revengerat | faaf7582d93e929167cf114573d910f51bfea4afaa8bf0314add2bda61806f05

Analysis

max time kernel
148s
max time network
124s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
06-01-2025 00:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_0515e47f61a95f9847545a75b876a2d5.exe
Size

112KB
MD5

0515e47f61a95f9847545a75b876a2d5
SHA1

5ac29a22ca50833014fe050a9287d0ceb47604b3
SHA256

faaf7582d93e929167cf114573d910f51bfea4afaa8bf0314add2bda61806f05
SHA512

765cc4b27bfa50923f32fe16038ffc603aec6df04b4a3687b4f28102198a432af33a26e1d864340592f1e206db8f18f7f3a9923d62df7e09d6a8a0f66cf14483
SSDEEP

3072:pqXvnRs4fz6MGG3TI9ujfdMdTCC8OH9J71z7p4Yp5sbY:p0nfzNTTfdMdTCC8OH9J71z7p4Y8b

Score

10^/10

revengerat discovery persistence stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral1/memory/2188-6-0x0000000000560000-0x0000000000576000-memory.dmp	revengerat

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IExploer.exe	IExploer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IExploer.exe	IExploer.exe

Executes dropped EXE 2 IoCs

pid	Process
2936	IExploer.exe
2828	IExploer.exe

Loads dropped DLL 1 IoCs

pid	Process
2188	JaffaCakes118_0515e47f61a95f9847545a75b876a2d5.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\IExploer = "C:\\Users\\Admin\\AppData\\Roaming\\IExploer.exe"	IExploer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExploer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0515e47f61a95f9847545a75b876a2d5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExploer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1640	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2188	JaffaCakes118_0515e47f61a95f9847545a75b876a2d5.exe
Token: SeDebugPrivilege	2936	IExploer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2936	2188	JaffaCakes118_0515e47f61a95f9847545a75b876a2d5.exe	31
PID 2188 wrote to memory of 2936	2188	JaffaCakes118_0515e47f61a95f9847545a75b876a2d5.exe	31
PID 2188 wrote to memory of 2936	2188	JaffaCakes118_0515e47f61a95f9847545a75b876a2d5.exe	31
PID 2188 wrote to memory of 2936	2188	JaffaCakes118_0515e47f61a95f9847545a75b876a2d5.exe	31
PID 2936 wrote to memory of 1640	2936	IExploer.exe	32
PID 2936 wrote to memory of 1640	2936	IExploer.exe	32
PID 2936 wrote to memory of 1640	2936	IExploer.exe	32
PID 2936 wrote to memory of 1640	2936	IExploer.exe	32
PID 2936 wrote to memory of 2988	2936	IExploer.exe	34
PID 2936 wrote to memory of 2988	2936	IExploer.exe	34
PID 2936 wrote to memory of 2988	2936	IExploer.exe	34
PID 2936 wrote to memory of 2988	2936	IExploer.exe	34
PID 2988 wrote to memory of 836	2988	vbc.exe	36
PID 2988 wrote to memory of 836	2988	vbc.exe	36
PID 2988 wrote to memory of 836	2988	vbc.exe	36
PID 2988 wrote to memory of 836	2988	vbc.exe	36
PID 2936 wrote to memory of 612	2936	IExploer.exe	37
PID 2936 wrote to memory of 612	2936	IExploer.exe	37
PID 2936 wrote to memory of 612	2936	IExploer.exe	37
PID 2936 wrote to memory of 612	2936	IExploer.exe	37
PID 612 wrote to memory of 1696	612	vbc.exe	39
PID 612 wrote to memory of 1696	612	vbc.exe	39
PID 612 wrote to memory of 1696	612	vbc.exe	39
PID 612 wrote to memory of 1696	612	vbc.exe	39
PID 2936 wrote to memory of 2484	2936	IExploer.exe	40
PID 2936 wrote to memory of 2484	2936	IExploer.exe	40
PID 2936 wrote to memory of 2484	2936	IExploer.exe	40
PID 2936 wrote to memory of 2484	2936	IExploer.exe	40
PID 2484 wrote to memory of 1700	2484	vbc.exe	42
PID 2484 wrote to memory of 1700	2484	vbc.exe	42
PID 2484 wrote to memory of 1700	2484	vbc.exe	42
PID 2484 wrote to memory of 1700	2484	vbc.exe	42
PID 2936 wrote to memory of 3032	2936	IExploer.exe	43
PID 2936 wrote to memory of 3032	2936	IExploer.exe	43
PID 2936 wrote to memory of 3032	2936	IExploer.exe	43
PID 2936 wrote to memory of 3032	2936	IExploer.exe	43
PID 3032 wrote to memory of 1752	3032	vbc.exe	45
PID 3032 wrote to memory of 1752	3032	vbc.exe	45
PID 3032 wrote to memory of 1752	3032	vbc.exe	45
PID 3032 wrote to memory of 1752	3032	vbc.exe	45
PID 2936 wrote to memory of 2328	2936	IExploer.exe	46
PID 2936 wrote to memory of 2328	2936	IExploer.exe	46
PID 2936 wrote to memory of 2328	2936	IExploer.exe	46
PID 2936 wrote to memory of 2328	2936	IExploer.exe	46
PID 2328 wrote to memory of 2036	2328	vbc.exe	48
PID 2328 wrote to memory of 2036	2328	vbc.exe	48
PID 2328 wrote to memory of 2036	2328	vbc.exe	48
PID 2328 wrote to memory of 2036	2328	vbc.exe	48
PID 2936 wrote to memory of 1432	2936	IExploer.exe	49
PID 2936 wrote to memory of 1432	2936	IExploer.exe	49
PID 2936 wrote to memory of 1432	2936	IExploer.exe	49
PID 2936 wrote to memory of 1432	2936	IExploer.exe	49
PID 1432 wrote to memory of 1100	1432	vbc.exe	51
PID 1432 wrote to memory of 1100	1432	vbc.exe	51
PID 1432 wrote to memory of 1100	1432	vbc.exe	51
PID 1432 wrote to memory of 1100	1432	vbc.exe	51
PID 2936 wrote to memory of 2312	2936	IExploer.exe	52
PID 2936 wrote to memory of 2312	2936	IExploer.exe	52
PID 2936 wrote to memory of 2312	2936	IExploer.exe	52
PID 2936 wrote to memory of 2312	2936	IExploer.exe	52
PID 2312 wrote to memory of 784	2312	vbc.exe	54
PID 2312 wrote to memory of 784	2312	vbc.exe	54
PID 2312 wrote to memory of 784	2312	vbc.exe	54
PID 2312 wrote to memory of 784	2312	vbc.exe	54

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0515e47f61a95f9847545a75b876a2d5.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0515e47f61a95f9847545a75b876a2d5.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Users\Admin\AppData\Roaming\IExploer.exe
  "C:\Users\Admin\AppData\Roaming\IExploer.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "IExploer" /tr "C:\Users\Admin\AppData\Roaming\IExploer.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1640
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\irxo0jva\irxo0jva.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2988
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES89A9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDA9F63C8D0904BA6B8B9F4FBD94E15A.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:836
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yy0v2dq5\yy0v2dq5.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:612
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8B01.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5B494F4D3D2845588BB3C88851F19C73.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1696
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\avssadbn\avssadbn.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2484
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8C77.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7C23E33CA8D94CC7886EA89793E3A5D.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1700
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xcval2xa\xcval2xa.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3032
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8DAF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc54854D16818843408A1BBCBAFBB964BB.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1752
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ygvhnmc1\ygvhnmc1.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2328
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8F06.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc55EB9E97E90E47788EF770228FCF2F1F.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2036
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1pt1rwxy\1pt1rwxy.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1432
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES902F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6D7AF3E83F8C47BEA72FCE5BE976725.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1100
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lf1isl0k\lf1isl0k.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2312
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES91A5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCC7BD2EDAB434262B5E8C5A3F9453712.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:784
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\araz30og\araz30og.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3060
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES92CD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD78598B75FFA49DFBE7842D3C325E3F9.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2524
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hiyuhymu\hiyuhymu.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1016
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES93F6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEBFE942D3BB457F90C9945C9242C4BF.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:536
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\egwonkqf\egwonkqf.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2760
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES951E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCA41FB607E174BCE88B757CB3C30E6FF.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:516

C:\Windows\system32\taskeng.exe
taskeng.exe {7D3DBFE6-5A9A-4375-BA4B-897514DD4680} S-1-5-21-3692679935-4019334568-335155002-1000:BCXRJFKE\Admin:Interactive:[1]
1⤵
PID:2080
- C:\Users\Admin\AppData\Roaming\IExploer.exe
  C:\Users\Admin\AppData\Roaming\IExploer.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1pt1rwxy\1pt1rwxy.0.vb

Filesize
294B

MD5
8cb296fa1be7192b0d2decd5c80d4d3c

SHA1
abb0eb97f148a73d043a94ba99a28dd8e5135c92

SHA256
0c7d4823361974120582428cf8181029f3fa0ed9ed385d44b8a45ba9e027ae91

SHA512
7a0fa788cc1c630fbe64cb0af812fe09b13d56844aaaf8cf47c2673bd63b4aaec26e28a0a11a95f749988c9e0cbec3f0d94a01665b6c11620ec032f570411218

Download Submit
C:\Users\Admin\AppData\Local\Temp\1pt1rwxy\1pt1rwxy.cmdline

Filesize
199B

MD5
fa98244a4706289d626a1e43d5a55553

SHA1
95fd622b22d35c2abe3e93f7c4f53316e6835010

SHA256
b53ac795a44893f94045879de5182124700a7224b80ca94b68057d847cac2f4d

SHA512
d36c3b3feabc1959795e2b2899db201e54dccc71f9a54d8fcd83737b0a1471fbec2a8fdec5dfcfb0dc7ea242a0c848eda0716a223f201ab55848172bfe7d2277

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES89A9.tmp

Filesize
1KB

MD5
f1a9d50a3fc7bb782b880388f240fd7b

SHA1
812f8c9c03283e2d88430529462f4263b647edf9

SHA256
33c1d7f8c80fbd4fa46a82c0470085d49209b60b17c53858cabda1535445ace5

SHA512
69b70e2041d0e5218c1a7f41c81ec72dbb2e42d27d724268f37de5fe42e68208ee8c71f152d586b12113677e568085601566bc41f3b5ee4122338b185fb5a739

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8B01.tmp

Filesize
1KB

MD5
d3776ba23e54abcbad11ffdd68f93719

SHA1
2f3e66202d2a49026929a0be052a23ab81709660

SHA256
62fbc92e446ce5e10ae2e07c717cb265b67994a284707c6b290bf86ab6417c1a

SHA512
41d27c802ec285ca754da9f1e9ac77d5bdfcf2c9f608c7e71f256703d8a72a1e3c672b949e9f257bde6328a7816a5bd3aea8fe654dbaa3aea0a0308045cd52f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8C77.tmp

Filesize
1KB

MD5
c74638ecbad37dc281d6265c1d2ed875

SHA1
6a94237a72c5c41046f0d0ffde05c82915999854

SHA256
34a8931a6a3fd35aa94d96bad94a44d7fc01ae65c93b5f1a40240f325fd72caf

SHA512
fb9959f782751bb626a92512eee70368deb4d5a5df8e726db383fe4373827e940e5fada70b671a845f00f6b0cc6dfebe377a41aec7af26dc3ad31941e71d27a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8DAF.tmp

Filesize
1KB

MD5
2e890aefe579a3e954699619e371ae9a

SHA1
62a72f1a95edad835a9ed69f758cf957d72c0ba4

SHA256
825afe9e33f543d66b05adb00e61db05ba7b0a7cc84aecd7b3ada8b36ccfb6c6

SHA512
ae174fdd1e86b466d248f72377774eec378e817382a75320d646706e5968eef68b797a42eebd361436fd7b98af9ce3f3223b838586b79d9daa3cbf3728f6e45b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8F06.tmp

Filesize
1KB

MD5
98ac89254e8e0a6e0c5098a97f5b18a1

SHA1
e4a99aa9ec20e57ccd270633a9683959811c93b0

SHA256
90e9b752497ee11620289907b61ba5232bd041cf974f897bb02e4e571b5c8a4d

SHA512
c461a4c2f1cc7603f01176f8b868640b075fd637fff951bbc8b02e6dec48f4111f689c9f5f463b2218f7759d56836f764f9872343da6e818f52464816fd96b7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES902F.tmp

Filesize
1KB

MD5
bed542cc869f90b13e58c78f542ef58e

SHA1
525ce6ab404a8ec9bdd8638842e025f708f07672

SHA256
fe6e850d553062e2e731baaef669013dd67540540ae08e62648a914e7ff60b54

SHA512
4af2c64ccab6dfa87bfa9fb4d4b390207c6fbd75582ba39983dfa700372169e20827b8aac227f1f13aea83b6228cfc3a5954ab65f74b4b0a11a8c1a4ec537ac4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES91A5.tmp

Filesize
1KB

MD5
ea4fc10ddcc8d9854436e7090c25652c

SHA1
28a5ae6261f73133c27cf588b26cfef66a70711f

SHA256
11553348f722b12bf3c218ff11e268683ebcf885e76a40cda38e1beecef2692f

SHA512
3e9d021e9828e0c9a558bd03b835543ba09d860da267fded1b819388175524a0955b6e14a8fec39e971c78b0a8f5ab6cbea6921257f830d324b08c1f4b0b0822

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES92CD.tmp

Filesize
1KB

MD5
517937816c295a9f1a5bd3a056e00f97

SHA1
e8336e4d9b0eb5227f747d162a91fc89d9900416

SHA256
e29ce04eb168f6e639d00e184ebaf678ae8da6826769eaa74045999702bd5db3

SHA512
0c82486ea60b6d63d5b7e93114c306256fb306fc686a76ab3df6e779151ded520ee6c26a95a2426cc2e1ad894647bf699185cd10b66f7ca1118dc8dffd00ab65

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES93F6.tmp

Filesize
1KB

MD5
99baf8ccdaf541d65ecf2f3f8389537e

SHA1
8d34d648301c0c99842da3d4cbd36d12b3c29709

SHA256
52ed466991625ec6dc8eb06e22134410edf0896b12b2321f76eb4f5b00682ac4

SHA512
9c6222752973402403687dcfff2caccefae5fdbe65f74d100636a32b90b5dd54b743af598eb74c7c579826758ed7173ada599644166924d48ca3cb27e483503c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES951E.tmp

Filesize
1KB

MD5
8d1b9725dbf5d1a95cdd04689cc53eab

SHA1
06d0afa0e9f63688ffc4638b9166e2dc6022c045

SHA256
41e434c1226069b23c8a8ff1960762d5a216892b3a3b8c338ff9648585bca0da

SHA512
f0f6627a3117a5bcfb1443548791d46d6a763aba50336aeb8006c0160098e8321c8f3937b08384a3fe1691d31710442f07ab8abd4c4cb6830d4ff95509f2fab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\araz30og\araz30og.0.vb

Filesize
268B

MD5
e4a81f91139eceb4961c9a691825d976

SHA1
cf8deb4a997e8dcf89098934105585bc9011ea4f

SHA256
da7a460fbdb983421efce82f05ad69d2859b9ad1fafa7526a25c2ed7a5c2027d

SHA512
b70e7f8e1736e104229bf4b84434e0dfe17f9d8300039f2cd501582bbe7d83fd33a96d2012438073fb6126817a8dc863f788911992073fcc46d8d5eaa3f4f3c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\araz30og\araz30og.cmdline

Filesize
173B

MD5
dacfeda5a2b639669ddb77ca94ce9a5e

SHA1
47a9421c9aa30fc891e20e9b42369a09eac05b46

SHA256
b132275b4adb298bbdb8f4244ab664c4e53867c114c8bb46e30839dca6cabb2c

SHA512
056b11badf39eb4029d5122dfbf50c9c4f5c4136ab68104f2a5a9369becc3129c9c09b2cab47d8ff42e19461cc510fd803b3415755f6006154a7d1488168097e

Download Submit
C:\Users\Admin\AppData\Local\Temp\avssadbn\avssadbn.0.vb

Filesize
269B

MD5
861244d3b1a1da81ccf752f647194f17

SHA1
45488514e900d5a1114c5f01cc0c64ce4d815bfd

SHA256
91fe1cb5a0659fc6e916b23796f355a69381657ebb2775b846df5cc5ce74a2a1

SHA512
0b307e1222e69ca8948d1a64dd1ff2b41d654e4333fb5f49a324fb3a94395699a1b91e404f9c724e93aca00c13dbc1a61e2bc965f9478d4104b13c9b13d216e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\avssadbn\avssadbn.cmdline

Filesize
174B

MD5
74de7b3ec64ab7bbb889e0b6a590f9c3

SHA1
38a7f000f31f0878db64e09c5a1e72458ad677ab

SHA256
a90ada313823e73774446e7ae90d835f58f619302234cd707a4e1eff10c3bb94

SHA512
d318d7ecfcceacb1e8dcd98dbeb71f22c57985424761b963a73e92c87bb91cc63010356cf3dbadca1fc843617a03b9263b1159af3b8c462c6a80317ff3b2d085

Download Submit
C:\Users\Admin\AppData\Local\Temp\egwonkqf\egwonkqf.0.vb

Filesize
277B

MD5
752ff9ad1e0d1ef8019b4effd2ce4104

SHA1
4e89f5b89854405bf14ca3aeff93808d0f6886ff

SHA256
ccc200f18d6056f21ae10555e9e33d0a33392018a36cf79ba452c1f1d0e82b61

SHA512
92b3aca78e7e64bd513d361a5cf8a8d6af10b293412cb6aaf77bc30fd3b68ca52bfac97fd765ba37170a89414ded3fbbe33193636490a6ccc9a72523932b7c43

Download Submit
C:\Users\Admin\AppData\Local\Temp\egwonkqf\egwonkqf.cmdline

Filesize
182B

MD5
a6d387d3a75bde8b6fd71a1870d05996

SHA1
160d4d7a1f1bdc74210d6795b8e4be595a8ab1d7

SHA256
c7a701ac1e49ba497e0b3fc2024f81def0ed0fcbd012a92b03b4a82fd81f82c8

SHA512
926a8a7053149dbb1d73f5db8c19d391451e528cc472c68fa86efffc14a24ab374223a95893b8f1d23278117a728d83a16ece2fb24dc37680b2ea40241c4885a

Download Submit
C:\Users\Admin\AppData\Local\Temp\hiyuhymu\hiyuhymu.0.vb

Filesize
274B

MD5
6a8ebfe0dedfe1ad4ed8e6dec0ee501a

SHA1
0fe1f3ed1cd5326da2c0c7d92f8f7db50a83abe2

SHA256
a690c6e275b56ea1332fa6188838520047f086be4b0fe9149aa46e90b43b58fb

SHA512
6f9bbf862b834fd28372caf234919378a2cf4c5125a624e2cb52fbdfb105c54ff9ef89849f0a8ba8fe11b9daf161ba464d17016ffbd327da837b300a55f9d684

Download Submit
C:\Users\Admin\AppData\Local\Temp\hiyuhymu\hiyuhymu.cmdline

Filesize
179B

MD5
7c56cd97f48471ba5052edaece4eb87d

SHA1
e635a8b2dbb2c574f6f9046faf4a6ce1fdc6432c

SHA256
163b3ad062ca0e6a52d639f64cb1d18c346fb9515ec7b44c95b28c2d43062e7b

SHA512
0e674d7c9aa9d6e2ffcba5d1df22eba8b5c0209397c913e640b21428daee2c9f778b0815d4e4400d31d7bb1a7fe71900f9e548619cce8a26a14ae968f124763b

Download Submit
C:\Users\Admin\AppData\Local\Temp\irxo0jva\irxo0jva.0.vb

Filesize
266B

MD5
48761fd7996409ad7ba9d662c66b11a1

SHA1
85e4ef1d815bd99b31ee2d3080cbe27ad39d3c5e

SHA256
b34b5f89b536c1c01ca4604fc6b6c03b31f3431be9af583c005a59c080bc4b6f

SHA512
d97c993ecd2afa300ae0c1672984d6bc1772a89208737281182bbeba4694d989f5e2486c9972abe6ee8b01c5e9dbdd9146d7b6531a82786b4b05612ba1d0d2a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\irxo0jva\irxo0jva.cmdline

Filesize
171B

MD5
abfea2ee7daa69f567801dc9853aa2a4

SHA1
7d492c6fa7ad7ccfb5ba2e7d9c30b46e7efe3f1c

SHA256
845041b18081c8c56395c915cfebaf8bc622b7620b6372f3662f05affba75a84

SHA512
385b17d576c1e22276a01bc0217e756b64961d8a598e5a9ab8aede1605039ffff2216bc7b8dc86338b8e05e1106260d26a2df34d0923173e610380f616f03a83

Download Submit
C:\Users\Admin\AppData\Local\Temp\lf1isl0k\lf1isl0k.0.vb

Filesize
275B

MD5
0af5b2967e1b54637a99c58cf00b0970

SHA1
bd01ec69ca515afbd66c34bd0d4bb4aef432f99b

SHA256
762fc2cd68f81c6dde6c27b318b66a28cc8af38202153694cf5164a9a238f3cd

SHA512
227c4c47df1ac338a14cc91df57cbab063249e2b0552e0042cbc2cb699c1da2cfedbf1bd9fd7ba5dd4d1deed11f83680f0bd8eae1c499dbe324a52e0b18b94b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\lf1isl0k\lf1isl0k.cmdline

Filesize
180B

MD5
7f3af5bf0d5f3001634cf9af13ae2ab4

SHA1
2752a1833b3e8fd9d6faa8b58943b3a85ac937c7

SHA256
6deed1f998630a56b5b4c4b39c497ddcb54a2313867c269a5da31981740d846f

SHA512
d63e3dac51a84c9662e8bc3d47da6c75a1364e4b3c46c6e53ffcb80787e480087550db07ff80be5f07b4dc478477a501aed87e79dcbdeb6092e5791cd5c5b21c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc54854D16818843408A1BBCBAFBB964BB.TMP

Filesize
1KB

MD5
c3e495da66a1b628c1f3d67d511f5f30

SHA1
d487b081326a052a7b7057b1f039bbe262280479

SHA256
81cbcb4840551143dbb1f8215d7c54f87f0397173b35d6a101564a784827dffd

SHA512
c596c316e8519a33e4360f87c40a812f904145a12c1d4c3c59f95b08a353eda781e40da8e95b0e971c24faa7d15b19170a67027cf8732246a6978cc6571b29ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5B494F4D3D2845588BB3C88851F19C73.TMP

Filesize
1KB

MD5
6592f9186211221a0a3afcf34a2dfa00

SHA1
bf3748b4ab03bdc65c242ad924653666cda3c5d9

SHA256
eac2c432a96e0d19ef3a1950bc067babe642d11af2a3c2a14bc3050e508c1b3f

SHA512
f7b072428258b7cf5d674c9df15bcb28df9369fde271e79bb2752e0266cabbc3b4bce8aa36e56f3ae99ebc2e658ca7d764628c82668adafc3d0889bd6d71dfca

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6D7AF3E83F8C47BEA72FCE5BE976725.TMP

Filesize
1KB

MD5
cee1aae40ed483284d3131b9a76eae59

SHA1
616bc1c7ea383b4f78305c4111a9816095f45b12

SHA256
bc10f0b64e7c4e54e0d840d904c395326907aa9e30b243959e00aea0a51b8d35

SHA512
57976c6b66ca77489f168915be4b0b7c3b53747f6a62e60984db5d0aa2ff8428a0c8a78b515191e2c257afd11a4fb17c4bd6f05a49bd429120e588ac040addee

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7C23E33CA8D94CC7886EA89793E3A5D.TMP

Filesize
1KB

MD5
4ffaef2181115a3647790b920aa31b31

SHA1
7f15eee57c8482252db8286ab782978747471899

SHA256
d52cc5df93cac8616b0ecebdf21c6e11bf14e0308f97d6406f4e1c76d0738843

SHA512
501991abd0d0f5780084b9584292183d55bf2c5587de4a7182e1f0979a68f051ef2e1a94753d9da0add2f4f04107320d664952f018c516f3354fdda4e11ec436

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcCA41FB607E174BCE88B757CB3C30E6FF.TMP

Filesize
1KB

MD5
d7d9f8d1ac18d21666caab1c2340838a

SHA1
a33791468a096f2ecd0b9d46a3550879ddb20b6b

SHA256
5131ea59abf4dc33da21ae8a0fa4302960428d430b974368bb294c50cf92d6ce

SHA512
2e4736a5e5635d5769fe1087add8fe3ec73286778485708882c3c98ab03b7b8b6e418b311218f093dc7946d1a5309a2738c08a6418dfc60e6c75406a14700f10

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcCC7BD2EDAB434262B5E8C5A3F9453712.TMP

Filesize
1KB

MD5
5be03705622d8432c727b2f54d2f8714

SHA1
d5fc067a15681b7defb145c6526331a359e6f84b

SHA256
763889d47a575bea1067919ee6b7da90e470394d08f92f0a12cdb7a95c5f8d6f

SHA512
1aa7ddd4493dcbe9c635594d75c30ed3a4ad68c26f0e437ae32b1098a3d1992b5467777308f6d84ece5be4368136da12202c928d14d785691c9201223adafe77

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD78598B75FFA49DFBE7842D3C325E3F9.TMP

Filesize
1KB

MD5
32060b25f1b853322f55b00e646349eb

SHA1
3f48939a11387738bbdaaecf03302bf210653b11

SHA256
49e5606fb65b14e33097ca86115ea6c55061517334188958984941a116189d6c

SHA512
db81b28d76f9469e07c1f91c2557acb7109a5c35f35ecd29d41df61e18b934bf36a3569f01aa2d3dc649e54537669d6d7ba492ed25bd4596d04cd0d714e20d4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcDA9F63C8D0904BA6B8B9F4FBD94E15A.TMP

Filesize
1KB

MD5
efa86d1097e3356b4f7173a380c71c68

SHA1
f5940b67a6a5f561ff6454929eff2fb03df8b382

SHA256
8ccd957c9cf2aa677ee3e872feaa327cba85201d1066ba2c702d0b103bff1b67

SHA512
c409a703465f22a2094381be7a5ec066a487cb42c043fefe15f0654f6820e6fc7047786d257da754f20b9cdc4a9f5bb07d6691492d8d30800c6bad607a15b354

Download Submit
C:\Users\Admin\AppData\Local\Temp\xcval2xa\xcval2xa.0.vb

Filesize
273B

MD5
e89b3dbd703ab059fea51cdfc444a7a0

SHA1
121964fae53714459d4e78a69e1894f406b15f0b

SHA256
15d3532ee6c62319b7f46dd0790d6e4f29f7e6b8831cd2b52714a0cd72a52b7d

SHA512
b71ef2acd232f77bc376c80fa3fe15b00b0fdf3e67638c49b8ac2ef42b44668cccf58408e2990da0f2e349d03b9dfa02f1d56bde9a4d1819e8daec148cf9d2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\xcval2xa\xcval2xa.cmdline

Filesize
178B

MD5
8e30e1f8a305b91cec6738847387fccb

SHA1
2a3536db80e35274b6c0c7487352b4840a35d6c2

SHA256
41d606cfae44f330d2c03c46eafae53d7bba652f1b767b6d1cc523926d9b87a8

SHA512
f34717c8f490cb9a6b29c7067523eef6eee1c62fa9ee877707cba42995ae1f050a2391dd155a153b2ba30bae41d7f163cb306c2df888a9c5cd7a9243da8ea05b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ygvhnmc1\ygvhnmc1.0.vb

Filesize
275B

MD5
56c0de9c4774ac5f1a5c7958e9787945

SHA1
cccb25583894e124c2208577b904fcadead6d729

SHA256
78adb3f06dbe3b39e5d5e1726696e7545216b6cc991db05d6f9a3493f7dd1edc

SHA512
3d0cc984bc9e708a7e48db90e7d76113041bd3bf840bd75f5c90e3f2dd3d646085ffd5b8fa5a9c47c7ff3b6c99a87af57b22eeccd631154dced49d32d82fbffc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ygvhnmc1\ygvhnmc1.cmdline

Filesize
180B

MD5
46a7f6923ef6280df0ff5d293616d03c

SHA1
4762d981167c4a6e82d4ffca8841061e65f670f8

SHA256
2af77917ce704b3f11f8e9ebfee39db2d1c2347ab25266e1f25e9b963fed642a

SHA512
a62e130d7ad20def1e6899b9b0534dcec568175244c1a610f5d8e4d77a675032ab5959f3c6d0aa64f3a64f327228eaef0deb3fcf4fc252829280c27947dca25e

Download Submit
C:\Users\Admin\AppData\Local\Temp\yy0v2dq5\yy0v2dq5.0.vb

Filesize
270B

MD5
3a3abdd0e264cd5f5e3306eec6d3f5f1

SHA1
e25cdd3241b49aeeed8ae14ce0ce3dbdbe69896f

SHA256
27756bcb336b00548dc71f5dda931f9dc077377c2087ef3d282cd70d13d1c381

SHA512
d75b50dc0429ea4747a2408faedee8631355230fcf5207b69db0fceeaedf2bcde304b95c3d0a1fdc9f1148dd280a725b8a7de028a928098215c4dc8b8abb2ae4

Download Submit
C:\Users\Admin\AppData\Local\Temp\yy0v2dq5\yy0v2dq5.cmdline

Filesize
175B

MD5
a674792855b046e9069b30859d0e4964

SHA1
eb00d02f97bc90645378d75bd04f8b421e304ee9

SHA256
52885699740cfa5ccf75284ac00031ab9bd6de3b1fc251c225fd51395609368d

SHA512
f427fba608dba5c892baf9d9645410097032d56f558887b9350ca1819a9d9fb78ee704327fe8c063ae34be3394cba22996c3ee6aa5d4e8a3ef478e78ee93a34d

Download Submit
\Users\Admin\AppData\Roaming\IExploer.exe

Filesize
112KB

MD5
0515e47f61a95f9847545a75b876a2d5

SHA1
5ac29a22ca50833014fe050a9287d0ceb47604b3

SHA256
faaf7582d93e929167cf114573d910f51bfea4afaa8bf0314add2bda61806f05

SHA512
765cc4b27bfa50923f32fe16038ffc603aec6df04b4a3687b4f28102198a432af33a26e1d864340592f1e206db8f18f7f3a9923d62df7e09d6a8a0f66cf14483

Download Submit
memory/2188-15-0x0000000074790000-0x0000000074E7E000-memory.dmp

Filesize
6.9MB

Download
memory/2188-6-0x0000000000560000-0x0000000000576000-memory.dmp

Filesize
88KB

Download
memory/2188-5-0x0000000074790000-0x0000000074E7E000-memory.dmp

Filesize
6.9MB

Download
memory/2188-4-0x000000007479E000-0x000000007479F000-memory.dmp

Filesize
4KB

Download
memory/2188-3-0x0000000074790000-0x0000000074E7E000-memory.dmp

Filesize
6.9MB

Download
memory/2188-2-0x0000000000510000-0x0000000000516000-memory.dmp

Filesize
24KB

Download
memory/2188-0-0x000000007479E000-0x000000007479F000-memory.dmp

Filesize
4KB

Download
memory/2188-1-0x00000000010D0000-0x00000000010F4000-memory.dmp

Filesize
144KB

Download
memory/2936-17-0x0000000074790000-0x0000000074E7E000-memory.dmp

Filesize
6.9MB

Download
memory/2936-14-0x0000000074790000-0x0000000074E7E000-memory.dmp

Filesize
6.9MB

Download
memory/2936-16-0x0000000000B60000-0x0000000000B84000-memory.dmp

Filesize
144KB

Download
memory/2936-18-0x0000000074790000-0x0000000074E7E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads