revengerat | af8a19443518dd4b892c8080ea61b6d87674c73faf1f8f4061d025eec3999649

Analysis

max time kernel
136s
max time network
139s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04/03/2025, 03:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New folder/RevengeRAT.exe
Size

4.0MB
MD5

1d9045870dbd31e2e399a4e8ecd9302f
SHA1

7857c1ebfd1b37756d106027ed03121d8e7887cf
SHA256

9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885
SHA512

9419ed0a1c5e43f48a3534e36be9b2b03738e017c327e13586601381a8342c4c9b09aa9b89f80414d0d458284d2d17f48d27934a6b2d6d49450d045f49c10909
SSDEEP

1536:SGZiTHzreu+4SHYEJicHHkxcPiwlJ6BjQaJ7ehgQpmnp3bDBq+AD3tSYxV:Z8AHxicHEuP5l/aJ7ehgiYDk9SYz

Score

10^/10

revengerat guest discovery persistence stealer trojan

Malware Config

Extracted

Family

revengerat

Botnet

Guest

0.tcp.ngrok.io:19521

Mutex

RV_MUTEX

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral27/files/0x001400000001a4cc-348.dat	revengerat

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	RegSvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	RegSvcs.exe

Executes dropped EXE 1 IoCs

pid	Process
2828	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
2064	RegSvcs.exe
2064	RegSvcs.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\svchost.exe"	RegSvcs.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
2	0.tcp.ngrok.io
14	0.tcp.ngrok.io
19	0.tcp.ngrok.io
29	0.tcp.ngrok.io

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2120 set thread context of 2064	2120	RevengeRAT.exe	30
PID 2064 set thread context of 2704	2064	RegSvcs.exe	31
PID 2828 set thread context of 1868	2828	svchost.exe	110
PID 1868 set thread context of 1252	1868	RegSvcs.exe	111

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2268	schtasks.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2120	RevengeRAT.exe
Token: SeDebugPrivilege	2064	RegSvcs.exe
Token: SeDebugPrivilege	2828	svchost.exe
Token: SeDebugPrivilege	1868	RegSvcs.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2120 wrote to memory of 2064	2120	RevengeRAT.exe	30
PID 2120 wrote to memory of 2064	2120	RevengeRAT.exe	30
PID 2120 wrote to memory of 2064	2120	RevengeRAT.exe	30
PID 2120 wrote to memory of 2064	2120	RevengeRAT.exe	30
PID 2120 wrote to memory of 2064	2120	RevengeRAT.exe	30
PID 2120 wrote to memory of 2064	2120	RevengeRAT.exe	30
PID 2120 wrote to memory of 2064	2120	RevengeRAT.exe	30
PID 2120 wrote to memory of 2064	2120	RevengeRAT.exe	30
PID 2120 wrote to memory of 2064	2120	RevengeRAT.exe	30
PID 2120 wrote to memory of 2064	2120	RevengeRAT.exe	30
PID 2120 wrote to memory of 2064	2120	RevengeRAT.exe	30
PID 2064 wrote to memory of 2704	2064	RegSvcs.exe	31
PID 2064 wrote to memory of 2704	2064	RegSvcs.exe	31
PID 2064 wrote to memory of 2704	2064	RegSvcs.exe	31
PID 2064 wrote to memory of 2704	2064	RegSvcs.exe	31
PID 2064 wrote to memory of 2704	2064	RegSvcs.exe	31
PID 2064 wrote to memory of 2704	2064	RegSvcs.exe	31
PID 2064 wrote to memory of 2704	2064	RegSvcs.exe	31
PID 2064 wrote to memory of 2704	2064	RegSvcs.exe	31
PID 2064 wrote to memory of 2704	2064	RegSvcs.exe	31
PID 2064 wrote to memory of 2704	2064	RegSvcs.exe	31
PID 2064 wrote to memory of 2704	2064	RegSvcs.exe	31
PID 2064 wrote to memory of 2704	2064	RegSvcs.exe	31
PID 2064 wrote to memory of 2616	2064	RegSvcs.exe	34
PID 2064 wrote to memory of 2616	2064	RegSvcs.exe	34
PID 2064 wrote to memory of 2616	2064	RegSvcs.exe	34
PID 2064 wrote to memory of 2616	2064	RegSvcs.exe	34
PID 2616 wrote to memory of 2300	2616	vbc.exe	36
PID 2616 wrote to memory of 2300	2616	vbc.exe	36
PID 2616 wrote to memory of 2300	2616	vbc.exe	36
PID 2616 wrote to memory of 2300	2616	vbc.exe	36
PID 2064 wrote to memory of 2568	2064	RegSvcs.exe	37
PID 2064 wrote to memory of 2568	2064	RegSvcs.exe	37
PID 2064 wrote to memory of 2568	2064	RegSvcs.exe	37
PID 2064 wrote to memory of 2568	2064	RegSvcs.exe	37
PID 2568 wrote to memory of 1744	2568	vbc.exe	39
PID 2568 wrote to memory of 1744	2568	vbc.exe	39
PID 2568 wrote to memory of 1744	2568	vbc.exe	39
PID 2568 wrote to memory of 1744	2568	vbc.exe	39
PID 2064 wrote to memory of 1796	2064	RegSvcs.exe	40
PID 2064 wrote to memory of 1796	2064	RegSvcs.exe	40
PID 2064 wrote to memory of 1796	2064	RegSvcs.exe	40
PID 2064 wrote to memory of 1796	2064	RegSvcs.exe	40
PID 1796 wrote to memory of 1752	1796	vbc.exe	42
PID 1796 wrote to memory of 1752	1796	vbc.exe	42
PID 1796 wrote to memory of 1752	1796	vbc.exe	42
PID 1796 wrote to memory of 1752	1796	vbc.exe	42
PID 2064 wrote to memory of 1728	2064	RegSvcs.exe	43
PID 2064 wrote to memory of 1728	2064	RegSvcs.exe	43
PID 2064 wrote to memory of 1728	2064	RegSvcs.exe	43
PID 2064 wrote to memory of 1728	2064	RegSvcs.exe	43
PID 1728 wrote to memory of 1692	1728	vbc.exe	45
PID 1728 wrote to memory of 1692	1728	vbc.exe	45
PID 1728 wrote to memory of 1692	1728	vbc.exe	45
PID 1728 wrote to memory of 1692	1728	vbc.exe	45
PID 2064 wrote to memory of 1160	2064	RegSvcs.exe	46
PID 2064 wrote to memory of 1160	2064	RegSvcs.exe	46
PID 2064 wrote to memory of 1160	2064	RegSvcs.exe	46
PID 2064 wrote to memory of 1160	2064	RegSvcs.exe	46
PID 1160 wrote to memory of 2832	1160	vbc.exe	48
PID 1160 wrote to memory of 2832	1160	vbc.exe	48
PID 1160 wrote to memory of 2832	1160	vbc.exe	48
PID 1160 wrote to memory of 2832	1160	vbc.exe	48
PID 2064 wrote to memory of 2088	2064	RegSvcs.exe	49

C:\Users\Admin\AppData\Local\Temp\New folder\RevengeRAT.exe
"C:\Users\Admin\AppData\Local\Temp\New folder\RevengeRAT.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2120
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2704
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rp6mmgrw.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2A9A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2A8A.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2300
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zt51mtll.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2568
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2B36.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2B35.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1744
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sfnqvhlr.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1796
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2B84.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2B83.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1752
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hjenc9nq.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1728
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2BD2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2BD1.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1692
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mbj8l7u4.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1160
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2C11.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2C10.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2832
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tznvv9do.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2088
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2C5F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2C5E.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2824
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xvyzidww.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2356
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2C9D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2C9C.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1436
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bqmks0mr.cmdline"
    3⤵
    PID:2836
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2CDB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2CDA.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1620
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7e3tmjrp.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1232
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2D1A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2D19.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1552
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\o3vh96jt.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1256
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2D58.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2D57.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1756
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jwvfrc3x.cmdline"
    3⤵
    PID:1092
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2D97.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2D96.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2228
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\eatyte6r.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1508
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2DE5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2DE4.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2248
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-udwo4ob.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1612
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2E23.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2E22.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2556
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lzhufl1o.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2380
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2E61.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2E60.tmp"
      4⤵
      PID:604
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-fganzaa.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2868
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2EA0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2E9F.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2552
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\aitkvnxq.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2624
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2EEE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2EED.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2108
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xackjy5q.cmdline"
    3⤵
    PID:2972
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2F1D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2F1C.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2612
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ou2macgq.cmdline"
    3⤵
    PID:2224
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2F7A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2F79.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2276
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qcqre7kk.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2440
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2FB9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2FB8.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1716
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\inhqjmd4.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1940
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3007.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3006.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1344
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ev-bjyl0.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:640
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3045.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3044.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1748
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ulbgwxc3.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1696
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3093.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3082.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1520
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\623xxkwq.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2856
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES30C2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc30C1.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2860
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tz8twkmy.cmdline"
    3⤵
    PID:2452
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3110.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc310F.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2952
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\febqkfrm.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2088
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES313F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc313E.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1016
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    PID:2828
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
      4⤵
      Drops startup file
      Adds Run key to start application
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1868
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        5⤵
        
        PID:1252
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2268
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hrni5xkb.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2492
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDA97.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDA96.tmp"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2320
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\8ad00otx.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2580
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDB14.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDB13.tmp"
        6⤵
        
        PID:2068
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\er5eikz1.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1864
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDB62.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDB61.tmp"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2804
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sgrrsbqx.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2896
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDBA1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDBA0.tmp"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2996
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zlh0ltvy.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2140
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDBEF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDBEE.tmp"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2948
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\c_ofe61d.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2732
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDC2D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDC2C.tmp"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2696
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\na_at97d.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1652
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDC8B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDC8A.tmp"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1400
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\luqxtv2v.cmdline"
        5⤵
        
        PID:1832
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDCC9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDCC8.tmp"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2020
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wod2skek.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2040
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDD07.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDD06.tmp"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2024
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xalro4-n.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1748
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDD55.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDD54.tmp"
        6⤵
        
        PID:1692

C:\Windows\system32\taskeng.exe
taskeng.exe {CF983383-B722-48D7-82BF-88BCDB184ADF} S-1-5-21-312935884-697965778-3955649944-1000:MXQFNXLT\Admin:Interactive:[1]
1⤵
PID:564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\svchost\vcredist2010_x64.log-MSI_vc_red.msi.ico

Filesize
4KB

MD5
c398ae0c9782f218c0068cd155cb676c

SHA1
7c5bb00a34d55518a401cd3c60c8821ed58eb433

SHA256
9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3

SHA512
85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8

Download Submit
C:\ProgramData\svchost\vcredist2010_x64.log.ico

Filesize
4KB

MD5
cef770e695edef796b197ce9b5842167

SHA1
b0ef9613270fe46cd789134c332b622e1fbf505b

SHA256
a14f7534dcd9eac876831c5c1416cee3ab0f9027cf20185c1c9965df91dea063

SHA512
95c7392ffcf91eaa02c41c70a577f9f66aff4e6a83e4d0c80dbd3a2725f89f90de7ab6484497bf6e0a0802fd8ced042647b67c5ea4bee09e1b2be30b0db1f12f

Download Submit
C:\Users\Admin\AppData\Local\Temp\-udwo4ob.0.vb

Filesize
378B

MD5
b3f4020948b586a0f9b5942315ffdd2e

SHA1
bcea9b02c02f4019410a5fc2d6aaa1b8448993e7

SHA256
62c128f4f8749a44b0ad3bae5847c107154d0af80562dd4774b92eab801ee16a

SHA512
e75ffeab199cdb63a8be4ba2c2607d1616aea9edbb8a4a4632f3d36f13c6e8bbad4dc23992db5f5a6390df143028247bd5a5012394ba47248e084067f9a2ecb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\-udwo4ob.cmdline

Filesize
271B

MD5
5a2a18f8c7d87416207d066922798b8d

SHA1
452899ccf87127643b69d38aecaf3aa13cdb3cfd

SHA256
4254c243178d1666774e67f2180d89535738eac3b5c62a8ece8b0b3381b68b7c

SHA512
3e73a57dc40f5bde3480040f51af4f02f40f0e761e942a8270d1b615339ff6d4d90578a2c8da824bcea8fb9d0ad439e18c4f3464e0a445c14a267f5d70d1cf26

Download Submit
C:\Users\Admin\AppData\Local\Temp\7e3tmjrp.0.vb

Filesize
350B

MD5
3005a8f0fa8ab6091d90f8b835b63ad0

SHA1
fd3dd678a6c1bef579b1665c642b634cd8ca587f

SHA256
edca18ee70d61134bdd624b3134099fe77dd1e344274c46a5157e1e299244f99

SHA512
0795a3a9294f86254bf1bea602dcbf2cd6c02314be3f4ca867f4d29f02eaf83b1d68362a373e47ad094bbcfbe411493c6d1fc5bf50185b4a7df89a42c92c1892

Download Submit
C:\Users\Admin\AppData\Local\Temp\7e3tmjrp.cmdline

Filesize
215B

MD5
6239ec03e4f4df6d513c8c164530bf69

SHA1
f04b8cbc74db05e4a4bb9858dbd0ac325da4f696

SHA256
397e2c86dd5ac0acb358a1a534a3aa2d78a65c9c6dff30b2c3460cee8489f124

SHA512
c57456a245327cbd117982d6d2f17c9b59ef8caf16af22e8f2372375262a92fdb2fecd53d6fcd07adc2d6ace6a9d041e383d4bd03d152681b4b66523f9bee667

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2A9A.tmp

Filesize
5KB

MD5
8f3b0b17a9d5b2fb437d263c3ef1c885

SHA1
36dc733156570c3e8e8dda4bf110e1a83f088c47

SHA256
e1eb4d3e0b476c56439d2881d7b45a3b06040a25c6912c36a827d5ceece53b3f

SHA512
747b2dc60f0cd05ec9d5f4f1cb72590df256c4b54d6adf43c42a5bbc6278066211103416e9ffc9ee1430d73602f4f2c0518d98b805d7f3999641eb282ec5146f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2B36.tmp

Filesize
5KB

MD5
4b032ce0ea7a1a672c29550f4ada2768

SHA1
7284f15d607979e2c6833ad70bddae0904e71757

SHA256
035350e1e49a87190b8a75f1ad59945e7cd6dcd3efc54f5a5fd381f7c6d741ae

SHA512
54c58a25a00a288bbc24fa47eadd0026fbd1085a9dc605c75b42a02369876d485c6359fa71e77eedc02e61325cab71fad187122c9d4288e08b3693050e8f3b63

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2B84.tmp

Filesize
5KB

MD5
9522a885c415f2f906a701f84c4b5ac9

SHA1
d36013e41831f2edea612335d1bef70e3d7d2e42

SHA256
13e3149997e31c7b636af93db0152101065ba0440c90c70ab7ed558116f62b71

SHA512
433b8a7a0ad6f2f3f608065ad6449e8ca18b8da242e4ee4d383f472486c3308138248a65ec979d582dfdf54ca70376ea877c9944528323226afe403501a6a39a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2BD2.tmp

Filesize
5KB

MD5
028e2a42849cb82d05bc61cbfd0cec97

SHA1
20eb78492f572ba79d4c99c175c239605a6c011a

SHA256
158e49f51a7532602efefa926fbe4f50cdacce656f89c7e5b0b1bddade8d2520

SHA512
6f8cbb6ce175efd2b73c8b339a48aee4f6c14a5b4a6e9b7c5fde4d53b3d1fa334a0f9bdaa26dfaf5e4bcbda667bfdf5cd5cd3817618587b95e6eba9a9f2260d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2C11.tmp

Filesize
5KB

MD5
c71fab64fbe0adda7d17b042d0882b23

SHA1
a4f51bcfe6c2b316d15ffe9a4338cf8c6b9232cb

SHA256
9e29389a49925d17547c6813b15bf10028e03fd5d74db183cc151eb221f60ebe

SHA512
12be0b63b0ce1daa257c9280baacb958e624eda6fa469a7a1c76ce61edf3f63bd921dd0dc09d5a55e2f25e13aeb4a6ed7d64c4065b6d1c456f1838b9af9b4099

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2C5F.tmp

Filesize
5KB

MD5
1d4c6997522615976c4f02de329f4b8a

SHA1
9d70f2658b8bc27f1d7d8ac0945ab7532a57a6c3

SHA256
3665f2a731e72fc7d9ef771bfe0fe2e2a7a28e82b080b2c1dd521add49ee3fa4

SHA512
72c2b074ecef1d288d29bf5c5945be25317e4c11db708eebbd526a2b9abb4911755023b4db895bc0a192667a299f1ed6aaad22989cb51ae52dc4625812054d1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2C9D.tmp

Filesize
5KB

MD5
948df82725274d8c303839698c022b7f

SHA1
a68ccfb5ee7463003950ab15436f6583177af4df

SHA256
6cdb22fc1b82fc2f9e8a69310b085e82c99afbc84a694fb46c9e4864da99039d

SHA512
8c38ceca9d1ea84edfc474957eed6302072d658db82bf7bbdeeaa9a2354b668041aa17688436de48f04e8fe1dfd81215e80bc7e62b66b0d536baad331c2a3f7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2CDB.tmp

Filesize
5KB

MD5
ab35d1e9227f929f371bd880258987f9

SHA1
a39007bd23a1048c47445286b44c3c78fa3b626a

SHA256
1ad346002e390213faf8af2ef0ae4b8501a49b3de7f56b1dc0e72e76243871d3

SHA512
644fe4f46f6f5ee5e6b2f6ab14e6fc8a39ef8de8752c1224f31c483b6cf0f8443e6f9dbe495e7e647c6ae69b63285aebb4420e6f6fd8a9e6b797ae1b7b0cb7ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2D1A.tmp

Filesize
5KB

MD5
9c16d582bfa84fb1ba1b4f76cdf45916

SHA1
656d4dc0bf402158ffa11cd3ec7fa33e0dde6697

SHA256
c0c5c5b1fee38a3b5ce16e471ea1d2bdf6934667d0cf7b72c978a6ccb2c68e4c

SHA512
c7a006821cb98775b39b0f1fb6383a57df85fa4108efc3c7e7186db1579b65c98ceed4d36f8dd4a4a19feba08ce5d072bc30508bd8ccb63d2ff79b637699390d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2D58.tmp

Filesize
5KB

MD5
8c1c078d1a1c1d0608e6b08f5e7e0f0b

SHA1
61b0b22b5b01eb9429b8c5fcd27521be12542138

SHA256
31e23a20e88110eb0ff747203eb576e0404a4e2b32255c9cb440d3b0e7977782

SHA512
3d04b0a5dad205d74a960ff215470d6f7ad7fc6a320a0715e8afa9d4fa4a14159215231b78f08b1fc0a9e07c293035291a8a0c07b0f26ac952dd36327afc5d96

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2D97.tmp

Filesize
5KB

MD5
c7c9b582af3149b83f556c859d0c23a1

SHA1
0178f07b273938b24a644953f2e6d3bba2c4f838

SHA256
d5895203de253ecd6cd9546d481145f4ca8cf824034c861e29764abe4a8f224f

SHA512
d9d3f619d54f3e2f47badbe7b99409632e4a101495b7913dd00745f518e11b1ce5da1819c1f73c09cac804d0e6f9cd1eef7192f36be8b9a1834b8bdf42cd1c75

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2DE5.tmp

Filesize
5KB

MD5
37c64737b0efe92062e963af6fb2cfa6

SHA1
16a162815a0d7d36c7ed3aa89ca05bdb228bc7dc

SHA256
87b3a153e62dc8f77070e48aef78aebc66901226e0c1033b6d17ee8bbbbf4a1d

SHA512
2a21a701606850ef34b44210793389f95ce5994181d08d7aa5374747247a1f5f8ff526e3ac713aa6bcf5c44a98fb4c8279c15ba00a0dcea3855f9915e995f526

Download Submit
C:\Users\Admin\AppData\Local\Temp\bqmks0mr.0.vb

Filesize
376B

MD5
688ef599a13c30230d9c00287511e084

SHA1
496834103ac52660dd8554590a2f92cbda8ab759

SHA256
9ce0d8e22177e91d78bf3e578b8b5f0d22d724ae17931195de2e3b5b46255051

SHA512
0f244536f83308c7db23337dadcef882fd258954d7e3c8a5f3f66ee0861fec0cd6ea7b3310db65a306de380da410af1e8e4041fabbc917b6af4b94d9424cec8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bqmks0mr.cmdline

Filesize
267B

MD5
18df1be6f0ac97dce18e44c6d07abd0f

SHA1
52a0543a07567ef3aa06857a4ca210e896c628f5

SHA256
a61fcc6f7a0b3f66dc1f68fee257c119554cf3dd7e56991f81dc8c49720ab40b

SHA512
b9da76650bf425c9a7994ff8b7d011a34695eb981a8d7a594fd782fe801a786bb8f8fb4941e05b98c20d185deac8fa8a513b544b5b957713eac43286b679cfdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\eatyte6r.0.vb

Filesize
375B

MD5
61580d8eee92263741c70b5e756b3a1d

SHA1
cb09d0e8635efa1fee911b9ead83c6a298139f27

SHA256
1430de0fb4d00afcb7d7df9abd3d248df27101eed793251c8bccaa325a9b6f77

SHA512
b0aa8925e8016324ebad6a4307ea4c9b9a58ff564b718092080f966ac069eba387157da708303ce83b7b42b3ffe16efc4dba874e7b4563693195d6736de96d60

Download Submit
C:\Users\Admin\AppData\Local\Temp\eatyte6r.cmdline

Filesize
265B

MD5
cb4e3aff671a84dceb8653a9f70389ca

SHA1
c082fdec6a6f823f3ba47e15ea695a77b150281a

SHA256
b6c5dd5fdb9c2eb60d9c1aa4123f374b2776870dc92e824b73a517927daf38ff

SHA512
f6e3b794f7e1be128748a6fda90820e2f64f754d5f37b47e85aac4e5b319f6b0ae6375b1c6693c749720f8b35cc9611e3b675280f7048c8c17546487848fac15

Download Submit
C:\Users\Admin\AppData\Local\Temp\hjenc9nq.0.vb

Filesize
355B

MD5
6e4e3d5b787235312c1ab5e76bb0ac1d

SHA1
8e2a217780d163865e3c02c7e52c10884d54acb6

SHA256
aec61d3fe3554246ea43bd9b993617dd6013ad0d1bc93d52ac0a77410996e706

SHA512
b2b69516073f374a6554483f5688dcdb5c95888374fb628f11a42902b15794f5fa792cf4794eae3109f79a7454b41b9be78296c034dd881c26437f081b4eaea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hjenc9nq.cmdline

Filesize
224B

MD5
98630c0db45985bcc3ae2488e28c5b53

SHA1
9fd27e2c110e288dfc33697d4c331cf04734de31

SHA256
43ca005bf8f1f610ded5c38759167c8ee7c065144fa8ea1cebae66a965a407b5

SHA512
1593683be36251428aa0279ed1e1106a6e191724bd3d8efddba6aca75aab81f72d1521d3359cd8062ff5b1fb4e6ecbb7920ae39b1f8f592101059dbefae431a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\jwvfrc3x.0.vb

Filesize
378B

MD5
a52a457213a9d0522f73418af956a9ef

SHA1
cd46e651cb71f2b3736108d58bd86c7cf3794ecc

SHA256
be60d63078e797b8b46dc31f978e20e9819ef09b6fd3d5869934ace0530f23f7

SHA512
9d3458eefcd36539d4e97ed847f06faf96e0a8445e1d352d6a77506a042f513fb39523f90eff3aa1ef06afb000371e94d1968bc61d28bfb00f2a8cbbcc2eb3c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\jwvfrc3x.cmdline

Filesize
271B

MD5
6eb8a5cf7627625cc27c9e49b3bfaf5f

SHA1
03a5999704e8bb4e291a4d57e3e196f418bdff17

SHA256
1a08c078642a4878ec7cb143b9dead4de73146fbde1a78a13ab841cf4c0f65e8

SHA512
f2038c5d212181c636b26d8f2b7edd365b0550c5dfcf2ebb8d606ba386b753ded4056d0585d39c479752a7f7fff1af1074c7ecb2a5baf712b525bd24297c9bdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\mbj8l7u4.0.vb

Filesize
373B

MD5
197e7c770644a06b96c5d42ef659a965

SHA1
d02ffdfa2e12beff7c2c135a205bbe8164f8f4bc

SHA256
786a6fe1496a869b84e9d314cd9ca00d68a1b6b217553eff1e94c93aa6bc3552

SHA512
7848cdc1d0ec0ca3ec35e341954c5ca1a01e32e92f800409e894fd2141a9304a963ada6a1095a27cc8d05417cd9c9f8c97aed3e97b64819db5dd35898acac3b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\mbj8l7u4.cmdline

Filesize
261B

MD5
e3a2e0037191729559c62db5593010e7

SHA1
c5ff9aaa295ef53a31e10137ba4f635703edc427

SHA256
227535eba34ed907fe8964331e63aa112201b0f2a192007b4e6b85ce96be8355

SHA512
ae7b43a8e4e95ebc10c25b932fa45a35668cfbf182c0970272d5e503b30fe2a763b8c7873dc78eae2312d5297ae99a1951cd9d9ea3a802c0e1175dc4011831b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\o3vh96jt.0.vb

Filesize
375B

MD5
085f35c737b484465e1799359126ee1c

SHA1
f51feaf15af726cb9cbc151cd86b9913e428abcb

SHA256
940fb15c66dc34a66b192569ec3588a11285af4f7230c27d54191dcff5dd5b1e

SHA512
8314ec82f79a6dbd1e946be25984635c149ef6689e33d8010680f5bdf3bc8803bc14d8dbaa92717fec261d7f27e8f87384478130c3fe5ee37f3ec84fa2bf1402

Download Submit
C:\Users\Admin\AppData\Local\Temp\o3vh96jt.cmdline

Filesize
265B

MD5
9a3a6a852e1952311afb1d3ccc302c2c

SHA1
1672b8e609cb9b6a648cbce021ac12f9c11bce6c

SHA256
a04e8c1dcb2c2d53621f9d414798f7d7f56ba82f212c41357e48d39ea78c9a31

SHA512
e18a09e2b5f321e8eaa017089fe753c860a41233b313cfd2fc29ed0d08d9e4f2e861066f7539b787fc45c560ceb5a3b06cac265b85fe14074398d5c7921b0dc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\rp6mmgrw.0.vb

Filesize
369B

MD5
e4a08a8771d09ebc9b6f8c2579f79e49

SHA1
e9fcba487e1a511f4a3650ab5581911b5e88395d

SHA256
ef4c31d167a9ab650ace2442feeec1bf247e7c9813b86fbea973d2642fac1fb6

SHA512
48135e0de7b1a95d254ae351ccac0cb39c0d9a46c294507e4bf2b582c780c1b537487161396dd69584c23455950f88512e9931dbff4287c1072938e812a34dd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\rp6mmgrw.cmdline

Filesize
253B

MD5
f89f3766945b8aa7bbc01db8588765e5

SHA1
27cfdcc62deff2e0605667c23acd42a765370ba9

SHA256
02a233953a7800a8e9e9249826d6fdc390a62cda1850c7a755fe8118d517a1f3

SHA512
f809d16dbd1a584599ddeca5d708156ea9f6dd61dbe73ce27103418c4b6d21f2a18e808bed7d0d02d11c02fb949ea25bf97716cf5d40d2ef1bd3b1307b860449

Download Submit
C:\Users\Admin\AppData\Local\Temp\sfnqvhlr.0.vb

Filesize
369B

MD5
83f6067bca9ba771f1e1b22f3ad09be3

SHA1
f9144948829a08e507b26084b1d1b83acef1baca

SHA256
098cd6d0243a78a14ce3b52628b309b3a6ac6176e185baf6173e8083182d2231

SHA512
b93883c7018fdd015b2ef2e0f4f15184f2954c522fd818e4d8680c06063e018c6c2c7ae9d738b462268b0a4a0fe3e8418db49942105534361429aa431fb9db19

Download Submit
C:\Users\Admin\AppData\Local\Temp\sfnqvhlr.cmdline

Filesize
253B

MD5
4c4a3b8ba6554e0f2cc6fc492d938ab1

SHA1
3ed82c953629baa3c526d67263761e7929afede2

SHA256
e757a74cb3fed4bd7cce48dbca4ac3d09ba43b8be9cc1fc2c4bc29fc63103e8c

SHA512
a5be342a5426cc83c7e6cf26acf047360d501d38fa145abeb05604913660104859e60c7adeb6714ede5be502fc51bf103e0f674bc8d8a24f4a8b6a3158ea642c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tznvv9do.0.vb

Filesize
376B

MD5
7a8e43324d0d14c80d818be37719450f

SHA1
d138761c6b166675a769e5ebfec973435a58b0f4

SHA256
733f757dc634e79bdc948df6eff73581f4f69dd38a8f9fafae1a628180bf8909

SHA512
7a84dbe0f6eebdc77fd14dd514ed83fb9f4b9a53b2db57d6d07c5ff45c421eac15fdc5e71c3bc9b5b5b7c39341d8e3157a481d9dacefe9faff092478a0cea715

Download Submit
C:\Users\Admin\AppData\Local\Temp\tznvv9do.cmdline

Filesize
267B

MD5
e881157ab0e0aff235530639b3695f69

SHA1
e304abe183e311ae6f970a43e0f6f8ad426a3bf6

SHA256
1b293afe83d764226e5129366a5c94d4b6d7bbd913eab1c18851a995b199e976

SHA512
6d70bdf7d462a8f890f347e7cb34fcf9f527db956f5e06f74337c49f710312faae299629ede8da396bb98c5264903fa316de5e17e1af7219d3fff522bb4e0719

Download Submit
C:\Users\Admin\AppData\Local\Temp\uRClgZblR.txt

Filesize
59B

MD5
d602a61ee57bcc4830ebe29151bf628e

SHA1
5b36232a99544df60b27fc87cdf36817758ec659

SHA256
9e85433cd508542ae645092755f427204ac98bf3ac9f2e9260327ca1a4c1aa71

SHA512
07b0e326c405f0a0cd2a1810132859adeb13dfba126ab868394f0de2efc8f68fa04b607e3d25a7b5004cc5cb531a236ea224c699c86925a518ff6d486a56b44a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2A8A.tmp

Filesize
5KB

MD5
955c29e6642db6b23d9ca8d18903794f

SHA1
2a12553a01cafeaf83d2f52febb424af00e649bd

SHA256
6839c94e5031c8646f5d3db534b41c09076e93cae238d1337aa8a1d41ad741f5

SHA512
30eaed32fb99fa62ef8883c4b6e34678175cf8ce24a953d80e43ef67a68f79e9a59996ea3cb4465c6f6d6e0b03a0fab1b241c1d21430bedc49e3e757293fe296

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2B35.tmp

Filesize
5KB

MD5
d7d67a3915a3aae053cb2867a77fd9fc

SHA1
829757b4c84456ea3771deb6988e77bfc3ad117c

SHA256
d1d578383b3b0b42856bef5deb0fc8cd2406e1f9bc8f6818b2c719a66e6d8093

SHA512
bb877e96798c34921c613aaa44e424593a791f450a10e254e5a643ec774d527178c7b36bf91cf683e712d893e8e321c8ecafc6a2521f148200f769c9ce2d78be

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2B83.tmp

Filesize
5KB

MD5
666d582d0f49759982ad0b7cea623a35

SHA1
54f28f61b9f4ae52dcce4ee9eb8ac0b8d7809ba8

SHA256
b890a7bcccc09c2d2577b944bb32e3419d70458e5ecd02f2f846325b86bef862

SHA512
29d157e897c2e0547cf105ebee1dca1eabf410ef364fb807055e2dfc79bae4be60ae2d8f012ca02eb37696b335fa0eaffafa1db7a032b80945fcabf954b18d00

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2BD1.tmp

Filesize
5KB

MD5
1efc3dabeb7009b6007394dd082dfd86

SHA1
a410d235b0cf2733a2ebccc1215dc6d0302a2540

SHA256
6185bd2851899871047c82a55a8019a7f3435270e8e93bc06aa3dc757ff55846

SHA512
25cf1e8e4a81fc324e1b0324c41f67381ca47760a9cd64b52111286f4ce2b02228db5c5e948586201628ba0a6b8fc73597b216ecfe3b74f072c3ba9c0e7e3bdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2C10.tmp

Filesize
5KB

MD5
a4da846ea032d0e25d23ca969a569fe4

SHA1
facf679f92a929a6fd914bb43f7b52e6536b6802

SHA256
329ca0161ca179613635d25604e61a249ba4f1b762f5672bfe27c3bb9a7f47d3

SHA512
3255e2339afa13b7e0f1d74572712bcb87ee7366859b3161bf2570b57a9738c1d195a14a7f784849e1ce2233f31b048c393c07f854c0a7a9fb037693d941f8ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2C5E.tmp

Filesize
5KB

MD5
f039d48c1767e0e4303ba43ffe355c97

SHA1
2e92eb77d16962623212f004480717303db5101e

SHA256
e78a94663d6c227a309e24b0952ee7ec52c49fe817a02f29516b36d24d465acb

SHA512
4a5e0e693827cbf1a742f71e8b6395382cdfee797ee1e8b0b3fb9e4132e593da9cc532a5cb0b2e9d660d2eefc29f6b0bba849792a6385100348d18cda0950ec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2C9C.tmp

Filesize
5KB

MD5
abeeccd127afe60188318600ec0e2795

SHA1
adc607f07fc09053d796abf25095c76b361436f2

SHA256
d1df4661c37810b6e6d906cad05c9e45c42a080f2b832e56c9e08316a35f6792

SHA512
7a6ff2db0e83b9b6d24210fb9a44ea3e0345221f656f46290841bf352edac16dc5a4cb4e8a914ef60c6ca507e6bd5eb1e169ea187feedb7b3050022567dc0ab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2CDA.tmp

Filesize
5KB

MD5
55e078852806b5d83533794483a09a7b

SHA1
ed79aa8f044b59bdef3c7091acab59f92543227c

SHA256
be654a24194cd1ffca4dd20466530905c4f208bbfe0f464746d6784bb56e60fe

SHA512
632b637781498756bbffa5b267d80ed155f6b89a2842a9691f7cf302ec8ddc1b360d1f4202661b666fd01a1335c6d0ef2f2c69a10c5ff15f086156f2eb031068

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2D19.tmp

Filesize
4KB

MD5
5c923814413ea3e2619c6411e67015c8

SHA1
6c9e8e4530dc8a178e2c058b081ede57f1f50ef3

SHA256
285b92c8b3a65ce129218f8b18d1a07585d8709b0005f672bd6c966cbd4ab5e5

SHA512
9160e44e73ef4b97e95a7b85ec743a21f51f8f8dec426fda98c292bff7998814cc435091188eb0d6fce42614ad8ce71bdebf72dbc61617658a611f6d82be3a28

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2D57.tmp

Filesize
5KB

MD5
4a95cbe7406a930bc0b431ccf5ec97a2

SHA1
1ef8622262c9d6c829affd42877361fec2ac105c

SHA256
61d27f9f3053d3366d2ea7234418be37478f0c1773d7d622f2b9c7e0c39f07a3

SHA512
b83016a32a253624ee336c74cfd1265f4bd5c95fa7667d776e236783a537215440b4d2a5f7ba6f9421a756ce11b22c3584544d3f9c5d9c4b0a7e12a5fc09da14

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2D96.tmp

Filesize
5KB

MD5
0b29c6dc82961bb1ba502861a41b0a9f

SHA1
0491d8095d42138c473b92f400b6138662cdd8ef

SHA256
3152b3a5164b8f7ced037e4dce64e877bd6054d4d39caa0547c318ccd25d15f7

SHA512
1b4b429c2f60dd47f37bbdb40c19bcddb1b2c0c708b458c11969c89bb5f94db82dab6dad7ccc9c2112c50c0c584de93924a4be242a9738d6ccc36e6dd7ca55fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2DE4.tmp

Filesize
5KB

MD5
5b433d6e19bfb6046ea8babe98b38fef

SHA1
f7c31647ca9efd914a1bd005664f6216fc412c86

SHA256
71c163391ea0a47c536db329b28344f6b99f06c45d0d5d9a898b0c024d961cec

SHA512
f42496445d976b4d09942f2cd7cf60fa0abac253601a956eef473a0a8e632ad2552926a0c55edf6ca87e3e50e48d0833fe86143158bb413068206ad667fbbfd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcDD06.tmp

Filesize
668B

MD5
3906bddee0286f09007add3cffcaa5d5

SHA1
0e7ec4da19db060ab3c90b19070d39699561aae2

SHA256
0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00

SHA512
0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\xvyzidww.0.vb

Filesize
373B

MD5
7d0d85a69a8fba72e1185ca194515983

SHA1
8bd465fb970b785aa87d7edfa11dbff92c1b4af6

SHA256
9f78b435099106c2c3486c5db352f7d126b3532c1b4e8fe34ef8931c7b8968d5

SHA512
e5ef339dc329dbba2ab06678a9e504aa594d2f21ade45e49bccd83a44a76dc657f5f44dcf368f4d112bb3b01af2e577a487c6078751943770e90780fad202989

Download Submit
C:\Users\Admin\AppData\Local\Temp\xvyzidww.cmdline

Filesize
261B

MD5
7da32f6ff3bbdebbfe40e51293a071a3

SHA1
a3f992dce9ceefc5a4fdcf1960bfc7df9334f077

SHA256
5bdb0f81ca97d45444ceb1d3870e1fa7cb1b3a7004948a2971fd2c3e36406458

SHA512
5f04f73b04db36deab167744f24d290459773a432536b88ae64154a94b2019ca17ebad17e82896861f8aba66dcf7462121296ccdace685d69af397610c19d562

Download Submit
C:\Users\Admin\AppData\Local\Temp\zt51mtll.0.vb

Filesize
355B

MD5
acd609faf5d65b35619397dc8a3bc721

SHA1
ba681e91613d275de4b51317a83e19de2dbf1399

SHA256
4cfd86d51d0133dda53ba74f67ffe1833b4c0e9aae57afe2405f181fc602f518

SHA512
400ffd60ce7201d65e685734cea47a96abca58ca2babda8654b1d25f82d2766ca862a34f46c827249a4dc191d48f56005a9f242765d7becdda1344b8741a9d8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zt51mtll.cmdline

Filesize
224B

MD5
1c4f60c1dd327730deab46124cac0fa0

SHA1
0321591bd6aa92b7bf54e7ed9032f572738cbda7

SHA256
a70dadc875bd769adfe07376ac1dde69a9cee14614e8ea1b9db420c65c632055

SHA512
544989416e4d39d1f0152ce6fa898ac7a049d1b5ac6314ffb20dca890b44d5c47fdfecbb748ee9c04cd3ec5e89c9caa0dbb3762fe5a536eb0d605ea3367fd51d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe

Filesize
4.0MB

MD5
1d9045870dbd31e2e399a4e8ecd9302f

SHA1
7857c1ebfd1b37756d106027ed03121d8e7887cf

SHA256
9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885

SHA512
9419ed0a1c5e43f48a3534e36be9b2b03738e017c327e13586601381a8342c4c9b09aa9b89f80414d0d458284d2d17f48d27934a6b2d6d49450d045f49c10909

Download Submit
memory/1868-360-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2064-362-0x0000000070ED0000-0x00000000712DB000-memory.dmp

Filesize
4.0MB

Download
memory/2064-9-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2064-345-0x0000000070ED0000-0x00000000712DB000-memory.dmp

Filesize
4.0MB

Download
memory/2064-347-0x0000000070250000-0x0000000070AB4000-memory.dmp

Filesize
8.4MB

Download
memory/2064-15-0x0000000074850000-0x0000000074DFB000-memory.dmp

Filesize
5.7MB

Download
memory/2064-7-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2064-14-0x0000000074850000-0x0000000074DFB000-memory.dmp

Filesize
5.7MB

Download
memory/2064-13-0x0000000074851000-0x0000000074852000-memory.dmp

Filesize
4KB

Download
memory/2064-4-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2064-2-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2064-5-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2064-377-0x0000000074850000-0x0000000074DFB000-memory.dmp

Filesize
5.7MB

Download
memory/2064-6-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2064-346-0x0000000070AC0000-0x0000000070ECF000-memory.dmp

Filesize
4.1MB

Download
memory/2064-11-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2064-33-0x0000000074850000-0x0000000074DFB000-memory.dmp

Filesize
5.7MB

Download
memory/2120-12-0x000007FEF5950000-0x000007FEF62ED000-memory.dmp

Filesize
9.6MB

Download
memory/2120-0-0x000007FEF5C0E000-0x000007FEF5C0F000-memory.dmp

Filesize
4KB

Download
memory/2704-32-0x0000000074850000-0x0000000074DFB000-memory.dmp

Filesize
5.7MB

Download
memory/2704-20-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2704-22-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2704-18-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2704-16-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2704-26-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2704-29-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2704-31-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2704-34-0x0000000074850000-0x0000000074DFB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads