revengerat | 68ce3565bb806ee7bbda7256c0270333f069f6677850c9ec2511404602643f1c

Analysis

max time kernel
119s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2024 07:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

68ce3565bb806ee7bbda7256c0270333f069f6677850c9ec2511404602643f1c.exe
Size

3.6MB
MD5

559a0f99f9f896e2c54a8e565592966b
SHA1

0cd2f8dcfe72649b04c1508aa900cfd4f8f13460
SHA256

68ce3565bb806ee7bbda7256c0270333f069f6677850c9ec2511404602643f1c
SHA512

6349d566f1df3eace2975b193cab125e54480a0e145e456e8972c25de412458d0380d6d79630d7fffb9d6112dfa1d6669550d26dae61884b08da1e283248d7cb
SSDEEP

98304:7Y323PnLFoz1zTLE/J8WySsKBmeEMLM2yTP+OXwacX:2QPLS2yjKMCMxb7ghX

Score

10^/10

revengerat persistence stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral2/files/0x000b000000023b91-12.dat	revengerat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	68ce3565bb806ee7bbda7256c0270333f069f6677850c9ec2511404602643f1c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	taskngr.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft IntelliPoint.exe	vbc.exe

Executes dropped EXE 3 IoCs

pid	Process
740	taskngr.exe
1396	6993793.exe
4544	taskngr.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PaintResource = "C:\\Users\\Admin\\Documents\\taskngr.exe"	taskngr.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
40	raw.githubusercontent.com
41	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4344	schtasks.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1356	68ce3565bb806ee7bbda7256c0270333f069f6677850c9ec2511404602643f1c.exe
Token: SeDebugPrivilege	740	taskngr.exe
Token: SeDebugPrivilege	1396	6993793.exe
Token: 33	1396	6993793.exe
Token: SeIncBasePriorityPrivilege	1396	6993793.exe
Token: SeDebugPrivilege	1396	6993793.exe
Token: 33	1396	6993793.exe
Token: SeIncBasePriorityPrivilege	1396	6993793.exe
Token: 33	1396	6993793.exe
Token: SeIncBasePriorityPrivilege	1396	6993793.exe
Token: 33	1396	6993793.exe
Token: SeIncBasePriorityPrivilege	1396	6993793.exe
Token: 33	1396	6993793.exe
Token: SeIncBasePriorityPrivilege	1396	6993793.exe
Token: 33	1396	6993793.exe
Token: SeIncBasePriorityPrivilege	1396	6993793.exe
Token: 33	1396	6993793.exe
Token: SeIncBasePriorityPrivilege	1396	6993793.exe
Token: 33	1396	6993793.exe
Token: SeIncBasePriorityPrivilege	1396	6993793.exe
Token: 33	1396	6993793.exe
Token: SeIncBasePriorityPrivilege	1396	6993793.exe
Token: 33	1396	6993793.exe
Token: SeIncBasePriorityPrivilege	1396	6993793.exe
Token: 33	1396	6993793.exe
Token: SeIncBasePriorityPrivilege	1396	6993793.exe
Token: 33	1396	6993793.exe
Token: SeIncBasePriorityPrivilege	1396	6993793.exe
Token: 33	1396	6993793.exe
Token: SeIncBasePriorityPrivilege	1396	6993793.exe
Token: 33	1396	6993793.exe
Token: SeIncBasePriorityPrivilege	1396	6993793.exe
Token: 33	1396	6993793.exe
Token: SeIncBasePriorityPrivilege	1396	6993793.exe
Token: 33	1396	6993793.exe
Token: SeIncBasePriorityPrivilege	1396	6993793.exe
Token: 33	1396	6993793.exe
Token: SeIncBasePriorityPrivilege	1396	6993793.exe
Token: 33	1396	6993793.exe
Token: SeIncBasePriorityPrivilege	1396	6993793.exe
Token: 33	1396	6993793.exe
Token: SeIncBasePriorityPrivilege	1396	6993793.exe
Token: 33	1396	6993793.exe
Token: SeIncBasePriorityPrivilege	1396	6993793.exe
Token: 33	1396	6993793.exe
Token: SeIncBasePriorityPrivilege	1396	6993793.exe
Token: 33	1396	6993793.exe
Token: SeIncBasePriorityPrivilege	1396	6993793.exe
Token: 33	1396	6993793.exe
Token: SeIncBasePriorityPrivilege	1396	6993793.exe
Token: 33	1396	6993793.exe
Token: SeIncBasePriorityPrivilege	1396	6993793.exe
Token: 33	1396	6993793.exe
Token: SeIncBasePriorityPrivilege	1396	6993793.exe
Token: 33	1396	6993793.exe
Token: SeIncBasePriorityPrivilege	1396	6993793.exe
Token: 33	1396	6993793.exe
Token: SeIncBasePriorityPrivilege	1396	6993793.exe
Token: 33	1396	6993793.exe
Token: SeIncBasePriorityPrivilege	1396	6993793.exe
Token: 33	1396	6993793.exe
Token: SeIncBasePriorityPrivilege	1396	6993793.exe
Token: 33	1396	6993793.exe
Token: SeIncBasePriorityPrivilege	1396	6993793.exe

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 1356 wrote to memory of 740	1356	68ce3565bb806ee7bbda7256c0270333f069f6677850c9ec2511404602643f1c.exe	100
PID 1356 wrote to memory of 740	1356	68ce3565bb806ee7bbda7256c0270333f069f6677850c9ec2511404602643f1c.exe	100
PID 740 wrote to memory of 2384	740	taskngr.exe	102
PID 740 wrote to memory of 2384	740	taskngr.exe	102
PID 2384 wrote to memory of 208	2384	vbc.exe	104
PID 2384 wrote to memory of 208	2384	vbc.exe	104
PID 740 wrote to memory of 4344	740	taskngr.exe	105
PID 740 wrote to memory of 4344	740	taskngr.exe	105
PID 740 wrote to memory of 1396	740	taskngr.exe	107
PID 740 wrote to memory of 1396	740	taskngr.exe	107
PID 740 wrote to memory of 2916	740	taskngr.exe	108
PID 740 wrote to memory of 2916	740	taskngr.exe	108
PID 2916 wrote to memory of 1836	2916	vbc.exe	110
PID 2916 wrote to memory of 1836	2916	vbc.exe	110
PID 740 wrote to memory of 3048	740	taskngr.exe	111
PID 740 wrote to memory of 3048	740	taskngr.exe	111
PID 3048 wrote to memory of 5036	3048	vbc.exe	113
PID 3048 wrote to memory of 5036	3048	vbc.exe	113
PID 740 wrote to memory of 2220	740	taskngr.exe	114
PID 740 wrote to memory of 2220	740	taskngr.exe	114
PID 2220 wrote to memory of 3204	2220	vbc.exe	116
PID 2220 wrote to memory of 3204	2220	vbc.exe	116
PID 740 wrote to memory of 2112	740	taskngr.exe	117
PID 740 wrote to memory of 2112	740	taskngr.exe	117
PID 2112 wrote to memory of 3896	2112	vbc.exe	120
PID 2112 wrote to memory of 3896	2112	vbc.exe	120
PID 740 wrote to memory of 64	740	taskngr.exe	121
PID 740 wrote to memory of 64	740	taskngr.exe	121
PID 64 wrote to memory of 1628	64	vbc.exe	123
PID 64 wrote to memory of 1628	64	vbc.exe	123
PID 740 wrote to memory of 4868	740	taskngr.exe	124
PID 740 wrote to memory of 4868	740	taskngr.exe	124
PID 4868 wrote to memory of 2720	4868	vbc.exe	126
PID 4868 wrote to memory of 2720	4868	vbc.exe	126
PID 740 wrote to memory of 1744	740	taskngr.exe	127
PID 740 wrote to memory of 1744	740	taskngr.exe	127
PID 1744 wrote to memory of 3216	1744	vbc.exe	129
PID 1744 wrote to memory of 3216	1744	vbc.exe	129
PID 740 wrote to memory of 4492	740	taskngr.exe	130
PID 740 wrote to memory of 4492	740	taskngr.exe	130
PID 4492 wrote to memory of 1672	4492	vbc.exe	132
PID 4492 wrote to memory of 1672	4492	vbc.exe	132
PID 740 wrote to memory of 772	740	taskngr.exe	133
PID 740 wrote to memory of 772	740	taskngr.exe	133
PID 772 wrote to memory of 2524	772	vbc.exe	135
PID 772 wrote to memory of 2524	772	vbc.exe	135
PID 740 wrote to memory of 3092	740	taskngr.exe	136
PID 740 wrote to memory of 3092	740	taskngr.exe	136
PID 3092 wrote to memory of 3580	3092	vbc.exe	138
PID 3092 wrote to memory of 3580	3092	vbc.exe	138

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\68ce3565bb806ee7bbda7256c0270333f069f6677850c9ec2511404602643f1c.exe
"C:\Users\Admin\AppData\Local\Temp\68ce3565bb806ee7bbda7256c0270333f069f6677850c9ec2511404602643f1c.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1356
- C:\Users\Admin\Documents\taskngr.exe
  "C:\Users\Admin\Documents\taskngr.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:740
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ddqrkdbw.cmdline"
    3⤵
    - Drops startup file
    - Suspicious use of WriteProcessMemory
    PID:2384
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9277.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDF7F78386D2C48BABD52B26182E0F090.TMP"
      4⤵
      PID:208
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "WindowsTable" /tr "C:\Users\Admin\Documents\taskngr.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4344
- - C:\Users\Admin\AppData\Local\Temp\6993793.exe
    "C:\Users\Admin\AppData\Local\Temp\6993793.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1396
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\z-vhldcd.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2916
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES94B9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE0597AB25B9A434C98E763BCAB8B84F.TMP"
      4⤵
      PID:1836
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rzpxgbzt.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3048
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9584.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc16EDD9DA4E334D94999F5282140B17E.TMP"
      4⤵
      PID:5036
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gxyli19n.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2220
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES966F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcED6D01FD2ED46B09FABEE731EAF363E.TMP"
      4⤵
      PID:3204
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5fdsvv2f.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2112
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES971B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD861245AA5294F2884963FBA735D5B94.TMP"
      4⤵
      PID:3896
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fvebyoaa.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:64
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES97F5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc34B69ED6024A95A7FC63E01AA539C3.TMP"
      4⤵
      PID:1628
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\v2-lwcko.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4868
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES98EF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA8520E85F90544CD9FA52075A3F0BF98.TMP"
      4⤵
      PID:2720
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wmwu1ygx.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1744
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9AD4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc20BD2B6AF55D4F699DBCF8F14F9CFF2.TMP"
      4⤵
      PID:3216
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fmleyvxh.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4492
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9B9F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB5F1908F1CEB4F088362CCA8669FD24A.TMP"
      4⤵
      PID:1672
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zpxdzjjo.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:772
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9D54.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3376AFCAD24D4AD28A81DD441FFE379.TMP"
      4⤵
      PID:2524
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fgqxgiuy.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3092
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9F19.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5C2648CA9171450786CE9655BC8390E4.TMP"
      4⤵
      PID:3580

C:\Users\Admin\Documents\taskngr.exe
C:\Users\Admin\Documents\taskngr.exe
1⤵
- Executes dropped EXE
PID:4544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5fdsvv2f.0.vb

Filesize
286B

MD5
d7e819e5c304049739e7f2a9e6b58c70

SHA1
fda2f4074c92a643c5784d3f1f873e95e08aad94

SHA256
9203d9523aa99b6d117664d6dd5e7400b9db5d0b637d961687ed5cefba4585b5

SHA512
c86b23c403736baaa8158dad0fb2b60d04632a5a293518a0f99c1c9c548aac20dea0791082b477f2eedbd89ca10257347794b3236ba24c08628535ef79776389

Download Submit
C:\Users\Admin\AppData\Local\Temp\5fdsvv2f.cmdline

Filesize
171B

MD5
6821ae4a0dc328fec5517622d6011df1

SHA1
6bf9129fbca193fa5058861dd4d02b6cf4de2aca

SHA256
1fc0087679670a7c9250ca7c16f034fd571d8154b1b0f191089c73b7165c2070

SHA512
607e8524c729f795cc4d3f00745c8b8b27fa50b5a95dc431f9ffdce840c7c8ceecb8aa6380455df83b67c04b5d772d9141c4a97f15226d64fae14c6776b2d20b

Download Submit
C:\Users\Admin\AppData\Local\Temp\6993793.exe

Filesize
1.9MB

MD5
c4394fb4daaf350cdbf5303d812e917e

SHA1
6a780c9f1c15e555b72640299b9c10e7927252f6

SHA256
0ac3387b6e0283c972722c2a6664ee23ac5ba10640d18b827e8732f5c57e7d2c

SHA512
585664a31ac2131efde439468f98c53423588348019edb3c767ffc9bb6a8a881959fd1f4a30d623a0e6a4cc02d180a146b37bef8679b55b111f46d2fb8fb82e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9277.tmp

Filesize
1KB

MD5
86705e26cb8822ed6b8f437dbc60c5e1

SHA1
d7dd50cf7c2a51183b4374e9f9f4ee016e8a55e6

SHA256
1682a298db761783bb705b1fd50e4b78f7c058d48d050d04b2b42e7d78d3de62

SHA512
9e5924798110c74be6ef6bac7ec94193aec4244b395f7e0daf5ced61002b4e67d777da1ec2c83952eb0dbe710c12d006ad93d47bed73f904576c18bed8b1c6b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES94B9.tmp

Filesize
1KB

MD5
533af5f3bff74feb388994cadc58a402

SHA1
282506a5eb2da9d82f196eaed38d0a984b6da9ab

SHA256
bff3db36d88b58cd403508749a76d891ca9bd1956f4b87ad6087f31f4dba37af

SHA512
273fc36ef8ac0b130cc3b70ae1d2ef7e23c33cadc0d5808fe521fba958ed4afef6b7c9e7a0f1a2853e3a40925f170e89e233ecfa7be6358a6500347c144c825e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9584.tmp

Filesize
1KB

MD5
fdce1331027cf2718ce97be1e5199096

SHA1
4fa2f66c3ff26df9c50a99eff52b37ca9d37872c

SHA256
ce89aa4c089a8e536df8e6143f65021190ac835728d63a83556342a76397aee7

SHA512
9befe812caedfaea6524fb2aea3d6182edbecd6685432cda1224c89c4cead462c09d7698d7aae39d02fb64b79578a4c315a18ddacc815f4b8f0b8bd86e4bc7bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES966F.tmp

Filesize
1KB

MD5
0bc656194f1e622b9808ec11e56628c5

SHA1
0433ebb79bc6355401ee45b3835c27bcfefd09ef

SHA256
6772437b9da6461566226de9f03071dcd80e7ac167d97909fa1603368ec0400b

SHA512
0766b637d2025619005aaf274298dae430b7431c584dff0dd641c29ba1b167c9a5a6fc80be4aadde9c107003f683e5d03cb6f9fc88769a9b45c7547455ba480f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES971B.tmp

Filesize
1KB

MD5
45fc33ad3aafc6d4b6105a39320d8539

SHA1
b9f1aeff7c950c79721103bb5afede2b5f1a2ff0

SHA256
0deb7d20bb413fa2af9d61e540dc3e5727b358de596ad27ee93e1116a321dbb3

SHA512
190158846c7e65c3caefd97cf3b2cf111505491c4adc36b15bedaacf0d15372b75ebc81de3600af0c5e5aaf90dedcb3798db26eca675f5cea203d7dcde9f4141

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES97F5.tmp

Filesize
1KB

MD5
a523731e939ebdcffd8ce145927542f7

SHA1
4c6ad70bceb8636e63682dfde8db7c5ea2eabff9

SHA256
1aaa198052dc0e3bce433a649f2fcc618a2ce1ae41d749a07c06f842bcbd102c

SHA512
631b2ffa3806ce1713bb45e0de91675e2fa4526f88e45110586847bacc542168914615444a0438989bcbe2ff457b9f1db19cea7b8bd2477ab32c323bf5784f4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES98EF.tmp

Filesize
1KB

MD5
feeacf6dc6775cb8277b6ed5cae61ede

SHA1
b102e2bb04fa3c8fc5d43e71c0eaa16828a557c1

SHA256
1987113eaa2165fa262b4d4e17398737c9f22c8ff9efea8c8b9b6c4e459ff380

SHA512
4fbdc15eddcc13033ccf1d274a635e1a7d18ee8636309b3ad5e52f14f6bde973168c16f217558f5859c8fcb71df33d2ede379d64be93ba395f2ba9daf9e407c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9AD4.tmp

Filesize
1KB

MD5
7f7f0c4168ea930c9ddf3ad1bdf6bd87

SHA1
9eedd3ae3e645ce439ddb6763c480d01d8bafff5

SHA256
8c5bd421ee98dc5e908a7e641f5fe765f01a56e47a777dc4aff11247ca4dff2d

SHA512
811546c74e3495aa54bf64d687671f6b19da8bb4501dcdda4bfd5e0689e6b5486f8bfcfdca00d12dfb54c492878fbcc7d561c79b92649a35ddddaaa16a396177

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9B9F.tmp

Filesize
1KB

MD5
77ca4d345e56ee05ca43b0ad189142f3

SHA1
cf1907984405446c76633c5d8b48f32198c4ef78

SHA256
e7633e36838225bfbdd0fc83657b90bd60da5567b0af3e9304256237348e4536

SHA512
a83df6c57f3194e37f9e134898401ac7f0a901c30c533960ded240f270228fc18d356f41b6a853f4308c397bdd193b95caf5f25e2d7ec1f2076a552c6d1a602f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9D54.tmp

Filesize
1KB

MD5
034e07a2be74190dca2fe1c1185e6e71

SHA1
911ed27e47f65056f5556948dd5827524bff0bf3

SHA256
11cf2f00222f6036dc8a852759be511572314423326f5d0758cee8912ac23aaa

SHA512
281f01992a3e061ddc0be03d98443688bef71eebf5ae9ed5f78041b43dd893a94b1a8b9c2fcfdb0e87e0260077c50abfb0f386425beb9ba873e14355a62f8816

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9F19.tmp

Filesize
1KB

MD5
d3cd1cad4661f8b78c4325961dd6daa9

SHA1
434844eea110889cd5aa44e25e13f6cac234a7d8

SHA256
b145e9ac57d20c29d601b2e859e1ea1f7af94f41bbf24f415cd70ed105be6e4f

SHA512
da85fe2e5fc6d9b00fe8cf1eb6dab3e5686bfcb26cac9ab4788e8bed180a664e268ac60d3915327229e17f3a112bb7ea9525d126deb9b81d7412070ffbfe3404

Download Submit
C:\Users\Admin\AppData\Local\Temp\ddqrkdbw.0.vb

Filesize
146B

MD5
cdaa26fe88bf2e9296843cac186f0f8a

SHA1
a8f9769fe277bfc5e2dd2f9c3db2921020cafe10

SHA256
5e610bb330f79e0ebfa2078f9d408db2e4f4e8c4e644057183419f40ab7736ed

SHA512
df18dd6e421bd9f18445b1c50aacd651956f44939249aaee9a1078855329ca0e7e92965da9b059555f55901c49e81b400e755111bc7d360e75dbf658872a4d6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ddqrkdbw.cmdline

Filesize
210B

MD5
e61ed2601fe541a4156ede9f5c25e2bf

SHA1
8eabcd27677c0981ab659aa8e574f8778874cc0e

SHA256
ae439ef27b00ee7562ae956e07a35a2926b55c9931a3479ae54c37f3f4605969

SHA512
12b38501040c17443eda3f0333585accc818b658a55f53aa9f18d10239633ab92c5b55bf9e00a74c948e3c5b3c562e0c63b3b0f8e902226efdd7502649996b49

Download Submit
C:\Users\Admin\AppData\Local\Temp\fgqxgiuy.0.vb

Filesize
288B

MD5
d2bbf198a5efe2d0c53eb7302c6b2a25

SHA1
adf8a6092bcde5738aea72861cbdd90409c6f3ee

SHA256
44a8b749b445cbf5e18647d40d430113341c37c5ab943f3287dd9660e5052a62

SHA512
bcecf3e7ae6c12e412136b740024824a8f8d13c5e897822b7a8ba5ea7171a6336f1e3621d6e1c35cf341c849523ac7f008c50093614369d610fbde1b7739213b

Download Submit
C:\Users\Admin\AppData\Local\Temp\fgqxgiuy.cmdline

Filesize
173B

MD5
dac447eb034abd9fe3f9bcbe2b7661a2

SHA1
6c168825531da1f7c76ea2ba8570f8fbf460a04f

SHA256
871081f7a64382668824ecd46faacc0d968a99710dfd14f2b9e000e5d9b2b83e

SHA512
8727b4f53819208ed2ec5f090ea935c623140ddf571c37177c59439d2c307655bb47422a3f68d1442cc16d224228c1e8c2204e2c5ad6eb37e5e61838070ca0a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\fmleyvxh.0.vb

Filesize
279B

MD5
f7414480c14ed927b96983a454b45ad4

SHA1
f0b9701777b2643e03165a5e3932fab15fa054bf

SHA256
21344d6b94d6f9460b875f7120934f8a230418719f6b6951baf423c6244e6fd8

SHA512
645a18383cea2f1107b2d0dda0c04b059f0385fc77a6da837a9bd180df410fc34534df4f595d766b030cfae3c9c696e2400a6d4abd0852e6a2120e1859876145

Download Submit
C:\Users\Admin\AppData\Local\Temp\fmleyvxh.cmdline

Filesize
164B

MD5
0c3b1a83436da908b27a29276570310c

SHA1
8c499cf090eef7663dd38f1b46dc73bc73706234

SHA256
8427022e3cba15fe0a204f37df16bae23fde4a974ea37f97095511404121622e

SHA512
2032e031290ff16793b89ddd2160f34fd7eb01d097b5020c0234525d47e76b50e18b8f26327253e4017745194776a25aca20e965a6e7f9dfbfec4a7b13f49c79

Download Submit
C:\Users\Admin\AppData\Local\Temp\fvebyoaa.0.vb

Filesize
287B

MD5
f2a05fa49c8095ff3f83411bb53ae404

SHA1
c10cb9190ba92948f8ea2d1ae451e4636ceaae71

SHA256
c85d0c3445ba49732c88da6e6bc80c5fd63e7a5b4c809e38d46dfa091c223dbf

SHA512
edabc2a63a332b835c39b6523e7ecf633d752f4f08fa8fd1603a72f17aa05438c483af25fed6e388f1372ac61bdc0271856c7d7d3c46730f1e776b1e4f016171

Download Submit
C:\Users\Admin\AppData\Local\Temp\fvebyoaa.cmdline

Filesize
172B

MD5
11665fc786de4a3f2549136574122f00

SHA1
4696894774947883acdf48195dbaa5eb7cd8b763

SHA256
e806d80750238750cce2dc567bfa5ffd1a714c3e1f4686b78e552e3cc18febbe

SHA512
2f80579075e44a05d96dbaeb41047b42a8d537d40239724611c66aadfcdb839ff99213a7514bf48acb4e1467aca7d5ffab0d1e6f24b307677abd6dc336e05c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\gxyli19n.0.vb

Filesize
278B

MD5
11b3e4db71f1d3b4dbe885207d37d4f9

SHA1
0327e0916daf2feac8163a6e85a91577c26614d2

SHA256
0398a89f8df4b496ee06b6f34c4608cca0ac29fa7adf7d20db57f3d3d60754f1

SHA512
b56f4b83fff06bd2f8437aa89679850dc9b9ac257cf78e7c0cc33651dda5589ce221945abf8cc705e739633a420e5cc7941393847d72d22b171a1cbefa12eadd

Download Submit
C:\Users\Admin\AppData\Local\Temp\gxyli19n.cmdline

Filesize
163B

MD5
b3b13de5fcb70ec59accd5ef9ad85d86

SHA1
60c298f09f66a0939ca6bf7f370e1a76daa0f233

SHA256
85812dd871279fabc9c3554d1ed59aebd465911bc55008a82ff4d8deb0e8ae56

SHA512
3b26a19d04e3126b88720a917b01a9da61420171ac1d8f14e529585f9a884b598207aed3cce2058db0e3b279ae47cf159fc862a24a609acb4ecc4bcbec475548

Download Submit
C:\Users\Admin\AppData\Local\Temp\rzpxgbzt.0.vb

Filesize
277B

MD5
e5761189550be412d3d6f7251a2b5da4

SHA1
14667e3906bd1f52416e5d3b0857a7fc3bdeabad

SHA256
eb3bb3a3e609603c7391d28e05a6c2c63a7b863730cc1a577cae7a6d46a31eb4

SHA512
1c4f974158a5536b862d5cda56079001626809fd1655cb74daccd93edf2bb83becc69d92737732c893fb8541350896e1642f98355359622af17c9562c7f77355

Download Submit
C:\Users\Admin\AppData\Local\Temp\rzpxgbzt.cmdline

Filesize
162B

MD5
523afdcd86286501e9c389e4273e86e1

SHA1
1f212a45c9d317ec3c56aee45c44b6fca18f40ee

SHA256
77b2ef60f3a5af867003ce2c524f6beb49987600abf0d1eb5de6b6be1a44566c

SHA512
801ad1751b4924b4cca66acf6b05a3043657697aeecd690752a9b1d650add3d3a102260d8e109c9fb525841a9155cedd0ab02b1a224ebbce59c5fabd167a88c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\v2-lwcko.0.vb

Filesize
286B

MD5
a3149c23cdfcefa52372f731551ac7ac

SHA1
b033408b73e3986d342c530d3a748e95e7648c78

SHA256
3ec44e5500f18ecfda3187c48af050342802dfa950230fbe96cdb6b4b4a0ec3c

SHA512
3bd71c4b417bc2a6d60f5d858823ae0f72b8983094825c0f09d253d802e6a8dd5de847e70ef1a765824eac2b82b2d73a4855d08dc172fde7fd716e5871d085ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\v2-lwcko.cmdline

Filesize
171B

MD5
a06a759acbba385820c9e356ab52498b

SHA1
440538ac11e7cd4f9da03559a7c326e5f1345350

SHA256
316a40f47e6ec4216f3706cb76f69e507acfd3da0f88643b828859bdd51976a4

SHA512
930b3d8167f3bf1a80a7fa90417d5e94ff37709212b0c2e9c31c620877410a6c541351a53519110e6d0283eda4a5ef33aa33685811aa567a347a265fec827998

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc16EDD9DA4E334D94999F5282140B17E.TMP

Filesize
668B

MD5
3906bddee0286f09007add3cffcaa5d5

SHA1
0e7ec4da19db060ab3c90b19070d39699561aae2

SHA256
0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00

SHA512
0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc20BD2B6AF55D4F699DBCF8F14F9CFF2.TMP

Filesize
684B

MD5
8135713eeb0cf1521c80ad8f3e7aad22

SHA1
1628969dc6256816b2ab9b1c0163fcff0971c154

SHA256
e14dd88df69dc98be5bedcbc8c43d1e7260b4492899fec24d964000a3b096c7a

SHA512
a0b7210095767b437a668a6b0bcedf42268e80b9184b9910ed67d665fba9f714d06c06bff7b3da63846791d606807d13311946505776a1b891b39058cfb41bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5C2648CA9171450786CE9655BC8390E4.TMP

Filesize
684B

MD5
7a707b422baa7ca0bc8883cbe68961e7

SHA1
addf3158670a318c3e8e6fdd6d560244b9e8860e

SHA256
453ad1da51152e3512760bbd206304bf48f9c880f63b6a0726009e2d1371c71c

SHA512
81147c1c4c5859249f4e25d754103f3843416e3d0610ac81ee2ef5e5f50622ea37f0c68eeb7fa404f8a1779dc52af02d2142874e39c212c66fa458e0d62926a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcDF7F78386D2C48BABD52B26182E0F090.TMP

Filesize
708B

MD5
253ac3eb8d80354190d7be9278727b6b

SHA1
bba447681cb11f36c316a2ae223fc94e056e66bb

SHA256
2cff523b286303dd0773ace801595a2bdca962861d59b620bdd953f966655251

SHA512
eb5bc537fcd1fb4713d51662d75993646fb8c2684f1bb0078fee3697c271650d1498fd1c201f2bd9759b0e18239627d72e1a46c141655fe7b4919e0cbe871bf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE0597AB25B9A434C98E763BCAB8B84F.TMP

Filesize
644B

MD5
dac60af34e6b37e2ce48ac2551aee4e7

SHA1
968c21d77c1f80b3e962d928c35893dbc8f12c09

SHA256
2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6

SHA512
1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcED6D01FD2ED46B09FABEE731EAF363E.TMP

Filesize
676B

MD5
85c61c03055878407f9433e0cc278eb7

SHA1
15a60f1519aefb81cb63c5993400dd7d31b1202f

SHA256
f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b

SHA512
7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmwu1ygx.0.vb

Filesize
289B

MD5
c5b9d8d6365919b42a26adea6001fca4

SHA1
f4d7a2d623be4c22363daffe70e4d1b40b33b775

SHA256
cbad8217cc2df744da6830c565b2c19993dac461dccadef167af3b62229d95b8

SHA512
3bed75479d2beac4d5526cc598d2a7b58c09d1e05212c9705f96913d1100edcc6b46189a6c5a0e615cd73e1cf9751efc11d3598de3db088b8372425c72ec2497

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmwu1ygx.cmdline

Filesize
174B

MD5
f1a633811ca99ead74817ccb10e260ec

SHA1
96100d9bb8965a19363e51b0d8dd627b2f29ebdc

SHA256
a2c14b48228c58d62ecada2966f5b103329d6e92057ea78c6546bc79c936bee8

SHA512
2de1c124cc8c9b14b73c1ed143bdba68ed0562fb663e954b7bca26bbd8b62034ab2878086a6fc2c735f3310b49b3b6af5eba534c5f43fe897708f9ec2ececac3

Download Submit
C:\Users\Admin\AppData\Local\Temp\z-vhldcd.0.vb

Filesize
271B

MD5
f4df20e7a7eab798062c060b3af91607

SHA1
3c503186d0aaa6c5307d8c0757efc75d84a74051

SHA256
11c8faa798c33d98f1d85092cc52ffe7c6779ac9514573ab5ee8f693ddd7a2ce

SHA512
c5741e1e170ad450b763bfb715709579abf216ff920db4b0004502c7207ec4f97940e8a9a4ccb5850a90dad89315fde80b9674792cb7e0f4b5e4b48cf7f9023f

Download Submit
C:\Users\Admin\AppData\Local\Temp\z-vhldcd.cmdline

Filesize
156B

MD5
e2adb96ce66bba8e7702bceb34b29aab

SHA1
053e73b6c17a8105f1a6517533339e84e5bf7351

SHA256
086b5b5219fa1a722f023d61a4c5636b913616eeb9d6ccc57e24ca0d8ce1e228

SHA512
6e2427c00e05666416ad08fbab0329adf8c6dbf9a436147d7aec02036bd64389348228bd3b73b67844080917fcccd7522dc8fb2a1e1ffc27a6e67062b6b288ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\zpxdzjjo.0.vb

Filesize
285B

MD5
36dec6c894af5ba982846e27dce1da21

SHA1
553bf67b97d9150b99ccd8e950c381f21dd4a43c

SHA256
7a9414b12f9628abf0a42999e4c954ec5151f719ec34812a7b18824e7994ffec

SHA512
821d6c5f565761f837bc97b94830a7d55bb6796ba531078195ebaaeee6b050d88a8e97fb45138277ae3d09da3c8ae36d28a80643425c57e69afc28222b01b1fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\zpxdzjjo.cmdline

Filesize
170B

MD5
b1361ddc507b19def01a02b1b4e5497a

SHA1
369a293658a330e6b781bf3b0b5132dc3d3445ca

SHA256
a15d46036517fc56504c898f599c46cfc1a6ffc02232bd0dd2602cf37821f3aa

SHA512
a6da5822343038ec2b654e9cc7746c96384bd12a51d22c386f638298f290d342c21c973c9e1c2ded74f0f3b63a49cc169eb6b543fe171932dddc9d0f74635967

Download Submit
C:\Users\Admin\Documents\taskngr.exe

Filesize
3.6MB

MD5
559a0f99f9f896e2c54a8e565592966b

SHA1
0cd2f8dcfe72649b04c1508aa900cfd4f8f13460

SHA256
68ce3565bb806ee7bbda7256c0270333f069f6677850c9ec2511404602643f1c

SHA512
6349d566f1df3eace2975b193cab125e54480a0e145e456e8972c25de412458d0380d6d79630d7fffb9d6112dfa1d6669550d26dae61884b08da1e283248d7cb

Download Submit
memory/740-21-0x00007FFB42A70000-0x00007FFB43411000-memory.dmp

Filesize
9.6MB

Download
memory/740-24-0x00007FFB42A70000-0x00007FFB43411000-memory.dmp

Filesize
9.6MB

Download
memory/740-22-0x00007FFB42A70000-0x00007FFB43411000-memory.dmp

Filesize
9.6MB

Download
memory/740-23-0x00007FFB42A70000-0x00007FFB43411000-memory.dmp

Filesize
9.6MB

Download
memory/1356-6-0x00007FFB42D25000-0x00007FFB42D26000-memory.dmp

Filesize
4KB

Download
memory/1356-7-0x00007FFB42A70000-0x00007FFB43411000-memory.dmp

Filesize
9.6MB

Download
memory/1356-20-0x00007FFB42A70000-0x00007FFB43411000-memory.dmp

Filesize
9.6MB

Download
memory/1356-5-0x000000001CA10000-0x000000001CA72000-memory.dmp

Filesize
392KB

Download
memory/1356-4-0x00007FFB42A70000-0x00007FFB43411000-memory.dmp

Filesize
9.6MB

Download
memory/1356-3-0x000000001BEA0000-0x000000001BF46000-memory.dmp

Filesize
664KB

Download
memory/1356-2-0x00007FFB42A70000-0x00007FFB43411000-memory.dmp

Filesize
9.6MB

Download
memory/1356-0-0x00007FFB42D25000-0x00007FFB42D26000-memory.dmp

Filesize
4KB

Download
memory/1356-1-0x000000001C460000-0x000000001C92E000-memory.dmp

Filesize
4.8MB

Download
memory/1396-50-0x0000000000C40000-0x0000000000E2A000-memory.dmp

Filesize
1.9MB

Download
memory/1396-98-0x000000001CAC0000-0x000000001CAFC000-memory.dmp

Filesize
240KB

Download
memory/1396-97-0x000000001CA60000-0x000000001CA72000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads