329c15b780

SHA1
964a0d8369999c145aba224b89a7e325cbe58195

SHA256
d737dc515af1561a0305f320206c5a7131ed993732532b42d5aab199d721d55c

SHA512
047651a6668c8860f16df759f1d88467d321fb248f1636c065d07485708f9a4dfc2d5ef2e444547b568bf1508af32468e8fd957d9d43bde5ce6dce609b03cd44

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1E4.tmp

Filesize
5KB

MD5
2779025274e653d91f15a5bb268a4d6a

SHA1
dedba384ea888a7578a9776786e36b1838a5bc3f

SHA256
503cb614e6c24b7d0b95f8167bcc756a72f71820172ce7954049a76b1b47558c

SHA512
c20cea2a7be734dc3f4c29a136b82b31796ac1175d3fcc5ddffe580d45b366c5283cb4bd9b97c7bce59e34e4a772d428ff156d1e4b2066fbcea966625d983d56

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc213.tmp

Filesize
5KB

MD5
e87aa6ab4dc52e49421ef61f2baff5ad

SHA1
2433ae7ed92973dc80a252959e225fec22e877f4

SHA256
bca14056abc5d479a272be52b065e017f4ebceabbfb9eb10818542aa4d7a77d8

SHA512
0cc9b65530d7fd2e87ef2e5eaff3b8d0128be61ffe3c5814a96704f9654a7e6f849ed25123143b40f674d657527c5ff72b7efed0f277ec023e03cc70fe76e389

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc242.tmp

Filesize
5KB

MD5
ba4a48e55e2c2a0f4cf752e92404c534

SHA1
1270eae921013700a17f322465428a577603ddde

SHA256
6d26cebc24ce837a015b5ce6f455f1e84eff7b0a3325f0c558c02f7686cfc01d

SHA512
0c6f812e317b97d6c0f515c01f46e52f1773fb2bbe33516f89948660f77d18cdbac26153c8e34a517e43bc66358ebe1ec3dfcc14b67ce7151030561cad1ea16b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc280.tmp

Filesize
4KB

MD5
81abb0794839ddd4d8817242c751a343

SHA1
7a9bc751f308cc4b693284464c2f6695d165d76c

SHA256
62c52824b3c72c355c5ca3a2746d8a83d4a9cf6b0ad58fbcc9d7de5de092cf3a

SHA512
d9bdd94d0fb550508c9c2e7eb59b42a2531f8d65b26fcaa89fad7da59e5a062e99c5dd4a59454c3da063bdc3efcdb9e5c06a305e5894c3400d7857b60a93c245

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2AF.tmp

Filesize
5KB

MD5
3cc631dd928cf356c71a29276d765755

SHA1
0687efcf46d9d3cd23ce611f9f9c4127410673f3

SHA256
26380e39062b717a85187b3ba2c2fb6e35a2c746822ea00b80d303aa10eeb67e

SHA512
953372a47c087f6adebc411359ab811a3514a9b8675712596bf6be665531c1fa75ac74e61053623ad90a655fa747683f624cf9e62bd7f40a26a89ca0d67699b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2EE.tmp

Filesize
5KB

MD5
313ceab37c3bfdd8da26cf3a4a6e7426

SHA1
018350d95fbd36a4886c56846b12c8fe85bef554

SHA256
95b4fa6d71c291b6c0e357fc9b5fdf78ef3215184139396c0a6d8e63be1dcc1e

SHA512
186b52c1c68c050146433b20704b1273924ba87c41e21e73d4c727d1c26b046a5bb8b15b8d2df0f6278f3d9f8b68e670ccc039357682ed7f5b8ac86db78d8fcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc32C.tmp

Filesize
5KB

MD5
bf1ea5eddffa0a7145a98082e992e318

SHA1
028cf0d379ef417d0e1c78dcd8bd4540a98f5f2e

SHA256
98de55230c782588f385c8eaec7692e84f562e233c5cf5e2091707c5b1f3f102

SHA512
056bd73b4e6ed1a8a26ab2af468c13c1a821771271400073b8ab7ec98942ef456a912bb3b09561400f354ee7ff8ad105264d35ad624c5b037c7f5d007df82fa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc35B.tmp

Filesize
5KB

MD5
2968bbb08483c563f3d7cb44c8462bc7

SHA1
ab125a2127ff0d6aa1293d43ffbd22b2e48b548a

SHA256
cccc17ff1d416d11c9cf0f10dff5d56d9587091f30603822cb7ac508330cb14b

SHA512
a5564866c1650319bdc0ae4db343be2f196e8f6fb0691eb65926c48b4c7334bf6e7daae827c07cbc8cce32599a1eaa3805ed74242fe7c5e21af5ab745f383587

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8D.tmp

Filesize
5KB

MD5
fbe55b949de42a69caa7adc6590e7d67

SHA1
3011c235bf6a7dc8418c78e85a33d6563d79dc82

SHA256
25710b1283960c92dcc22e3db8016c436890f09c53e884522d0e0ef0a8167734

SHA512
f8374cc3eb807a2d9a01a626f3371cb54dcd6367f49368d89488696aa02b2c4a4aef331b518bd3a47f85143fb2738878689328420d3ffe1f81839d08fd0ada73

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB05B.tmp

Filesize
668B

MD5
3906bddee0286f09007add3cffcaa5d5

SHA1
0e7ec4da19db060ab3c90b19070d39699561aae2

SHA256
0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00

SHA512
0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcEB.tmp

Filesize
4KB

MD5
79bf25ee64ca073d5791e42b30c9fcc1

SHA1
49c0677aa0dae7c8809061e33ea28812b52ca920

SHA256
ac2612d61907a92b12c86bfa3d4c9787129f44587938a964ccf9116481498cf3

SHA512
073e1cfafd09cd8b5215dd09eaf3aec2bbaa507415179f45bafe3b0c1d7fdd4d0645a321643024caecfaf6737e40dea92dc98886ba6cea20d337de21d8e25159

Download Submit
C:\Users\Admin\AppData\Local\Temp\xf3kz7w-.0.vb

Filesize
388B

MD5
57a46766e5e60be821d5bc601fe158c9

SHA1
4d2fbd383e1df8ca289b5b312f09e9375a81bc6f

SHA256
7004e4b013c247d11c85d0998be9db8248fa6b0e0ffbd595c7f6561cf118a3a9

SHA512
4854754eae130b0f2ffda72f9347a2dbe55ef63fe8a6cdd0c0b23a128d5e08b79036fdeab3224e8b64dc03ad63c0a2193eef96799a837e9a5f8b977428678cae

Download Submit
C:\Users\Admin\AppData\Local\Temp\xf3kz7w-.cmdline

Filesize
277B

MD5
c38cb425290e03da073af251fcf00e0c

SHA1
b3a80d59dfe070a1ffe92fd38dd98e0e9d30d7d7

SHA256
795dbdea78bbdee38991096f17bfcba0e527483ff3ae5ff0d6ecb7317fcc4d15

SHA512
4c558f0ad592c2a84467b1f9d65d24cc93d814c8201f6a57a1da7b6827cde05ea4a1a76f1eeb61ab50be0e8fd5e8e3f80756dfb3a5bcbb2644a27889c60fea7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\yaq5qigl.0.vb

Filesize
388B

MD5
03caac8aca9591d8e06965974fdb3ad2

SHA1
03e0146ca59daba46b87cbbad9d0ee5090ef8b74

SHA256
0357dc37e2685782c4dc3e1cb86ec86a1d5a724b70110364d918a5d158c51bf9

SHA512
a6fd4476f53150ce90b7e5f374f08b1e4a7419bb26aa26ee6f7ff6f9663727ba884f41c4a6eafa185c1990b061f19e41a393d9370bdc8ee9691311f96e8cf5e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\yaq5qigl.cmdline

Filesize
277B

MD5
9709b8ef41aeac7747473b07d50251f5

SHA1
a55be85c64ea1c983ef377fcc7b93dc16cabfe01

SHA256
5b54d6538df21fcb8f32d681ad36f5f040e41b1f4b7ae90161c09c25834d204d

SHA512
6bb2330c5410da74eb7075cfc9af853a3aa1fc12ce1f7ce830aaaa5bf59361485d79f916af62887a003bbd37dc2c64273f18f07c9eb6251732d1f279ccc5289d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zxvy3uxv.0.vb

Filesize
385B

MD5
ac9a0647f3a528a07c967333a4897e56

SHA1
17f3ab3617f8599a0ef8a0a7f9a96b2c9a60713f

SHA256
fb17e5a2ec3b6df2a8ae742930a6f70bb34098d056b93eedfd0d4ae6966977de

SHA512
89ca5a6c7e1b16e1839a25c8b46a1a0d4b06b14b87029827f91044f78324f1973070121ef41e55ecd2aebd5318444dd16d976a681ac332bf7af7a30196352176

Download Submit
C:\Users\Admin\AppData\Local\Temp\zxvy3uxv.cmdline

Filesize
271B

MD5
18c907df04d66f0b4474a58364da6c14

SHA1
82b63a44cf001a79fcc01b6ae47b46f0ba711a8a

SHA256
e2f3749f493b01b002bae76899556b19c57b926f845dc6074dccb4acd0908ecd

SHA512
dc3ceb8a1b241bebe2bd19da3024d941ce87c73dac699b91faf59a0bab56112c3e140cc2b01d3b2d6cbe8b7e7ce2332bd3bbb1697a2d2fca7b2da494018194cc

Download Submit
C:\Windows\System32\Systemt.exe

Filesize
108KB

MD5
fbdca5d8d0459e4f2c0a1a6f9870a000

SHA1
65ccc01b26739706066f7c5d8b52ef67e4830f89

SHA256
02a390aad8d557693715b7d58f42d6685a6f464a7df854b2652993d9e2e53ef0

SHA512
0ab28167405d40634a6353f7ade8dc7a3ddf57920ac211568a8b44c75be5be108f4f8e6c15d512367542e3057f6bc690c65c1d67d38a073a46e8941e7c1cdf1d

Download Submit
memory/1984-5-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp

Filesize
9.6MB

Download
memory/1984-1-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp

Filesize
9.6MB

Download
memory/1984-4-0x000007FEF611E000-0x000007FEF611F000-memory.dmp

Filesize
4KB

Download
memory/1984-2-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp

Filesize
9.6MB

Download
memory/1984-317-0x000007FEF9500000-0x000007FEF9B71000-memory.dmp

Filesize
6.4MB

Download
memory/1984-318-0x000007FEF8E40000-0x000007FEF924F000-memory.dmp

Filesize
4.1MB

Download
memory/1984-319-0x000007FEF85D0000-0x000007FEF8E34000-memory.dmp

Filesize
8.4MB

Download
memory/1984-3-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp

Filesize
9.6MB

Download
memory/1984-323-0x000007FEF9500000-0x000007FEF9B71000-memory.dmp

Filesize
6.4MB

Download
memory/1984-326-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp

Filesize
9.6MB

Download
memory/1984-0-0x000007FEF611E000-0x000007FEF611F000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads