revengerat | faaf7582d93e929167cf114573d910f51bfea4afaa8bf0314add2bda61806f05

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-01-2025 00:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_0515e47f61a95f9847545a75b876a2d5.exe
Size

112KB
MD5

0515e47f61a95f9847545a75b876a2d5
SHA1

5ac29a22ca50833014fe050a9287d0ceb47604b3
SHA256

faaf7582d93e929167cf114573d910f51bfea4afaa8bf0314add2bda61806f05
SHA512

765cc4b27bfa50923f32fe16038ffc603aec6df04b4a3687b4f28102198a432af33a26e1d864340592f1e206db8f18f7f3a9923d62df7e09d6a8a0f66cf14483
SSDEEP

3072:pqXvnRs4fz6MGG3TI9ujfdMdTCC8OH9J71z7p4Yp5sbY:p0nfzNTTfdMdTCC8OH9J71z7p4Y8b

Score

10^/10

revengerat discovery persistence stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

RevengeRat Executable 2 IoCs

stealer

resource	yara_rule
behavioral2/memory/2708-7-0x00000000010B0000-0x00000000010C6000-memory.dmp	revengerat
behavioral2/memory/3800-26-0x0000000002D80000-0x0000000002D96000-memory.dmp	revengerat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	JaffaCakes118_0515e47f61a95f9847545a75b876a2d5.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IExploer.exe	IExploer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IExploer.exe	IExploer.exe

Executes dropped EXE 2 IoCs

pid	Process
3800	IExploer.exe
2608	IExploer.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IExploer = "C:\\Users\\Admin\\AppData\\Roaming\\IExploer.exe"	IExploer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExploer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0515e47f61a95f9847545a75b876a2d5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExploer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4832	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2708	JaffaCakes118_0515e47f61a95f9847545a75b876a2d5.exe
Token: SeDebugPrivilege	3800	IExploer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 3800	2708	JaffaCakes118_0515e47f61a95f9847545a75b876a2d5.exe	91
PID 2708 wrote to memory of 3800	2708	JaffaCakes118_0515e47f61a95f9847545a75b876a2d5.exe	91
PID 2708 wrote to memory of 3800	2708	JaffaCakes118_0515e47f61a95f9847545a75b876a2d5.exe	91
PID 3800 wrote to memory of 4832	3800	IExploer.exe	92
PID 3800 wrote to memory of 4832	3800	IExploer.exe	92
PID 3800 wrote to memory of 4832	3800	IExploer.exe	92
PID 3800 wrote to memory of 4612	3800	IExploer.exe	94
PID 3800 wrote to memory of 4612	3800	IExploer.exe	94
PID 3800 wrote to memory of 4612	3800	IExploer.exe	94
PID 4612 wrote to memory of 5064	4612	vbc.exe	96
PID 4612 wrote to memory of 5064	4612	vbc.exe	96
PID 4612 wrote to memory of 5064	4612	vbc.exe	96
PID 3800 wrote to memory of 3832	3800	IExploer.exe	97
PID 3800 wrote to memory of 3832	3800	IExploer.exe	97
PID 3800 wrote to memory of 3832	3800	IExploer.exe	97
PID 3832 wrote to memory of 4424	3832	vbc.exe	99
PID 3832 wrote to memory of 4424	3832	vbc.exe	99
PID 3832 wrote to memory of 4424	3832	vbc.exe	99
PID 3800 wrote to memory of 1912	3800	IExploer.exe	100
PID 3800 wrote to memory of 1912	3800	IExploer.exe	100
PID 3800 wrote to memory of 1912	3800	IExploer.exe	100
PID 1912 wrote to memory of 4452	1912	vbc.exe	102
PID 1912 wrote to memory of 4452	1912	vbc.exe	102
PID 1912 wrote to memory of 4452	1912	vbc.exe	102
PID 3800 wrote to memory of 3020	3800	IExploer.exe	103
PID 3800 wrote to memory of 3020	3800	IExploer.exe	103
PID 3800 wrote to memory of 3020	3800	IExploer.exe	103
PID 3020 wrote to memory of 3760	3020	vbc.exe	105
PID 3020 wrote to memory of 3760	3020	vbc.exe	105
PID 3020 wrote to memory of 3760	3020	vbc.exe	105
PID 3800 wrote to memory of 2280	3800	IExploer.exe	106
PID 3800 wrote to memory of 2280	3800	IExploer.exe	106
PID 3800 wrote to memory of 2280	3800	IExploer.exe	106
PID 2280 wrote to memory of 2752	2280	vbc.exe	108
PID 2280 wrote to memory of 2752	2280	vbc.exe	108
PID 2280 wrote to memory of 2752	2280	vbc.exe	108
PID 3800 wrote to memory of 3124	3800	IExploer.exe	109
PID 3800 wrote to memory of 3124	3800	IExploer.exe	109
PID 3800 wrote to memory of 3124	3800	IExploer.exe	109
PID 3124 wrote to memory of 3576	3124	vbc.exe	111
PID 3124 wrote to memory of 3576	3124	vbc.exe	111
PID 3124 wrote to memory of 3576	3124	vbc.exe	111
PID 3800 wrote to memory of 1972	3800	IExploer.exe	112
PID 3800 wrote to memory of 1972	3800	IExploer.exe	112
PID 3800 wrote to memory of 1972	3800	IExploer.exe	112
PID 1972 wrote to memory of 1644	1972	vbc.exe	114
PID 1972 wrote to memory of 1644	1972	vbc.exe	114
PID 1972 wrote to memory of 1644	1972	vbc.exe	114
PID 3800 wrote to memory of 1196	3800	IExploer.exe	115
PID 3800 wrote to memory of 1196	3800	IExploer.exe	115
PID 3800 wrote to memory of 1196	3800	IExploer.exe	115
PID 1196 wrote to memory of 3668	1196	vbc.exe	117
PID 1196 wrote to memory of 3668	1196	vbc.exe	117
PID 1196 wrote to memory of 3668	1196	vbc.exe	117
PID 3800 wrote to memory of 3536	3800	IExploer.exe	118
PID 3800 wrote to memory of 3536	3800	IExploer.exe	118
PID 3800 wrote to memory of 3536	3800	IExploer.exe	118
PID 3536 wrote to memory of 3724	3536	vbc.exe	120
PID 3536 wrote to memory of 3724	3536	vbc.exe	120
PID 3536 wrote to memory of 3724	3536	vbc.exe	120
PID 3800 wrote to memory of 5080	3800	IExploer.exe	121
PID 3800 wrote to memory of 5080	3800	IExploer.exe	121
PID 3800 wrote to memory of 5080	3800	IExploer.exe	121
PID 5080 wrote to memory of 3784	5080	vbc.exe	123

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0515e47f61a95f9847545a75b876a2d5.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0515e47f61a95f9847545a75b876a2d5.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Users\Admin\AppData\Roaming\IExploer.exe
  "C:\Users\Admin\AppData\Roaming\IExploer.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3800
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "IExploer" /tr "C:\Users\Admin\AppData\Roaming\IExploer.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4832
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1dmapvuw\1dmapvuw.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4612
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2987.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc999472547E04853931C1655F548D0.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5064
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lf2rq4ds\lf2rq4ds.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3832
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2A14.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1A573807C1C14D75AEAAC8357A26B6A.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4424
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\owr2nf43\owr2nf43.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1912
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2AA0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA13DC5B6423C4998A749A8A63745F4.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4452
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\q0m1vpqs\q0m1vpqs.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3020
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2B1D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2B7769D2734C4DE293A2253C6FA93676.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3760
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pmpnmy15\pmpnmy15.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2280
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2B9A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc87FB5AA5B27444F59DF645CC7C151D48.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2752
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zhxs4pai\zhxs4pai.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3124
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2C56.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAF8BA6463E044F76B75378107BC99D92.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3576
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cow2g12e\cow2g12e.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1972
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2CD3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9A11A2C5804D43C496C0AB4BE3DE9315.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1644
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ptli04q5\ptli04q5.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1196
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2D5F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc988282C3759746F9ADD7BD82BB3D3650.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3668
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uoo3dk13\uoo3dk13.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3536
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2DCD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA78101168F2842EBA82D7CDFBBC2A8DD.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3724
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\g2acv1fh\g2acv1fh.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5080
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2E59.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF3EF6F946B81438DA94CC3C5D3EBC2.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3784

C:\Users\Admin\AppData\Roaming\IExploer.exe
C:\Users\Admin\AppData\Roaming\IExploer.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1dmapvuw\1dmapvuw.0.vb

Filesize
260B

MD5
38dbc4ca76e82ddf244df032aa6ac614

SHA1
10691c5e41281e06b85423a023ca24c1ba084e18

SHA256
0381ad144884bd9880c264f34467813a1a1b5ea7ab62c0cb3b82481bf2baa1f9

SHA512
0aad470787c0aaf54d456446b7a4420b4e672b814ef94c5dc3316e9f7fdafc2aacd645c28c810f0f94295565f6456fd2b124e4ec72671689bd3af20b456811d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1dmapvuw\1dmapvuw.cmdline

Filesize
165B

MD5
0564648e8098537c660ec47947667f07

SHA1
b727963e9bbee912a0dd3048c5b57f3ff5b965a5

SHA256
df2eaeb02a6eb7abb6349e63de65a0436d198e58acec0580df5d9f9b81720781

SHA512
61b6b62084863b1ddef46191bf6979a1e2abe6d218e87680698489b7326c590c66182264122ff9dfe0e0d9434246c31ec4536bdf48fe386242b7a53ec59fec0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2987.tmp

Filesize
1KB

MD5
0843ddcca603783db36238bb60329300

SHA1
db6fe40e1eec6b16c29355508973c53e9b03286c

SHA256
2f1c211c87c3f6c8df3039cb011bed255f77887481976102486124b6c74516bd

SHA512
408fd16e1816d28269874536a5c20a44acb63662ad12158b1b16c50d8c756214676076de7deaccbf7246b4f6289116d41523c1df51a383a1b1f723e18458e139

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2A14.tmp

Filesize
1KB

MD5
07386e70caffe2c47b141626dcce1380

SHA1
55bd153c2a063238cb32f4abcf65f78e409a3e7c

SHA256
642bbeeb1a32744bbe072ea763c82e0ab97e2f185f8ba0f1c4338d590f736281

SHA512
1c51e2ae671daba6312523c559fa792604cfe1bc3690268782f06d5d2dcdddcd2a0d815aaedbaecd0e255018a3609d54a2b89fbf023893d8f6bb5d2ae83083ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2AA0.tmp

Filesize
1KB

MD5
7f48f900a147a69fd55b4bdd13c91a75

SHA1
6c1c4d926f3a2232183c13d90b4ed5c617c076bf

SHA256
4bafa1730c76fe5be8c9e5ccd54e9114d1e18c977c22131d3e6d384b1a10a885

SHA512
83ba8a532e407ffeb980f7a589cc8801d66c7921807a498de49fcd843fe665e6c46913e313be0516b6ef86bbb351a0c3271d1e48a4c6ed7fb5b0c42dd89658de

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2B1D.tmp

Filesize
1KB

MD5
70a270e687e05831f95bb474dd68c954

SHA1
3e87077daff88f57ec2e56ffb6e98c34728ca829

SHA256
a2a0c904fed58782175c251c1d09bcb3762f8df933074d142210c9c6297a2417

SHA512
0c78d0d59e6b3160811b51fd349605b134a4863b00b2f5553f6a6c2ec12ddab4dd069d4f59762a85ca3d556bfda6c26e067929aa4f14ce80d7a5347e1fddd36a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2B9A.tmp

Filesize
1KB

MD5
aa4e0cf02c19a966b77ffe8398382aca

SHA1
0fee0b5d080c16e4af74d3aaa557e108fd01ea7b

SHA256
0e3fbd38bf06cecff66fa82a402c5ecede0ca5068578f23180a15250b8d0a73d

SHA512
b2fead35a6b38b011d4769c2349de884f848e9cb79ac2ad98385643343df17a3f8ea5e3b0e2d84b497846e78f513d1bcdfba79096386f0ac3237af609c31588c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2C56.tmp

Filesize
1KB

MD5
9441995c54a8dd6caba9666b3a16c04c

SHA1
7d604933c0917621e8a9f364a77a8a01a82856b9

SHA256
7b9a98baf3a1382c46b670993af2f10fbe11c01e8aed8d2318330d8d574b23ac

SHA512
b8553850bacf071cad906d51414307237770f0d5e81c6a7470dee84e81186b67eff58a81fcd823144ab61f9e3136826e6cba87ab1bb229f0127715428100aa57

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2CD3.tmp

Filesize
1KB

MD5
8d04b20d8aa3649309f5cc3dbff6fa7c

SHA1
c6502b550e0dd1f88be2c48eb6016f140bf6e21a

SHA256
557f834e0c1cf2e39b6a24c4f6382ca9b8615b0a1927fd5ce5c0b1bd9bf83531

SHA512
81ba22a7369aa92735a54118f1affd9efc0542617dc5b082b09570e9198f8dbc0d4d330f12164558d226c8d5d4dc848f174eff57e67941bb8351541d12fe0c60

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2D5F.tmp

Filesize
1KB

MD5
89710dbba03325f057cb08d3866eb57b

SHA1
f99c5936a891fe1f97f51f223e76f7f00d20a229

SHA256
633f9cc61c4a5165edab5fd92bd184ddc13b549e069229fe8e5450d5cc963f1f

SHA512
98aaa27ffd2e6cb52241a3d44a0c3288146c4064165dbf62a8d79d8879ad5e82b5df38d60e9155b5b75835c2b25f9b6b318a55dbc5bfeff0b25c46f2270ad4e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2DCD.tmp

Filesize
1KB

MD5
fc2918a4335a9674b0c0762d9817db45

SHA1
1f6d49eb69ef6b1fa39067c39f4bb6828ecc49ad

SHA256
1d9d7502a86f6e56f51ca03848bbb31fa1388cc736158e461153f0b92eae88c8

SHA512
9f1812c0859a1e868a3be427c0b5c23c1b02509f67f737fd22d5d082e7af9c0115aea53bb96bec45b28c3df76d2b8a0769d68df9057ea48ba2afcde4fed314be

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2E59.tmp

Filesize
1KB

MD5
7a1083d73d5cc46bad7e589a283f8e58

SHA1
312b344bc80872cad23556547fc5265643e955c9

SHA256
dbc9e186dde3cc8f6381ad7275d3c08871e971961740349690424bd5169e7708

SHA512
65af097b5124d09bcac8f0fb70e364f33fd247bea55a4441af73d50dca44253863257f764bf63822d8c53cb4b5f952b642c43c81db0444c92e0f6f9a8c3a3281

Download Submit
C:\Users\Admin\AppData\Local\Temp\cow2g12e\cow2g12e.0.vb

Filesize
278B

MD5
fd15db08477ef28ef9e28f42d8a3f9e4

SHA1
500ce5b0507ed8e5e37ec32f9ee7b92e53f338ca

SHA256
e9559b091d6ea8b7a5e35e14c3b715eec1ba8c566356755c6946592b1adc4f0c

SHA512
c2c3c170a9007178d7257441a4e70a946f04a13c2825a733570429499e1a83d74e7d54f1266b059bc333a3290e4731da2ae1e759232ffa24358e87510e61f92c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cow2g12e\cow2g12e.cmdline

Filesize
183B

MD5
59d43a2cd2298df22ad47132f95959c9

SHA1
93fe16347a79a8b95fd9cd6a1021a8c03fba42c1

SHA256
eec2e756a7e4c75ad0106ce9388994788e04e44c8255cd37e9281399c6758536

SHA512
8b4698c16e85f272862c71563b6cac821d1cac3ab6126d6b62a4ecb3fc9b0863c5a008c375282e2a821784749f5720b21c331583ee1fb36ded0b8240ca6a08b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\g2acv1fh\g2acv1fh.0.vb

Filesize
277B

MD5
752ff9ad1e0d1ef8019b4effd2ce4104

SHA1
4e89f5b89854405bf14ca3aeff93808d0f6886ff

SHA256
ccc200f18d6056f21ae10555e9e33d0a33392018a36cf79ba452c1f1d0e82b61

SHA512
92b3aca78e7e64bd513d361a5cf8a8d6af10b293412cb6aaf77bc30fd3b68ca52bfac97fd765ba37170a89414ded3fbbe33193636490a6ccc9a72523932b7c43

Download Submit
C:\Users\Admin\AppData\Local\Temp\g2acv1fh\g2acv1fh.cmdline

Filesize
182B

MD5
258080497e3b327a28232b894cbf69ac

SHA1
65ea722a63320b732f9d33c5a978d8ba7297afb6

SHA256
4760efed61e4a7f8f3a6cc312b67abc25e496d6fc567eea8071dff0b156d4393

SHA512
508dc74be8de2365de25abe3ba293f0828f8d33e409c50fd4245d42178f00f8849313f6def2fefbf405e34b009c8867ee78114aadb14c395a425f8c6dbe82b9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\lf2rq4ds\lf2rq4ds.0.vb

Filesize
266B

MD5
48761fd7996409ad7ba9d662c66b11a1

SHA1
85e4ef1d815bd99b31ee2d3080cbe27ad39d3c5e

SHA256
b34b5f89b536c1c01ca4604fc6b6c03b31f3431be9af583c005a59c080bc4b6f

SHA512
d97c993ecd2afa300ae0c1672984d6bc1772a89208737281182bbeba4694d989f5e2486c9972abe6ee8b01c5e9dbdd9146d7b6531a82786b4b05612ba1d0d2a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\lf2rq4ds\lf2rq4ds.cmdline

Filesize
171B

MD5
38b14a56db98f1d5f67322184a7f5e0f

SHA1
d34e409d442eb3a4c75c70d96d2a466b03c82caf

SHA256
228a7c776562c7eefbd2011d436ad42d448fd6c28dfd7ed7939b35e77418759f

SHA512
f05ce0dd5347ffe5d78014b901c2feff16997cb1d967342934a58207add4e46358a14cc9aa28b1bfea266b45c7e13e99bad0d8f802be2bbb68696b62aa1348f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\owr2nf43\owr2nf43.0.vb

Filesize
267B

MD5
496f2570e4b0140bea4afccee7c6d9c9

SHA1
e498334997ef90c3ed30b7f843bf19308294502f

SHA256
4f2e6fc6fd4e5f9ebb2f7c40af2ea22296afc6b598ace3d63408b520860a3987

SHA512
7c6c2ec4ba1b39c11039c5059e84138d12442b2e4cf320b0c661722d7b9299c0428cd7cf5be653d03e08d474793603719be3e19ec06df37736fb874b25f1e152

Download Submit
C:\Users\Admin\AppData\Local\Temp\owr2nf43\owr2nf43.cmdline

Filesize
172B

MD5
7d11bfec45533ae83420cab58fab5eb2

SHA1
4d4bd7a517f46da5653fd8a4f085d241896dfe51

SHA256
137d6f1d5e051d53b198442a04db9aac42e7761478f493a298f554c495028b6c

SHA512
05cf9206cdb07c4fd4f51ea348c74c38f4658ecda447c4eb261176653e01d20256ecd2a9f481c69cdc99235ff16377c15424702e53ac657806f46c703c07f1f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\pmpnmy15\pmpnmy15.0.vb

Filesize
276B

MD5
c93b22a4d581838b655288b8323fd2f0

SHA1
459f13d24417453d2d52fc2b392743e7eb093aa1

SHA256
2e92fbafb930ff1a853156b4cd190853bc16c606ca8a8b6775adb634e3274deb

SHA512
ae1e31d23796cff336d80340abd81c35a3d6ee5aa27485783dd822885273b07477ca0390fc62c526f45ba633e6876ee63f603ff2d5846a60b2a6f6c52cf6e7df

Download Submit
C:\Users\Admin\AppData\Local\Temp\pmpnmy15\pmpnmy15.cmdline

Filesize
181B

MD5
247743599a15e3b36f7416f56617b09d

SHA1
0d67fa124198e836ec155085b261f1b216db4c5e

SHA256
3e9537051b0f0905e5a5fed54ac45f8854e062070aa536d82e06140ae9fa7f27

SHA512
4642ff4999038349fa00140bd7b626243e6ac25c6e8cf8b4f0e48ffe8144862b873403b0b6f2128e393cfc6e26529012326e3eef777eb44674112619d52414b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ptli04q5\ptli04q5.0.vb

Filesize
268B

MD5
e4a81f91139eceb4961c9a691825d976

SHA1
cf8deb4a997e8dcf89098934105585bc9011ea4f

SHA256
da7a460fbdb983421efce82f05ad69d2859b9ad1fafa7526a25c2ed7a5c2027d

SHA512
b70e7f8e1736e104229bf4b84434e0dfe17f9d8300039f2cd501582bbe7d83fd33a96d2012438073fb6126817a8dc863f788911992073fcc46d8d5eaa3f4f3c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ptli04q5\ptli04q5.cmdline

Filesize
173B

MD5
e50ec7a70dc55664b349ffa9bf2f6e57

SHA1
6e5d9316c26f894d582b3920d2b3e3f1b7aaed51

SHA256
aef67a29cc30c97493f209711865291b12b1176b36160db64e6d286c6e79a80e

SHA512
0e6de9226f444e19f1c794f961b10443fabcefb2ca508941716fe860f74af598b7700b8827966c2b305f1efe153026ac2e3e5de855e41c7311a65acf49d75e8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\q0m1vpqs\q0m1vpqs.0.vb

Filesize
275B

MD5
56c0de9c4774ac5f1a5c7958e9787945

SHA1
cccb25583894e124c2208577b904fcadead6d729

SHA256
78adb3f06dbe3b39e5d5e1726696e7545216b6cc991db05d6f9a3493f7dd1edc

SHA512
3d0cc984bc9e708a7e48db90e7d76113041bd3bf840bd75f5c90e3f2dd3d646085ffd5b8fa5a9c47c7ff3b6c99a87af57b22eeccd631154dced49d32d82fbffc

Download Submit
C:\Users\Admin\AppData\Local\Temp\q0m1vpqs\q0m1vpqs.cmdline

Filesize
180B

MD5
fcc7c9c196a3d18c538c8f966ef19aa9

SHA1
fe01589b82f7440553f4e62fccd0f6cf02c06520

SHA256
2188e4a6cbd16fa57aa0281f5d175cf6b591313cc8c432d7934d70e73bea8834

SHA512
57aaa024289d87ac5ca0bf31bca5f2a9e8b783c91285833ccf75ca4c82a967c39abddc9319f3e04d8f84f80749208119d12842bb99e4ff9ef54d4ae786aa6133

Download Submit
C:\Users\Admin\AppData\Local\Temp\uoo3dk13\uoo3dk13.0.vb

Filesize
274B

MD5
6a8ebfe0dedfe1ad4ed8e6dec0ee501a

SHA1
0fe1f3ed1cd5326da2c0c7d92f8f7db50a83abe2

SHA256
a690c6e275b56ea1332fa6188838520047f086be4b0fe9149aa46e90b43b58fb

SHA512
6f9bbf862b834fd28372caf234919378a2cf4c5125a624e2cb52fbdfb105c54ff9ef89849f0a8ba8fe11b9daf161ba464d17016ffbd327da837b300a55f9d684

Download Submit
C:\Users\Admin\AppData\Local\Temp\uoo3dk13\uoo3dk13.cmdline

Filesize
179B

MD5
c3d980ab4e4ac10a2dba244166224138

SHA1
5e88f70853bbaec33b89529251f422614b5b7839

SHA256
7d324733fd2a0b92ae63baf084f9445fa6a33653c3cf741ba09c7280821a2d99

SHA512
d8819d0ac0f092903c2200b54b6c0b76ec6b39a9df2399567a78210878b0abf8271ee1833bd5d030c9e6a119699f5a4cec7be3312252d657a97c30a63ba2fab8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1A573807C1C14D75AEAAC8357A26B6A.TMP

Filesize
1KB

MD5
efa86d1097e3356b4f7173a380c71c68

SHA1
f5940b67a6a5f561ff6454929eff2fb03df8b382

SHA256
8ccd957c9cf2aa677ee3e872feaa327cba85201d1066ba2c702d0b103bff1b67

SHA512
c409a703465f22a2094381be7a5ec066a487cb42c043fefe15f0654f6820e6fc7047786d257da754f20b9cdc4a9f5bb07d6691492d8d30800c6bad607a15b354

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc999472547E04853931C1655F548D0.TMP

Filesize
1KB

MD5
32060b25f1b853322f55b00e646349eb

SHA1
3f48939a11387738bbdaaecf03302bf210653b11

SHA256
49e5606fb65b14e33097ca86115ea6c55061517334188958984941a116189d6c

SHA512
db81b28d76f9469e07c1f91c2557acb7109a5c35f35ecd29d41df61e18b934bf36a3569f01aa2d3dc649e54537669d6d7ba492ed25bd4596d04cd0d714e20d4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc9A11A2C5804D43C496C0AB4BE3DE9315.TMP

Filesize
1KB

MD5
24218d2d116d5c470e34a5da0f5ee7c3

SHA1
b6546a2bdb8ce0b664100214b63371cc75187132

SHA256
0604323dfcee505a3199d0029fbbd0ae4768a59dc14ca8fc75b6ea3b3c850063

SHA512
7c08cd603e78c633c8e9eba12094d92d32238b565caa15b96f7d554eae67e4556aba9aaad544e0eb5803519428c8987a404b4a680917be4e00ae82a9d8e7cc6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA13DC5B6423C4998A749A8A63745F4.TMP

Filesize
1KB

MD5
369b17d06cfd628bfe04b3f677d21526

SHA1
b9d23c0dc5467f73fe2331eb584bd0c40b129d0e

SHA256
e95b4b80f5fad8e923641d423ecb96b591a208f2f898846cd9ef107e2cd7c2e7

SHA512
00826786585653c66a434589d0e231c9f37f055b642867faa2ca8cd735a138b5d38eeddf985d268b822cbdc29916f5993fde5bb1b7ef9395710d75f1d49230bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF3EF6F946B81438DA94CC3C5D3EBC2.TMP

Filesize
1KB

MD5
d7d9f8d1ac18d21666caab1c2340838a

SHA1
a33791468a096f2ecd0b9d46a3550879ddb20b6b

SHA256
5131ea59abf4dc33da21ae8a0fa4302960428d430b974368bb294c50cf92d6ce

SHA512
2e4736a5e5635d5769fe1087add8fe3ec73286778485708882c3c98ab03b7b8b6e418b311218f093dc7946d1a5309a2738c08a6418dfc60e6c75406a14700f10

Download Submit
C:\Users\Admin\AppData\Local\Temp\zhxs4pai\zhxs4pai.0.vb

Filesize
275B

MD5
fd696a66111590060e88ef6e836e2859

SHA1
1b26c0e1c28aac0b68132693f0980c5f25dc5900

SHA256
15c3515777f353c39c64cc969f1e01c57045903930bddb92fd79dbd14d188ffb

SHA512
c15c0b93a5a002ea6db1b7c83869c747617b838e2f76fdb11d574653118ac6fbcbf0ed7960da70269e0293fd248a2299b240b1955da7e955b4844ac10085e6f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\zhxs4pai\zhxs4pai.cmdline

Filesize
180B

MD5
06991807dfe047f1343ebe3a241224a5

SHA1
3afb7aa88861fc37977534198e3af2ec7daf61b2

SHA256
1e705f9a61edf2b1171a0e6c074f2af2639862349c665421600271e3a3e6a7a0

SHA512
3a745b4e516e47c73de35257cb29356291b872d951c865bb46e712a958ff235e6ec11c3ef740ba836d0e6fa6e0fe2f814e944c70b637f80bcf5f1fe381710d91

Download Submit
C:\Users\Admin\AppData\Roaming\IExploer.exe

Filesize
112KB

MD5
0515e47f61a95f9847545a75b876a2d5

SHA1
5ac29a22ca50833014fe050a9287d0ceb47604b3

SHA256
faaf7582d93e929167cf114573d910f51bfea4afaa8bf0314add2bda61806f05

SHA512
765cc4b27bfa50923f32fe16038ffc603aec6df04b4a3687b4f28102198a432af33a26e1d864340592f1e206db8f18f7f3a9923d62df7e09d6a8a0f66cf14483

Download Submit
memory/2708-23-0x0000000075350000-0x0000000075B00000-memory.dmp

Filesize
7.7MB

Download
memory/2708-5-0x0000000075350000-0x0000000075B00000-memory.dmp

Filesize
7.7MB

Download
memory/2708-7-0x00000000010B0000-0x00000000010C6000-memory.dmp

Filesize
88KB

Download
memory/2708-9-0x0000000005380000-0x00000000053E6000-memory.dmp

Filesize
408KB

Download
memory/2708-6-0x000000000AA90000-0x000000000AB2C000-memory.dmp

Filesize
624KB

Download
memory/2708-1-0x00000000009B0000-0x00000000009D4000-memory.dmp

Filesize
144KB

Download
memory/2708-0-0x000000007535E000-0x000000007535F000-memory.dmp

Filesize
4KB

Download
memory/2708-8-0x000000000B0E0000-0x000000000B684000-memory.dmp

Filesize
5.6MB

Download
memory/2708-2-0x00000000010A0000-0x00000000010A6000-memory.dmp

Filesize
24KB

Download
memory/2708-3-0x0000000075350000-0x0000000075B00000-memory.dmp

Filesize
7.7MB

Download
memory/2708-4-0x000000007535E000-0x000000007535F000-memory.dmp

Filesize
4KB

Download
memory/3800-25-0x0000000075350000-0x0000000075B00000-memory.dmp

Filesize
7.7MB

Download
memory/3800-24-0x0000000075350000-0x0000000075B00000-memory.dmp

Filesize
7.7MB

Download
memory/3800-26-0x0000000002D80000-0x0000000002D96000-memory.dmp

Filesize
88KB

Download
memory/3800-21-0x0000000075350000-0x0000000075B00000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads