revengerat | af8a19443518dd4b892c8080ea61b6d87674c73faf1f8f4061d025eec3999649

Analysis

max time kernel
149s
max time network
158s
platform
windows7_x64
resource
win7-20250207-en
resource tags

arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
submitted
03/03/2025, 06:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New folder/RevengeRAT.exe
Size

4.0MB
MD5

1d9045870dbd31e2e399a4e8ecd9302f
SHA1

7857c1ebfd1b37756d106027ed03121d8e7887cf
SHA256

9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885
SHA512

9419ed0a1c5e43f48a3534e36be9b2b03738e017c327e13586601381a8342c4c9b09aa9b89f80414d0d458284d2d17f48d27934a6b2d6d49450d045f49c10909
SSDEEP

1536:SGZiTHzreu+4SHYEJicHHkxcPiwlJ6BjQaJ7ehgQpmnp3bDBq+AD3tSYxV:Z8AHxicHEuP5l/aJ7ehgiYDk9SYz

Score

10^/10

revengerat guest discovery persistence stealer trojan

Malware Config

Extracted

Family

revengerat

Botnet

Guest

0.tcp.ngrok.io:19521

Mutex

RV_MUTEX

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral27/files/0x000d0000000194e5-148.dat	revengerat

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	RegSvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	RegSvcs.exe

Executes dropped EXE 1 IoCs

pid	Process
2960	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
2248	RegSvcs.exe
2248	RegSvcs.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\svchost.exe"	RegSvcs.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
2	0.tcp.ngrok.io
13	0.tcp.ngrok.io
19	0.tcp.ngrok.io
35	0.tcp.ngrok.io
37	0.tcp.ngrok.io

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1336 set thread context of 2248	1336	RevengeRAT.exe	30
PID 2248 set thread context of 1936	2248	RegSvcs.exe	31
PID 2960 set thread context of 1896	2960	svchost.exe	59
PID 1896 set thread context of 2112	1896	RegSvcs.exe	60

System Location Discovery: System Language Discovery 1 TTPs 41 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1924	schtasks.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1336	RevengeRAT.exe
Token: SeDebugPrivilege	2248	RegSvcs.exe
Token: SeDebugPrivilege	2960	svchost.exe
Token: SeDebugPrivilege	1896	RegSvcs.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1336 wrote to memory of 2248	1336	RevengeRAT.exe	30
PID 1336 wrote to memory of 2248	1336	RevengeRAT.exe	30
PID 1336 wrote to memory of 2248	1336	RevengeRAT.exe	30
PID 1336 wrote to memory of 2248	1336	RevengeRAT.exe	30
PID 1336 wrote to memory of 2248	1336	RevengeRAT.exe	30
PID 1336 wrote to memory of 2248	1336	RevengeRAT.exe	30
PID 1336 wrote to memory of 2248	1336	RevengeRAT.exe	30
PID 1336 wrote to memory of 2248	1336	RevengeRAT.exe	30
PID 1336 wrote to memory of 2248	1336	RevengeRAT.exe	30
PID 1336 wrote to memory of 2248	1336	RevengeRAT.exe	30
PID 1336 wrote to memory of 2248	1336	RevengeRAT.exe	30
PID 2248 wrote to memory of 1936	2248	RegSvcs.exe	31
PID 2248 wrote to memory of 1936	2248	RegSvcs.exe	31
PID 2248 wrote to memory of 1936	2248	RegSvcs.exe	31
PID 2248 wrote to memory of 1936	2248	RegSvcs.exe	31
PID 2248 wrote to memory of 1936	2248	RegSvcs.exe	31
PID 2248 wrote to memory of 1936	2248	RegSvcs.exe	31
PID 2248 wrote to memory of 1936	2248	RegSvcs.exe	31
PID 2248 wrote to memory of 1936	2248	RegSvcs.exe	31
PID 2248 wrote to memory of 1936	2248	RegSvcs.exe	31
PID 2248 wrote to memory of 1936	2248	RegSvcs.exe	31
PID 2248 wrote to memory of 1936	2248	RegSvcs.exe	31
PID 2248 wrote to memory of 1936	2248	RegSvcs.exe	31
PID 2248 wrote to memory of 2600	2248	RegSvcs.exe	34
PID 2248 wrote to memory of 2600	2248	RegSvcs.exe	34
PID 2248 wrote to memory of 2600	2248	RegSvcs.exe	34
PID 2248 wrote to memory of 2600	2248	RegSvcs.exe	34
PID 2600 wrote to memory of 2088	2600	vbc.exe	36
PID 2600 wrote to memory of 2088	2600	vbc.exe	36
PID 2600 wrote to memory of 2088	2600	vbc.exe	36
PID 2600 wrote to memory of 2088	2600	vbc.exe	36
PID 2248 wrote to memory of 2060	2248	RegSvcs.exe	37
PID 2248 wrote to memory of 2060	2248	RegSvcs.exe	37
PID 2248 wrote to memory of 2060	2248	RegSvcs.exe	37
PID 2248 wrote to memory of 2060	2248	RegSvcs.exe	37
PID 2060 wrote to memory of 1740	2060	vbc.exe	39
PID 2060 wrote to memory of 1740	2060	vbc.exe	39
PID 2060 wrote to memory of 1740	2060	vbc.exe	39
PID 2060 wrote to memory of 1740	2060	vbc.exe	39
PID 2248 wrote to memory of 2276	2248	RegSvcs.exe	40
PID 2248 wrote to memory of 2276	2248	RegSvcs.exe	40
PID 2248 wrote to memory of 2276	2248	RegSvcs.exe	40
PID 2248 wrote to memory of 2276	2248	RegSvcs.exe	40
PID 2276 wrote to memory of 1384	2276	vbc.exe	42
PID 2276 wrote to memory of 1384	2276	vbc.exe	42
PID 2276 wrote to memory of 1384	2276	vbc.exe	42
PID 2276 wrote to memory of 1384	2276	vbc.exe	42
PID 2248 wrote to memory of 776	2248	RegSvcs.exe	43
PID 2248 wrote to memory of 776	2248	RegSvcs.exe	43
PID 2248 wrote to memory of 776	2248	RegSvcs.exe	43
PID 2248 wrote to memory of 776	2248	RegSvcs.exe	43
PID 776 wrote to memory of 2016	776	vbc.exe	45
PID 776 wrote to memory of 2016	776	vbc.exe	45
PID 776 wrote to memory of 2016	776	vbc.exe	45
PID 776 wrote to memory of 2016	776	vbc.exe	45
PID 2248 wrote to memory of 1848	2248	RegSvcs.exe	46
PID 2248 wrote to memory of 1848	2248	RegSvcs.exe	46
PID 2248 wrote to memory of 1848	2248	RegSvcs.exe	46
PID 2248 wrote to memory of 1848	2248	RegSvcs.exe	46
PID 1848 wrote to memory of 1696	1848	vbc.exe	48
PID 1848 wrote to memory of 1696	1848	vbc.exe	48
PID 1848 wrote to memory of 1696	1848	vbc.exe	48
PID 1848 wrote to memory of 1696	1848	vbc.exe	48
PID 2248 wrote to memory of 2932	2248	RegSvcs.exe	49

C:\Users\Admin\AppData\Local\Temp\New folder\RevengeRAT.exe
"C:\Users\Admin\AppData\Local\Temp\New folder\RevengeRAT.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1336
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2248
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1936
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ekxv3hmy.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2600
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES761.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc760.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2088
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yzvxxb-i.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2060
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7BF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7BE.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1740
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vaswzult.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2276
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES81D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc81C.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1384
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ldy6mhlu.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:776
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES87A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc879.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2016
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\khnpbvkt.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1848
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8C8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8C7.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1696
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gfqxwvqe.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2932
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES926.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc925.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1764
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nt9edpvt.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2360
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES993.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc992.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1244
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nfxbgccf.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2588
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9F1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9F0.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1104
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    PID:2960
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
      4⤵
      Drops startup file
      Adds Run key to start application
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1896
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2112
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1924
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kpti4tdp.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:304
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB7CC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB7CB.tmp"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2804
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\q_8wpo4w.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2760
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB868.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB867.tmp"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2412
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cfgkd6ci.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2724
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB913.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB912.tmp"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2872
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mdizh4cb.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2452
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB980.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB97F.tmp"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2616
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\r06syckh.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2792
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB9EE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB9ED.tmp"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:600
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vkmuinsz.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:588
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBA4B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBA4A.tmp"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2368
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yf49zvki.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:988
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBAD8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBAD7.tmp"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2772
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hjn0tmam.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2836
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBB45.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBB44.tmp"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1696
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ivxtv91h.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2820
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBBA2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBBA1.tmp"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2260
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bupxuikz.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2980
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBC10.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBBFF.tmp"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2472

C:\Windows\system32\taskeng.exe
taskeng.exe {A1C381B6-A2A7-4DC4-A15B-D72679A8D12E} S-1-5-21-677481364-2238709445-1347953534-1000:JXXXDSWS\Admin:Interactive:[1]
1⤵
PID:2160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin.exe

Filesize
7KB

MD5
014c6e264ca6a5a01e32f773323a6708

SHA1
fcff608f61dae673c89b4d21ca0fd56c8ec0c43e

SHA256
cf0b56f740e46f2c0803bccbc13552ba65d67744c84385fea08acf297930dbf1

SHA512
989e84acbb39e9f75030299cef15364776dca8f7dc8c23fe1eaea647f9d96d1c71fc2e23e8e49d25ff541aa47ca02143cd7a3ebd93f316d2f0abfb109631c718

Download Submit
C:\Documents and Settings.exe

Filesize
8KB

MD5
2f2edce60550c310c25339948205fb6b

SHA1
3fa116a85dad60306037794d87866356fecc91f1

SHA256
19a7c94aebac04c515d546c227a9df2916529eaf5ba933d6831bf7841140303c

SHA512
1032594cb7255a13325851208acd9171a5306e1eb184975038879e6e8d87c37ba449082fb2189bd07c0f0544eee4377ff5e084e566f57396adebcbc373d0fb89

Download Submit
C:\MSOCache.exe

Filesize
7KB

MD5
6f61b51cba0ab519184e08bad8f7ce60

SHA1
01c2125252d44f703fea72fe429fe6e853b27ba9

SHA256
b05c8c172dc00c5653e2aa082b73cb4b942e93da67e2cca91fda476cbf47dc77

SHA512
86a09e3f0b3658e01800bf16de4f168c8ec1137cc5184a89a6f19296f1c66e4132563204e4730de76cace986de18cfe5bcacebb5ebd5d3c3dd06f6aba80590be

Download Submit
C:\PerfLogs.exe

Filesize
7KB

MD5
433df75be74ab2ed24c45b2887828af8

SHA1
c5ffd8bdfdb132565efd26f36d731cc78f936e11

SHA256
2d73ddac83bac8bb4a07fe416833c524c006a3b8ad82e9fad9ec5f7416e14847

SHA512
880eedd099f48d61d7a3045f65f5d172af3b4332b0c161c2a502374f419b7ef3332afa906a3703377a612ac366b329382484b5aac5cd3ad35c8440eff1f2be34

Download Submit
C:\Program Files (x86).exe

Filesize
8KB

MD5
996ee554cb2edb1d92650d501cbbd27d

SHA1
51fd310fd78093de119fd79963c4de7a8690b509

SHA256
081e17f93b2bac20cdd6e3190f723cc03a63d46fcebaaa04b23759cc900dc4b2

SHA512
711bd1e3929ed617c6ad428946ddcb42737be1d9042ddb538e09f1871cc244e55e024d14ae27c731f4c354d3cab06423c4e5a8da4e5faec6bf54c4a0c8e58333

Download Submit
C:\Program Files.exe

Filesize
7KB

MD5
cc4bfc250782113d260fdc3100dc6899

SHA1
909adbcc9a723a1ba0a2b1914d36ec6b664a72d9

SHA256
56257e30428e8f83e8103b6a6a4c806216b42bf074e9ff57641fe0da2ed68cb5

SHA512
ba9a9b33247b82c1012fc1784076f979fc22d85f36c716677efa44e6699fa538ff840beedcde70a0819f169731be3ba3871b918844566cb8eaac4b16291778a1

Download Submit
C:\ProgramData\svchost\XjtnxDp.ico

Filesize
1KB

MD5
250e9b026cf9cbc1f2573485f958e6aa

SHA1
3d2ae833d5b8b99700a6e5bdbb8288d4e0ff6e64

SHA256
7b026950c1bbf88248c873b1e20b785a62167dfbc50937fa8bd084d7fb1aa8f8

SHA512
48db92431359987767fd0170b74e20e337a1b07a7b60bf9893d77d1f69998b34c0edf710f6e4b729a32cd3691ea3109bf7d25ffc3ec815ee27ecba1d1687a732

Download Submit
C:\Recovery.exe

Filesize
7KB

MD5
8966ccf589f6ebdbceeeedf408924084

SHA1
4046aa264e31858385cd3ddaff727d30a4540373

SHA256
560133f63559b7e315d79dd6477c444949cc6810f4ceab7c95dd965e0d1eebbc

SHA512
339ad15a728fb19db459157238b97da7c60471e05c0e2a12434f866350a2b0cd928fa5f4272e1be7bbf06bca3b2ff57507340d7e8c160c01a8511c455007070c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES761.tmp

Filesize
2KB

MD5
27a0f0ccd8848c6fa75d196471017471

SHA1
e93af8d050adfe262e0a72697916d983f0c4725a

SHA256
52e31f5b471805af421725bc5c09df1135b9864ec524a1bcda0217d541c5a957

SHA512
5405a44aba5a8b3634f5124299a95dd83b58002607a1850198b534f7a88319b122e8e38f54a8af18a8126a29ede236fcf5fc10126a920e28933b62862565a593

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7BF.tmp

Filesize
2KB

MD5
c4746f573a25ccf433e3d7806148d3d5

SHA1
602127eae9983951388a4f72b182b7c7ecfa52ba

SHA256
b30adf60c002574a24585c0cd36115a552fb6f31dba568973853839891074dec

SHA512
cdbfaa023617e983b0cfff1de8dd173edba21ed83064727353e3be5e0645f36c9bb8941fff0f390aa4c82573d9faa76b08fd7b576d380328ad25ba9c4fc0fa29

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES81D.tmp

Filesize
2KB

MD5
c91168bcecee36808fb1efdaec5dddc0

SHA1
85b1ed9f1c71efb06d71be7e834b535c973647a5

SHA256
5ef45752a2bae43a980f8d6048737bb3012a89dfbe4a4724383ac2ef71112bd5

SHA512
f502bd4db694e44d2421bb36595df21125d0ba63905e4221cb8b3ddeb58bf08cb61c7304ac14c302c119e2aead795b09eb0c3fb292e3221a93c4ef446bd5237b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES87A.tmp

Filesize
2KB

MD5
b4f5fd43a4a19cbc78e6d8f4797ab92c

SHA1
22f6dd5d831774e9ea09ec4718b22889803e40d1

SHA256
cd513ccb1203d8e7920d7d4e2c031f5ee58f2ea5fb5124a88ed2d0120e56c86c

SHA512
6eb1b2d71c14ff6aaa5ca27f77bb7cea8574a0ca3e03c7e2dc3adfe448d01cd117e40e9cb23d5aeeffa0751445af49903aca12a84522ca5badf45bede5da31eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8C8.tmp

Filesize
2KB

MD5
947cf01cbd90318025d1bf88e838aede

SHA1
180f0fd4b7a9dc771650a17efc12bc7c05259027

SHA256
368445cfb470f0b265131468f2efd909528f9938238c07cf678298fe27256fc1

SHA512
ed2dd1f7f3e5ed791a83b6da6c3c9db1fa4a64f69078ecdbbcf62fdeb7b7c65a884b1da8f2a4b8efa6d16e057987bee8b38b2e97167b01c305bffed2c0d5df2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES926.tmp

Filesize
2KB

MD5
8d44d97aa46a68a5869247aa6c6baf81

SHA1
5d25c65ef7a7635dc54637925c8ea2a859476503

SHA256
6a079bbe52fb33d2707a98b604caf33b9c831cc1392002d60813902bdfaa39a0

SHA512
e816827b29561fdb9b5c7c4f0ff373cc151f70ecb5ad30d8b02d931abcea13c424cf5654a1dc4175e853d17c1c3da5a11a01c43f76dfe5cb1beb495d82d98a15

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES993.tmp

Filesize
2KB

MD5
ff1fd83bb35ac41ec84080fc7a824877

SHA1
3abb353973bec57fb4062495e417ab39de2b7643

SHA256
e0b8bf655f7bf9181041210692d8a4c0bb623f9e9ebeb193494c34ab3dc18e6f

SHA512
4c79a4571c971ac5e59605ff537102a288035fd9ef71ce41ccbd5bdef0f82af49fb512f180729fb2791b9224ed57bc4c8ace2f11f367faed2f27f2aed4f3de3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9F1.tmp

Filesize
2KB

MD5
450eb7ddeb4b6407ef541f3100e2ecdd

SHA1
61b929ec6f6397f9c3e4a9ae611d346d3cc78248

SHA256
5beb9438e71790aa9bdf3ff4171ee77a9ffb5dc341506183dedc542dbb11f2c1

SHA512
58d2828d2226f81165eb6c9f2e4f9ef6742e5646938c66acd5deeb6a7ba4a98d74d97a2fa7250443319cb74a36a45480d798e9e8104cd1fd4a785160ec8164b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB7CC.tmp

Filesize
1KB

MD5
8e18879d438aa0d1a6057f1b46543f4f

SHA1
d57dbb8f212d7034b6c0cf158c1600301fbd0162

SHA256
d4298a49f6913b718a2eb51991b1b56ca8dab78dd06eb5ead09637b66635a91e

SHA512
bdc30e171fef1ba154ca1db7ae3addf77e0b76ca941c78cc3abefe78022af8fe7f6865cb1134bbd5efa0da62df01eff27fd83ad337ee2d94be5e3377611f4feb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB868.tmp

Filesize
1KB

MD5
c1c2d97871033078a06d878aaeb43fb7

SHA1
6878c0dced884e6497c2c12a2d0926cf790e5a4b

SHA256
dce1a09e9d87780198b32d31af7b3d1f89c5c579fd76728a96267afc2adc3d52

SHA512
2af1822414a6630a6bf3bae306b6375c8a633190bda94da3c7aae04a6d1f2ebc6eeec065fc388eabc26cd745a13bc14c85fbd253f08e941640f76beca12f5a4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB913.tmp

Filesize
1KB

MD5
ed331bf3c8882bbeebd156da2e75f55e

SHA1
1fa36204c7403a77856d14dfd69e15a0be345738

SHA256
374b1a1d42d52dcda5017af4cd141a8576bbbc345883b7e3a0db192e67175ca4

SHA512
4d8da55dd07aa5769b75119f3d690cc9267522c9a4ef580939d4d891b06ac5c874c5e8d9a4405065a81840408a31503c279459e8b2fe1f331b183688054eed00

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB980.tmp

Filesize
1KB

MD5
3e3a572bae44fb8767af193b28237093

SHA1
9bcde6a0d085542d4f004a9a4273213e126db17c

SHA256
26b8a1dac6f35de57bc110b0abdf972f7dbf42a49b6839d3dd39123a3fab4aba

SHA512
58aef3d2a701cc3d2afc5b15941984f75df304dc7159c85b83b9e1bb4b4f16ad9fc2c9597155c3a282c92c6c401fb8e85ea712cc1340b86bc654dc0b4ed62d0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cfgkd6ci.0.vb

Filesize
274B

MD5
6a3ad96b8b4a667fd62c568462ac2f44

SHA1
3ef4db2c88cba8cfd4f8e952bee24e32f118ac67

SHA256
67f5f128c35d676c5b30d0cfef78cacd5adee550c41717d842267767e92dceb7

SHA512
0de5858dce1bff2933c7957c42e13dca0bd1dd05844da5d844eae447ea9d444fa214153e9a75519316837d3d88f1f15af1a4c91abd3f70d80ff5ec03de20f08d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cfgkd6ci.cmdline

Filesize
165B

MD5
f56461100ec2f9efba318dbed14aad08

SHA1
8bb2bb49bb4172bbc4b6dc4e4c24c3ee452ee5fc

SHA256
b36669d1dc55f67b26b024e719404164d9a98a0a0bd45d03073f84040f9904d1

SHA512
7b86883a0705c213602c2982515bad3656401814654dc64079ce511a6d9ff0f74411659d5a623bfb04a9fc49f28736f02e0ffd093d0dde126809ce3f404c4c4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekxv3hmy.0.vb

Filesize
342B

MD5
eb057b2b26beedef7d931bf659fb6f18

SHA1
3136c99b96686db9ded50aa19b55155c752551d5

SHA256
3066d848e6fa1f1a5041286509fe0319b7e5cf96941f2f3914af9873aaeeb414

SHA512
6d40f52117023ea3171c49cb544c13b703c220a49b7f251d9d4d14332ef637d14ca28e425e723d0906ef31ae77335e38a9e7ced009cde90645b31dde4cea8f32

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekxv3hmy.cmdline

Filesize
198B

MD5
ce3bf0c09610a523b02ad05be9cabe86

SHA1
d7a48ce468dd18133054b20ddbec0b66385f4cb0

SHA256
ffd5af7a1718a833f2bf0d39e139ac8bf8e969febab4f91bd414b3b9d1bf1df2

SHA512
b7e286c30f4edc119b6d5e2af376ad0527be8b6e00b45f0e3fe8d74d14882c4f85f1f1856f8a835988c596c7ff903691dd3f85f3c14bf47746079c9b2f9f88ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\gfqxwvqe.0.vb

Filesize
349B

MD5
a983e17fe05ca4e0cb4b37cd05d31792

SHA1
cc91ff79215a350a6a1f2bb4f039d894198e8421

SHA256
76bd2ec98b0d41223725675ce1c055c6f926198151d1fdbe94198ceac68f3eef

SHA512
37400beb6ea1f6c93b7e74124db9a26c6f8ee21d60e4830100aeeba40c7f983d16031ef0e0001935ff3cf0f3392abcf2b88da8476a3ee1c73671abfd3df79ab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\gfqxwvqe.cmdline

Filesize
205B

MD5
cc31057f862763624793f28e4cc8d6c5

SHA1
54c2a61a81a9964fa4c495a116a1a0f04c2d5bc5

SHA256
f58bb58698cf574a7280fd899c8d2691b5dae6581d9c630884ede7357f30261a

SHA512
ef719d5521586fab18defe4d72394e35f949ae43b7836cb509c4f39d673139fa379b0c56d28ddf3612979ec5218673d5df1df3774305bf6f6e96a8094617cdb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\khnpbvkt.0.vb

Filesize
343B

MD5
af1c593c3767d1ecec784de8cb8822f1

SHA1
c23f04ada9933d842582fcac29c36e0d5cf19772

SHA256
2c35cc5d6dbf457bc7f906c65017252c9c1ddd8e6c0b4e5e672d7964046c8b83

SHA512
4f9ad765bcc561514a8c0c8dee92b9b1a0ebeb9ef630d90fb432d23d417d711230170b03c1aa0cfcc4e7e9e3efc93773a59d84fa3b91866abb03e8a3cbbf8a79

Download Submit
C:\Users\Admin\AppData\Local\Temp\khnpbvkt.cmdline

Filesize
199B

MD5
b421a0248cf9c95bb99a4e6b0a896f49

SHA1
43166a27496474970d3db5c3eb90ffff768a227c

SHA256
3c9797267b4251cf8021e0cf30d9ac5bcea2182163c8c66efdf85b53d4682df6

SHA512
17a3b24508c550e3c056934ed9f3e70d81cd1db0278433e2db9fca08ab406b520f704baaacb4a6f3a4e9b4f9a6235d2760227db484443476ec7be4c6e9e438c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\kpti4tdp.0.vb

Filesize
271B

MD5
e7e907e232e10e9db26a6b794bee7db9

SHA1
f1c333b095d52a354ea143f75d8731e212a1ea77

SHA256
3f67c2c555b72a66e87847b90097e6f3264bb772a2e557c98d8cb3dcf344067f

SHA512
db4983c0aa04eb26f152385128cf7641ab6f313eb78bad281807b31fc307c108ff6233e1bce99587a581bb8f4d4c648e358cf01485386b0748a74c7490814fe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\kpti4tdp.cmdline

Filesize
162B

MD5
08c6799eda26ff61fa15b29da09e79cc

SHA1
7f23e8513287b33c1119a9c7bd807d57daa3517f

SHA256
a3bd20e0d0dfdb90edb7b74ac8e0c88fec02af805bbcb2aea3fe5f415494dcac

SHA512
2c31bcfc7255684bcea4b0b102544524f0c756564e20610c2d20432dd3cbf7a33b74c6a577798df87ecfeecf717720ccf394fe684d594773fd99ca744931a197

Download Submit
C:\Users\Admin\AppData\Local\Temp\ldy6mhlu.0.vb

Filesize
338B

MD5
7a354b496b9b397ebb14057eafede32f

SHA1
8970ca3895ca9472366e4fecc1f1d79ac1da78b8

SHA256
c12764cfd58a8df36d22008411f5054ab82256473817260f1d55069f04a083f8

SHA512
ccd8ebaf49e1d94610ac85571a5f3eec92eecb4e07f2138804dc4caf49137d03b30d69540c1a9ece6455539423b906a6c3c477b8496e93fbfce8c815836da5f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ldy6mhlu.cmdline

Filesize
194B

MD5
3e5c0614f039b6bf3dd00ff3423affc8

SHA1
17b3b2712b1688643ef4c74ea243a94818a4f1be

SHA256
1ab3e5d5e95d982f93dbfd67e0a25ee6668eed7520652c620568ad95c241ae4f

SHA512
8a84a8396fbd867c378ca3142dc64c74bbc1b43c332b422f6cbaab9042555dcf2c0a49efbfc590252e0b7d2b4c13b0796a446950fee8cffcfcf8f3ec1f748cec

Download Submit
C:\Users\Admin\AppData\Local\Temp\mdizh4cb.0.vb

Filesize
278B

MD5
54fe1f3a2bc20bf4f961d5afbfb7192a

SHA1
a030ac1474214bc9bb5d236b2b293376055ffc06

SHA256
d0a9ae23e61c7accf1b378f3a36e22708274deba6aecdb5b6441ba7350b2a30c

SHA512
1fa075f4bdd027722b46a2fb89646dbd078cd9551f8024964a223ae5067b6593d64049356c3755f9141aa285d790b929259c5c5ce5105613aa2a56cf386909e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\mdizh4cb.cmdline

Filesize
169B

MD5
96a1dfa1bb2befa233fe934e7dc6acb6

SHA1
3eec273dcea29014e75977029ab98bc6bc069606

SHA256
2aca07cb58791526834711f0a8899beb74c054a11222afa576caede1da665ac9

SHA512
07cdbcd24d2a982fc3eb5aea077a938c329bbedd0fe676fab8a83f249ed3b0b87cc61051209196c3152d4e58828fd9ecedabab7d5461c3b56aed44d315c450a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nfxbgccf.0.vb

Filesize
342B

MD5
b8566f5519856f80dec85a1a2729e372

SHA1
ae442bcd0c97fed28f38b2ae224a93bfdf14dd13

SHA256
ec9f3959285c7493041f7cd7008620ba10b6685d670b21a2c31173fe9b215cde

SHA512
3da5378a33b77fae8cab09d72ec4c940e20bb8d736b7a4b91ee45211270719c12afaca3bac39683919e1cd76e80c310fb179a800592807495eac5a6350777d67

Download Submit
C:\Users\Admin\AppData\Local\Temp\nfxbgccf.cmdline

Filesize
198B

MD5
63ea15dd5f9d777640586ee6f55adbe1

SHA1
fd0d27ac4262dcd27c0ef65ef1b268675e241772

SHA256
f03565e56260255d56e4e0f8be1c62da7e5abbd497e0c0d5854a4159b7ff5e0c

SHA512
f9fe9a8724b5802f12b5367c8c156d63d7cc42e023ea6f78bb65fb035c808279477aefe2fa871619605728d7fbdf187e30fb5c3c0031cb364d3635e8bb9e7879

Download Submit
C:\Users\Admin\AppData\Local\Temp\nt9edpvt.0.vb

Filesize
338B

MD5
2de37b6c25304214817c88f9ec6e9847

SHA1
74f77a317b1f9822d11094eb3fe1c71797bb878a

SHA256
a4f127dbaa96ba729d5e754624b76625e5ad68908185b2e1ffaf5c935ba7ce7a

SHA512
a8cd8899cd8498598b992c158bb01850888d86c50fdf754f2223ee27613eda3e9a29aa7530ff60b7156da5d4ab030482aba59413cb5a842e8122c8df679bb954

Download Submit
C:\Users\Admin\AppData\Local\Temp\nt9edpvt.cmdline

Filesize
194B

MD5
5b5d3700d44813174a9ddded4ef0a6e5

SHA1
3c836aad2e5945a547655d4231b9d585eb83cb9b

SHA256
95c7240cd36f5b6c71409cd08c7d9b10a29308ecc384ceebd9fa9d103ce7f2d3

SHA512
4320df900e193ae09770725d1fe0cafb9107158742df163037ce4c1b7216b93d94115e450ced8c21be69b1633541a00669b3df072db22a655bae6ad82b3eb45f

Download Submit
C:\Users\Admin\AppData\Local\Temp\q_8wpo4w.0.vb

Filesize
275B

MD5
69e659a7aae79c3dc4006595627be5f4

SHA1
203801113a93272883fea68ef3fed23bbcc7cc2b

SHA256
bfcad07a858d66ad73626273c04d0d0c44cae52aecf57cf974a06ca20b8cefcc

SHA512
8837ed95caed9460644d97d212aa653a02be98ec6dbd5be502ff14ed55e5fcfb03dec8055af04c7678ccafdca1c1853a4200ab863b0aae2948a158f5737f9a8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\q_8wpo4w.cmdline

Filesize
166B

MD5
f31f275f7aca48e0865cfbcecdf70a64

SHA1
e97b68bd5be456926ad17c2404197e45f4d08251

SHA256
f21d228c1063e1eae24b2e34a8991cbe0d1565df6fb6a473d1c347460f463d6a

SHA512
a068f10bef547f48c9454a2a603cc46f97135b9012224440a75ad4e60b159bf029dd5c95807a88163c5b688a8dba400179119ab1e1102b86d05b95fc383158a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\r06syckh.cmdline

Filesize
171B

MD5
59ec1841269778931a43024657948ea6

SHA1
22e230f4e1341729a74c75220e4e063fb858f9d1

SHA256
97a17a19f69c6080154246c5b03c93b956f869bd674e2a3b524ab72ac5d35165

SHA512
974fe461aa26327caa4583eec767e3e6619f563db6bd7deaee6976f5aa636d1f2c933c1d27f883994515abb162a3d44aa73a0ac10561ed5b255e08ba5744d469

Download Submit
C:\Users\Admin\AppData\Local\Temp\uRClgZblR.txt

Filesize
88B

MD5
afcdb79d339b5b838d1540bf0d93bfa6

SHA1
4864a2453754e2516850e0431de8cade3e096e43

SHA256
3628cee0bef5a5dd39f2057b69fbf2206c4c4a320ea2b1ef687510d7aa648d95

SHA512
38e7e92f913822cc023e220035ada6944ffbc427023687938fe5cbb7a486abad94808239f63577c195afb520fe1a1a1b14e1050c0c03c7d324ddbf7cffdc304c

Download Submit
C:\Users\Admin\AppData\Local\Temp\uRClgZblR.txt

Filesize
59B

MD5
d602a61ee57bcc4830ebe29151bf628e

SHA1
5b36232a99544df60b27fc87cdf36817758ec659

SHA256
9e85433cd508542ae645092755f427204ac98bf3ac9f2e9260327ca1a4c1aa71

SHA512
07b0e326c405f0a0cd2a1810132859adeb13dfba126ab868394f0de2efc8f68fa04b607e3d25a7b5004cc5cb531a236ea224c699c86925a518ff6d486a56b44a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vaswzult.0.vb

Filesize
338B

MD5
cf00e2904207f782fcc82ff2130a702e

SHA1
40779bd7caf240a81bdccd5ffc76c4ee5ffc3132

SHA256
4ab42f62f864c193321e2796aaf3f3305dbc5d19de173f967afd9bd1fbdb3036

SHA512
23803526fdc77f7ed78ff4e28a224ec76bc03ae2512f760a52c668b398407bbf995ece35a6c0e3d20b77668c1f390719e45303e8a1ef5623467f9b469d6a19ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\vaswzult.cmdline

Filesize
194B

MD5
92caaa3918bf4fd7d5a34a2b94f29691

SHA1
8d09e67bc72ffdcb8962fa8a539d097346b48135

SHA256
3b97c913cb20b9ea81455990474485e5a1f213ce017fee5d5ba6f6a989675a07

SHA512
cd43fe011bd6425a2308b461f7cf6f96017accbcf681bc196523e02297bc97e609f1ff9a1dcfc770edf23c10a630219beca7eded0a85d8a3adf3ea3869f85750

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc760.tmp

Filesize
1KB

MD5
2b06bfa022ad2c544022f71f3e718a14

SHA1
562bdce04ce13a0a548928cdbf9993669b028d98

SHA256
fe62caf48c2edd60e46b71c563220593a6e945e451716fcad64981d8bc716a9e

SHA512
386965330a97b8c31be4e5c0341a74ee99ad6ab4b8d7d85420c62fa49685842038159769c3109922008e7625b56703a1ee2a3555833a5c36abb27bf72cb0a024

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7BE.tmp

Filesize
1KB

MD5
e3f79cf00e9e3e25431b213a851527a9

SHA1
e25b90c7ebcbaded0c05bf4c6611accfd9f835f5

SHA256
4cd028dbc43bd7a791c50a4d4457ee1aca36989c9c50549f1a12b403decdf92a

SHA512
aec4bcd1cf977adae6131043f6592f2259fffd797650e7fff6f1dbb178077bf48ebe6bb33d160a06c12f723c5cefe413a47e6469338122bd1df0cde36ae3beba

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc81C.tmp

Filesize
1KB

MD5
e6610cec3f7c06756681d9eaeb5da4d4

SHA1
e35b29ef99bd5c44378ca3f9f7290fa829aa4421

SHA256
cbc773035203d61408b58a2025b29d87c3c8b1768f86268024323fac3ec773b6

SHA512
d3b42b9d3ec38d1db8e6e1c411b93a6375801cff74b35a4d6b721ae66bef50d3b228468f8ecc1606d202230eab4bf1b3bc479fdaa946913e44b1b31f8a95ce89

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc879.tmp

Filesize
1KB

MD5
7a8c9407053ef7c97a8e247cbb25465d

SHA1
68c80dff1ed7be9688c7343592f5044a4d019f5b

SHA256
6104793c9627206cb1e6ad3707a2a802dca93eab86751f5aa2ef34d3ce6bfd2c

SHA512
b8452d9dff4b6a82c9474615f1636f3b6aeec0353b509333eb058c2cf920f4817dbf6612784ff181eed9da87953f2a83ac1834e173b8a408f38b60f6098a35df

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8C7.tmp

Filesize
1KB

MD5
92094e5833a44d7a324bd9dca296787d

SHA1
522a1c458dfba6bcae7ae9eef71ea42c39d24b48

SHA256
cef0e5cad6a31028588591bf480b23c405392316979169187241362aeddc488c

SHA512
8ffb2adc9b8b05d049c3e95bb0b9b9568612a707e1be8837bad7b6d39979f7de3469b7e75a167ce3f4d09ce5d810c83e65ed18b4f8b636c63f716a241a9bea59

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc925.tmp

Filesize
1KB

MD5
326b4c5f058c0265477190cee21a9e52

SHA1
a1e735bf75abb28e4d570dd00815f5ba160a0949

SHA256
35a56342f38b2a03c9b9e90d3001b9c8cec5563b058e832070490e4b6807bfe8

SHA512
e8fbf3ee113b7e7f33d18b066c94abd42f8979b92931fffea154a4d03f164b1e386cd071cfc3ad572107b7590f28e7270237e309738be70f8d6454b8b538b7cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc992.tmp

Filesize
1KB

MD5
d90f621c8891b94dfac9e4b031677402

SHA1
5e21c87ee001d39f841709ef65f18a791f642dbb

SHA256
f9952388af51fbcc83bb57379d950d9b7a310eb27ed8522c1c6f306740a55ebe

SHA512
f54ecb00b7d238f6679006df10a0167b10dcf95aa3c1265c76b76032b9954fd346263a1914a3ffb8818367178583132525da3ebc9a6b342f4021af93cab89d05

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc9F0.tmp

Filesize
1KB

MD5
419dd423ff2c0b8646b0411181d87464

SHA1
9adef6953ac7707fcfe8a584096f216936d790c1

SHA256
c7508c52f061c3893ee739dfc234990d0b4b4e7b20d692b27d0381637ff36fd9

SHA512
33addd18f25775dd0af6b81e0d058fba252b6ef328a9dcdc910464ef646c7c5702c6c9fc7284b0795196aab43e840da9a16ef868ae0138690e060eba7cc140eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB7CB.tmp

Filesize
668B

MD5
3906bddee0286f09007add3cffcaa5d5

SHA1
0e7ec4da19db060ab3c90b19070d39699561aae2

SHA256
0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00

SHA512
0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB867.tmp

Filesize
684B

MD5
41857ef7e71c255abd4d5d2a9174e1a6

SHA1
95051d6ae43ff1bd9e5ebc95aa2e7b7c3165cb6c

SHA256
dfcdf12316f3b523895ec611d8e8d9fdc189ab8dde4e86fb962541aeac54e302

SHA512
ec6c5a7729d273be3ff194ffe47056731ab4100e298b7f50108a2599be59c84bd1953a90c4d7390c477257986a18d336d951f590b782f1aa983de7bd4c86e6ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB912.tmp

Filesize
684B

MD5
453916f7e3952d736a473b0e2eea5430

SHA1
b79ccb2b555a81b8db470ec9fcaea26d42ef1c8b

SHA256
b0f8b94a35a12060c70e9f81641be22cbf1f1794c73260f48a2e6e46608623fe

SHA512
86d32a03cf04ef8640075c82e5fecb23034413a41b80b81c900a423b03f44589f774f68f83561465e7c9ce46512c818eef5a90e5ed9f7b3f86b592be34fa367f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB97F.tmp

Filesize
700B

MD5
6ed26221ebae0c285cdced27b4e4dbac

SHA1
452e9440a9c5b47a4f54aefdde36c08592e17a38

SHA256
aacdfb10fa949c74577bb1778fe2f3bab88b3e587c07cfffb003e059097e9e6c

SHA512
c604368a7b4adfbec5b6898c8880ea684bd085d967c1ebd087c9bed065fe3e2575c8298a9ccaa454d68496386667db998e2a04248dda2ab35905c8a9b1135cce

Download Submit
C:\Users\Admin\AppData\Local\Temp\yzvxxb-i.0.vb

Filesize
352B

MD5
1830e137566529844ec4176432dbbabd

SHA1
34e0949bb3b0258f4b70cf50a1d78e124e0c62d9

SHA256
57f9e5ea5a7f49bdabb9bc2d1b36588e6a9a004e083a3a70c753cef82d032fcf

SHA512
63080864b35571e333f276865b639f8af805e1d5f6077b899db55b6bcf0f8026027989350d5051523c5cb58c4358a3ce5d7c26e990b08403cca223e41ace8468

Download Submit
C:\Users\Admin\AppData\Local\Temp\yzvxxb-i.cmdline

Filesize
208B

MD5
1ea51b33c5c165a992af31fa91f62773

SHA1
09f9c3171cf1d85c7e989f77f61cbeaf67985aab

SHA256
a6653a6061e2715bde6e96310fb445b6fc672e36ab508e88be7e5c2e7ca6016c

SHA512
417902f2154a5602508ac54ae683f94014ab30240e3a6b1b0d4c22657a23a2c6bf55c7a94818a4d83b39f172c407eafb75e47165be49c2b1115e4f9d8c9b2742

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe

Filesize
4.0MB

MD5
1d9045870dbd31e2e399a4e8ecd9302f

SHA1
7857c1ebfd1b37756d106027ed03121d8e7887cf

SHA256
9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885

SHA512
9419ed0a1c5e43f48a3534e36be9b2b03738e017c327e13586601381a8342c4c9b09aa9b89f80414d0d458284d2d17f48d27934a6b2d6d49450d045f49c10909

Download Submit
F:\$RECYCLE.BIN.exe

Filesize
7KB

MD5
8d82193d6c4297428b5bcb9ffbf7fa6b

SHA1
77cfcbd6d9292a8d165d207cb9fe1eaf8ffd2619

SHA256
9d5e34699b3cf25d2f0b71ed8c0256c0efaac17a001f1410369e5db1e4437a8c

SHA512
dfa8e5dd710509c72ddf8073de50d1744b894c8b3a5457c4dd33e580a262b08f5ccc0bfd174586bcb85c9c8aab77d7f37f7d609fb407b0f3c44a0d411e314b05

Download Submit
memory/1336-1-0x000007FEF5450000-0x000007FEF5DED000-memory.dmp

Filesize
9.6MB

Download
memory/1336-8-0x000007FEF5450000-0x000007FEF5DED000-memory.dmp

Filesize
9.6MB

Download
memory/1336-0-0x000007FEF570E000-0x000007FEF570F000-memory.dmp

Filesize
4KB

Download
memory/1336-13-0x000007FEF5450000-0x000007FEF5DED000-memory.dmp

Filesize
9.6MB

Download
memory/1896-172-0x0000000000090000-0x00000000000B0000-memory.dmp

Filesize
128KB

Download
memory/1896-170-0x0000000000090000-0x00000000000B0000-memory.dmp

Filesize
128KB

Download
memory/1896-167-0x0000000000090000-0x00000000000B0000-memory.dmp

Filesize
128KB

Download
memory/1936-33-0x0000000073F90000-0x000000007453B000-memory.dmp

Filesize
5.7MB

Download
memory/1936-19-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1936-34-0x0000000073F90000-0x000000007453B000-memory.dmp

Filesize
5.7MB

Download
memory/1936-30-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1936-32-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1936-17-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1936-27-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1936-23-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1936-35-0x0000000073F90000-0x000000007453B000-memory.dmp

Filesize
5.7MB

Download
memory/1936-21-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2112-184-0x0000000000090000-0x000000000009C000-memory.dmp

Filesize
48KB

Download
memory/2112-188-0x0000000000090000-0x000000000009C000-memory.dmp

Filesize
48KB

Download
memory/2112-191-0x0000000000090000-0x000000000009C000-memory.dmp

Filesize
48KB

Download
memory/2248-7-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2248-37-0x0000000073F90000-0x000000007453B000-memory.dmp

Filesize
5.7MB

Download
memory/2248-6-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2248-10-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2248-12-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2248-5-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2248-4-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2248-3-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2248-14-0x0000000073F91000-0x0000000073F92000-memory.dmp

Filesize
4KB

Download
memory/2248-16-0x0000000073F90000-0x000000007453B000-memory.dmp

Filesize
5.7MB

Download
memory/2248-15-0x0000000073F90000-0x000000007453B000-memory.dmp

Filesize
5.7MB

Download
memory/2248-157-0x0000000073F90000-0x000000007453B000-memory.dmp

Filesize
5.7MB

Download
memory/2248-36-0x0000000073F90000-0x000000007453B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads