revengerat | 88a0c5df4f8874254aedfe226c8e01756ac1ffc4d6e40360f70e42fc8fbe2b27

Analysis

max time kernel
147s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-12-2024 23:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AndroidEmulator.exe
Size

180KB
MD5

9e55624e81cc5bf9f40792a97c5e3c9b
SHA1

35379afa47748f022e4f23d5a499ea01e251a88b
SHA256

88a0c5df4f8874254aedfe226c8e01756ac1ffc4d6e40360f70e42fc8fbe2b27
SHA512

bac780817e166dc8203f35bd34da289b583b1cb27c26dbe38c70beb44d669949ab666ed16e6485554a2aed22a987cb5e1c6a3cf7d36d85d952d8a28808190caf
SSDEEP

3072:a3ZN9Ho17ad7R3zWwSHaqXQpZjl9SYtT22wjiAAAAAAARtvNEEEZTEEEEEEEEE1G:a3FH+7A7R3zWPHa5Tjn7R22wOAAAAAAP

Score

10^/10

revengerat persistence stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral1/files/0x001400000001927a-308.dat	revengerat

Executes dropped EXE 3 IoCs

pid	Process
2056	system32.exe
1236	system32.exe
1580	system32.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\asdf = "C:\\Users\\Admin\\AppData\\Roaming\\system32.exe"	system32.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
3	2.tcp.eu.ngrok.io
15	2.tcp.eu.ngrok.io
20	2.tcp.eu.ngrok.io
40	2.tcp.eu.ngrok.io

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2292	schtasks.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3056	AndroidEmulator.exe
Token: SeDebugPrivilege	2056	system32.exe
Token: SeDebugPrivilege	1236	system32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 2996	3056	AndroidEmulator.exe	31
PID 3056 wrote to memory of 2996	3056	AndroidEmulator.exe	31
PID 3056 wrote to memory of 2996	3056	AndroidEmulator.exe	31
PID 2996 wrote to memory of 2972	2996	vbc.exe	33
PID 2996 wrote to memory of 2972	2996	vbc.exe	33
PID 2996 wrote to memory of 2972	2996	vbc.exe	33
PID 3056 wrote to memory of 304	3056	AndroidEmulator.exe	34
PID 3056 wrote to memory of 304	3056	AndroidEmulator.exe	34
PID 3056 wrote to memory of 304	3056	AndroidEmulator.exe	34
PID 304 wrote to memory of 2684	304	vbc.exe	36
PID 304 wrote to memory of 2684	304	vbc.exe	36
PID 304 wrote to memory of 2684	304	vbc.exe	36
PID 3056 wrote to memory of 2228	3056	AndroidEmulator.exe	37
PID 3056 wrote to memory of 2228	3056	AndroidEmulator.exe	37
PID 3056 wrote to memory of 2228	3056	AndroidEmulator.exe	37
PID 2228 wrote to memory of 1084	2228	vbc.exe	39
PID 2228 wrote to memory of 1084	2228	vbc.exe	39
PID 2228 wrote to memory of 1084	2228	vbc.exe	39
PID 3056 wrote to memory of 568	3056	AndroidEmulator.exe	40
PID 3056 wrote to memory of 568	3056	AndroidEmulator.exe	40
PID 3056 wrote to memory of 568	3056	AndroidEmulator.exe	40
PID 568 wrote to memory of 264	568	vbc.exe	42
PID 568 wrote to memory of 264	568	vbc.exe	42
PID 568 wrote to memory of 264	568	vbc.exe	42
PID 3056 wrote to memory of 1992	3056	AndroidEmulator.exe	43
PID 3056 wrote to memory of 1992	3056	AndroidEmulator.exe	43
PID 3056 wrote to memory of 1992	3056	AndroidEmulator.exe	43
PID 1992 wrote to memory of 532	1992	vbc.exe	45
PID 1992 wrote to memory of 532	1992	vbc.exe	45
PID 1992 wrote to memory of 532	1992	vbc.exe	45
PID 3056 wrote to memory of 1820	3056	AndroidEmulator.exe	46
PID 3056 wrote to memory of 1820	3056	AndroidEmulator.exe	46
PID 3056 wrote to memory of 1820	3056	AndroidEmulator.exe	46
PID 1820 wrote to memory of 1640	1820	vbc.exe	48
PID 1820 wrote to memory of 1640	1820	vbc.exe	48
PID 1820 wrote to memory of 1640	1820	vbc.exe	48
PID 3056 wrote to memory of 2708	3056	AndroidEmulator.exe	49
PID 3056 wrote to memory of 2708	3056	AndroidEmulator.exe	49
PID 3056 wrote to memory of 2708	3056	AndroidEmulator.exe	49
PID 2708 wrote to memory of 2076	2708	vbc.exe	51
PID 2708 wrote to memory of 2076	2708	vbc.exe	51
PID 2708 wrote to memory of 2076	2708	vbc.exe	51
PID 3056 wrote to memory of 2412	3056	AndroidEmulator.exe	52
PID 3056 wrote to memory of 2412	3056	AndroidEmulator.exe	52
PID 3056 wrote to memory of 2412	3056	AndroidEmulator.exe	52
PID 2412 wrote to memory of 1520	2412	vbc.exe	54
PID 2412 wrote to memory of 1520	2412	vbc.exe	54
PID 2412 wrote to memory of 1520	2412	vbc.exe	54
PID 3056 wrote to memory of 1920	3056	AndroidEmulator.exe	55
PID 3056 wrote to memory of 1920	3056	AndroidEmulator.exe	55
PID 3056 wrote to memory of 1920	3056	AndroidEmulator.exe	55
PID 1920 wrote to memory of 3020	1920	vbc.exe	57
PID 1920 wrote to memory of 3020	1920	vbc.exe	57
PID 1920 wrote to memory of 3020	1920	vbc.exe	57
PID 3056 wrote to memory of 1996	3056	AndroidEmulator.exe	58
PID 3056 wrote to memory of 1996	3056	AndroidEmulator.exe	58
PID 3056 wrote to memory of 1996	3056	AndroidEmulator.exe	58
PID 1996 wrote to memory of 1912	1996	vbc.exe	60
PID 1996 wrote to memory of 1912	1996	vbc.exe	60
PID 1996 wrote to memory of 1912	1996	vbc.exe	60
PID 3056 wrote to memory of 1312	3056	AndroidEmulator.exe	61
PID 3056 wrote to memory of 1312	3056	AndroidEmulator.exe	61
PID 3056 wrote to memory of 1312	3056	AndroidEmulator.exe	61
PID 1312 wrote to memory of 908	1312	vbc.exe	63

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\AndroidEmulator.exe
"C:\Users\Admin\AppData\Local\Temp\AndroidEmulator.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\m3tieoag.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES11.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc10.tmp"
    3⤵
    PID:2972
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xjraxyhy.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:304
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES149.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc139.tmp"
    3⤵
    PID:2684
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hczi8g_a.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2228
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1F5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1F4.tmp"
    3⤵
    PID:1084
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mfjwptdc.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:568
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES253.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc252.tmp"
    3⤵
    PID:264
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jfqvmmnh.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1992
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2CF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2CE.tmp"
    3⤵
    PID:532
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ym9xqin4.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1820
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES32D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc32C.tmp"
    3⤵
    PID:1640
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bvckcziq.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES37B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc37A.tmp"
    3⤵
    PID:2076
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_a9ebwvz.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2412
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3E8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3E7.tmp"
    3⤵
    PID:1520
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0csirk35.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1920
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES446.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc445.tmp"
    3⤵
    PID:3020
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\z3oclu2k.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1996
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4A3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4A2.tmp"
    3⤵
    PID:1912
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qfwnk9gy.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1312
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES501.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc500.tmp"
    3⤵
    PID:908
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wm6dq5br.cmdline"
  2⤵
  PID:708
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES54F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc54E.tmp"
    3⤵
    PID:1780
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\idgrpdzt.cmdline"
  2⤵
  PID:1732
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5AD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5AC.tmp"
    3⤵
    PID:1616
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\svlspgzy.cmdline"
  2⤵
  PID:2980
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5FB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5FA.tmp"
    3⤵
    PID:1612
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\d0x_eic0.cmdline"
  2⤵
  PID:2540
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES668.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc667.tmp"
    3⤵
    PID:2748
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lnhyitns.cmdline"
  2⤵
  PID:1968
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6B6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6A5.tmp"
    3⤵
    PID:2880
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\addskcfr.cmdline"
  2⤵
  PID:2884
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES713.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc712.tmp"
    3⤵
    PID:488
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ihrcejag.cmdline"
  2⤵
  PID:2852
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES771.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc770.tmp"
    3⤵
    PID:2624
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lo3pmhb4.cmdline"
  2⤵
  PID:2728
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7CF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7CE.tmp"
    3⤵
    PID:1948
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\p7w83xvv.cmdline"
  2⤵
  PID:1824
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES81D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc81C.tmp"
    3⤵
    PID:1756
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vyjqmyun.cmdline"
  2⤵
  PID:1108
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES87A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc879.tmp"
    3⤵
    PID:264
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cufjeioo.cmdline"
  2⤵
  PID:1908
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8D8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8D7.tmp"
    3⤵
    PID:2356
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fgrgzfbz.cmdline"
  2⤵
  PID:2508
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES926.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc925.tmp"
    3⤵
    PID:2800
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cact-rdz.cmdline"
  2⤵
  PID:1980
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES974.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc973.tmp"
    3⤵
    PID:1628
- C:\Users\Admin\AppData\Roaming\system32.exe
  "C:\Users\Admin\AppData\Roaming\system32.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:2056
- - C:\Windows\system32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Client" /tr "C:\Users\Admin\AppData\Roaming\system32.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2292

C:\Windows\system32\taskeng.exe
taskeng.exe {692CED87-6A9D-4ED7-8130-8A22D5D42EF8} S-1-5-21-3063565911-2056067323-3330884624-1000:KHBTHJFA\Admin:Interactive:[1]
1⤵
PID:1828
- C:\Users\Admin\AppData\Roaming\system32.exe
  C:\Users\Admin\AppData\Roaming\system32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1236
- C:\Users\Admin\AppData\Roaming\system32.exe
  C:\Users\Admin\AppData\Roaming\system32.exe
  2⤵
  - Executes dropped EXE
  PID:1580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Launchme\vcredist2010_x64.log-MSI_vc_red.msi.ico

Filesize
4KB

MD5
ce45fbf7c5fe46598627f56ab4b6c99c

SHA1
e0f344ec6aaaed70ecb1f40e74876316233c06b6

SHA256
68792990a84b5c3448ff99c952444ee0d02c1877cc3245e5ae7aa4023c2f2440

SHA512
f6929b1af23f4f960340cd0bc8158a861fa752f7acaeec47c2dc3829bce2367f5afc901f1ae358a1ccda02d8acb529487d36eedfeac1c793bfd49d6b4aad407a

Download Submit
C:\ProgramData\Launchme\vcredist2010_x64.log.ico

Filesize
4KB

MD5
e69bd49fffc2d6799ce66c2ae6db27bd

SHA1
6975a39f2ebfdab8ed2697d1708bc5d3e5353c0c

SHA256
33437d4fc42ab9380d430969c2d194e6737217ec838223392eb9690f0a79637a

SHA512
b9a931802f9adfefa61d15381873556afc8a605dacfe2703505394c24f1d6214183029c6d28c67b6cfdc79fac7961afe26e4cccdddd9c4d0461deee7a090f4cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\0csirk35.0.vb

Filesize
381B

MD5
585b11b5f123156e34fef98efdaca8c5

SHA1
20b15d391e07a3db9fb881513b47ccf5ffac21a2

SHA256
18057bbfd104be0ed6c42ae1554533fba0ad17aba2c5c229eb5325baa1f6c260

SHA512
4bc92283c511fa21fb9cc7a495a7ec46746638e47b9456310dbc22442acc94b312dc9248840b48c6a48b1535b21274ab3f4122dd39bbdd921f4eeb5f18bb0f83

Download Submit
C:\Users\Admin\AppData\Local\Temp\0csirk35.cmdline

Filesize
266B

MD5
8d13a3446e2266904c337392dc7fb2d1

SHA1
855444879b14cb1efe78692683531a288e574f15

SHA256
b1f7d8be5ced70742180ac62012884f48b9294eb39b6b99b757e7fc714db4abe

SHA512
2e21e6fde31efe3281c35d4c4ad46c74239679490ad6f58b7642e5a852fab8a96dc06ab7c5c4846644b3a5f7a149bd9a06ebbf7cbff3f318ae9b291d295fb82c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES11.tmp

Filesize
5KB

MD5
56883de0d0c412c53502666d957d2170

SHA1
86f415e1002cab2747093c3c124d3511fdb3f45a

SHA256
b2bdeb7a09d69575ffb44430ee0cb8ad44dfc64fd5dda48329f112b68ddeb9ed

SHA512
f2150db461a8ad4f8d4e2a940d6a423b642413be9826afdad84fbc7029603602a90180ced27ab1c6ba33821d27b4567b2263f4fe45f33ffe534f6326e33c9a05

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES149.tmp

Filesize
5KB

MD5
f41635a0d822e7bdcf8a0dcf0f7efc9e

SHA1
46e0191a10c7e778c269609eb327287d4400298b

SHA256
20866bbfaa51950dfe8b682d0d8a0ab59ab8be11e446d02a551ded2ea586dea4

SHA512
1184a9085b4408407ddb6399aacdf597371f24aa07470d2da57efbd27b968ae4ef66f5bc8e17db5d651f6b8827c2784c99826fe7436f34f425e63be46d7dd98f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1F5.tmp

Filesize
5KB

MD5
d02f45d6ff8e8f49432dcac929dd1387

SHA1
00ab21bac65e07b232d21a90714e67b09cc3752f

SHA256
2c476a87374f3284d1f5d50a21d16065e21c35b01050a8ebb46543e4927426e1

SHA512
d8b6f348301f45b0fb1b101ac5b48fe2396ade26a6bc196d5b083c2b4ddab50d1f32e96f5f7aa1327ef21cf3f54b50f98394ff2171ce0133bc7975632620190a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES253.tmp

Filesize
5KB

MD5
0e5a959fd598af08140f7e63523c56b6

SHA1
3c56c005a4ee036f0fd0533131aa43f8f6c31579

SHA256
9d6bd732731a01a4357221f77b6cd9f33e48def4020bb06bf3b08e91bf10c762

SHA512
bf42df19a925bf17440f99c0ea4b49cbf125c0205697dd55230f4799f3d71e2ac99d17acc501882fb9a775635a0cbc2fa15ab53590751f2b6d5971706d8abd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2CF.tmp

Filesize
5KB

MD5
d23f4db33ee4fce04a326f1029af29aa

SHA1
8e206cfd311a952160f3a25753a573c519f7944f

SHA256
085a5af44deec9326c6f3200ebeb80c69c946cfaa7b6b848bd36dc91c97ea84f

SHA512
f2f9afc13411f331b96583ade423a2a151f41b18a6834fa14230f5266064db30229425f0e1d98d18e54f16f23af3822ef61737c9f6c282a820b43b6efe603be5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES32D.tmp

Filesize
5KB

MD5
890d5585ee288792425a8d9af7c2ee79

SHA1
3e060995b88cc0f5bec21451e97a9204bd70934a

SHA256
445614229008902dcd49a85ef8887d6adae0b3bd739233d419e8d521b90d9aa9

SHA512
ba77d76d108465d154dc1435c19ef0da7840250adcda1bdc2f62ae2289eac64d34f614b978ca7db4ca6a55022ce8ed8330eb225346d94adc681d46b2bc5d9d74

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES37B.tmp

Filesize
5KB

MD5
fdedb565523a2c8454898f772ae5f1ea

SHA1
96d4492fb7f21f68510192aa1716391f58ef1278

SHA256
a268fd01d587a6a7276f98235b023885d51d56018c72f357f0434a0702437a91

SHA512
d5fa44d2093016501c15a46fadef5ad593de2a73a9d40dac92058bb6271ad9d55b57303a30445dde818b7a571bf276888e5f69332435e4e33646cbd65f4cfdbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3E8.tmp

Filesize
5KB

MD5
d7214026ec04ed868a89ef2e3ff15eb1

SHA1
5fbe651412672753943312d672101d005d4f6dd6

SHA256
e9c9d9e493080b427a58aea05e52238df124142cd534647178fd94ef15954a9b

SHA512
335391eafbdd1b4d61e4d75958fa52aef7b0b7efc9a12e3250574befae616f105b79cc4d85cfa346ad30c35874c5db51839534c74f8d7d65d3e8719467f98eca

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES446.tmp

Filesize
5KB

MD5
d8785a18dbfdaab8a7b85898ec0bdd7f

SHA1
f3502f2572bf0db6b2f0bc657252464d7df99f65

SHA256
f16db871058d760a1c066e7b389328014ae1e1aae3327015a408a86ed74d79b1

SHA512
89bd919b398d469f8e415a18ce5bd69ec31e9b4f4ebc7c51f5af96bad443225d92ee93fb15b4e6360f3e8f11ef38fc69a807f4cf6015b80d510f4e05a5761ccf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4A3.tmp

Filesize
5KB

MD5
e0bacb0028492f0b53f2c402630fd8c9

SHA1
59f511521664dcb518746de22925bc750b6718d2

SHA256
30ea4f98341281b9c68274d09e3022ca4d1bec2b34b9ac81ce9699642ad0399b

SHA512
39621a585ac11e01570482fe367ce18958995aad88b40fd3935bff709336172b30f7b309bc8973de3ef84e69ea5a8ab613020f1fbf6ae07b219ec23c188bf449

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES501.tmp

Filesize
5KB

MD5
842893eeb14252547702f8a45f789f07

SHA1
3ed08bbc6a64efe146b0a0a9d26073289eece233

SHA256
b6b9ba5039ce51c98ce4e349b41f130bd73bc8012ed484f0d45fc9350caa3186

SHA512
864eaed904b73d971c0a3ad87e870709913a14812dff0d2ab494ae3a8959c3395a6007fcff349980520a0fdd7eb86ad4a433ea00c2552ded790aa97bc1c9cdad

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES54F.tmp

Filesize
5KB

MD5
50a2c7703b35d01fbe1288620af65210

SHA1
655a697545a5985f32469727c4837cce65666039

SHA256
ba7c57f61f51b8e86eaf54e8a7a847405e675fd35e2586c1e68c71c1c9959773

SHA512
33a7e6da0414a68ba70581108b74af2d5d6623dc9a153ddc106e568657f1e325eb2e77721295e03d3e1bca6a5f1c4da5d1818f8910576bd553be41c6eabb9805

Download Submit
C:\Users\Admin\AppData\Local\Temp\_a9ebwvz.0.vb

Filesize
382B

MD5
bcc8d51738006c58333df732f34f5ac9

SHA1
519db0699d028b9e61512c821e58b0517f30f6b6

SHA256
17d1e1bdaa458eee6f56f98d84d36d00c748e298ae6a7a237bed98f7430dd228

SHA512
2e659e39a4077d52d297973bfa9f808f9edb2091f629920225e87777cb06332f16c7a51c6dacc27e189a4286aabaf245bc2079dc5f2a8c84672faa6634c834a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_a9ebwvz.cmdline

Filesize
268B

MD5
fd08121cd075bfcc8735c8a56629f823

SHA1
1abda5c8503eef6497a597b1b3ea95c9f868907d

SHA256
86b0dbe7dd88b55867b97d181b0a9db5057d6e1aa5ca5c23b9396f67937c55b9

SHA512
76ea20a259b3a58f2c278905a8c581cfcbf0491efb6067a801fc24876c1ed24d3c740be68efe4396e61e3127518c273d8d5ae2a4c2038eb964374837367fe450

Download Submit
C:\Users\Admin\AppData\Local\Temp\bvckcziq.0.vb

Filesize
379B

MD5
06b7dbf132b8c6dfd5d95368a26b5594

SHA1
ecee66e42a6db1b745d345853fb077b1a36030b8

SHA256
6578cb2a32d33ca2e91de2362a9d5ef5274ab715f97524de9a57a5e37920a816

SHA512
b0c97ab2877a30f815a0bdda1038629ccdc92017fd0f73a769de9d858601178ccb2ce81f059ca000867775aeda0502a9b6739cdedd2286d441a6877cc26f7676

Download Submit
C:\Users\Admin\AppData\Local\Temp\bvckcziq.cmdline

Filesize
262B

MD5
40969e1b79f01b1574da1b5996b893b5

SHA1
faaa45a028eb113ee392c3df382b19f1b59977aa

SHA256
6d3ec032588fc94a8febb0fa918e2df3b7b85b985df0ae133accdd4b394d1ddd

SHA512
1a96c3730e659223b43cd137613957de34da81a98ea023016f0db3c34970915006f325e3dd11422a3be86d44f6cadff0f7ee625fa7559dddd7aa88309af7cf2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hczi8g_a.0.vb

Filesize
375B

MD5
ec78c366bd4cb158277ce576d96a92ef

SHA1
893532126e629cd9af974afdc69849256a0f3246

SHA256
f56a514e4c02bc579d7a51631f40a5191028c767d2587ff401469131d400a5b5

SHA512
ea63dfead8c99859367d7e2676ec02bafa00e2b353bc34879c224e28374132f6258c996d3b9a44305838acf6a0aa773a87ce0636971c7d236deca8a1a4ce4d4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\hczi8g_a.cmdline

Filesize
254B

MD5
934a11b71ba86557a20142624f425082

SHA1
262a02ee9e9d96cfbbbd7d735573ec47af4261c1

SHA256
1834af0e3e135c5328cddf398e00c9d471d723306a80d67859ab2b9d4a20033e

SHA512
4da5f29833f13b8621f0b49764fdf28540fc35568b41c0235be90aa0b7a68c8c365e240cb29535a8dfb8e5950610e94f6580bea616185fc4774e219df1f094a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\idgrpdzt.0.vb

Filesize
381B

MD5
aff3b3059df4d030d3a602ded3ae70cf

SHA1
56f5cf2833c2f36ee17a5aa33e5bbe0a2f14c5a3

SHA256
c0d0d39013fd1a4207eb65e9a8ff40a699c2597828618e931b43aaef662b19bc

SHA512
cf1dca332b9f18bb552542622bf4dbdb75bbf534003a868ffb71ebaad3ab5d12b03f3bbadb7d7932521a1f5657c9d400745fd67806c2f447da458b460124a3cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\idgrpdzt.cmdline

Filesize
266B

MD5
d8f987b7b6d4678e52fbcdd663a3b3ea

SHA1
cb22b81b71df2a7f7276a5b0de2f7c30c7ee8e7e

SHA256
210457e1e08fe403c27f5d580aad84294cbbfba58948065044a9a5a0f4d12153

SHA512
599489958bfc2453767a107b8b3efd10aab2d8955233f0a6f8d686759599550bdea78e528db4be7881a7da50cbf66a635dbe7fa2a0c9fd63806cc288c0bd7c06

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfqvmmnh.0.vb

Filesize
379B

MD5
86b30977d2097c93fb79cbce486ebdac

SHA1
332b8044489f13879d700ae668c2b07b037ecafe

SHA256
29463ebf57229d3ed0ed85a660d1babc744530a86dd313e25f5c3abeacfb515d

SHA512
bafbf1ddf102fddc494de0e384611112ca7507a1feb2f874c995042235772aba964e5d15fe1db2c4e133b361a3e89de7690903004e647edca8f573ee3033f30f

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfqvmmnh.cmdline

Filesize
262B

MD5
5bcd40e7e7f77adbed82474e87d280a2

SHA1
7496d39121cb1ce2b6172a0134f2a74732381bdf

SHA256
e71f8b9f98441e0d4618f6a38c61aded4397246f43331f9b63565495311366ef

SHA512
857782c1a12968cb9ee5364db678639bfb9b695f25ab7f9416247394ab2eb9e554ea9a6b6b501e4be9bb164175be04c42b7be177bd8da5c63dd30de4189f7b2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\m3tieoag.0.vb

Filesize
375B

MD5
e71c81e15e4270170129c28b320a0bb2

SHA1
4640f2d2d2f47847bd9e0407f88ca0c441040c76

SHA256
1355b8c0ac0ec8732e2b1de75c7d48f1519852391caf430b0aab8723e461bbf9

SHA512
09e5ad32b28d3fdd2a50af86470613c777baa6e78421e65201cd69bab072a596c6f9dfd52d4de1f2c9119d3d694a160dc0c92622946f77b84f675af64b349015

Download Submit
C:\Users\Admin\AppData\Local\Temp\m3tieoag.cmdline

Filesize
254B

MD5
4bd4109803de1a97ccc755974c471bc7

SHA1
e3806bf54e1a55daad745dca43f0821fc7ee6ecd

SHA256
6c6e4221c3856c5f5a4d254c4d05ad6eac858239237cc868b500e7cfdb3b6802

SHA512
59cb6fc4ef596be96138d308ae910e977ec49332b3a38caa32f037f49668ac1394781ab4cb6a4b50e9fb8a57b4b5000013fef5f63852038df702b1640c361dd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\mfjwptdc.0.vb

Filesize
361B

MD5
62a8d9c60af03d5e5326e7260eb3d15f

SHA1
124c378c316b9fec76307c7468d2695d0502e9b1

SHA256
839e9d331b064eac4bbbcbe3f147f6cf4734a59d90974f129c38b8e21b4a93d5

SHA512
3866867b8754b90aa8e2ed8cd41eae1721ae6b6098903272905096f8ba229d06404808dd9ce6cebdbc8a7dce3997113c55494632f279c10ed811cb8455fa4fd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\mfjwptdc.cmdline

Filesize
225B

MD5
18ff4f5d8a7ebc2c730c875590201899

SHA1
32428b49de2a4e7bc078ab24979e9bfcdaf81b0b

SHA256
b3f70b66d412c8511682fc670661a13be7f24581d0e55e40bee17ee8abbcee1c

SHA512
bc1198d0ab81b8ec5b60f42c19753fe37068b3729234eb85e271ed12445e93b7002ddfa6649e59096e32e18712594fcc1e33485ae6a0dc2169030207f543778d

Download Submit
C:\Users\Admin\AppData\Local\Temp\qfwnk9gy.0.vb

Filesize
381B

MD5
7a97aaebc0cddbff1780ae5a236e69e4

SHA1
a60a98ffaf71bda311a4ab29a3dceb3e0484ddf2

SHA256
c97014c56bbe6b415d1c320eab3a094309233bda948fd51076ba3226a9d09794

SHA512
24687653a0cab80447b6f35173130fe3f1b993e14750ca60df6b736fdfdd16c5e7a970aa714ce7809736b61ae215b4efa7ccf06b89d356ce7ddf77019981c4de

Download Submit
C:\Users\Admin\AppData\Local\Temp\qfwnk9gy.cmdline

Filesize
266B

MD5
a1e9b0ca589810721c21a982ab6e92cd

SHA1
c946f4b88b13e7959ffc46cad8a414ecd89e7395

SHA256
f0db1e81efce78e23d0cc85854f02a43439c0abd575543a6eb097bd6ccb79c23

SHA512
fce3596ca4e354acbcf215fef1a6bf02b1f6add0adf6718cfb3f0a5fa04674839ac6d0e57c2b39b13305945543419106ffd45b32832999bc36836a2ae0c12e7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc10.tmp

Filesize
5KB

MD5
a5cf00e70f60fd1d4b8bb33c45f4763e

SHA1
50ec536ba201d1664c092ca5bd1e7e3222540492

SHA256
99cd2d940e95b92ad762e873a1540e6851bcebeecd94e94bf1db3c5213c82a29

SHA512
4421a7fff2b792bde5fa908d726bc5b913db78c7094447fa69eb304d870f58141f275bef216049e1ff35e5a6d3aebd2394ab1bfaf7ffae85d1e0469436591295

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc139.tmp

Filesize
4KB

MD5
e9c8dbe39ab574abff7873801cd00dc3

SHA1
b81aff13588ec0855ea8ac41158a293122b9e4e5

SHA256
b5d5eda90733013f611157f98ff8834fc4e1a3d8ead864a0e8fc6de5a126233a

SHA512
8bdb4b4faff6a00b955ac36ba533199a43aefa421d068cae5814da93515da2d03a4d4113ddcf5876aed76b31b75177920c99c819496038df219084614c00090e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1F4.tmp

Filesize
5KB

MD5
8f2093f746e789cc99afa6d5546b0d44

SHA1
2f4811bc3b1a7fb5b6820974b1f5cdb382c04cba

SHA256
bb0c3ce0c2be2be8b7e8cee78820b44212e71e911eb1275926b7c9b995a8d4f2

SHA512
4e2a29b786de2ecf3d31e02cbca40811de8636ab3d7559f061bc58616844dd51bbf8cd05172760e7df7fad9d830cfaae55884544a89f092b92d5fdea857216a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc252.tmp

Filesize
4KB

MD5
2bbe7a0d228441575664077eb84ec2d7

SHA1
fe35750763ee3f97cab239d3cac4eb4ba02aafab

SHA256
775bdcfccbdb0469398208185ca7da0d036f73e471b3d0f6de2d216f26a6cb22

SHA512
cae7f9dcf16f0be64a8bfbf3d99ea73ffbefc7d8f1a0f0de0ffe7c76d110da6fe9cb86ee3155f665a6168b9ae5094a8e4a913a6370a86a013ccb5fc7caa3a69a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2CE.tmp

Filesize
5KB

MD5
ad1f2b2bfc0451a8554dbb2115cd91db

SHA1
dbc92827de48159802a4ae97bda1458040f93cc6

SHA256
ce82362f945de65e50d129ceb5a6ca47ec5aabde694704c0d082c8259ca79eef

SHA512
6065b0177bf127f2278c9bbef1b49087811de5e00966c916ea36c4200285d8d59d1748af99c3c5ed8688bdbea2f39e2df110d4021d801a2eef697bea1cbbb9f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc32C.tmp

Filesize
5KB

MD5
e7b00792b803b6230c274ce80fd8d777

SHA1
6577866d9822b7455a28dd275518e481d4053c53

SHA256
3fb55d652bf5e2c31e282e0eba9ab2e52b38b12ac042df66fdcba8002f0922c3

SHA512
71b068ca7913ba74afee76b25aaa2bf40765b718490789a1e292299edec2ef31f0c8045d8b4f7cdd39b8348f90cb359479ace16e0865bc31ce345ab4e7fb01a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc37A.tmp

Filesize
5KB

MD5
c4f96babf9ca815db7b3c1427aeeffcc

SHA1
5e1f1644fcdf8c8d50d58b87a8afea8b240c87aa

SHA256
c06c553c39510cbbd234b63701d4305f89e746c99ec33ad7faf4d8c0e2ac736b

SHA512
74d2f7b741f404c043289225f664e75dfbe8af2c35caab76123344c8082a50ccb024ef06dcbc997bcde3f56c777b40bd68cb19804c3b26e5804befcb1632ba24

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc3E7.tmp

Filesize
5KB

MD5
e2a9bffc2c538fc8e028243b2430d86f

SHA1
7bd2a89305dd2715aaaceeeef6e19ea689ba0db2

SHA256
8f9783012c39ca37caf6d17a0dd9fee56c4f30b2da26fc85277a8b5231ae49c5

SHA512
d7b001a32ea610028e1fbafd72342d5d4aaeda434b9ee7490e306dbc5f8931998048f8dd67e002d156e745e8bcb55edd59119e57f91fde7e1505b7ce1e28bae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc445.tmp

Filesize
5KB

MD5
98a71cf815a1acff897290c8548d2d7e

SHA1
cf67587f58776f930471c2ba8827292a6d9d2d04

SHA256
68f3caa42e9eca058fd75b06da9d058a662961872ae90501b7049d37db24c969

SHA512
587ebc9176108ebd855262d47d9c940b493b40fcc95e61f561a2bf85a40856d59a0a0ded9087b5b0d397b1a11c73b69a22d2f10392e32c921c6de2f044e9e540

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4A2.tmp

Filesize
5KB

MD5
8a989a966ff8dfeb18bf564a3685dd41

SHA1
e24fcb110e6659c7bd17a65ce397d5091fc6058d

SHA256
3fff1b7f2c4a131309f2a25210bfc65f31a6509c3ce8c176756c30e5ad46b5b4

SHA512
98621c51a031dbdfee45f4785ff3336b0fa198a98a3e044487f0f2d7c7b4cd16332110f2ef82f33da3cf4925b2dc42173e3c984f39f6885a8f06cf3c3c6f6539

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc500.tmp

Filesize
5KB

MD5
7be012bbd7d9b0419c66303aefaa10a4

SHA1
757c8c9ba68d36abd5f819c647cfa917eed5b92a

SHA256
f5297501b46ac2b636e728ead6986efa401bdf7332181b43931c31f750366a1c

SHA512
c45ef1a8e2513d420ddc59cc22e89e37763319dcb186911da59a2c3bd35e20c481705ca30c934161a143ee236321edb2e312b2db6c95bacff65285c81bf04ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc54E.tmp

Filesize
5KB

MD5
e183c31473d9d4f7c12bd608823a7cb0

SHA1
40efb266e69ad1f2a8dc24e2327a765b0dbdf2a0

SHA256
3182576f65803b4fce908141246605c1109a28f9d24c706251eb8ff0ea804583

SHA512
35a2a2f818d747e935e7916b4c258682bef2bacd9054afc6c20931c21fff2b6b6fa627e04fe9e08c85c1784832ae58f32cf866e43dba50cea11bd305315557ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5AC.tmp

Filesize
5KB

MD5
07d3829a0c20e36116d8a4db254e0f80

SHA1
4ff677aba2a15fa2157372ead32dbc854d744540

SHA256
339b1a430be1961c0fc659926afedeaef5f02accb93f5d6cadfab94062129cae

SHA512
be5c3b0cf5d519b501828b99b73dfabe98e8457b57d8bbe3ca0889408dbc01da62c1a4627ee071a5da71a65a8cac6435dfebf6e73abbca9a0e72e86adcd6ee16

Download Submit
C:\Users\Admin\AppData\Local\Temp\wm6dq5br.0.vb

Filesize
384B

MD5
5b71366bb23f2defc193e7bcf2e90dca

SHA1
b61dd3cea57713ac51b9738cd4d1eaa39fdb52a5

SHA256
bb434aef8ceb044c2f0b24260f09ce2b94c9623ba29f946f56acf1f378fd1d10

SHA512
91794fa3efd01ed0d6cdac9673f82582d7650140bfe51091ada07b8c38480719fc9b7dd956279dd27cec8922cac956ed0c9260056a5a4bdae54beecc5f87b678

Download Submit
C:\Users\Admin\AppData\Local\Temp\wm6dq5br.cmdline

Filesize
272B

MD5
b677048a775b0376b5037d3c7e7bf82e

SHA1
b84073f9a86555bb819e1487db5e60b3f7a020e1

SHA256
91d12b05fe273407a536cbc02d6a3da3d5984cdcc41624287b80a7da1a4ef13b

SHA512
47546be068a4f0fdc1036a4e5f4e24c946679a41d97ca979641690b388be1aeda1c4b1c19b8e3930ddd16c329b64932c97912104b2c6367dba91299cef4d521e

Download Submit
C:\Users\Admin\AppData\Local\Temp\xjraxyhy.0.vb

Filesize
361B

MD5
df33de033f398fcd306d76211314a95b

SHA1
058168c3c8979a8c17b55c7e14bcc7512afefd6c

SHA256
ec9fe03832ebac1f44dba756e941f5940d067d2eac41d1bd57565d2916cc878f

SHA512
342e59a035a3cf3f3118a9c600fb2d404baab4616bd4a363195f10b549b0b8768f1c908c5e3e42b576322d9b8f589e3a3f87c1a9ffeceee8a53f0e11a4e9af77

Download Submit
C:\Users\Admin\AppData\Local\Temp\xjraxyhy.cmdline

Filesize
225B

MD5
16f73d4787115921714916344a458435

SHA1
5805c7f8822367f2e79c753a91dd4b8dc7e1d1bf

SHA256
5296841db6cb81c86613a5dca57929705477f95527dba9b577f18d65e7e4d432

SHA512
9fcc74deba2118928aac1472e89664dfcfb85c75697051d2130b87e29c330e3fd6965864c5981f2aea7d8fb6ece599fa9130bf300bec0ccd9b58a38e688b0393

Download Submit
C:\Users\Admin\AppData\Local\Temp\ym9xqin4.0.vb

Filesize
382B

MD5
11830d9901810ac37feae182199d6747

SHA1
053aba616fbbce6ce7d431c090a93ff58a40b11d

SHA256
5acdffe2ac084dbee11903f1a17071e8a54041164265dd05b5dc7ab331512b3c

SHA512
50ce63cd380f4f2d382b1b7461aac722a8d3d73035f12780b00827211e7fb56361fe3e1149a5c5ce8c2a213f1bc673cd198b1fbf95a259b4c158ca53c465644c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ym9xqin4.cmdline

Filesize
268B

MD5
9b9173da0ac914389bced04a5c92d940

SHA1
3065cabae6b5f2706219715d14232e97fe147d12

SHA256
ec7f2e6e5eef7f1007cd56db6fabbc1adf9303493bb80bf7d7b3d0235068a1f2

SHA512
cbea10a47a192516e06a0b474b2493ec47ecbaf8d16fc5607107ce8c951bbb9029d6b226d070b4a81db4c902f5c37fce9f605907d7dc011ae6a90a5150d9da2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\z3oclu2k.0.vb

Filesize
384B

MD5
06de48df76bee4a371c265db3c83a44c

SHA1
8562f43db854d1c9d15d963c29159aa360c1d72d

SHA256
58cefd93027f60897db8cf0b95a5b9672f0ad726bb1613822c65970147de5b0e

SHA512
022c24b5b4e45cca6d7d7c984c4c95646d178587ec670e0ce7c189b6172496096737eb8ac64cb9c774ea43032769083fa4629664aeaded168542c4be835689af

Download Submit
C:\Users\Admin\AppData\Local\Temp\z3oclu2k.cmdline

Filesize
272B

MD5
32ce24dcd7ca2a8450257a2ef737238e

SHA1
c1591eb1db19f5f9dde8e0cd86008439ab2f9463

SHA256
58e936bd5c7f1cb5d42609d8965c0f525c82bdfc9ca2e9b589db8206e34a37ab

SHA512
fd221ae750add1fda02a3e64e7e1bb66a4c6722e590cd6caf2edae70359518abc2793e776a01fd31470973e9d3936afca1af46696b4c2e12b1134161b5caf3e3

Download Submit
C:\Users\Admin\AppData\Roaming\system32.exe

Filesize
180KB

MD5
9e55624e81cc5bf9f40792a97c5e3c9b

SHA1
35379afa47748f022e4f23d5a499ea01e251a88b

SHA256
88a0c5df4f8874254aedfe226c8e01756ac1ffc4d6e40360f70e42fc8fbe2b27

SHA512
bac780817e166dc8203f35bd34da289b583b1cb27c26dbe38c70beb44d669949ab666ed16e6485554a2aed22a987cb5e1c6a3cf7d36d85d952d8a28808190caf

Download Submit
memory/3056-0-0x000007FEF5BBE000-0x000007FEF5BBF000-memory.dmp

Filesize
4KB

Download
memory/3056-3-0x000007FEF5900000-0x000007FEF629D000-memory.dmp

Filesize
9.6MB

Download
memory/3056-1-0x000007FEF5900000-0x000007FEF629D000-memory.dmp

Filesize
9.6MB

Download
memory/3056-305-0x000007FEF9300000-0x000007FEF9971000-memory.dmp

Filesize
6.4MB

Download
memory/3056-306-0x000007FEF8D00000-0x000007FEF910F000-memory.dmp

Filesize
4.1MB

Download
memory/3056-307-0x000007FEF8400000-0x000007FEF8C64000-memory.dmp

Filesize
8.4MB

Download
memory/3056-2-0x000007FEF5900000-0x000007FEF629D000-memory.dmp

Filesize
9.6MB

Download
memory/3056-316-0x000007FEF5900000-0x000007FEF629D000-memory.dmp

Filesize
9.6MB

Download
memory/3056-313-0x000007FEF9300000-0x000007FEF9971000-memory.dmp

Filesize
6.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads