revengerat | af8a19443518dd4b892c8080ea61b6d87674c73faf1f8f4061d025eec3999649

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
03/03/2025, 06:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New folder/RevengeRAT.exe
Size

4.0MB
MD5

1d9045870dbd31e2e399a4e8ecd9302f
SHA1

7857c1ebfd1b37756d106027ed03121d8e7887cf
SHA256

9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885
SHA512

9419ed0a1c5e43f48a3534e36be9b2b03738e017c327e13586601381a8342c4c9b09aa9b89f80414d0d458284d2d17f48d27934a6b2d6d49450d045f49c10909
SSDEEP

1536:SGZiTHzreu+4SHYEJicHHkxcPiwlJ6BjQaJ7ehgQpmnp3bDBq+AD3tSYxV:Z8AHxicHEuP5l/aJ7ehgiYDk9SYz

Score

10^/10

revengerat guest discovery persistence stealer trojan

Malware Config

Extracted

Family

revengerat

Botnet

Guest

0.tcp.ngrok.io:19521

Mutex

RV_MUTEX

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral28/files/0x000f000000023c05-104.dat	revengerat

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	RegSvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	RegSvcs.exe

Executes dropped EXE 2 IoCs

pid	Process
1952	svchost.exe
2796	svchost.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\svchost.exe"	RegSvcs.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
89	0.tcp.ngrok.io
8	0.tcp.ngrok.io
34	0.tcp.ngrok.io
56	0.tcp.ngrok.io
71	0.tcp.ngrok.io

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 1872 set thread context of 3364	1872	RevengeRAT.exe	89
PID 3364 set thread context of 3236	3364	RegSvcs.exe	91
PID 1952 set thread context of 3372	1952	svchost.exe	123
PID 3372 set thread context of 3684	3372	RegSvcs.exe	124
PID 2796 set thread context of 4200	2796	svchost.exe	166
PID 4200 set thread context of 1932	4200	RegSvcs.exe	167

System Location Discovery: System Language Discovery 1 TTPs 39 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1772	schtasks.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1872	RevengeRAT.exe
Token: SeDebugPrivilege	3364	RegSvcs.exe
Token: SeDebugPrivilege	1952	svchost.exe
Token: SeDebugPrivilege	3372	RegSvcs.exe
Token: SeDebugPrivilege	2796	svchost.exe
Token: SeDebugPrivilege	4200	RegSvcs.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1872 wrote to memory of 3364	1872	RevengeRAT.exe	89
PID 1872 wrote to memory of 3364	1872	RevengeRAT.exe	89
PID 1872 wrote to memory of 3364	1872	RevengeRAT.exe	89
PID 1872 wrote to memory of 3364	1872	RevengeRAT.exe	89
PID 1872 wrote to memory of 3364	1872	RevengeRAT.exe	89
PID 1872 wrote to memory of 3364	1872	RevengeRAT.exe	89
PID 1872 wrote to memory of 3364	1872	RevengeRAT.exe	89
PID 3364 wrote to memory of 3236	3364	RegSvcs.exe	91
PID 3364 wrote to memory of 3236	3364	RegSvcs.exe	91
PID 3364 wrote to memory of 3236	3364	RegSvcs.exe	91
PID 3364 wrote to memory of 3236	3364	RegSvcs.exe	91
PID 3364 wrote to memory of 3236	3364	RegSvcs.exe	91
PID 3364 wrote to memory of 3236	3364	RegSvcs.exe	91
PID 3364 wrote to memory of 3236	3364	RegSvcs.exe	91
PID 3364 wrote to memory of 3236	3364	RegSvcs.exe	91
PID 3364 wrote to memory of 3936	3364	RegSvcs.exe	100
PID 3364 wrote to memory of 3936	3364	RegSvcs.exe	100
PID 3364 wrote to memory of 3936	3364	RegSvcs.exe	100
PID 3936 wrote to memory of 868	3936	vbc.exe	102
PID 3936 wrote to memory of 868	3936	vbc.exe	102
PID 3936 wrote to memory of 868	3936	vbc.exe	102
PID 3364 wrote to memory of 1240	3364	RegSvcs.exe	103
PID 3364 wrote to memory of 1240	3364	RegSvcs.exe	103
PID 3364 wrote to memory of 1240	3364	RegSvcs.exe	103
PID 1240 wrote to memory of 4812	1240	vbc.exe	105
PID 1240 wrote to memory of 4812	1240	vbc.exe	105
PID 1240 wrote to memory of 4812	1240	vbc.exe	105
PID 3364 wrote to memory of 5104	3364	RegSvcs.exe	106
PID 3364 wrote to memory of 5104	3364	RegSvcs.exe	106
PID 3364 wrote to memory of 5104	3364	RegSvcs.exe	106
PID 5104 wrote to memory of 2576	5104	vbc.exe	108
PID 5104 wrote to memory of 2576	5104	vbc.exe	108
PID 5104 wrote to memory of 2576	5104	vbc.exe	108
PID 3364 wrote to memory of 4112	3364	RegSvcs.exe	109
PID 3364 wrote to memory of 4112	3364	RegSvcs.exe	109
PID 3364 wrote to memory of 4112	3364	RegSvcs.exe	109
PID 4112 wrote to memory of 2352	4112	vbc.exe	111
PID 4112 wrote to memory of 2352	4112	vbc.exe	111
PID 4112 wrote to memory of 2352	4112	vbc.exe	111
PID 3364 wrote to memory of 1904	3364	RegSvcs.exe	112
PID 3364 wrote to memory of 1904	3364	RegSvcs.exe	112
PID 3364 wrote to memory of 1904	3364	RegSvcs.exe	112
PID 1904 wrote to memory of 2316	1904	vbc.exe	114
PID 1904 wrote to memory of 2316	1904	vbc.exe	114
PID 1904 wrote to memory of 2316	1904	vbc.exe	114
PID 3364 wrote to memory of 2176	3364	RegSvcs.exe	115
PID 3364 wrote to memory of 2176	3364	RegSvcs.exe	115
PID 3364 wrote to memory of 2176	3364	RegSvcs.exe	115
PID 2176 wrote to memory of 2056	2176	vbc.exe	117
PID 2176 wrote to memory of 2056	2176	vbc.exe	117
PID 2176 wrote to memory of 2056	2176	vbc.exe	117
PID 3364 wrote to memory of 1952	3364	RegSvcs.exe	122
PID 3364 wrote to memory of 1952	3364	RegSvcs.exe	122
PID 1952 wrote to memory of 3372	1952	svchost.exe	123
PID 1952 wrote to memory of 3372	1952	svchost.exe	123
PID 1952 wrote to memory of 3372	1952	svchost.exe	123
PID 1952 wrote to memory of 3372	1952	svchost.exe	123
PID 1952 wrote to memory of 3372	1952	svchost.exe	123
PID 1952 wrote to memory of 3372	1952	svchost.exe	123
PID 1952 wrote to memory of 3372	1952	svchost.exe	123
PID 3372 wrote to memory of 3684	3372	RegSvcs.exe	124
PID 3372 wrote to memory of 3684	3372	RegSvcs.exe	124
PID 3372 wrote to memory of 3684	3372	RegSvcs.exe	124
PID 3372 wrote to memory of 3684	3372	RegSvcs.exe	124

C:\Users\Admin\AppData\Local\Temp\New folder\RevengeRAT.exe
"C:\Users\Admin\AppData\Local\Temp\New folder\RevengeRAT.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1872
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
  2⤵
  - Drops startup file
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3364
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3236
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\oxf4j2uv.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3936
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3B20.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC144A02FBF490CB5961E61BAB8CBC.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:868
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\roxgrbxo.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1240
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3B7D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2A978499569D4109943B87AC9311BD58.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4812
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\29avsu_m.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5104
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3C0A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc326DCD7D443449C1AB7E995A5CAA45A3.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2576
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nrm2gd7j.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4112
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3C87.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc26D9BE7AA2C40C699C091AEDBE690E.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2352
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wepyfasb.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1904
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3CF4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCF4DE0E945FA411189D9FE8223D6AC50.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2316
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lss8btv4.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2176
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3D71.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc50C61A1DA95D4BF1A9886F26E3A411E.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2056
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1952
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
      4⤵
      Drops startup file
      Adds Run key to start application
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3372
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3684
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1772
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\112-l5c4.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2252
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEE43.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD36558E537524D269460F97321B462E3.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1520
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mrwmgwus.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1844
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEEC0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9379A136C3A1417B958567245DAF6D6B.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3520
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\z4xg_0_h.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3040
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEF1E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc64CA1DBC9B6641AD9D811B40C794647.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1540
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vdl5wwdh.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2824
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEF9B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc51F264F8F62549EB9B2A145D8830A49F.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3900
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\scpv_8dg.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1944
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF037.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2D8461B21FFB473BBF5EADE0E1739013.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2124
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\x_358vi0.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5060
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF0B4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8F30C54E24758A9B0CAFF76E51E7E.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3692
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_qlboheb.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4512
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF150.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc537B3D0E8F384948935A4A8871ABF0F1.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3544
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pehreysq.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1836
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF1BE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc889EB60A311E4A33B0356D2FAD4ED5B6.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3044
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3faxqe4l.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2460
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF23B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCC52CCFD2C7240D9BA41EB2458836218.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3296
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ceukth8y.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1412
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF2C7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9233D3A6465B428CB366B536CE81C157.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2332

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2796
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4200
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin.exe

Filesize
7KB

MD5
2c0eb0643c0a1fd4cb65ec880defbcc0

SHA1
d74916623ac93579d361d1bca8123a49898c551b

SHA256
a1ad13fd5c11b116eaedd32ca612779efe2d0938b92055d879e354b9b640bae7

SHA512
1fb45064b58a0cee55ff6b21acfe18abb899360841843e3179b16d63c3b2a1f369ef03a20e1c4f80aa71d3ccbf2d96b87954a4d008caea2be70b95a30046933c

Download Submit
C:\Documents and Settings.exe

Filesize
8KB

MD5
90fef6d04e7e54e40aef61994f954d08

SHA1
2a43273806a9a16155b8da5050a9de6ce8236cbb

SHA256
595e1ebe1a5c41293dde5c24dd73f4d6c298d0d56c4a89bff55e7662bf6eefd9

SHA512
60b431f8133d0c63d8b0e7cfed03c578dc88e8b25425078a192986550edc7bb47c72b9f7267d1631499f0c9e92499383704cf1e61153f15dd7b6342df3ec953d

Download Submit
C:\PerfLogs.exe

Filesize
7KB

MD5
11faa6cc5581eefe82b45ff628f94be5

SHA1
46aefb4e2027231dea4b8d1ba8d862db38900278

SHA256
78493777d686a101089fff3ee40fe83712f06f0e7d9f76b65bcad61edf49734c

SHA512
686ff22b53aeda34ff52d0cffe302e57b475cb317d9f9eed0a335e80c31d173909377dfcb4e0d03fb4a8b8351bf686dae91c3fa7a9ea71ff154d919550ef414c

Download Submit
C:\Program Files (x86).exe

Filesize
8KB

MD5
542d01fcf8a674307031a00b1e4a36e7

SHA1
9d16156ac104402d8cc7cc43034dde6f92e8571a

SHA256
49a5fd7d4be872e398085f6bcec130d52cb3eb0cbbe8dd760ac52f5ffebdea15

SHA512
3a3d76df62da0d27f5e2315898cdfe7866d89e64da6f9bb136ee25803511c5829cfa3a83db2c62403a1ad25f39a74e23b3ce4ba578e2d89f539e7f30dacc0c4f

Download Submit
C:\ProgramData\svchost\XjtnxDp.ico

Filesize
1KB

MD5
42d552558e7e6f7440b2b63a6cde217f

SHA1
9c8fa01060f667cf3b0caad33e91fa59e643cf76

SHA256
11b5a0730666935c78d22b379f83ea5fc30d1afdea09a796b4f18b38a1e1ef69

SHA512
e6a6dc1239b9668e7ffc883b3cf46aff8c9f86ef11ae975f6fb65531d8b9313acd7608272042e322fad415a45c0cf767252d2c620ad066e6809656af0f09441b

Download Submit
C:\Recovery.exe

Filesize
7KB

MD5
a81f89b9ce05d4c8dfc91325f54ba45b

SHA1
81c87bbd3bcf935b25423b3da4bef330164f617e

SHA256
7316b56625b28e947ca00d8c2c21a4a450589e500f44635d5dbf41a541561468

SHA512
cc5fe9fa66e9598db97db21caddd4f5168cddbc7c76b04077815ebbc827371424e7636c80e888411a5c677c315e8224c1906364b8550e8a5feb33d803bf000cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RegSvcs.exe.log

Filesize
120B

MD5
50dec1858e13f033e6dca3cbfad5e8de

SHA1
79ae1e9131b0faf215b499d2f7b4c595aa120925

SHA256
14a557e226e3ba8620bb3a70035e1e316f1e9fb5c9e8f74c07110ee90b8d8ae4

SHA512
1bd73338df685a5b57b0546e102ecfdee65800410d6f77845e50456ac70de72929088af19b59647f01cba7a5acfb399c52d9ef2402a9451366586862ef88e7bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\112-l5c4.0.vb

Filesize
265B

MD5
61d2dde4b46edcabeaa9a64f5666a648

SHA1
bcde23b9c97af1ef107d00fe5040a6987cd09443

SHA256
75ea06634452131433c11c1dc3852137093d037ff662e12a2cfede5644579629

SHA512
b5212b642ad7b56cb4c99c62a020159ef121a25fcedc99a1326941a29556e23d4908a32fceb1f3be88d2991264c9b360e6aeae07fb63804f7ef0c8aa04a5a321

Download Submit
C:\Users\Admin\AppData\Local\Temp\112-l5c4.cmdline

Filesize
156B

MD5
1906ed4f4163028633f916add562ff48

SHA1
9da37939d95eb40e44d8c73415baaef64233e09b

SHA256
b092ff593b02457ad915b6d375a7ec8fe7348895add6341c7ea62fbedac42401

SHA512
965266013ad24601c982895a6e740ec00add0f832b1f5213ffc657958830f5d9ba32c96e498de1affaca6d2983e5a2b7e58519c6d1acfd6769ab8f3addf05db1

Download Submit
C:\Users\Admin\AppData\Local\Temp\29avsu_m.0.vb

Filesize
338B

MD5
7a354b496b9b397ebb14057eafede32f

SHA1
8970ca3895ca9472366e4fecc1f1d79ac1da78b8

SHA256
c12764cfd58a8df36d22008411f5054ab82256473817260f1d55069f04a083f8

SHA512
ccd8ebaf49e1d94610ac85571a5f3eec92eecb4e07f2138804dc4caf49137d03b30d69540c1a9ece6455539423b906a6c3c477b8496e93fbfce8c815836da5f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\29avsu_m.cmdline

Filesize
194B

MD5
5a260f980aa54f4a4dd4db83e4c62feb

SHA1
03ddfba2ddd190e65971d840ce97ce5c9fb62914

SHA256
5d1639e3d2e34647740eaa2997de1ae7be16304a73b177bc59df944c6f1983f5

SHA512
4abeff4c3d901ed002a4506d31ef1a4a1bb1a6f605410bb7d7646c0144ef5482b6f1db092e2ef3455a23043d29fa3d7d2632afe197d1ba7672cca552aee007ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3B20.tmp

Filesize
2KB

MD5
e825c5543268620074d0f7f42489e7f2

SHA1
e2dac0b39e905d77bbe5e225a5718bce5d4be4b7

SHA256
ec1d3be40735c45c80f8e558262b904f972c5e878bd383b6a58d40134ac95b88

SHA512
66b17a33e9802b993feaa25b274141276d56e6036d3a6fa27aad0d775ccf239610d441264858f49562f5f34fd60c57ba6a9ee37ce8c6d37c5f74a991250b0711

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3B7D.tmp

Filesize
2KB

MD5
b7e5e0c2edd0ae6f5bad89e15e447938

SHA1
12ee3e6599065480f2615c8d2ff07af768735175

SHA256
f6484e8e4c0d52167588aa4c392d2275de85f68342f7c1c3f89ba567401f9830

SHA512
74d147f826684f9b3554864d92d8f094c04b1c6791748e1802ebb7bfcc3e05d7501d2445a66c105d40daf32ec68d248623056434b26edf8eae415c1888411dbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3C0A.tmp

Filesize
2KB

MD5
92637192039d8cd4efc94510070d43d2

SHA1
65c0e394dfbe19b7552b452ba016d089242fb3a5

SHA256
4b433ba31f0c58db36f84d48f91359cd22d1d2f3b22dcfcf3faa5a018ef659cf

SHA512
2f0827aa8899452f8c77425413db5801d032fd1e3ec30d11d85e16f917d4c7d2495d1bc96d93aa47b5d5873c9bb84384c9f5abfe71f27827814cc5ef8bb4c3ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3CF4.tmp

Filesize
2KB

MD5
5c82bbcd9497b2dad90d79f16a21583f

SHA1
b7b388416bffd0392c7fe5ef4a8f33784bf13ab1

SHA256
d665fd12634ec123c0fa3109ce1ba9c8edf05b4146ff2050611a70896b1259ba

SHA512
5be6a34cd99cffc9f3f5d60548ad21731fb908f03a47f60547cc96f7928a76c4f2386fccf617b0092eafa30b27e4941037511fc4eb56dad241396eed3377f61e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3D71.tmp

Filesize
2KB

MD5
299d8105f79eb846212f422224ce3e2a

SHA1
0ee301cf7361529016a083a738756b385cfa1542

SHA256
c5735e5c7fb9e5b5e2192bce444259663d3dd225858a2bc4c92ac11e5f302984

SHA512
1d5b12c1b78d80c7b3a09e220bc707c36b0d02d4eb16c40d11f1ab00fc28a9cace03c0b3ddb8fd0b5447efc51627839fe7d693dbed1caed6bf6ae5f826c745d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESEE43.tmp

Filesize
1KB

MD5
f324dc4a6d859e3c7f0514dd27b406df

SHA1
7eb1859a513dd530417a5e38f7950df47eef7f28

SHA256
9137e9e5cfdc94c4cd7531390e875d18da80038532b37c6476d48bb8ec23cb4b

SHA512
cfe2d9b03e472a8e4d274a6bceda47a6e2250383904d2f7b8264d569f8ab72f20c3f281a4457329419e793de24682d0751c9dc148488f762d93a5d3e69d904b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESEEC0.tmp

Filesize
1KB

MD5
ab2610ad4ab85b8a6c4b981577a19c11

SHA1
72ebc629f4d54d0a1e96e9308e019baf2f59a9e3

SHA256
ec7f60042cad7338a60bb75827ebf722403ca86b14651c7089c014b4b8c256cb

SHA512
9efb3cb1e37127f2a9e33fc7cb98be1ff94a7d83ab332c7cce7bcd81c07dfa27a9b7bd0440b20a304add4d76f657ec0fb313015036f261240f48671937f1a429

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESEF1E.tmp

Filesize
1KB

MD5
19d7ab53b461752a3013e794552037db

SHA1
2828efa5b8fb094ad9a7a8db8bc07218ce828258

SHA256
dbb518b0a9d20ff9f636eef7a61c64b30b760cc84de63802ade2d6edbdabc5e6

SHA512
3741a316f474ef88a7e7c176dd4e291cf8766a47f6c9b4621a8629f34ec75472595779cf8aae3bb141e84c0738140d69b4bb9ff8ebcd8692024b2a261c642e1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESEF9B.tmp

Filesize
1KB

MD5
0b8363accc93e8f94e02073079dd5d6f

SHA1
b5b4ec1b33b91cbef8ecfe5593843ff234205438

SHA256
cc48933b50689dc0d18ae800109ea70e8e189a1e5679e351898f472c35a54c6b

SHA512
123cadfebee076cf40790479286ecfa7aeebcfab666ca348ec6ce400dbdc2d154e9b33bc717f1441115627befdbde9d6f14b0cca3b277cc86dac3d2650389581

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF037.tmp

Filesize
1KB

MD5
ad01bd21b6ab2c3423a2e23b5a0e3f5a

SHA1
5f42ec398dba71ee3b37f21d2fe8b85fd162dc99

SHA256
ae59b7e4d4d67000cb5674d570fef77491c1bc91252c5c1f9e378e924fc2f1e5

SHA512
b8db5f76884653bd9e4c836a518b4b252dc6f0a8f537d39ae4d60e5224c1ed05aa8e837a8b9079b280275713f9b9981942fc8b116c7cd499e5627de45e591bc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF0B4.tmp

Filesize
1KB

MD5
930a324c85f15b165faa115e8a3d7b25

SHA1
914131e17330ab253c3f44e4d9509e46b43b67b8

SHA256
798afb354043d757c0ea0fb7ffbe10c0453f914fe038c62ba03beacba7728c60

SHA512
570b8b51844c7d717652cac3eec6f7b0491625df98bb3d8bf42966e1f3f16f56d2c936c82bd72c872686dc52a274ea2d859144430b86c865ea4a8838f21fc6e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF150.tmp

Filesize
1KB

MD5
0418dd6458de92ec4e60def56a0e9f8e

SHA1
449e77c462ad6101d9d6e3b798fa68b96cea09eb

SHA256
64bb8080396c7ce455759727e75a695e5abcd504b32d51a8303ce08a5a9df6a3

SHA512
c7f22aa3a5f4d13c6ccbdcd66982c44b0107e7dcf68a3545ad9d374e29b213fe69d342128f1bd97994bf3f875531b67ce2183f5c55127da6b3380583a4384f78

Download Submit
C:\Users\Admin\AppData\Local\Temp\_qlboheb.0.vb

Filesize
283B

MD5
3e4e9235ce3ee5cc3dcfd2ae0094cad1

SHA1
9361befb9e40acdc08da7937055885fc0809e93b

SHA256
5f6cffb6892b34e718287ec29358945ea1fe8bda8b42f8704ec21a5c839a458e

SHA512
3bd6e12ef0574d260484848dd4b240849d7ea579244c1b56bab2068f3a5e6ae3f43d84febc86f6915ac455d0ecba964bdac075d6dfca656e2a60824aaa6d92b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_qlboheb.cmdline

Filesize
174B

MD5
3eb95483064841085c62855c18d53d35

SHA1
05a4a60ba5088fde42528412256ea011016ddaa0

SHA256
5a01ded5aa0e050f22ee0ed27265c07bb3c0133d6fe11d3bd9fcd66e9ae664de

SHA512
9296e6c9060a6b7a4b49eb3b69870ce6c65d4a69c9792ec31a57ac58219e2dc777aba970b829e0dc1969899066f45461de5048c2f6f4ab589f46415bac1f83ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\lss8btv4.0.vb

Filesize
342B

MD5
b8566f5519856f80dec85a1a2729e372

SHA1
ae442bcd0c97fed28f38b2ae224a93bfdf14dd13

SHA256
ec9f3959285c7493041f7cd7008620ba10b6685d670b21a2c31173fe9b215cde

SHA512
3da5378a33b77fae8cab09d72ec4c940e20bb8d736b7a4b91ee45211270719c12afaca3bac39683919e1cd76e80c310fb179a800592807495eac5a6350777d67

Download Submit
C:\Users\Admin\AppData\Local\Temp\lss8btv4.cmdline

Filesize
198B

MD5
8c03a3479b0e3f2717d58d85202afd22

SHA1
c12b6dcae59c4880bcb1c020863ac207c9ea2130

SHA256
ac6138ac4e27a4d4e43801291c560e9c3cee44b4788f9b7d14d2026c4e459d8a

SHA512
0f9748532d86770a6124d7848c1b5fccc99da8b51dc5fec50f776c0b6b5bc9f897ec5f5ef075bb507ff1abb78af4650d5a2e1862e1384a0bee34148deef0bb41

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrwmgwus.0.vb

Filesize
271B

MD5
e7e907e232e10e9db26a6b794bee7db9

SHA1
f1c333b095d52a354ea143f75d8731e212a1ea77

SHA256
3f67c2c555b72a66e87847b90097e6f3264bb772a2e557c98d8cb3dcf344067f

SHA512
db4983c0aa04eb26f152385128cf7641ab6f313eb78bad281807b31fc307c108ff6233e1bce99587a581bb8f4d4c648e358cf01485386b0748a74c7490814fe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrwmgwus.cmdline

Filesize
162B

MD5
816e3ba4a387599cd0a0b1ab44b438aa

SHA1
7ab300737eb4262ad86d24493dde1cd10fe436f8

SHA256
ebd7ecdcc5362d92abbd397814e2f424eff8cf876e57a07840d1de548c41fdac

SHA512
9c46e06ac6257e26cc4c56a5fb5425d353b2efdae49c3ee38217996798b798ae8a08c6615e16d8b23e3625a89466e561190007e9fe2b059c72d3ceed30246cbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nrm2gd7j.0.vb

Filesize
349B

MD5
a983e17fe05ca4e0cb4b37cd05d31792

SHA1
cc91ff79215a350a6a1f2bb4f039d894198e8421

SHA256
76bd2ec98b0d41223725675ce1c055c6f926198151d1fdbe94198ceac68f3eef

SHA512
37400beb6ea1f6c93b7e74124db9a26c6f8ee21d60e4830100aeeba40c7f983d16031ef0e0001935ff3cf0f3392abcf2b88da8476a3ee1c73671abfd3df79ab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nrm2gd7j.cmdline

Filesize
205B

MD5
05539fe692b5a8ba9d8cf2caf0c33035

SHA1
15b346dc5d8d4e55e8f20736469417fcddcdf396

SHA256
ad4d94938dedfae53e13f0a3655a14e72730013ad0eb0247575fada85e7855f7

SHA512
156c69d3c97574434527af24072e2c8b6e380d90a3a49a5522a7fe02a9e619aeb9860635dd7bb8151148ad3669f28bcc199b724075e0e82c9cf2e467ca7425d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\oxf4j2uv.0.vb

Filesize
342B

MD5
eb057b2b26beedef7d931bf659fb6f18

SHA1
3136c99b96686db9ded50aa19b55155c752551d5

SHA256
3066d848e6fa1f1a5041286509fe0319b7e5cf96941f2f3914af9873aaeeb414

SHA512
6d40f52117023ea3171c49cb544c13b703c220a49b7f251d9d4d14332ef637d14ca28e425e723d0906ef31ae77335e38a9e7ced009cde90645b31dde4cea8f32

Download Submit
C:\Users\Admin\AppData\Local\Temp\oxf4j2uv.cmdline

Filesize
198B

MD5
70ddd878fcfa7ecc9536cfcecc0807df

SHA1
ee7343426f5459acaa6c46c3999b9f63190dd81c

SHA256
40d8161c1e1063cb83a238e738f319ccc4c4dc292ee4ecefc12151b4f6fe96da

SHA512
bcb0c6dd0f1816b376bfc8ebb3c13cf8116fcdaa8f4209cf0e8f506630cc8aae238ad77fbdc5f769bc6ec1f21b4cf7512cbc31c230f4731c09573929cb7d5423

Download Submit
C:\Users\Admin\AppData\Local\Temp\pehreysq.0.vb

Filesize
273B

MD5
dbea023d7387685a4ea8a6daaf8cb8bb

SHA1
d298ff197f99a6a03a888bd15b91d4114032259e

SHA256
ec8e3bd19def9c26d695e0ad3db42646d5ec3109ff08f20d61e18131ca5bf2f8

SHA512
63b6ed1a9e8a211f6b215ddafab4e5d28028d7866d3ed5f41bffdbf2802798834f3a6a8dccac396046ca703274f22dbc658826698ea11ae80db16c87f93c9d21

Download Submit
C:\Users\Admin\AppData\Local\Temp\pehreysq.cmdline

Filesize
164B

MD5
64b41bf91db9a99a179e69cda882cfe4

SHA1
3595f3c08e10961d64db88a11ffa3bbf93fac1d6

SHA256
f3e4c961c1b942cbc70e09d2d01b00b21f5d1dab62b3e92e8bc439f79845cf9e

SHA512
317708eaf74400e4ef06a0256e4bf592e289d1b79ec36757725689471e6551a4ced7e9f06e5b020072ca66674fb50041d067b9dce78e80eae6b9d08a6447ac01

Download Submit
C:\Users\Admin\AppData\Local\Temp\roxgrbxo.0.vb

Filesize
352B

MD5
1830e137566529844ec4176432dbbabd

SHA1
34e0949bb3b0258f4b70cf50a1d78e124e0c62d9

SHA256
57f9e5ea5a7f49bdabb9bc2d1b36588e6a9a004e083a3a70c753cef82d032fcf

SHA512
63080864b35571e333f276865b639f8af805e1d5f6077b899db55b6bcf0f8026027989350d5051523c5cb58c4358a3ce5d7c26e990b08403cca223e41ace8468

Download Submit
C:\Users\Admin\AppData\Local\Temp\roxgrbxo.cmdline

Filesize
208B

MD5
888f34b77ebabbaefecc1e6b46a7d0ab

SHA1
0d3866852a405f065214f1741cb1616b2d6f9f1c

SHA256
c3e6f1328ae95add4d3ff9d02b8f2585c3239a89281a6dbb37ce716037a1b1c9

SHA512
aab2f209ca75322f78cd17237c87785fbea28d6891f294b17a15a81d9ac0496a973788287f6979c1e5da396497924e55f0e8d6c3d630b35c7ec945c0210af32e

Download Submit
C:\Users\Admin\AppData\Local\Temp\scpv_8dg.0.vb

Filesize
281B

MD5
e74b78fa9f340aa84ea9521425d20721

SHA1
9ae5c680b046a29675c1d8e26513ca1bc4f6bdd2

SHA256
90447f9b09a6d9481a0cf4c14918e742b91822f8b28c0abc247a746fc83de10d

SHA512
7c16a47d4ff390f681e840aec30761788ac07e0dfd6c68c8cd84cf52f1d30d293fc03fe4644c54bd92a84ea2d652156c04fe2bc80e33eea2ec387bc1fb875341

Download Submit
C:\Users\Admin\AppData\Local\Temp\scpv_8dg.cmdline

Filesize
172B

MD5
6446f73ff8e8a8bc1eead6a90f51aa7e

SHA1
7d3caff54046ed0eee40262a15e52faa9e6dae91

SHA256
0b866ff3366cee2b792a571b7acd75200e2f30db1cec8f4a46c6396ecc46557c

SHA512
60b9be87743add532fa5ee04953c6ea2e4c023a28e76a34805365baeb409862b156652b3e679d1f1e6281f4afc03c4ba2eee34e8eca713361f7348f6b6de9717

Download Submit
C:\Users\Admin\AppData\Local\Temp\uRClgZblR.txt

Filesize
88B

MD5
afcdb79d339b5b838d1540bf0d93bfa6

SHA1
4864a2453754e2516850e0431de8cade3e096e43

SHA256
3628cee0bef5a5dd39f2057b69fbf2206c4c4a320ea2b1ef687510d7aa648d95

SHA512
38e7e92f913822cc023e220035ada6944ffbc427023687938fe5cbb7a486abad94808239f63577c195afb520fe1a1a1b14e1050c0c03c7d324ddbf7cffdc304c

Download Submit
C:\Users\Admin\AppData\Local\Temp\uRClgZblR.txt

Filesize
59B

MD5
d602a61ee57bcc4830ebe29151bf628e

SHA1
5b36232a99544df60b27fc87cdf36817758ec659

SHA256
9e85433cd508542ae645092755f427204ac98bf3ac9f2e9260327ca1a4c1aa71

SHA512
07b0e326c405f0a0cd2a1810132859adeb13dfba126ab868394f0de2efc8f68fa04b607e3d25a7b5004cc5cb531a236ea224c699c86925a518ff6d486a56b44a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2A978499569D4109943B87AC9311BD58.TMP

Filesize
1KB

MD5
2b1c797dc7d98302d160cad8a48bb569

SHA1
d21abffaad078bf1001bdacbdbfc415712e4aa5b

SHA256
e8e832364befd892bf3b4e354cbf450777ed6c8ed4ab53e4da6b19b07c537a67

SHA512
61d97fc46fd371d92a6c52034452cc3ab40342bf8e2ca789c49f8e59b7c01af3b84af612769bd0042800f9786448f9d1d38f1047116f1720eb2672d45ee7a8a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc326DCD7D443449C1AB7E995A5CAA45A3.TMP

Filesize
1KB

MD5
ac7ce09218c8db7141245000895721cd

SHA1
212dfde15a3c423c390340fa58daa63d428e70d7

SHA256
7dea12ce0d65a04a31703cb278cdb111b323cbea6d50f2240658532249f7a008

SHA512
bf6b19efd3e73cc9001a5ed141356cfc2b8d71a201f0e7dd3b7467ae5c74c392690c13c30bf476f83db31e0779657ba7f7fe602557cf5c7448d7d120883534eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc50C61A1DA95D4BF1A9886F26E3A411E.TMP

Filesize
1KB

MD5
6b07ad6409d5b9840e49b087724652b0

SHA1
480ed8da114083a3e7a1d0da123ff59b09856221

SHA256
cbe03dd1171ca217848e8ecc1f7d3761c65ce87b7bda41e8577aa8cd4249bbc8

SHA512
aa9cc80fbc2b0ad58cfa6e144605f028d09485480b0fc13121ba95af214c799108cc44f3c4ca4f7244b21c2ddbcb915960b1e8e8168d2f0fac388b81c574e6ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc537B3D0E8F384948935A4A8871ABF0F1.TMP

Filesize
684B

MD5
8135713eeb0cf1521c80ad8f3e7aad22

SHA1
1628969dc6256816b2ab9b1c0163fcff0971c154

SHA256
e14dd88df69dc98be5bedcbc8c43d1e7260b4492899fec24d964000a3b096c7a

SHA512
a0b7210095767b437a668a6b0bcedf42268e80b9184b9910ed67d665fba9f714d06c06bff7b3da63846791d606807d13311946505776a1b891b39058cfb41bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc64CA1DBC9B6641AD9D811B40C794647.TMP

Filesize
676B

MD5
85c61c03055878407f9433e0cc278eb7

SHA1
15a60f1519aefb81cb63c5993400dd7d31b1202f

SHA256
f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b

SHA512
7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc9379A136C3A1417B958567245DAF6D6B.TMP

Filesize
668B

MD5
3906bddee0286f09007add3cffcaa5d5

SHA1
0e7ec4da19db060ab3c90b19070d39699561aae2

SHA256
0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00

SHA512
0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC144A02FBF490CB5961E61BAB8CBC.TMP

Filesize
1KB

MD5
296769437d2c28cc41fed36299d07d25

SHA1
51dae71c6541c0959647011fc3d13e3b7aeed44a

SHA256
53fa144580b0a916400aa8fd12b6300e90d5c7176736e2f535b5bbf26acfb574

SHA512
ab373a03ff1be8d612e1989fb8457d1d47286459587ba59bc20400ecd3edcfd77c959ea08913bc2f09746354de1e5737697b6a28dd548d77fce9f46a91eee392

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcCF4DE0E945FA411189D9FE8223D6AC50.TMP

Filesize
1KB

MD5
82d466e70a06fd97e70b4c05c8511539

SHA1
6d3a0408a6f3eed89af0a27d8383ae39a3cb70e7

SHA256
5b8f8fa56de36074d2161897f719823caade1619af318f4911d9b851ddb1d871

SHA512
d1a9b28d0d7524dfc1b080c2d560dc13ede802245bdbc042fe12d22707071d4d21c767c6d62733e6868d164968312c24b88954c324bb81fc76ba38c0b106dc25

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD36558E537524D269460F97321B462E3.TMP

Filesize
644B

MD5
dac60af34e6b37e2ce48ac2551aee4e7

SHA1
968c21d77c1f80b3e962d928c35893dbc8f12c09

SHA256
2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6

SHA512
1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

Download Submit
C:\Users\Admin\AppData\Local\Temp\vdl5wwdh.0.vb

Filesize
280B

MD5
24f16281edbb494caa9395e5f321fb4a

SHA1
5905c6be6149bf3f915e0acebc610851811b121d

SHA256
9c8bca52e106eefeb17387bd6fefe7341f280d7dafde8998bfd11486d5c0b8b8

SHA512
c606b756f0f5fc669f885d7125873e2145ef8bdc9c05c813795594efa76095cc428cd494cf151df622af199c89108b2992cae121fad77fd954c717528dbfb875

Download Submit
C:\Users\Admin\AppData\Local\Temp\vdl5wwdh.cmdline

Filesize
171B

MD5
8c35a4f962fe1bb59deaca9475e48beb

SHA1
d0474811cd3a162631e38c2c08a24d6d026108d8

SHA256
39f1b47da491e1f70f69860caf079c80205d092ec226f11944eabb571e9f56e9

SHA512
44b00eeac7e9a82a31de1992a676a7a5d2e446421477b2fc21197688606f6133a0fabc8860fa650ce55e4b8242a2b985017a6dff9278c48a6114d143a5a99ef0

Download Submit
C:\Users\Admin\AppData\Local\Temp\wepyfasb.0.vb

Filesize
338B

MD5
2de37b6c25304214817c88f9ec6e9847

SHA1
74f77a317b1f9822d11094eb3fe1c71797bb878a

SHA256
a4f127dbaa96ba729d5e754624b76625e5ad68908185b2e1ffaf5c935ba7ce7a

SHA512
a8cd8899cd8498598b992c158bb01850888d86c50fdf754f2223ee27613eda3e9a29aa7530ff60b7156da5d4ab030482aba59413cb5a842e8122c8df679bb954

Download Submit
C:\Users\Admin\AppData\Local\Temp\wepyfasb.cmdline

Filesize
194B

MD5
c8b269067571f3610623e5c597a17c28

SHA1
8a502e64bd74e10e5e28c5638204c0d50bfd1d68

SHA256
23a13bb74d2db7ef78b677e24060b9839d247646e5bfaed30d03b5390c9742da

SHA512
c5ebd464d42058c0b10f4fead71fedc7a536f547c8831cca93e487706ed5534b6ad426a28a461e160b8b7e699d1f63142843f7c36fdd58cf2855a2d1704c27f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\x_358vi0.0.vb

Filesize
280B

MD5
b77a186995634af20ce8b006671fecfe

SHA1
4ecf62cbf48d0f6ecd011cec5c09cbb128b0e653

SHA256
d5a80c6859c4c155f89cdc76f0092bf009f7311fa5e4352993fb6eea0ff00df6

SHA512
bcdb2e73b7d369e0c8f3d12fd955e76f777a22137f3c813c39346458982405780db77a15afa46fdf5cf282ee06ae6c85f3350e89d4ed410b34a7e869bc250927

Download Submit
C:\Users\Admin\AppData\Local\Temp\x_358vi0.cmdline

Filesize
171B

MD5
4f95d4a9be8176188d69cd12f152c4c0

SHA1
494ac4a360a1605583b6464ab86e62136d530e0e

SHA256
74da78d925db87b7af7810f4c6a1600541826a96c54d814cd9d8ae6de1db03c1

SHA512
46b8cfb6748d96d3f05e02f0297538845ae61133f98a206c2759bfd8a7cc597711cfb766c025e1a9fe705a4668b6bf52c7d1f8fd335ea1042524ad694138a195

Download Submit
C:\Users\Admin\AppData\Local\Temp\z4xg_0_h.0.vb

Filesize
272B

MD5
adba28f3832cd1602a6a4dc994a1ccbf

SHA1
5f40fc67ecee10e69edecdd5e1b8b76c1a5e7d37

SHA256
b0f3da06db0ffd21dacc7e046a93874c781af82786ab637e72222f8bccabacaf

SHA512
0051da407df06426005bee8f9d3c161936b301ddac3e1e0e42bb2940b603316a420e59ad5aebb7d4f079273c064a4bb55ddae5c93150ad36f33c8b66b53cc9e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\z4xg_0_h.cmdline

Filesize
163B

MD5
dfa1c069d7508fabc9cd8196beefda4a

SHA1
5ad87bc55083c35223a528fad906efb471c6b4c0

SHA256
11a5544c364cca5dcbcec3424fb887ec85870b37e5125ed3c99ef51f4dd5c738

SHA512
2c35d84e5fe2d26ac98746d8f649bb3a2619e25f9816aa3d72e348f2382cd40743e4c581d93594a1ac212f1c20b26acfef682c0fe2c88d51e19e3042e0c12575

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe

Filesize
4.0MB

MD5
1d9045870dbd31e2e399a4e8ecd9302f

SHA1
7857c1ebfd1b37756d106027ed03121d8e7887cf

SHA256
9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885

SHA512
9419ed0a1c5e43f48a3534e36be9b2b03738e017c327e13586601381a8342c4c9b09aa9b89f80414d0d458284d2d17f48d27934a6b2d6d49450d045f49c10909

Download Submit
F:\$RECYCLE.BIN.exe

Filesize
7KB

MD5
86444657e0134c296ea3d154877443dc

SHA1
00f5005a851c8672f90c8ce33c59822a0d8abbb1

SHA256
5c99272f809e9b2a89f803f14399d92fc8cb335c23792ef8552b6cd675d3127c

SHA512
cdcc75680d4cc5839ca5d17ad8fca8115bf1c426c9ef63e4b873230fc9f2dfe268c6b640aafeda0f151b25c7dd4cdfb65d56bf2b5fd6452f606408e2ee0e31fa

Download Submit
memory/1872-4-0x00007FFFD7940000-0x00007FFFD82E1000-memory.dmp

Filesize
9.6MB

Download
memory/1872-5-0x000000001C810000-0x000000001C872000-memory.dmp

Filesize
392KB

Download
memory/1872-3-0x000000001B680000-0x000000001B726000-memory.dmp

Filesize
664KB

Download
memory/1872-1-0x00007FFFD7940000-0x00007FFFD82E1000-memory.dmp

Filesize
9.6MB

Download
memory/1872-2-0x000000001BCF0000-0x000000001C1BE000-memory.dmp

Filesize
4.8MB

Download
memory/1872-8-0x00007FFFD7940000-0x00007FFFD82E1000-memory.dmp

Filesize
9.6MB

Download
memory/1872-0-0x00007FFFD7BF5000-0x00007FFFD7BF6000-memory.dmp

Filesize
4KB

Download
memory/3236-12-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3236-14-0x0000000074B90000-0x0000000075141000-memory.dmp

Filesize
5.7MB

Download
memory/3236-17-0x0000000074B90000-0x0000000075141000-memory.dmp

Filesize
5.7MB

Download
memory/3236-16-0x0000000074B90000-0x0000000075141000-memory.dmp

Filesize
5.7MB

Download
memory/3236-21-0x0000000074B90000-0x0000000075141000-memory.dmp

Filesize
5.7MB

Download
memory/3364-9-0x0000000074B92000-0x0000000074B93000-memory.dmp

Filesize
4KB

Download
memory/3364-10-0x0000000074B90000-0x0000000075141000-memory.dmp

Filesize
5.7MB

Download
memory/3364-11-0x0000000074B90000-0x0000000075141000-memory.dmp

Filesize
5.7MB

Download
memory/3364-18-0x0000000074B92000-0x0000000074B93000-memory.dmp

Filesize
4KB

Download
memory/3364-19-0x0000000074B90000-0x0000000075141000-memory.dmp

Filesize
5.7MB

Download
memory/3364-20-0x0000000074B90000-0x0000000075141000-memory.dmp

Filesize
5.7MB

Download
memory/3364-113-0x0000000074B90000-0x0000000075141000-memory.dmp

Filesize
5.7MB

Download
memory/3372-115-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads