revengerat | d34a32b1c044553ab8b803f4370526f7a73d1cb519adcaec91b2c10efaa556b3

Analysis

max time kernel
146s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
31-12-2024 03:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_0371221c3aa1147d1009f0d0b1bf22e8.exe
Size

144KB
MD5

0371221c3aa1147d1009f0d0b1bf22e8
SHA1

5f33bcfe0070b7ac3b4d527103bb4a9385603de3
SHA256

d34a32b1c044553ab8b803f4370526f7a73d1cb519adcaec91b2c10efaa556b3
SHA512

a42bb69676da8c267a8f5b472cbba1ba408a553f919d8536f0a4e8054da914b5aa34089744301acf9eb5d993881955dda478ee2c5b663a945c8aafccef1a9eab
SSDEEP

1536:8qJo6rUcu/rbPm8J+Ud+kR2qBa5z17gm6zG:8SRw+Ud+kRBBa5yjK

Score

10^/10

revengerat ⚡⚡ welcome ⚡⚡persistence stealer trojan

Malware Config

Extracted

Family

revengerat

Botnet

⚡⚡ WELCOME ⚡⚡

xd.zapto.org:27730

Mutex

RV_MUTEX-aawrHJfWfhaRCl

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral1/memory/2532-2-0x00000000007C0000-0x00000000007CA000-memory.dmp	revengerat

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service Host Network Service.exe	JaffaCakes118_0371221c3aa1147d1009f0d0b1bf22e8.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service Host Network Service.exe	JaffaCakes118_0371221c3aa1147d1009f0d0b1bf22e8.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service Host Network Service.exe	Service Host Network Service.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service Host Network Service.exe	vbc.exe

Executes dropped EXE 1 IoCs

pid	Process
2908	Service Host Network Service.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Service Host Network Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Service Host Network Service.exe"	Service Host Network Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2532	JaffaCakes118_0371221c3aa1147d1009f0d0b1bf22e8.exe
Token: SeDebugPrivilege	2908	Service Host Network Service.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 2908	2532	JaffaCakes118_0371221c3aa1147d1009f0d0b1bf22e8.exe	31
PID 2532 wrote to memory of 2908	2532	JaffaCakes118_0371221c3aa1147d1009f0d0b1bf22e8.exe	31
PID 2532 wrote to memory of 2908	2532	JaffaCakes118_0371221c3aa1147d1009f0d0b1bf22e8.exe	31
PID 2908 wrote to memory of 2000	2908	Service Host Network Service.exe	32
PID 2908 wrote to memory of 2000	2908	Service Host Network Service.exe	32
PID 2908 wrote to memory of 2000	2908	Service Host Network Service.exe	32
PID 2000 wrote to memory of 1744	2000	vbc.exe	34
PID 2000 wrote to memory of 1744	2000	vbc.exe	34
PID 2000 wrote to memory of 1744	2000	vbc.exe	34
PID 2908 wrote to memory of 1644	2908	Service Host Network Service.exe	35
PID 2908 wrote to memory of 1644	2908	Service Host Network Service.exe	35
PID 2908 wrote to memory of 1644	2908	Service Host Network Service.exe	35
PID 1644 wrote to memory of 3052	1644	vbc.exe	37
PID 1644 wrote to memory of 3052	1644	vbc.exe	37
PID 1644 wrote to memory of 3052	1644	vbc.exe	37
PID 2908 wrote to memory of 264	2908	Service Host Network Service.exe	38
PID 2908 wrote to memory of 264	2908	Service Host Network Service.exe	38
PID 2908 wrote to memory of 264	2908	Service Host Network Service.exe	38
PID 264 wrote to memory of 584	264	vbc.exe	40
PID 264 wrote to memory of 584	264	vbc.exe	40
PID 264 wrote to memory of 584	264	vbc.exe	40
PID 2908 wrote to memory of 288	2908	Service Host Network Service.exe	41
PID 2908 wrote to memory of 288	2908	Service Host Network Service.exe	41
PID 2908 wrote to memory of 288	2908	Service Host Network Service.exe	41
PID 288 wrote to memory of 856	288	vbc.exe	43
PID 288 wrote to memory of 856	288	vbc.exe	43
PID 288 wrote to memory of 856	288	vbc.exe	43
PID 2908 wrote to memory of 2460	2908	Service Host Network Service.exe	44
PID 2908 wrote to memory of 2460	2908	Service Host Network Service.exe	44
PID 2908 wrote to memory of 2460	2908	Service Host Network Service.exe	44
PID 2460 wrote to memory of 960	2460	vbc.exe	46
PID 2460 wrote to memory of 960	2460	vbc.exe	46
PID 2460 wrote to memory of 960	2460	vbc.exe	46
PID 2908 wrote to memory of 484	2908	Service Host Network Service.exe	47
PID 2908 wrote to memory of 484	2908	Service Host Network Service.exe	47
PID 2908 wrote to memory of 484	2908	Service Host Network Service.exe	47
PID 484 wrote to memory of 1544	484	vbc.exe	49
PID 484 wrote to memory of 1544	484	vbc.exe	49
PID 484 wrote to memory of 1544	484	vbc.exe	49
PID 2908 wrote to memory of 1292	2908	Service Host Network Service.exe	50
PID 2908 wrote to memory of 1292	2908	Service Host Network Service.exe	50
PID 2908 wrote to memory of 1292	2908	Service Host Network Service.exe	50
PID 1292 wrote to memory of 2244	1292	vbc.exe	52
PID 1292 wrote to memory of 2244	1292	vbc.exe	52
PID 1292 wrote to memory of 2244	1292	vbc.exe	52
PID 2908 wrote to memory of 3044	2908	Service Host Network Service.exe	53
PID 2908 wrote to memory of 3044	2908	Service Host Network Service.exe	53
PID 2908 wrote to memory of 3044	2908	Service Host Network Service.exe	53
PID 3044 wrote to memory of 2568	3044	vbc.exe	55
PID 3044 wrote to memory of 2568	3044	vbc.exe	55
PID 3044 wrote to memory of 2568	3044	vbc.exe	55
PID 2908 wrote to memory of 2496	2908	Service Host Network Service.exe	56
PID 2908 wrote to memory of 2496	2908	Service Host Network Service.exe	56
PID 2908 wrote to memory of 2496	2908	Service Host Network Service.exe	56
PID 2496 wrote to memory of 352	2496	vbc.exe	58
PID 2496 wrote to memory of 352	2496	vbc.exe	58
PID 2496 wrote to memory of 352	2496	vbc.exe	58
PID 2908 wrote to memory of 748	2908	Service Host Network Service.exe	59
PID 2908 wrote to memory of 748	2908	Service Host Network Service.exe	59
PID 2908 wrote to memory of 748	2908	Service Host Network Service.exe	59
PID 748 wrote to memory of 1708	748	vbc.exe	61
PID 748 wrote to memory of 1708	748	vbc.exe	61
PID 748 wrote to memory of 1708	748	vbc.exe	61
PID 2908 wrote to memory of 2384	2908	Service Host Network Service.exe	62

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0371221c3aa1147d1009f0d0b1bf22e8.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0371221c3aa1147d1009f0d0b1bf22e8.exe"
1⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service Host Network Service.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service Host Network Service.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2908
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\d9niltd1.cmdline"
    3⤵
    - Drops startup file
    - Suspicious use of WriteProcessMemory
    PID:2000
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES30A3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3092.tmp"
      4⤵
      PID:1744
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9pooyszl.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1644
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES314E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc314D.tmp"
      4⤵
      PID:3052
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bgt5rbyi.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:264
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES319C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc319B.tmp"
      4⤵
      PID:584
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\llvcmkoy.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:288
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES31DB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc31DA.tmp"
      4⤵
      PID:856
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\81alisme.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2460
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3229.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3228.tmp"
      4⤵
      PID:960
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\m1lh_kgb.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:484
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3267.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3266.tmp"
      4⤵
      PID:1544
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\agbv-i0a.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1292
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES32B5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc32B4.tmp"
      4⤵
      PID:2244
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pf7y0gxn.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3044
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3313.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3312.tmp"
      4⤵
      PID:2568
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5en6rqea.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2496
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3351.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3350.tmp"
      4⤵
      PID:352
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\roggizmj.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:748
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES339F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc339E.tmp"
      4⤵
      PID:1708
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-aj39yp4.cmdline"
    3⤵
    PID:2384
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES33DD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc33DC.tmp"
      4⤵
      PID:1732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\-aj39yp4.0.vb

Filesize
303B

MD5
6ba302d5bd05c3635068ab9ad6856f98

SHA1
381eeaa6e13513cef25ab2af4375cec6ae02dff5

SHA256
b3260fe36913c2bf10e77e73d23bd2a715d28a7144b5faaee68152ce4469289d

SHA512
81f6d7fdb7556ea789117a61d6dcf61a5b90c08b4fbd08fc5c0b89b02dfed44e07215e56f8f1b69a16afca72098a1e4c9365ba065554789d2b0effd16b1479e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\-aj39yp4.cmdline

Filesize
173B

MD5
0f773ee0d2332448c8b38199cc90b17f

SHA1
2f6e63ab217544b2095ddaa4ed9eede45e118024

SHA256
2944793038c67379c7ee2f60af170f853584da99632be92ad76f3dfb81322dc7

SHA512
68f9a9173b8ff99ab64881d7da80aa39d77a9f001f0bf194d32b23285e8dfabb3b01ac057e3c3184fc13c5398e258bb53a8682b01eb1c02fa50725df2a3fa5eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\5en6rqea.0.vb

Filesize
294B

MD5
a6f6d5bed819117a37e2be89b8e63e03

SHA1
bbf25777cdb346f45c00fbb8b6fade9bee6590c7

SHA256
85f6f13ecb42d4415d8d5929d793e038c872bac973f2a4aea2e4ca4673b5fe86

SHA512
ce893699bf3d39131893d4768e4e881b286a8779b926dc5e1ff25df82a1d899d8ced3132a5b4d69acb14181a524da5467ae32c9f165d7093219ea865f4d8aff9

Download Submit
C:\Users\Admin\AppData\Local\Temp\5en6rqea.cmdline

Filesize
164B

MD5
ab4ed914b13a5091a604a8798a355b61

SHA1
c9e6f15c855d369be2147864bfa099b1a00cd757

SHA256
607491b59250ba920de788c17660e272ac4fda6e315e12129769719de9ffb24c

SHA512
573aa837310a0ef0112d75a0e495ebfe3faaaefdd5269e91f4a39063e300202c23f3b0ffbdc08cfa809755a6c52d0c178a62874753cba111f6ad06adce81b0cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\81alisme.0.vb

Filesize
299B

MD5
26ce45481144b67e0042c36d11f274df

SHA1
dd5ba03fc84fd9f4532d04a299869c8973f30104

SHA256
71b8367c5b927588893a8973ef11042f6f64bb112575724c54e2d4ddb916e159

SHA512
b9e76efa1600fd7be284b57dd266dfc1ba2a4e3bc3298907df59c3649032b48128bc2704ede04d6d9931baa5157672fee8e337e8644701dc462c51750f2c3c04

Download Submit
C:\Users\Admin\AppData\Local\Temp\81alisme.cmdline

Filesize
169B

MD5
66ce24ced6fcf2ccb54408f16203b575

SHA1
06beea4d5f0495cfdbd1edd9d3d8e591d99cd0d5

SHA256
b949467afb9bdd25e6bcb65c2e34a55b33233bedf3b7137ff44bc905f1ad1045

SHA512
18db8bea6dc61434da1fcb7bce3c8dd2c8a31566ed88d6c3e331f4879daf3df1550dcb7a805158fdb5be165329bf2b5fa4bab585009111a6c4f29c04136d4a4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\9pooyszl.0.vb

Filesize
292B

MD5
b9e4856937e269e991b796c5b24a0090

SHA1
40c737da1a09ffd4577c274646a7bdc86502d748

SHA256
d3d91d78bac0f74467781d8dc2f6557e650b8f335c3f32a596586a6cec5fabec

SHA512
cf43fe987bf8d79dafac414c0d3ad3072f54a3181f788d905dab80d0851ccab8f636da8045e21219587ac7eefbe64d8bf1614568d0db0e416cd8ea235f82edfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\9pooyszl.cmdline

Filesize
162B

MD5
04cc21628f460457f51a33d231692919

SHA1
c2deb022531a2bfdee2ee3947615936a1619a0ec

SHA256
efcbb9076ecd038e4e9e11c5a57759128a8e6fefb4d5a2419c209f701a9b6e6d

SHA512
2cd42594dc3921a71679804fc7e909404a7d9b94f3971f93bdd337a4d8812385620b321b078fc2f0265fe2ea703cfdf3752177216cff9eb3487b56cbc5a9ed8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES30A3.tmp

Filesize
1KB

MD5
3aa89708c4bf86a3973933e5366761ae

SHA1
e6f5c11a0e6a013bf4e05ea52befbcbb07534eb8

SHA256
b5f9301e28a448996369c5aec84a70deef41a7b17c9101dcc85c83d0e9c9d9bd

SHA512
1a9e50bd22ee80145acaefe897c550597a46b3e2848a2d28457a18364976bfe9f72ec7ababf6f69d61505b38ac354f7ef79f08ce95d3302d2691802cffa4f173

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES314E.tmp

Filesize
1KB

MD5
7c21415811b84afd2cf4d78ebb71983b

SHA1
70795837e16a4c4bb18c7e1139a94c4e7bce3919

SHA256
8eba67003aec0bf79b4524562d95286b880021cb2f081be0a5b838c6ddfb3de9

SHA512
be944a5bb30bbf13428e15f83154bc047702f24db5acd589cb891066cfc60bafc6903bc9591a6c8d8e70a6dbe4dfe33b81c407ac759dcd46bbed1eb2f3d2f302

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES319C.tmp

Filesize
1KB

MD5
01de3d5a4f1913a0ce2da3202fa043b4

SHA1
7dd82a2f293317e0db90034813bcc19f2640356d

SHA256
6592270e9901f5404174b08c0e7cd8aeee64d3f5f0d073f74336b584fec9d2c5

SHA512
5b7d2129c713b53b04c9f3926c7502492eef5f7014c31e50eaaf78193e23d7ecf2c886d1aedb70c8255d6208134ac774a2da82db106f3ff6cf162c8d07dcc93f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES31DB.tmp

Filesize
1KB

MD5
a3a9fbb7301b1dd631a1be3618b0cfa0

SHA1
271463b1928d70eae2d98f70ae0c4971a46a04b6

SHA256
149a068fbf76794b86d96eccb62632e0d64db36e95bd3660d99474d8cff48a6e

SHA512
43e060460830cf76d0536060dba3fe18545d6f23f723c7ba3ab3ab09d96c5c5ae2bc669775e0f133151034eb7971cbc9166a6552443001da8c1670d6613033f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3229.tmp

Filesize
1KB

MD5
b1ef4f823c87d5fe85d610953cc94609

SHA1
49faa6f8660d282d26e20e79695651fc32a3ee58

SHA256
e40ded4f366362fd8283aa02ed9adf4a2d45d084d6f8d3e83b7b5d507ac1caa0

SHA512
5750c809490159f566fab46a64362997b1a80d9e96f418e2d17a3a263f7ef6f68eb04346e6c790af0eb1217f078a6e6c67a6c457e8b73daba373fd19f4206dbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3267.tmp

Filesize
1KB

MD5
569e902852181af0b7084cb849d4cd78

SHA1
5f164193021dded9eb0a53a6a5d250ee30d64757

SHA256
aaeb5746fca55e3cfd6cfcd9577c64e8cd96d62b3b5dce771ac2ab2df7b9b813

SHA512
931a894acd1db9f39949b3e55cf887ab75d6c7bd56a16c0de573623ffdc66490aced3f2f6dc1a3f4b6acf2bc75e926ddc0553b5c5b2a0aaae9d2cfb1742100eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES32B5.tmp

Filesize
1KB

MD5
85e14a63f49121cc99c06ba72d85e571

SHA1
5b9e04fa00d17fb13b5528795d0dd2721a3f5e90

SHA256
8788b0f4bffa2d58efd120d56e994696d034be4cfc7112cc2a7325b39fdccb9d

SHA512
82c239993d8249239f2fd1946bba6352aa1b672cbc06399f218c73141b490d3492665d1c636c58b5305b339282a8c52dc091062d9b1128635895a9186283564b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3313.tmp

Filesize
1KB

MD5
c0b8055e0c1df64d2db4f403c8eaf8b5

SHA1
913016a94e6395853e89cc22ea76226863258f82

SHA256
320afbef5793214eb3ffba67f1b7dae054fc64f5b785369f19fcae0007efe1ef

SHA512
879446c987084f3f1bc274f38b3305b17d343dbc21a269d5f72af816211655e99c9447802331412bb7c9d79f5a812cc9c28aff3f059eb0203d804cbb5ab87bff

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3351.tmp

Filesize
1KB

MD5
adcd1fcd3de0c0f9f0d501a2d4bbe380

SHA1
878a530703886edc386bc4634ce00a178123b056

SHA256
6db116882365904dbe4c9ef43af007e18f98c19c54922614e9a104e3d0e71d67

SHA512
9fd240e48cfa15373387ddd8ebe07a24fc6b0aa99dee20526a17781f813f4bb4c239a15791ba6370c695583c48c51c0a4a187272b9da4f5fe0f0656ecf88229a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES339F.tmp

Filesize
1KB

MD5
662f5a536db012c675f31ce4a687ba2d

SHA1
351798b7e9bd52c3eaae630041191420202389fc

SHA256
160e1532b5057c46e655fdfd907db5c1e5cb2e3755d8e313810e4e9fcc6832eb

SHA512
fe6920ffb3199dd50852dd0ec3095841924d25a9b31b5561b0fdca53bb7e4ae6453d00a20e395c532d17e35570227e7128d0dbf85a337d885a930439819617bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES33DD.tmp

Filesize
1KB

MD5
30297b00acef2c6d75b766643af4163a

SHA1
960a979439d81614fda987d4ea83dca5f845b4f9

SHA256
55ac169c117c24eed36fc2bc1271e8e28b039ec93625a8cba41594a5b0f74b33

SHA512
aa736c805b753a7495f0cb1b1f5ab9cf40b4ff95ea5de0b5d6d52ce0b04e58bfbc11c9ef126ab328c53300e9c07745522f2f27d2e655e1e605991758eccca255

Download Submit
C:\Users\Admin\AppData\Local\Temp\agbv-i0a.0.vb

Filesize
320B

MD5
32242d650f4cec440f6c9a5e534b68e8

SHA1
4651b9c10bfc9ec2f0d92f0cfb4f6e0b20a9ba56

SHA256
349d29acf1325984dca741c7698aafdc112184914d1ae160d5b4d9a63f04cbd1

SHA512
63b3691822df591aef118a890a7ba62cb916dd53ceab0c89ff63c7a335cbc783872b01adadfcd55b3afa66b484ed4a929115d290163a4cd7ff822112722e2cb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\agbv-i0a.cmdline

Filesize
190B

MD5
a0f38edb0db6685b609294c1064821fb

SHA1
02da9ea95aaeb3f9d1f1a888fdddd8e12252ddf7

SHA256
2895a7e281c952102663324cfd8200bae4a733c0b3ac18c917b65586dba35e72

SHA512
6fef76411fb028131812eb6ff5b92a1ddb3506dffbb99a232783df1bc49ec657d28a48d20c38bc0cb5e0bedd1f38954a717b071093f5e1c124aa175a1ee8b603

Download Submit
C:\Users\Admin\AppData\Local\Temp\bgt5rbyi.0.vb

Filesize
296B

MD5
12dc4ad4df961225690e3061af146a4e

SHA1
beace4335cf4d4edc6ca03e9c26012161e8d5768

SHA256
a21ec5ea07b35980578deab02cb100371789ed576fa4e64372ea964ec6ad83f3

SHA512
9639355fcb927da1aaa2090a89e7b03b8e9e30acff4a94c8cc425ba7a0cced2e73f26da9786441d36921472909ebc8fd9194d064aab6369d69aa2a5bb1b328ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\bgt5rbyi.cmdline

Filesize
166B

MD5
7f232b738746e8e4e4129ec17f27b2bc

SHA1
daf3716e8c96c79677a0b2fde2d0df288f485ad3

SHA256
3315642568b4f843c5fcb4d9d03a750d9acf3a7e8f5fff934d91677bbd654eaf

SHA512
120a8e6da6db985aded55fa6ec772dde6514feedd1d1b98355d3743f6fd16b7a21270092274445ade441e02933ef48fb715fe3b637ed5af83771e6324e28cae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\d9niltd1.0.vb

Filesize
218B

MD5
fc21d1773763a696222c7777d0544e40

SHA1
3c46bb126cf95ca8b5a2e867a40e553414a5de00

SHA256
2ce35fd0b2c5aa514c88f61416dcc4fe37f6b449988a4b960620190ce8ca87d7

SHA512
8999e289375a037ba404d1f30d9ef2f33f6bb51ff61bb68845ac421acfa9aa934aca16acd545707d2f132f252c84dbaab1163bf9598879c5c1299751d3c452a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\d9niltd1.cmdline

Filesize
216B

MD5
a4a8570ba910cbab2179975da5c301d5

SHA1
898f29e67471c6250f3dcae1fd24d7a03eb501b3

SHA256
9d12776f574803342b5a08705603099a3d1a8873c686cac27004c3e201b651b9

SHA512
4c19a27cdb556c901ca169e39e04e9b727595e54cd918fbd55b631efbc56ae47c717cae4d6d54e77f79af6c5ead88444985bd74d74c087c4640c837c1fd3af1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\llvcmkoy.0.vb

Filesize
295B

MD5
9d1944edc78b53e3a116455f956496e0

SHA1
485a7d9db0f8f3a9ff4f0c06f7cf05c4e5f3f8ba

SHA256
e5c17bfb87f2bc373b15cc49995aaf46243315dcb01a8c96aa239b8bb2dc5396

SHA512
1b4c2cc662c5d8d239f35ef46c5a8a19ab524c4d4fa8f01c31a66768e885947f6ee6521d647f8bc86dc759abefea21c1585b56465c86721bc382b755d0fe0f5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\llvcmkoy.cmdline

Filesize
165B

MD5
3e7aa4e5620862a9a737adce2ab9bab6

SHA1
111a029be0569dfd8cbadaa4f777a4f8868a1946

SHA256
73825ebf9e894d0db1ecd1e4b850a49623e9881bb58c28a4eae9d4c7aa2c532e

SHA512
a68763f75144c81e6029885bef6743c8562b4bbf237bc7b51204ecfc0293de8683ebc4a5a3a70030d1988f7f821841d8b4bedad1814daed7d9312440acf1a22f

Download Submit
C:\Users\Admin\AppData\Local\Temp\m1lh_kgb.0.vb

Filesize
301B

MD5
47d95656f9388d5e4f6e1c602c48ca06

SHA1
ff56a474d3c674f22f915a9489e053ca833b8b2f

SHA256
0a563c904f9f4fb91d4decc420e76cad0a2f802451a1c10602b8b3117be8a301

SHA512
4a274648130b0d40bd368511cbfdc3e813ea847eb0b4fd7e919d6131a50a005afc6b9a2b112da396b7bc33382cc85a59509ae48131fae3bb8bc2bf514e6bf3bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\m1lh_kgb.cmdline

Filesize
171B

MD5
597c9457baec86f541f26bc59f4dd984

SHA1
c6bf8b383dc60c1ce31715bddb1aae4eb40dc378

SHA256
eb9e8578fbd91692ffdac7d8956e4f97826321674eae87b7068b6a2aae920962

SHA512
56813b0643321423e5cffa6e870fdc21f173257921651bfd88a025e2844e561f864ccd00bfe9c0fa8d79299859d768ecd33f89f805177936b38addac4149a8be

Download Submit
C:\Users\Admin\AppData\Local\Temp\pf7y0gxn.0.vb

Filesize
301B

MD5
e5cc406501ad5a772171ba991146816c

SHA1
b8b814ef703b1457ac8b6d7f66a8ecb4a3b4ea2a

SHA256
419d09b1cd2db787164b9a48834800c87f07d2646809fdb35eba58fa881d73d3

SHA512
762256be14960dae2f09104f762a1c4be38afba4ad8ec662f68ade5a3f8411af944b0853b7de404401df69905daf38d30792fd1cd5fee529e4eae7fc126ab193

Download Submit
C:\Users\Admin\AppData\Local\Temp\pf7y0gxn.cmdline

Filesize
171B

MD5
ab5cfa437ed370a433f6d3b42b3a845f

SHA1
8609ee708a3eb16ba7b19f8dc14d930c479e0493

SHA256
00918f16af7b615e9ad7f9261edf80db4b8174245332e5a76726fb2622d4192d

SHA512
476311fabbb0aeb2e4687d4e8739c2b878d23354d446bea9776312c06c4ac025c3d5d418f05b2b7813f822d8dfa212eabb2d8fcd115f5458af74f7920e6b127c

Download Submit
C:\Users\Admin\AppData\Local\Temp\roggizmj.0.vb

Filesize
300B

MD5
2e1d49c27d6baa9b3ad357bc22a920a3

SHA1
c4315fc5c5330880b1700660cd31583b2de6a845

SHA256
5983931487c4a1f4b9f7d937b05a405212d2efc5bf18f04a638457a01683540d

SHA512
fca817d30cfd37b50a55318cfe072549043c75f9f82c83dd6700d4ba63a54be20d11bf46c48badf42072ffd5107ec2da21c6d9c2a4df0ffca2743ad5adf3f312

Download Submit
C:\Users\Admin\AppData\Local\Temp\roggizmj.cmdline

Filesize
170B

MD5
c593cfc79aacae37585af747696e6443

SHA1
5d36be992f630d856dc1babad87311a849309762

SHA256
67e61dcc93fb12785d94bb087e22d0b9fb7ac9a53edca4c458f824cd636e2113

SHA512
6348ee724150d5412d7a875748b83052ab5757ad694fd35e26338072b8ba2ab78b1a16f2f5149a9e8f4d63b0e36e611993df72e8887922c5b7f195fb9de05b96

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc3092.tmp

Filesize
732B

MD5
d1ab5cd7b8edf473611603f7c0523c86

SHA1
9735a5ee3505c8d44491ff5fc329ad1de7926c81

SHA256
01a4da2c8dfc942b92d11f4e7ad7d2778cc897656ad6533078157042ffaf8ba9

SHA512
eeb2ef49281d2469e23340ddc195defa178a8aaed59147f0213904232bd09d8a46022eb16785e609589861082395dc7546ba0c2181418c421b959001922925c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc314D.tmp

Filesize
668B

MD5
3906bddee0286f09007add3cffcaa5d5

SHA1
0e7ec4da19db060ab3c90b19070d39699561aae2

SHA256
0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00

SHA512
0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc319B.tmp

Filesize
684B

MD5
41857ef7e71c255abd4d5d2a9174e1a6

SHA1
95051d6ae43ff1bd9e5ebc95aa2e7b7c3165cb6c

SHA256
dfcdf12316f3b523895ec611d8e8d9fdc189ab8dde4e86fb962541aeac54e302

SHA512
ec6c5a7729d273be3ff194ffe47056731ab4100e298b7f50108a2599be59c84bd1953a90c4d7390c477257986a18d336d951f590b782f1aa983de7bd4c86e6ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc31DA.tmp

Filesize
684B

MD5
453916f7e3952d736a473b0e2eea5430

SHA1
b79ccb2b555a81b8db470ec9fcaea26d42ef1c8b

SHA256
b0f8b94a35a12060c70e9f81641be22cbf1f1794c73260f48a2e6e46608623fe

SHA512
86d32a03cf04ef8640075c82e5fecb23034413a41b80b81c900a423b03f44589f774f68f83561465e7c9ce46512c818eef5a90e5ed9f7b3f86b592be34fa367f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc3228.tmp

Filesize
700B

MD5
6ed26221ebae0c285cdced27b4e4dbac

SHA1
452e9440a9c5b47a4f54aefdde36c08592e17a38

SHA256
aacdfb10fa949c74577bb1778fe2f3bab88b3e587c07cfffb003e059097e9e6c

SHA512
c604368a7b4adfbec5b6898c8880ea684bd085d967c1ebd087c9bed065fe3e2575c8298a9ccaa454d68496386667db998e2a04248dda2ab35905c8a9b1135cce

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc32B4.tmp

Filesize
748B

MD5
b548259248343e12d417d6c938cf8968

SHA1
19703c388a51a7ff81a3deb6a665212be2e6589a

SHA256
ab2ce0a14c78f836d2b134a37183b6d89a78b964ea5607940fa5d940d32a0366

SHA512
73a3902f000a042a448446f6851d6ad61a30bfdfed7d7903b5dad0f368ee43cd6da3b8ba817ac95be1a7427902aba0642af8ccddc4d442867465f1f1f5bf6f81

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc3312.tmp

Filesize
676B

MD5
ba2c43095c1c82b8024e968d16bee036

SHA1
41ea006dbc9f0f6e80941d7547a980a1dde868e0

SHA256
1209067183104b41f03a5be0f377dc1865155cc84bdb509b871b7ce3366aae72

SHA512
00dc93cdb8c4cb0a681f99d24c59216a721bce963d76bad972e29cf92aafd74e4af46632c00f5aef4ce3160927db9df8aa9a8926ea4a5cb6974b499785569e61

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc3350.tmp

Filesize
644B

MD5
dac60af34e6b37e2ce48ac2551aee4e7

SHA1
968c21d77c1f80b3e962d928c35893dbc8f12c09

SHA256
2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6

SHA512
1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc33DC.tmp

Filesize
684B

MD5
7a707b422baa7ca0bc8883cbe68961e7

SHA1
addf3158670a318c3e8e6fdd6d560244b9e8860e

SHA256
453ad1da51152e3512760bbd206304bf48f9c880f63b6a0726009e2d1371c71c

SHA512
81147c1c4c5859249f4e25d754103f3843416e3d0610ac81ee2ef5e5f50622ea37f0c68eeb7fa404f8a1779dc52af02d2142874e39c212c66fa458e0d62926a9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service Host Network Service.exe

Filesize
144KB

MD5
0371221c3aa1147d1009f0d0b1bf22e8

SHA1
5f33bcfe0070b7ac3b4d527103bb4a9385603de3

SHA256
d34a32b1c044553ab8b803f4370526f7a73d1cb519adcaec91b2c10efaa556b3

SHA512
a42bb69676da8c267a8f5b472cbba1ba408a553f919d8536f0a4e8054da914b5aa34089744301acf9eb5d993881955dda478ee2c5b663a945c8aafccef1a9eab

Download Submit
memory/2532-4-0x000007FEF5A70000-0x000007FEF640D000-memory.dmp

Filesize
9.6MB

Download
memory/2532-5-0x000007FEF5A70000-0x000007FEF640D000-memory.dmp

Filesize
9.6MB

Download
memory/2532-0-0x000007FEF5D2E000-0x000007FEF5D2F000-memory.dmp

Filesize
4KB

Download
memory/2532-3-0x000007FEF5A70000-0x000007FEF640D000-memory.dmp

Filesize
9.6MB

Download
memory/2532-2-0x00000000007C0000-0x00000000007CA000-memory.dmp

Filesize
40KB

Download
memory/2532-12-0x000007FEF5A70000-0x000007FEF640D000-memory.dmp

Filesize
9.6MB

Download
memory/2532-1-0x0000000000200000-0x0000000000208000-memory.dmp

Filesize
32KB

Download
memory/2908-13-0x000007FEF5A70000-0x000007FEF640D000-memory.dmp

Filesize
9.6MB

Download
memory/2908-14-0x000007FEF5A70000-0x000007FEF640D000-memory.dmp

Filesize
9.6MB

Download
memory/2908-15-0x000007FEF5A70000-0x000007FEF640D000-memory.dmp

Filesize
9.6MB

Download
memory/2908-11-0x000007FEF5A70000-0x000007FEF640D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads