revengerat | d34a32b1c044553ab8b803f4370526f7a73d1cb519adcaec91b2c10efaa556b3

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2024 03:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_0371221c3aa1147d1009f0d0b1bf22e8.exe
Size

144KB
MD5

0371221c3aa1147d1009f0d0b1bf22e8
SHA1

5f33bcfe0070b7ac3b4d527103bb4a9385603de3
SHA256

d34a32b1c044553ab8b803f4370526f7a73d1cb519adcaec91b2c10efaa556b3
SHA512

a42bb69676da8c267a8f5b472cbba1ba408a553f919d8536f0a4e8054da914b5aa34089744301acf9eb5d993881955dda478ee2c5b663a945c8aafccef1a9eab
SSDEEP

1536:8qJo6rUcu/rbPm8J+Ud+kR2qBa5z17gm6zG:8SRw+Ud+kRBBa5yjK

Score

10^/10

revengerat ⚡⚡ welcome ⚡⚡persistence stealer trojan

Malware Config

Extracted

Family

revengerat

Botnet

⚡⚡ WELCOME ⚡⚡

xd.zapto.org:27730

Mutex

RV_MUTEX-aawrHJfWfhaRCl

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral2/memory/2184-6-0x0000000000A30000-0x0000000000A3A000-memory.dmp	revengerat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	JaffaCakes118_0371221c3aa1147d1009f0d0b1bf22e8.exe

Drops startup file 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service Host Network Service.exe	JaffaCakes118_0371221c3aa1147d1009f0d0b1bf22e8.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service Host Network Service.exe	Service Host Network Service.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service Host Network Service.exe	vbc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service Host Network Service.exe	JaffaCakes118_0371221c3aa1147d1009f0d0b1bf22e8.exe

Executes dropped EXE 1 IoCs

pid	Process
2148	Service Host Network Service.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Service Host Network Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Service Host Network Service.exe"	Service Host Network Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2184	JaffaCakes118_0371221c3aa1147d1009f0d0b1bf22e8.exe
Token: SeDebugPrivilege	2148	Service Host Network Service.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 2148	2184	JaffaCakes118_0371221c3aa1147d1009f0d0b1bf22e8.exe	100
PID 2184 wrote to memory of 2148	2184	JaffaCakes118_0371221c3aa1147d1009f0d0b1bf22e8.exe	100
PID 2148 wrote to memory of 2804	2148	Service Host Network Service.exe	103
PID 2148 wrote to memory of 2804	2148	Service Host Network Service.exe	103
PID 2804 wrote to memory of 4612	2804	vbc.exe	105
PID 2804 wrote to memory of 4612	2804	vbc.exe	105
PID 2148 wrote to memory of 4724	2148	Service Host Network Service.exe	106
PID 2148 wrote to memory of 4724	2148	Service Host Network Service.exe	106
PID 4724 wrote to memory of 980	4724	vbc.exe	108
PID 4724 wrote to memory of 980	4724	vbc.exe	108
PID 2148 wrote to memory of 2660	2148	Service Host Network Service.exe	109
PID 2148 wrote to memory of 2660	2148	Service Host Network Service.exe	109
PID 2660 wrote to memory of 4360	2660	vbc.exe	111
PID 2660 wrote to memory of 4360	2660	vbc.exe	111
PID 2148 wrote to memory of 4048	2148	Service Host Network Service.exe	112
PID 2148 wrote to memory of 4048	2148	Service Host Network Service.exe	112
PID 4048 wrote to memory of 1428	4048	vbc.exe	114
PID 4048 wrote to memory of 1428	4048	vbc.exe	114
PID 2148 wrote to memory of 4376	2148	Service Host Network Service.exe	115
PID 2148 wrote to memory of 4376	2148	Service Host Network Service.exe	115
PID 4376 wrote to memory of 408	4376	vbc.exe	117
PID 4376 wrote to memory of 408	4376	vbc.exe	117
PID 2148 wrote to memory of 4404	2148	Service Host Network Service.exe	118
PID 2148 wrote to memory of 4404	2148	Service Host Network Service.exe	118
PID 4404 wrote to memory of 1148	4404	vbc.exe	120
PID 4404 wrote to memory of 1148	4404	vbc.exe	120
PID 2148 wrote to memory of 2524	2148	Service Host Network Service.exe	121
PID 2148 wrote to memory of 2524	2148	Service Host Network Service.exe	121
PID 2524 wrote to memory of 4732	2524	vbc.exe	123
PID 2524 wrote to memory of 4732	2524	vbc.exe	123
PID 2148 wrote to memory of 3160	2148	Service Host Network Service.exe	124
PID 2148 wrote to memory of 3160	2148	Service Host Network Service.exe	124
PID 3160 wrote to memory of 4168	3160	vbc.exe	126
PID 3160 wrote to memory of 4168	3160	vbc.exe	126
PID 2148 wrote to memory of 2504	2148	Service Host Network Service.exe	127
PID 2148 wrote to memory of 2504	2148	Service Host Network Service.exe	127
PID 2504 wrote to memory of 4288	2504	vbc.exe	129
PID 2504 wrote to memory of 4288	2504	vbc.exe	129
PID 2148 wrote to memory of 2664	2148	Service Host Network Service.exe	130
PID 2148 wrote to memory of 2664	2148	Service Host Network Service.exe	130
PID 2664 wrote to memory of 3884	2664	vbc.exe	132
PID 2664 wrote to memory of 3884	2664	vbc.exe	132
PID 2148 wrote to memory of 3652	2148	Service Host Network Service.exe	133
PID 2148 wrote to memory of 3652	2148	Service Host Network Service.exe	133
PID 3652 wrote to memory of 4368	3652	vbc.exe	135
PID 3652 wrote to memory of 4368	3652	vbc.exe	135

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0371221c3aa1147d1009f0d0b1bf22e8.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0371221c3aa1147d1009f0d0b1bf22e8.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service Host Network Service.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service Host Network Service.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\83nr9zmb.cmdline"
    3⤵
    - Drops startup file
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES32ED.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc82D24B3E4C6A40E4828DDD6CB9238C5.TMP"
      4⤵
      PID:4612
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sf_ra9xl.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4724
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES33A9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFDDEACB77A814F2384C18C7BB1D9FB7C.TMP"
      4⤵
      PID:980
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\64ahntys.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2660
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3426.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAC6AC3CF352044B98AB35D77BE25A122.TMP"
      4⤵
      PID:4360
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ug8t6rms.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4048
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3493.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7BDCC4DB74F8411686CFA693D078E6FE.TMP"
      4⤵
      PID:1428
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jwvrthi3.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4376
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES356E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9F736AB370154B0F86DFABDE3266F24.TMP"
      4⤵
      PID:408
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tvphi8vq.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4404
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES35CC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc72CC06ECB2AB493CB55B75C4F8A958E.TMP"
      4⤵
      PID:1148
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wb5zgmgb.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2524
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3629.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1D3580BDE964E87B98557736DE87DA.TMP"
      4⤵
      PID:4732
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5jiipdqs.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3160
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3687.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4C8C9D917DEA4C06AA1A61D68B9CB4FE.TMP"
      4⤵
      PID:4168
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mvlorybn.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2504
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES36C6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC2870E4666BD4222BF84F2DFD08DFF4A.TMP"
      4⤵
      PID:4288
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fdgzbi17.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2664
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3723.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE57976DDC31D40C89FC3F195E8DE60C1.TMP"
      4⤵
      PID:3884
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jiycme18.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3652
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3771.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc959AA14F10334D078DB5D13BF3BF5A94.TMP"
      4⤵
      PID:4368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5jiipdqs.0.vb

Filesize
294B

MD5
a6f6d5bed819117a37e2be89b8e63e03

SHA1
bbf25777cdb346f45c00fbb8b6fade9bee6590c7

SHA256
85f6f13ecb42d4415d8d5929d793e038c872bac973f2a4aea2e4ca4673b5fe86

SHA512
ce893699bf3d39131893d4768e4e881b286a8779b926dc5e1ff25df82a1d899d8ced3132a5b4d69acb14181a524da5467ae32c9f165d7093219ea865f4d8aff9

Download Submit
C:\Users\Admin\AppData\Local\Temp\5jiipdqs.cmdline

Filesize
164B

MD5
f925e9580a5bcc1f9e2d00d596de3f2b

SHA1
8b4fa01d9c90689423359e1a44dfe516de625556

SHA256
43db6f2236f65f587db0d2de7c395a7d2995ffa76ef88eccc08bb1c06977e8e3

SHA512
6720085ecd44de7c21880a3b35329787b29a33b0c5d089a2e5a8ef9a22809b56dd68c6f77a554ab2aa3835217d453caef5809b03a9b8223441e0a778b0bc460a

Download Submit
C:\Users\Admin\AppData\Local\Temp\64ahntys.0.vb

Filesize
292B

MD5
b9e4856937e269e991b796c5b24a0090

SHA1
40c737da1a09ffd4577c274646a7bdc86502d748

SHA256
d3d91d78bac0f74467781d8dc2f6557e650b8f335c3f32a596586a6cec5fabec

SHA512
cf43fe987bf8d79dafac414c0d3ad3072f54a3181f788d905dab80d0851ccab8f636da8045e21219587ac7eefbe64d8bf1614568d0db0e416cd8ea235f82edfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\64ahntys.cmdline

Filesize
162B

MD5
4332838ddbb4cbf0956d311ff7b47d05

SHA1
44aafc24c82068e06b9eac4daf9dee9795032d1c

SHA256
a6a8e1bccb0380dabf766d2a8875400e8b1fac7e4853452ea88674143a4329dc

SHA512
73fa1c353ce72d2ce5f9d1ab2edc87b650cce75c75b218b700bb36e16b2fff7076cb59fc280af3ec781e1fb5d06a2367870e60b3bdf6a8d6672a1d7fa71b8e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\83nr9zmb.0.vb

Filesize
218B

MD5
fc21d1773763a696222c7777d0544e40

SHA1
3c46bb126cf95ca8b5a2e867a40e553414a5de00

SHA256
2ce35fd0b2c5aa514c88f61416dcc4fe37f6b449988a4b960620190ce8ca87d7

SHA512
8999e289375a037ba404d1f30d9ef2f33f6bb51ff61bb68845ac421acfa9aa934aca16acd545707d2f132f252c84dbaab1163bf9598879c5c1299751d3c452a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\83nr9zmb.cmdline

Filesize
216B

MD5
9cc5118635f08174cd203c6768d8bab5

SHA1
44acf59e018d1b9483e4b72fe6d2fb2653f417e3

SHA256
11846ad46cf10076b364f61c0b04737f85661bdf54ef0f1d6e2ecbce7e9ff26f

SHA512
4407642fce97ca309c359c8c4665d00da3c9fdea503e07c5608804e98799c14953d5f7e35acd7897d7e64a311df170c1d11a3657545ed9757b5b5eb203ef2f0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES32ED.tmp

Filesize
1KB

MD5
ad86826ad74765422ef23318d72b012b

SHA1
3b0a674d73859b5c81606e9ca6a6b62d67336dc6

SHA256
e4b34966193d98f993e41a7bcbab75856c9058677898e47a53896cf9dbdda678

SHA512
9498f0d44e136d1f51533c5cd7eb9e089ea25ff5e1220ec1ecbcbc72a5a70ee82ba6b9106a01426c86d5d16adb800a995fbc86d660166232da7ce70342a5d349

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES33A9.tmp

Filesize
1KB

MD5
62f3ba90948c086cfed49f8187879442

SHA1
28d8c93eabd5a3c17d7325b2af7e114098af58ff

SHA256
c83dc1244aa97c2dd7bb9185b6ffdb589ffe6bd92d6ed03396ff7d60012663d0

SHA512
dc21f0724c5d4155b79ed78839568e58d7748eebc508cae3d18beb6145400c8dbf39cbdeb39c114ab5b1b92e4c197772df56d0eb1bb7eaefbd7330360343aa85

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3426.tmp

Filesize
1KB

MD5
f52f4a6ecdc0ef197bd7ae71636b1150

SHA1
b41d7b9b0744e5548ff05d10d49f6737ebc523dd

SHA256
9871d842b713797018964a1768886e158770f6f537671460a1408450a0e81250

SHA512
331b2576fb368d3cfeb95714061144d5926390171ebb2e7bc19877d632138dc65c053fdf0a318f25bf238d816ccc12d7d6e6a18a730a920b4eee950760e2f10f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3493.tmp

Filesize
1KB

MD5
acb79d986b218932d25bdfb35686a25b

SHA1
8c34c09031e44063c315b49094bb8e38c86f025c

SHA256
e13655c69af2da5c29dcd366b6f4bd35867146b41a05779f2d42186dca4b80fc

SHA512
d1c57444ddaa1ba38adf269df333007f86811d30d84cedda91aa4e6242b177e8f6a4440ea5c28bc23d7434deb7be24374dc95241a4f1e0eeefe64b9cecdde19e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES356E.tmp

Filesize
1KB

MD5
35182afd5d9e27400a7d7c4f7ca3c6ac

SHA1
7ee734307a0b1d437a93823b1656ffe11e7a8bf0

SHA256
a19fc5bd9c9e551652a9172ac3a1f8cb69e0764ce1841e23d0a76e1a4fed3564

SHA512
bd1f6ff9993f008bb86112622032c83ec8a51dc82b9b7aa081cf4162c43496753eb832bdbaa1464ab34b8a0c3c57c35d16703a4fcac9909f193440c3a0c8e670

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES35CC.tmp

Filesize
1KB

MD5
6eadbaf035e0aa3803f4722bdd73470a

SHA1
9543f6fd6fc143b09c68b79ae872979150e670d5

SHA256
ce63378ce9978503a471a4fd41b7d2b8c8b9ce822ab780cf62aa0ecb6c8d3c2c

SHA512
2b5294a77a3104d2498f241cc200cf98a9c97bdfd9ad773ad038fcb6f3e4e86791662250422b62cc9190ff6beadc880edc84eee4874a087aab3c2c91c586f279

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3629.tmp

Filesize
1KB

MD5
310f24ccaf4f0c10b6f0284c549c8dc0

SHA1
af5c956ab9a9c895034f18dd7e30da8e380a0c1d

SHA256
688e7fb3b4966bc98320dda7c68a303dd56c6db03a0b21599b751a7151d2b335

SHA512
9de636ee6f50c2776978eda58dd293cf7dd84b68d0c7562e5d1b2bf14b9314a8daad4ac693597db2cfe4aa43ee3e23aea79d078064cf90a83c2c5a9aa61602ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3687.tmp

Filesize
1KB

MD5
fd9dcb6a3234ec564d9bbd8676e5e5f5

SHA1
66781fb5bf16e5e36bf0632f721f498818a6c909

SHA256
df6c3c26997b16d4dc87be01b1811807be81fafa6a8df0bf9cffa8922b7b2d40

SHA512
a484b1afa6ecd46139d6b9d5c359f4646eacc352f489fb3d33df393ccf2d008a16927d2ddf011b0f3616a1ac254efd051e83b74383cac2a3586e02673b6d238d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES36C6.tmp

Filesize
1KB

MD5
a073f2e16a4c40908106e1376a97a781

SHA1
b9f4b6cbde976150aa0a3a49790453b72ecad451

SHA256
bbd1dae57fd60b36dc73ac4a1e86cf887e491b47f223718704270a2b9ca50393

SHA512
45a3ee2a2ca714f7ef8fd4c5bbbb157625e70ec6e6c349a178278a5bd57d62bf70083e668238d2c787b275de8beb8bbb4a5b7e5080d1118d247ea0a6f51bc21d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3723.tmp

Filesize
1KB

MD5
4a56d542734872a16ee358ac1cf13066

SHA1
3e9d115f39ecd03533a08446b1ae8920b2c7aeb2

SHA256
266f8f92023df3c569865bc00f6a663aa51e02be2bfce4e988ee13c460f0faaa

SHA512
2cc96e56de0082090d9e9997f8d16dcd31b4b4e6a252c50cf04557f3e72ddf4960147c5160634dc4c6d1786a2433db91273d95b321337ab6bb7f93975a35fdf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3771.tmp

Filesize
1KB

MD5
4d5b2b4810b8c27872eef48a3c8dcf34

SHA1
c552ccd78422235af8492ce2f9039c1ded0cb4a2

SHA256
b0916352afcc57244aaa2ba2eda610439a63faf261a65427a25e261049cab25c

SHA512
1bb82ac707e52003343f3d24b03725d362cccf2694efe81555bc5b6c895e9579ebe2581fd6f0815b7b37d8ed35c3df78212ad85c241c3d6af4e9cb3590f16c2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fdgzbi17.0.vb

Filesize
301B

MD5
e4b9808f202806f8a586ac0fc7913b80

SHA1
bdd4224b28e5619c592a7011587e0e87bf6b3e92

SHA256
11ff8b3d62bf5e3e024520eb3659e4ef4f2a41e2a77256f170b5e9b049fadebf

SHA512
dd3f0e39b3f9b88a7f235b0417922d4c0190b1bc3855ed326b3a86c85a6d63dad61b2e3dcb8ae792b93b4c69fad1b3ef5313186025a0442271344ec7ae2164f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\fdgzbi17.cmdline

Filesize
171B

MD5
c71771af5a5e82e5873fcbe25d0af0e9

SHA1
cd61733b0367990cbeeb202d05ce1dc092f0ca2a

SHA256
b812c45cb1bb804dd08f258e691e02a9a9f7ded08b9e9249f3ca312b4f452284

SHA512
86dae54b4219b658609728b33725adde2fa93b22654673e31b8ff1bdf2dd6f6c9c091bfc15c210fb851d5ea5277661b9fe3d4dcd340c48490477033f0ddf5b6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jiycme18.0.vb

Filesize
303B

MD5
6ba302d5bd05c3635068ab9ad6856f98

SHA1
381eeaa6e13513cef25ab2af4375cec6ae02dff5

SHA256
b3260fe36913c2bf10e77e73d23bd2a715d28a7144b5faaee68152ce4469289d

SHA512
81f6d7fdb7556ea789117a61d6dcf61a5b90c08b4fbd08fc5c0b89b02dfed44e07215e56f8f1b69a16afca72098a1e4c9365ba065554789d2b0effd16b1479e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\jiycme18.cmdline

Filesize
173B

MD5
7210d9ed267961bd0b0f2c6c9dddf374

SHA1
b717243bd532892b13a35d9aa67ff163fd4b095f

SHA256
84b42bd33bc6eddd2729100e880e8bff1a83193b20fc9d1718cdf1d4c020cf19

SHA512
1acc057c4011b2b2f9b0ad9ac4b77bcfffd4daeaa5f2b9165eb3a6f03c293bb514d0bac9eee752c3815289035fcdb106b72224d0e51b798e47f38602f37dc790

Download Submit
C:\Users\Admin\AppData\Local\Temp\jwvrthi3.0.vb

Filesize
301B

MD5
47d95656f9388d5e4f6e1c602c48ca06

SHA1
ff56a474d3c674f22f915a9489e053ca833b8b2f

SHA256
0a563c904f9f4fb91d4decc420e76cad0a2f802451a1c10602b8b3117be8a301

SHA512
4a274648130b0d40bd368511cbfdc3e813ea847eb0b4fd7e919d6131a50a005afc6b9a2b112da396b7bc33382cc85a59509ae48131fae3bb8bc2bf514e6bf3bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\jwvrthi3.cmdline

Filesize
171B

MD5
0b52737761a65788d18861572a2dc70c

SHA1
43ed200501b520729b7648364f7cd80a7075c29c

SHA256
dce52983a06dbfb287213e761ec18212a3eb00d4231edea73e0cc5b2706cd608

SHA512
d0f86c6854633093a9d854a98e05123aac3d1c003d91561b7b8f78d532a65906d2937c16cb0f7664e6d4c4569a18174394f42701c47fe8cac4b6c5fefeccbd77

Download Submit
C:\Users\Admin\AppData\Local\Temp\mvlorybn.0.vb

Filesize
300B

MD5
2e1d49c27d6baa9b3ad357bc22a920a3

SHA1
c4315fc5c5330880b1700660cd31583b2de6a845

SHA256
5983931487c4a1f4b9f7d937b05a405212d2efc5bf18f04a638457a01683540d

SHA512
fca817d30cfd37b50a55318cfe072549043c75f9f82c83dd6700d4ba63a54be20d11bf46c48badf42072ffd5107ec2da21c6d9c2a4df0ffca2743ad5adf3f312

Download Submit
C:\Users\Admin\AppData\Local\Temp\mvlorybn.cmdline

Filesize
170B

MD5
932d897a04e080441971a597f1c37c0b

SHA1
619fdd8da996b62e71a4b027799c5d4529c28086

SHA256
14ca52d431888d73cabd07663ab50fc91e2fe374b83fc25e5845128e7d045a53

SHA512
9d435cd7d1f1044cc702f5a48e883ae2b21e3a47041968841a3c41e5bcda61155b0afc0836cce61c1b9b9c948cff8de2deaeeeb42ca8577816b570e91d421466

Download Submit
C:\Users\Admin\AppData\Local\Temp\sf_ra9xl.0.vb

Filesize
286B

MD5
e27ddcebf38139054a7eed42335b9d22

SHA1
16b4d7a12b3768219d4bfcd90cc5e0b65fe64149

SHA256
1e50f9d0a9432a9b1c5ef6bce47bc1f244b805285d407ffaa4b35997b882eee9

SHA512
89f4f3ea3052c813b5dbc01c8a6294bf02fa5d056c7e5b6232be0e42f727807b303e5f140b3e4bdf6a479f0786f28732fd361a944ae45c5d987414d342acce33

Download Submit
C:\Users\Admin\AppData\Local\Temp\sf_ra9xl.cmdline

Filesize
156B

MD5
853e104b9ff8151cccfc4e375c9b6497

SHA1
be98c29242cfe5f91dc2336e8b957fecc2e4378f

SHA256
08610215bd64d75a75bbe28c236bc617c419f843fe102d4b76e21b0c89365a32

SHA512
7b133f376e0a304720772561cbae8d9f10b9d8b8d9f7031b0b3e71b9fa090d75cd7f4fcefb7217d80e289dbc12f540430286058d0dc86039e647e392e2d3193c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tvphi8vq.0.vb

Filesize
302B

MD5
ffa9399faf40436a18e1b46f1c582cf0

SHA1
32e79f416b4ea766d957c705fd575ab3897319fd

SHA256
7ce30bb37dc992b8beebe64d4809a542ff2afe508ae5acdcc2c209e7968355ff

SHA512
dce5f551841910c5c0df0eb23a073d7823d84d2b3715543c204819b3d22c70b417cf205f338075f4a5309616c91c7d1691f0087cc2d4734329ccef6f675fba89

Download Submit
C:\Users\Admin\AppData\Local\Temp\tvphi8vq.cmdline

Filesize
172B

MD5
295d57143c30238410cb0a850602dc91

SHA1
0839bb63a9fcf062e3ded6566f1e58e48a7334ca

SHA256
9eff3186eb3a43ab83a84fafa05487d21103efe64247dfa58497ad9937c2e833

SHA512
2d52009b9cd0236b961f63148a90af8847e4396fccee7d49420d3d374e044574b82c816c68f3f28ebcecaf85c9e0ebb1e5d7555550f15f57ee3014ba30031186

Download Submit
C:\Users\Admin\AppData\Local\Temp\ug8t6rms.0.vb

Filesize
293B

MD5
61afc3d6c7eab9afad4846d782f01cf3

SHA1
5e7ee18f80f8ddec11099cc85965ad6e6484989c

SHA256
9acdcee56a2b861617def0fbd1aa32f4f2d221e6cea3ec90a56d412430b0b9cf

SHA512
4adbb7de0cb41f4e2209d163bdec06e527d8594300f83ed72b54d0e8910fa27c975db24e3d6c9ee4807df2f05e1ae9c7cf74b13ddd224dc78a4c115bf641044d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ug8t6rms.cmdline

Filesize
163B

MD5
3683a39e4c67bf4bccfc2b5920c795b5

SHA1
3c6e655b7e7d9138b5f4118ed4e558af82a9a756

SHA256
ec792052485a015cfbcea8e8cf30a01db2e823bc7475d2e8255bebebe64131b0

SHA512
54b3d3708b36a360df832e69471e535a20ca21592cab211841c2310f57908e5817cc99645f7ad5d70f149e6da3df4bb1fdf02557b02b14998d2184c1e82be18a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1D3580BDE964E87B98557736DE87DA.TMP

Filesize
684B

MD5
8135713eeb0cf1521c80ad8f3e7aad22

SHA1
1628969dc6256816b2ab9b1c0163fcff0971c154

SHA256
e14dd88df69dc98be5bedcbc8c43d1e7260b4492899fec24d964000a3b096c7a

SHA512
a0b7210095767b437a668a6b0bcedf42268e80b9184b9910ed67d665fba9f714d06c06bff7b3da63846791d606807d13311946505776a1b891b39058cfb41bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7BDCC4DB74F8411686CFA693D078E6FE.TMP

Filesize
676B

MD5
85c61c03055878407f9433e0cc278eb7

SHA1
15a60f1519aefb81cb63c5993400dd7d31b1202f

SHA256
f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b

SHA512
7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc82D24B3E4C6A40E4828DDD6CB9238C5.TMP

Filesize
732B

MD5
d1ab5cd7b8edf473611603f7c0523c86

SHA1
9735a5ee3505c8d44491ff5fc329ad1de7926c81

SHA256
01a4da2c8dfc942b92d11f4e7ad7d2778cc897656ad6533078157042ffaf8ba9

SHA512
eeb2ef49281d2469e23340ddc195defa178a8aaed59147f0213904232bd09d8a46022eb16785e609589861082395dc7546ba0c2181418c421b959001922925c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc959AA14F10334D078DB5D13BF3BF5A94.TMP

Filesize
684B

MD5
7a707b422baa7ca0bc8883cbe68961e7

SHA1
addf3158670a318c3e8e6fdd6d560244b9e8860e

SHA256
453ad1da51152e3512760bbd206304bf48f9c880f63b6a0726009e2d1371c71c

SHA512
81147c1c4c5859249f4e25d754103f3843416e3d0610ac81ee2ef5e5f50622ea37f0c68eeb7fa404f8a1779dc52af02d2142874e39c212c66fa458e0d62926a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcAC6AC3CF352044B98AB35D77BE25A122.TMP

Filesize
668B

MD5
3906bddee0286f09007add3cffcaa5d5

SHA1
0e7ec4da19db060ab3c90b19070d39699561aae2

SHA256
0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00

SHA512
0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFDDEACB77A814F2384C18C7BB1D9FB7C.TMP

Filesize
644B

MD5
dac60af34e6b37e2ce48ac2551aee4e7

SHA1
968c21d77c1f80b3e962d928c35893dbc8f12c09

SHA256
2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6

SHA512
1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

Download Submit
C:\Users\Admin\AppData\Local\Temp\wb5zgmgb.0.vb

Filesize
304B

MD5
fb01d8183f16b971831f9d37461beba2

SHA1
e348c4296dae9b97c4ec78deb8673b4bf8ef19cc

SHA256
15bca0d615bef793fce92cf2acb3063d9ecbdf766efb009473c555b22a59b348

SHA512
660ebc5639b71db5661b4af21cc8ecb6b471229753418241c618ce34f7707b64d56f0f16e8575381a0b01e8cde55731a104a35a34cba5c679c47043e8bb09f2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wb5zgmgb.cmdline

Filesize
174B

MD5
aa666fd80e7ae8c50b0150d9a33a5453

SHA1
f68d2ee4d2ac2067014da46bf4b93650ed7432de

SHA256
0b0275f004eea77538f49871939eda83b53a61842d4275ecc5f06b41888abf04

SHA512
55d897cc0c1c4df9cb20ddc368f56ce36b21d98698f3d7927b3f08566b72fc13b77ddc2ce7ecbce341596bf4fb594645e4349ba4c74172583356526f88d60dd9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service Host Network Service.exe

Filesize
144KB

MD5
0371221c3aa1147d1009f0d0b1bf22e8

SHA1
5f33bcfe0070b7ac3b4d527103bb4a9385603de3

SHA256
d34a32b1c044553ab8b803f4370526f7a73d1cb519adcaec91b2c10efaa556b3

SHA512
a42bb69676da8c267a8f5b472cbba1ba408a553f919d8536f0a4e8054da914b5aa34089744301acf9eb5d993881955dda478ee2c5b663a945c8aafccef1a9eab

Download Submit
memory/2148-23-0x00007FFD35CE0000-0x00007FFD36681000-memory.dmp

Filesize
9.6MB

Download
memory/2148-25-0x00007FFD35CE0000-0x00007FFD36681000-memory.dmp

Filesize
9.6MB

Download
memory/2148-183-0x00007FFD35CE0000-0x00007FFD36681000-memory.dmp

Filesize
9.6MB

Download
memory/2148-42-0x00007FFD35CE0000-0x00007FFD36681000-memory.dmp

Filesize
9.6MB

Download
memory/2148-26-0x00007FFD35CE0000-0x00007FFD36681000-memory.dmp

Filesize
9.6MB

Download
memory/2148-27-0x00007FFD35CE0000-0x00007FFD36681000-memory.dmp

Filesize
9.6MB

Download
memory/2184-7-0x000000001CD80000-0x000000001D24E000-memory.dmp

Filesize
4.8MB

Download
memory/2184-9-0x00007FFD35F95000-0x00007FFD35F96000-memory.dmp

Filesize
4KB

Download
memory/2184-8-0x000000001B6A0000-0x000000001B702000-memory.dmp

Filesize
392KB

Download
memory/2184-10-0x00007FFD35CE0000-0x00007FFD36681000-memory.dmp

Filesize
9.6MB

Download
memory/2184-6-0x0000000000A30000-0x0000000000A3A000-memory.dmp

Filesize
40KB

Download
memory/2184-5-0x000000001BFA0000-0x000000001C4AE000-memory.dmp

Filesize
5.1MB

Download
memory/2184-4-0x00007FFD35CE0000-0x00007FFD36681000-memory.dmp

Filesize
9.6MB

Download
memory/2184-3-0x00000000009F0000-0x00000000009F8000-memory.dmp

Filesize
32KB

Download
memory/2184-2-0x00007FFD35CE0000-0x00007FFD36681000-memory.dmp

Filesize
9.6MB

Download
memory/2184-24-0x00007FFD35CE0000-0x00007FFD36681000-memory.dmp

Filesize
9.6MB

Download
memory/2184-1-0x000000001B280000-0x000000001B326000-memory.dmp

Filesize
664KB

Download
memory/2184-0-0x00007FFD35F95000-0x00007FFD35F96000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads