revengerat | af8a19443518dd4b892c8080ea61b6d87674c73faf1f8f4061d025eec3999649

Analysis

max time kernel
144s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
04/03/2025, 03:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New folder/RevengeRAT.exe
Size

4.0MB
MD5

1d9045870dbd31e2e399a4e8ecd9302f
SHA1

7857c1ebfd1b37756d106027ed03121d8e7887cf
SHA256

9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885
SHA512

9419ed0a1c5e43f48a3534e36be9b2b03738e017c327e13586601381a8342c4c9b09aa9b89f80414d0d458284d2d17f48d27934a6b2d6d49450d045f49c10909
SSDEEP

1536:SGZiTHzreu+4SHYEJicHHkxcPiwlJ6BjQaJ7ehgQpmnp3bDBq+AD3tSYxV:Z8AHxicHEuP5l/aJ7ehgiYDk9SYz

Score

10^/10

revengerat guest discovery persistence stealer trojan

Malware Config

Extracted

Family

revengerat

Botnet

Guest

0.tcp.ngrok.io:19521

Mutex

RV_MUTEX

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral28/files/0x000d000000023bdf-105.dat	revengerat

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	RegSvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	RegSvcs.exe

Executes dropped EXE 2 IoCs

pid	Process
4492	svchost.exe
1920	svchost.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\svchost.exe"	RegSvcs.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
86	0.tcp.ngrok.io
6	0.tcp.ngrok.io
64	0.tcp.ngrok.io
79	0.tcp.ngrok.io

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 1388 set thread context of 2944	1388	RevengeRAT.exe	87
PID 2944 set thread context of 3420	2944	RegSvcs.exe	90
PID 4492 set thread context of 4652	4492	svchost.exe	127
PID 4652 set thread context of 2136	4652	RegSvcs.exe	128
PID 1920 set thread context of 1292	1920	svchost.exe	165
PID 1292 set thread context of 2592	1292	RegSvcs.exe	166

System Location Discovery: System Language Discovery 1 TTPs 39 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2168	schtasks.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1388	RevengeRAT.exe
Token: SeDebugPrivilege	2944	RegSvcs.exe
Token: SeDebugPrivilege	4492	svchost.exe
Token: SeDebugPrivilege	4652	RegSvcs.exe
Token: SeDebugPrivilege	1920	svchost.exe
Token: SeDebugPrivilege	1292	RegSvcs.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 2944	1388	RevengeRAT.exe	87
PID 1388 wrote to memory of 2944	1388	RevengeRAT.exe	87
PID 1388 wrote to memory of 2944	1388	RevengeRAT.exe	87
PID 1388 wrote to memory of 2944	1388	RevengeRAT.exe	87
PID 1388 wrote to memory of 2944	1388	RevengeRAT.exe	87
PID 1388 wrote to memory of 2944	1388	RevengeRAT.exe	87
PID 1388 wrote to memory of 2944	1388	RevengeRAT.exe	87
PID 2944 wrote to memory of 3420	2944	RegSvcs.exe	90
PID 2944 wrote to memory of 3420	2944	RegSvcs.exe	90
PID 2944 wrote to memory of 3420	2944	RegSvcs.exe	90
PID 2944 wrote to memory of 3420	2944	RegSvcs.exe	90
PID 2944 wrote to memory of 3420	2944	RegSvcs.exe	90
PID 2944 wrote to memory of 3420	2944	RegSvcs.exe	90
PID 2944 wrote to memory of 3420	2944	RegSvcs.exe	90
PID 2944 wrote to memory of 3420	2944	RegSvcs.exe	90
PID 2944 wrote to memory of 2392	2944	RegSvcs.exe	99
PID 2944 wrote to memory of 2392	2944	RegSvcs.exe	99
PID 2944 wrote to memory of 2392	2944	RegSvcs.exe	99
PID 2392 wrote to memory of 2012	2392	vbc.exe	101
PID 2392 wrote to memory of 2012	2392	vbc.exe	101
PID 2392 wrote to memory of 2012	2392	vbc.exe	101
PID 2944 wrote to memory of 2156	2944	RegSvcs.exe	102
PID 2944 wrote to memory of 2156	2944	RegSvcs.exe	102
PID 2944 wrote to memory of 2156	2944	RegSvcs.exe	102
PID 2156 wrote to memory of 1772	2156	vbc.exe	104
PID 2156 wrote to memory of 1772	2156	vbc.exe	104
PID 2156 wrote to memory of 1772	2156	vbc.exe	104
PID 2944 wrote to memory of 2592	2944	RegSvcs.exe	105
PID 2944 wrote to memory of 2592	2944	RegSvcs.exe	105
PID 2944 wrote to memory of 2592	2944	RegSvcs.exe	105
PID 2592 wrote to memory of 1272	2592	vbc.exe	107
PID 2592 wrote to memory of 1272	2592	vbc.exe	107
PID 2592 wrote to memory of 1272	2592	vbc.exe	107
PID 2944 wrote to memory of 3844	2944	RegSvcs.exe	108
PID 2944 wrote to memory of 3844	2944	RegSvcs.exe	108
PID 2944 wrote to memory of 3844	2944	RegSvcs.exe	108
PID 3844 wrote to memory of 1268	3844	vbc.exe	110
PID 3844 wrote to memory of 1268	3844	vbc.exe	110
PID 3844 wrote to memory of 1268	3844	vbc.exe	110
PID 2944 wrote to memory of 4332	2944	RegSvcs.exe	111
PID 2944 wrote to memory of 4332	2944	RegSvcs.exe	111
PID 2944 wrote to memory of 4332	2944	RegSvcs.exe	111
PID 4332 wrote to memory of 3360	4332	vbc.exe	113
PID 4332 wrote to memory of 3360	4332	vbc.exe	113
PID 4332 wrote to memory of 3360	4332	vbc.exe	113
PID 2944 wrote to memory of 3312	2944	RegSvcs.exe	114
PID 2944 wrote to memory of 3312	2944	RegSvcs.exe	114
PID 2944 wrote to memory of 3312	2944	RegSvcs.exe	114
PID 3312 wrote to memory of 2208	3312	vbc.exe	116
PID 3312 wrote to memory of 2208	3312	vbc.exe	116
PID 3312 wrote to memory of 2208	3312	vbc.exe	116
PID 2944 wrote to memory of 4492	2944	RegSvcs.exe	126
PID 2944 wrote to memory of 4492	2944	RegSvcs.exe	126
PID 4492 wrote to memory of 4652	4492	svchost.exe	127
PID 4492 wrote to memory of 4652	4492	svchost.exe	127
PID 4492 wrote to memory of 4652	4492	svchost.exe	127
PID 4492 wrote to memory of 4652	4492	svchost.exe	127
PID 4492 wrote to memory of 4652	4492	svchost.exe	127
PID 4492 wrote to memory of 4652	4492	svchost.exe	127
PID 4492 wrote to memory of 4652	4492	svchost.exe	127
PID 4652 wrote to memory of 2136	4652	RegSvcs.exe	128
PID 4652 wrote to memory of 2136	4652	RegSvcs.exe	128
PID 4652 wrote to memory of 2136	4652	RegSvcs.exe	128
PID 4652 wrote to memory of 2136	4652	RegSvcs.exe	128

C:\Users\Admin\AppData\Local\Temp\New folder\RevengeRAT.exe
"C:\Users\Admin\AppData\Local\Temp\New folder\RevengeRAT.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
  2⤵
  - Drops startup file
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3420
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ozzoblhg.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2392
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES43CA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA6A8F2DD92AA4470BA4D9071293252.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2012
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cz8asbor.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2156
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4447.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc482BDEBDBE0041C6984561C66874BC.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1772
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0xepsxjl.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2592
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES44A5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7EEAD48FB9CF4B26A0F63DD888F49510.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1272
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\doehl9pf.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3844
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4522.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9224DE352CF438A95F5912F2162C436.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1268
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\y1k84aiv.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4332
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4570.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc883374F697834D19808D7AE8B1B10AF.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3360
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1qnrtung.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3312
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES45ED.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2FD8167A4DE94C1C8AEEBDE92F546DF.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2208
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4492
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
      4⤵
      Drops startup file
      Adds Run key to start application
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4652
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2136
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2168
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zfdctryd.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4760
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF5C5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE79621F0D4984C82AA511C1213F31E56.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4472
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rhddqfz6.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1908
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF680.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC7033B3FD6A420DA12B76891A9499DF.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:948
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mlhtmfzj.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3608
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF70D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7064F46F236430AABB92504F6A96B8.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4112
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tc0a7gst.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4396
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF7A9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3B08CEF26E9D40AA9024EDE4FDA9E339.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:668
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vfjegyrx.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3124
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF865.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc52583EF5C71B4CED894F4F183C8B34C.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2944
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\g_ypzxyw.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3644
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF920.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB96E0EE6E5D41699C8593CAF7D32FE1.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5048
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\iiysiaio.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4320
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFF79.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc81E2B139633941968BA1DC16D8492AB8.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1216
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\s0ycty-t.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4212
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFFE7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB5804815BB5C4E19A0AB85D34BE37E4.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2992
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vrjzph5w.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2384
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES73.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCAC60FCB67A4E079513D6C02F3B51B.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2020
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3whndvap.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3036
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCA087E5BACF54BF3A07770D53C5C699E.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2352

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1920
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1292
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin.exe

Filesize
7KB

MD5
60257db96a5a93595f5dd9aa7e870900

SHA1
64c66e7de7ab32128f691eb9e804f0a5f92c2c6d

SHA256
43773eb38d0a1da91a3a4f5071850fdf300c93f95450ce01d88c13958c73cbaf

SHA512
68fdd64b8f3ae08fe332a134a4ade66b93cc5d8f9bd5637bc4b48745386fe523c11040e77248e661870e57715915dcc4a7c90eb8cb6b959135221f49901b230e

Download Submit
C:\Documents and Settings.exe

Filesize
8KB

MD5
3b9be22d0de084505965a91afab90c8a

SHA1
0d7c2a2730325d66cd6cc7eddd86052c61fa89c4

SHA256
4fb30cdb63f46faaebe805bd873f88a2386abe180c782a436074a2c459b84cb3

SHA512
2c6897c27770ac742877f08c579600ce614833ae9eea2709ec3a1d4901a2ecdc8ba59ecfc045106965c3ed78cff098d77751a13d0c65dad78b0cbd727c674890

Download Submit
C:\PerfLogs.exe

Filesize
7KB

MD5
37241f3cacf1a9a0b582430ec3f2d1f5

SHA1
62f41cd2052d6e33f20b67a6c96ae3404ac02c7a

SHA256
fc396b4578a2de73a6f72f22377bfd5d37a57ddce8cfd1bee84ad2957e0804c5

SHA512
fa5522063ce5957388d636e6966932259976bb8a6536f8d9c9a83d0c21f9f675cb92028431f2437e347f3022c270dd291a073ba7e32f6de4bb20352cd6283e8d

Download Submit
C:\Program Files (x86).exe

Filesize
8KB

MD5
54bc9b69d6a20b48b0c04438a2102d67

SHA1
ed0e8dca7a2b3a452455f410ecea273b336e0e94

SHA256
a43db9a578293fa16dffb7178c9832d14168afd5cfe83d47da53c2e48b08662c

SHA512
f6d31e77cd90c47a73826a543a94112d7f12cd3b28efbb52d6cffebc5225f076d16710d105238b0a646f3cf2a9cba2b85c590e0533e78885fc28e4dc1938b9d8

Download Submit
C:\ProgramData\svchost\XjtnxDp.ico

Filesize
1KB

MD5
42d552558e7e6f7440b2b63a6cde217f

SHA1
9c8fa01060f667cf3b0caad33e91fa59e643cf76

SHA256
11b5a0730666935c78d22b379f83ea5fc30d1afdea09a796b4f18b38a1e1ef69

SHA512
e6a6dc1239b9668e7ffc883b3cf46aff8c9f86ef11ae975f6fb65531d8b9313acd7608272042e322fad415a45c0cf767252d2c620ad066e6809656af0f09441b

Download Submit
C:\Recovery.exe

Filesize
7KB

MD5
da70281245c0ae7ffb039a219f2d5662

SHA1
1fbdc15dacb4d986b58f79edb2466ecf7f5230ae

SHA256
055a13e5ece4d120133b631b6b60c9d6bdb301e006be9df2e5ae70d8328fc066

SHA512
0d082ec84d3b250b4572507377f8d942a023e0fde3dc2c72cc03ba03ca532834463d05dc2c1fd23dc9b5736ef511502b266f388b1296ca15cb093663e998cebf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RegSvcs.exe.log

Filesize
120B

MD5
50dec1858e13f033e6dca3cbfad5e8de

SHA1
79ae1e9131b0faf215b499d2f7b4c595aa120925

SHA256
14a557e226e3ba8620bb3a70035e1e316f1e9fb5c9e8f74c07110ee90b8d8ae4

SHA512
1bd73338df685a5b57b0546e102ecfdee65800410d6f77845e50456ac70de72929088af19b59647f01cba7a5acfb399c52d9ef2402a9451366586862ef88e7bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\0xepsxjl.0.vb

Filesize
338B

MD5
7a354b496b9b397ebb14057eafede32f

SHA1
8970ca3895ca9472366e4fecc1f1d79ac1da78b8

SHA256
c12764cfd58a8df36d22008411f5054ab82256473817260f1d55069f04a083f8

SHA512
ccd8ebaf49e1d94610ac85571a5f3eec92eecb4e07f2138804dc4caf49137d03b30d69540c1a9ece6455539423b906a6c3c477b8496e93fbfce8c815836da5f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\0xepsxjl.cmdline

Filesize
194B

MD5
9ad8caad90f39fe8368a400c9de0b9ee

SHA1
2a6a8f6690761bb46a05b51f582db053c0a77cd6

SHA256
8ef2e513ccc82d7f4267f6f4d583e6067271d432bfa9935888b5b7092036d6da

SHA512
b16bdf7f168c32ac339ac5eb25353c93df3f16a02c76a69f00236bbe61975506a2e7a62718df5a02e42a75dd0b6dfb644c367ab9b7194ef8f8eeaae946211386

Download Submit
C:\Users\Admin\AppData\Local\Temp\1qnrtung.0.vb

Filesize
342B

MD5
b8566f5519856f80dec85a1a2729e372

SHA1
ae442bcd0c97fed28f38b2ae224a93bfdf14dd13

SHA256
ec9f3959285c7493041f7cd7008620ba10b6685d670b21a2c31173fe9b215cde

SHA512
3da5378a33b77fae8cab09d72ec4c940e20bb8d736b7a4b91ee45211270719c12afaca3bac39683919e1cd76e80c310fb179a800592807495eac5a6350777d67

Download Submit
C:\Users\Admin\AppData\Local\Temp\1qnrtung.cmdline

Filesize
198B

MD5
8b553dbc86e96a399685dd51409c5d3f

SHA1
99ff2f6b9e94d0a9791fcda984d64c31355b9dba

SHA256
4b660458c048b555e890e327368c94a7314ebf65805833321174e408a46d21ab

SHA512
b9f9a235af9db87e63ba4549ad60c18e49661e063cd5e3a1b235e63430e93d97fefa6c7defa059ffcdc148ec9757c30fead70275b0de5a97ee02a80996ae8f48

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES43CA.tmp

Filesize
2KB

MD5
ad5780aac3dcf8530919797d7398331e

SHA1
7cb10237e2bdea5db9384f97eb2554005af4c47c

SHA256
d81d4a9299116a8576109ad67d232a0186549b6d86118382a215c27d0df16759

SHA512
de9819395f63976e5ee09bc4052e1e8d0c223c56c9de5b53ee1dc58ef158b5d2fc772cd986b89da5c1e055992238e28568a82f6d8be990f2d49007fd68918371

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4447.tmp

Filesize
2KB

MD5
5fed827127923259b20ed7139ced949b

SHA1
4f87770bb6f0e8febbcb3dca5d194f39fc090a27

SHA256
648f9b70a98ba278635f4b0ab2e2e1bd047f7df089d564c090ecabcbfc57f064

SHA512
9b2b35e1009505c0c01df7b7c7a119b70e27e641fee7bc38c4f776c578506d91df481b96fee12858bbbf5043078b09df140036946df67c26ae333908f68c1c74

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES44A5.tmp

Filesize
2KB

MD5
5a2d3309bcec7315d13e73e8fe583ae6

SHA1
d59ca14b001498204c01b5a59111fed93dc8c53f

SHA256
87878596a51acfb12a1851f7c1210d0478be7a4862ada388d7fcf22b97520c83

SHA512
a873824bc10522b5a3c186392378407d0cec34edeaaf90fafbe9fef9d843e88a1dbeb783bd4c911828c929eb6cb5d43cf9b5723ebad9c551dc72d593246f9cf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4522.tmp

Filesize
2KB

MD5
6c8e12a2b67a65ba6d29b0b58f242809

SHA1
b6327a7e1b3ded6c2dcbc1301a2e2e15ff652a0f

SHA256
6533425a918be309b5ce79de9773f9d59edf4a1a21360abe0667358b5732d785

SHA512
2d5d07e13605d9fae3d80bd994d2756b9e0511b25dd5e1c7486e90d49520af469f8134ecc2b75cc751b28e056457b17662bf089975931c01a76020f4df37acd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4570.tmp

Filesize
2KB

MD5
4276ffe233a5ba793ecaf851ef698c17

SHA1
26685ecb00781b6b2368fd64890465cb77c5f70e

SHA256
b97797f32883365f7aff0ff7b9feabfc146bb969f86cabfb7f38c27b336fa808

SHA512
e3929ad1fadd2e3f44c8618ac3220f336299e238decf04141f07b2c7e7bfc48f22bd7ba03e15b0085a13b7578662e1ea17531836d8627fdf32101be6c9188d6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES45ED.tmp

Filesize
2KB

MD5
19daaa9e0a0fd7ce5bd4958933925e44

SHA1
4004b1b5c4b43007f8ae6b49b2e10dd0fa08cba3

SHA256
d5be7c6c8bb7488e15bef8323815e36110f700e207772aef770cb29d5baade74

SHA512
e6b09d1c1ab2bccd7265958372b949fbd233e0be557e1d141f0bc6998a6ae4ced09685b074e41e98a7a02e4a20f70148803d6597e7912f64a0fd2740f47fb197

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF5C5.tmp

Filesize
1KB

MD5
2bd39b8de695939ab80b50d90b0102e9

SHA1
597db91a4e782ce7774a5910a09110cbe01abfc9

SHA256
7a1e1da1e3fd36d341f4d8b07e05f6278659b1a718872d193b21a5a118f43eaf

SHA512
94b7142508def180838b1c1b10e013651ed1365ba9d4bef04cb523cf10a9e16b0b778982564a614b1ca09245e2ad9cbe9a4da5cfd755d0c24f08a5bda541ac4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF680.tmp

Filesize
1KB

MD5
79b6580d6ce737ec0f3e1553f99a55b6

SHA1
e0241f08e1e06dce9943ec2ac96426d02a9cfa78

SHA256
d97291a21d1529a871b442246a275f39ed4ad08c5f52f4677e63be9b470fc640

SHA512
44e2b579f0ae083c5a10b07efc291ce2dfea723a3bbe607e3341f321927efd994f16f2e751326a3cab052d82326c5b5628690982cf1c17d3d71c7f318a308a6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF70D.tmp

Filesize
1KB

MD5
23f3a73bc2de9214caf144ab8f151a26

SHA1
379bf532a19534b6e59ebcb0c0888cf13efe01b6

SHA256
8257014b098c288bb1a8c874253cc75e55038889327c29dc94b4c96a72feb7a0

SHA512
c188a5c6292bc5ee087ad4e44dad4525e23af0d0d3d532f938411f4efaa5172bd073a3a7b44aec6a0dad7f6ab842440b0f21e6143d460d51281360c60359f591

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF7A9.tmp

Filesize
1KB

MD5
9190d497d582dc211e0dea360e303612

SHA1
b43f1d84e70a13cf67bb029761bc879ad090bd78

SHA256
8dd45aa507c2427890c35f95c3962414174ad2bec685e380a89fdee50a53bf68

SHA512
8e9c3544474a002df983dfab5177f75fb5e1c5135dea007b6bc0bcbb8e1adc46b917013027969b057cd37d4fd978039416ac8165120cbbb9f29bd015f0461f8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF865.tmp

Filesize
1KB

MD5
258d7ae8fb7593e3e62f486c2cd418b5

SHA1
e3bcee203e439e0ee6dc9f47f5839184e28d4804

SHA256
568ba69e5e78b131e887915184672fdef9d18d84fcd2ad7c3bd6c85200ebfbeb

SHA512
ba80a4dc7806cca86d628d2ae85c630e6c3b92e6bb459df227aad9bbbc125f75147c98fb609a34aba6a3972bd8341999d364ff174eb393fba25c346a91a1d10a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF920.tmp

Filesize
1KB

MD5
82542923d56180a124156e5174c3e807

SHA1
2dcdd688518c3d1e51bbb0542ec6950bfa969391

SHA256
df65777e89771d2c6a2f7ff527a53976c89d4002b2d321759a7afe130ddaeff6

SHA512
3a34dd35e8703a494cc0e28cd108a9a9ab3cc64696a45672e183a8384ff3041befe003e9378d0a53989fdd447510667ccf244dd09f4d8c2789b7def8cb4fea54

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFF79.tmp

Filesize
1KB

MD5
00e0d528e85dc347223ef352923486a4

SHA1
0db71edbf4ec4e5aee28607478507845b00fbbc3

SHA256
2676d1ca4fea642ddf1cd1318e74ec09d8a4be0480994b424076a2dbf1ffd043

SHA512
be0d801bf861f6fa2ddda63b883735649ccec03f41ec18ab95bb6946097a1123ab558e32e550cbfeda2c51ba1c60e8dc081ef71d70ef9838b06196725375280c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cz8asbor.0.vb

Filesize
352B

MD5
1830e137566529844ec4176432dbbabd

SHA1
34e0949bb3b0258f4b70cf50a1d78e124e0c62d9

SHA256
57f9e5ea5a7f49bdabb9bc2d1b36588e6a9a004e083a3a70c753cef82d032fcf

SHA512
63080864b35571e333f276865b639f8af805e1d5f6077b899db55b6bcf0f8026027989350d5051523c5cb58c4358a3ce5d7c26e990b08403cca223e41ace8468

Download Submit
C:\Users\Admin\AppData\Local\Temp\cz8asbor.cmdline

Filesize
208B

MD5
fbb9deeafd2b94a446decb265fe2ec3d

SHA1
6139e28bd31245d382c86808e460a885667ad686

SHA256
ddd6deb8b12600c299c662bdbae640bd5e17fbc6d55bc331ecdc055c8d1499e9

SHA512
12baf6f4285d35175326fa97b0ec95a5086483711ed92ea767803cd93cfcd032d8dd30a80646d6caaaeb7659d560d399ccfebbbaf53c87e3f68ecadfb0b298b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\doehl9pf.0.vb

Filesize
349B

MD5
a983e17fe05ca4e0cb4b37cd05d31792

SHA1
cc91ff79215a350a6a1f2bb4f039d894198e8421

SHA256
76bd2ec98b0d41223725675ce1c055c6f926198151d1fdbe94198ceac68f3eef

SHA512
37400beb6ea1f6c93b7e74124db9a26c6f8ee21d60e4830100aeeba40c7f983d16031ef0e0001935ff3cf0f3392abcf2b88da8476a3ee1c73671abfd3df79ab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\doehl9pf.cmdline

Filesize
205B

MD5
c82d8a989bdc226334b5c9ccaae20b95

SHA1
79c4451645ff30b0bfba611fc3380d73bfe3c869

SHA256
a1e7ea01d3aa3b8589a2b4e53411c39398b0664d6255474d0269787147ceafac

SHA512
72592c024d10256e5ac73f02f95c4ac7383660d22eb7190ad564ece86e76ceeeebe5e6e6cd7c6bbd652e480076dc92b76eff52a54fb4c10364170a9925f68fd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\g_ypzxyw.0.vb

Filesize
280B

MD5
b77a186995634af20ce8b006671fecfe

SHA1
4ecf62cbf48d0f6ecd011cec5c09cbb128b0e653

SHA256
d5a80c6859c4c155f89cdc76f0092bf009f7311fa5e4352993fb6eea0ff00df6

SHA512
bcdb2e73b7d369e0c8f3d12fd955e76f777a22137f3c813c39346458982405780db77a15afa46fdf5cf282ee06ae6c85f3350e89d4ed410b34a7e869bc250927

Download Submit
C:\Users\Admin\AppData\Local\Temp\g_ypzxyw.cmdline

Filesize
171B

MD5
ba9c027963ae093baae41f7bf2e60ede

SHA1
48e99f8cb04980bb11aa6205c2c286c83809e340

SHA256
a254fd773da1c5dbb5fc9bc9a31d26b7bbef65f9ff812b04bc4e52789d1ad2ed

SHA512
bfc1e9776c6a5aea0beb9316a717ad88d96f189acc25e9c5b53d360d2e3c487969369295e073c789a7e3b019df1dce75d0de692f5899634c2d6f3c09a8c77145

Download Submit
C:\Users\Admin\AppData\Local\Temp\iiysiaio.0.vb

Filesize
283B

MD5
3e4e9235ce3ee5cc3dcfd2ae0094cad1

SHA1
9361befb9e40acdc08da7937055885fc0809e93b

SHA256
5f6cffb6892b34e718287ec29358945ea1fe8bda8b42f8704ec21a5c839a458e

SHA512
3bd6e12ef0574d260484848dd4b240849d7ea579244c1b56bab2068f3a5e6ae3f43d84febc86f6915ac455d0ecba964bdac075d6dfca656e2a60824aaa6d92b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\iiysiaio.cmdline

Filesize
174B

MD5
35c387af9d0f4852288e49cd59cc038c

SHA1
0a0c743e94198c4e034e3a26f6cae8d2b41c7d47

SHA256
320f81bc5703648e6ac5347e189a3a07f906ebf7b659b692a46371d4aaa225ed

SHA512
cc534bf22e71c4ff04506d8ee9f833f0537f284530b74336e91b68e06add2bd9fdbbad02473ba8072cffb464b131a47a1cdf2e4a89987c2cc14196760a8534aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\mlhtmfzj.0.vb

Filesize
272B

MD5
adba28f3832cd1602a6a4dc994a1ccbf

SHA1
5f40fc67ecee10e69edecdd5e1b8b76c1a5e7d37

SHA256
b0f3da06db0ffd21dacc7e046a93874c781af82786ab637e72222f8bccabacaf

SHA512
0051da407df06426005bee8f9d3c161936b301ddac3e1e0e42bb2940b603316a420e59ad5aebb7d4f079273c064a4bb55ddae5c93150ad36f33c8b66b53cc9e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\mlhtmfzj.cmdline

Filesize
163B

MD5
213dc4fa6af5cb2cb04629027bb0ab9c

SHA1
f69e1258f2fe7299326b9fb44a16c76e530d5cb8

SHA256
a25ec1e23a8edd22b2971ec37bdf72aa75508cff621881c045f4a37cf47032e7

SHA512
61a3b3f670e3f85559bead008076265369b1dc94caab37b7358200a444cf33b1309a7b65e0f3f13a02c83e5faa936330a617ef92e6ae7c937a3e937f0ef431f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ozzoblhg.0.vb

Filesize
342B

MD5
eb057b2b26beedef7d931bf659fb6f18

SHA1
3136c99b96686db9ded50aa19b55155c752551d5

SHA256
3066d848e6fa1f1a5041286509fe0319b7e5cf96941f2f3914af9873aaeeb414

SHA512
6d40f52117023ea3171c49cb544c13b703c220a49b7f251d9d4d14332ef637d14ca28e425e723d0906ef31ae77335e38a9e7ced009cde90645b31dde4cea8f32

Download Submit
C:\Users\Admin\AppData\Local\Temp\ozzoblhg.cmdline

Filesize
198B

MD5
dbcefc1fd87d183fa0b3954d909112e7

SHA1
da4c0260c12f72887e317ef74b027a5b939d7d82

SHA256
304310100c3a56f0ad77637aced1adc3e0d5c09a1482b47387b5330fcbe24794

SHA512
440f985df034502c2dd3512fb7330a59e9067b6ca83c8fbcf67e8aecfd52c0d4dee1d88ff3b2e2827ec6d202a8446faeb354226c6a6daa5066d1e67d53c7d888

Download Submit
C:\Users\Admin\AppData\Local\Temp\rhddqfz6.0.vb

Filesize
271B

MD5
e7e907e232e10e9db26a6b794bee7db9

SHA1
f1c333b095d52a354ea143f75d8731e212a1ea77

SHA256
3f67c2c555b72a66e87847b90097e6f3264bb772a2e557c98d8cb3dcf344067f

SHA512
db4983c0aa04eb26f152385128cf7641ab6f313eb78bad281807b31fc307c108ff6233e1bce99587a581bb8f4d4c648e358cf01485386b0748a74c7490814fe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\rhddqfz6.cmdline

Filesize
162B

MD5
730e83eb4f696263e31b1373a95154eb

SHA1
412aee0cf7ea8c2d55bbd11295920a12c1425cb5

SHA256
03b19cc6ddab6384ab77c6160c0aaf84fc34e040ab87c18f801deb7cfb96bc9b

SHA512
a295737b24feb29ebe2ed813e5087ef49fc7a6d6f905c51914ced17d578cbf6894b021704937b0f9dc102483deabeafbd8ad1d4fba472ecbbaf6826d9e25cfdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tc0a7gst.0.vb

Filesize
280B

MD5
24f16281edbb494caa9395e5f321fb4a

SHA1
5905c6be6149bf3f915e0acebc610851811b121d

SHA256
9c8bca52e106eefeb17387bd6fefe7341f280d7dafde8998bfd11486d5c0b8b8

SHA512
c606b756f0f5fc669f885d7125873e2145ef8bdc9c05c813795594efa76095cc428cd494cf151df622af199c89108b2992cae121fad77fd954c717528dbfb875

Download Submit
C:\Users\Admin\AppData\Local\Temp\tc0a7gst.cmdline

Filesize
171B

MD5
709655e0ffb18b2d85929677c427961f

SHA1
cafc504143ed9ba50a02c005de3ecce8809bceb0

SHA256
691cd5a99020e942cdf7c9333546b99aa15b942a132dfcfd0ef5b433d2b0b6a5

SHA512
1253846b49426f40531d58ee42bd79098a106148b168ed977f9f53d5e9830e21e740fbe8c263b044650c6d47ef46a51f8973be45b7a50d3edabd4e7b25151262

Download Submit
C:\Users\Admin\AppData\Local\Temp\uRClgZblR.txt

Filesize
88B

MD5
afcdb79d339b5b838d1540bf0d93bfa6

SHA1
4864a2453754e2516850e0431de8cade3e096e43

SHA256
3628cee0bef5a5dd39f2057b69fbf2206c4c4a320ea2b1ef687510d7aa648d95

SHA512
38e7e92f913822cc023e220035ada6944ffbc427023687938fe5cbb7a486abad94808239f63577c195afb520fe1a1a1b14e1050c0c03c7d324ddbf7cffdc304c

Download Submit
C:\Users\Admin\AppData\Local\Temp\uRClgZblR.txt

Filesize
59B

MD5
d602a61ee57bcc4830ebe29151bf628e

SHA1
5b36232a99544df60b27fc87cdf36817758ec659

SHA256
9e85433cd508542ae645092755f427204ac98bf3ac9f2e9260327ca1a4c1aa71

SHA512
07b0e326c405f0a0cd2a1810132859adeb13dfba126ab868394f0de2efc8f68fa04b607e3d25a7b5004cc5cb531a236ea224c699c86925a518ff6d486a56b44a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2FD8167A4DE94C1C8AEEBDE92F546DF.TMP

Filesize
1KB

MD5
6b07ad6409d5b9840e49b087724652b0

SHA1
480ed8da114083a3e7a1d0da123ff59b09856221

SHA256
cbe03dd1171ca217848e8ecc1f7d3761c65ce87b7bda41e8577aa8cd4249bbc8

SHA512
aa9cc80fbc2b0ad58cfa6e144605f028d09485480b0fc13121ba95af214c799108cc44f3c4ca4f7244b21c2ddbcb915960b1e8e8168d2f0fac388b81c574e6ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc482BDEBDBE0041C6984561C66874BC.TMP

Filesize
1KB

MD5
2b1c797dc7d98302d160cad8a48bb569

SHA1
d21abffaad078bf1001bdacbdbfc415712e4aa5b

SHA256
e8e832364befd892bf3b4e354cbf450777ed6c8ed4ab53e4da6b19b07c537a67

SHA512
61d97fc46fd371d92a6c52034452cc3ab40342bf8e2ca789c49f8e59b7c01af3b84af612769bd0042800f9786448f9d1d38f1047116f1720eb2672d45ee7a8a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7064F46F236430AABB92504F6A96B8.TMP

Filesize
676B

MD5
85c61c03055878407f9433e0cc278eb7

SHA1
15a60f1519aefb81cb63c5993400dd7d31b1202f

SHA256
f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b

SHA512
7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7EEAD48FB9CF4B26A0F63DD888F49510.TMP

Filesize
1KB

MD5
ac7ce09218c8db7141245000895721cd

SHA1
212dfde15a3c423c390340fa58daa63d428e70d7

SHA256
7dea12ce0d65a04a31703cb278cdb111b323cbea6d50f2240658532249f7a008

SHA512
bf6b19efd3e73cc9001a5ed141356cfc2b8d71a201f0e7dd3b7467ae5c74c392690c13c30bf476f83db31e0779657ba7f7fe602557cf5c7448d7d120883534eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc81E2B139633941968BA1DC16D8492AB8.TMP

Filesize
684B

MD5
8135713eeb0cf1521c80ad8f3e7aad22

SHA1
1628969dc6256816b2ab9b1c0163fcff0971c154

SHA256
e14dd88df69dc98be5bedcbc8c43d1e7260b4492899fec24d964000a3b096c7a

SHA512
a0b7210095767b437a668a6b0bcedf42268e80b9184b9910ed67d665fba9f714d06c06bff7b3da63846791d606807d13311946505776a1b891b39058cfb41bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc883374F697834D19808D7AE8B1B10AF.TMP

Filesize
1KB

MD5
82d466e70a06fd97e70b4c05c8511539

SHA1
6d3a0408a6f3eed89af0a27d8383ae39a3cb70e7

SHA256
5b8f8fa56de36074d2161897f719823caade1619af318f4911d9b851ddb1d871

SHA512
d1a9b28d0d7524dfc1b080c2d560dc13ede802245bdbc042fe12d22707071d4d21c767c6d62733e6868d164968312c24b88954c324bb81fc76ba38c0b106dc25

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc9224DE352CF438A95F5912F2162C436.TMP

Filesize
1KB

MD5
b5c81690b0eb8e17cf1e8e69e45773d1

SHA1
def824a0941fb6c703c69caea8f0e8e0f39c571e

SHA256
0fe4dde7f1e9e65db3ce71529aa56e8ca92b126d80438ca17ae1807397573b54

SHA512
b76b672601ae57c85c75dca0d57c140962a2b1e0c26307865de8d8c103c769fa377b5573c2f11ad01859e45ca384efbb63b6722ebb4fe7cb63b73d797a1ce1d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA6A8F2DD92AA4470BA4D9071293252.TMP

Filesize
1KB

MD5
296769437d2c28cc41fed36299d07d25

SHA1
51dae71c6541c0959647011fc3d13e3b7aeed44a

SHA256
53fa144580b0a916400aa8fd12b6300e90d5c7176736e2f535b5bbf26acfb574

SHA512
ab373a03ff1be8d612e1989fb8457d1d47286459587ba59bc20400ecd3edcfd77c959ea08913bc2f09746354de1e5737697b6a28dd548d77fce9f46a91eee392

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC7033B3FD6A420DA12B76891A9499DF.TMP

Filesize
668B

MD5
3906bddee0286f09007add3cffcaa5d5

SHA1
0e7ec4da19db060ab3c90b19070d39699561aae2

SHA256
0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00

SHA512
0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE79621F0D4984C82AA511C1213F31E56.TMP

Filesize
644B

MD5
dac60af34e6b37e2ce48ac2551aee4e7

SHA1
968c21d77c1f80b3e962d928c35893dbc8f12c09

SHA256
2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6

SHA512
1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

Download Submit
C:\Users\Admin\AppData\Local\Temp\vfjegyrx.0.vb

Filesize
281B

MD5
e74b78fa9f340aa84ea9521425d20721

SHA1
9ae5c680b046a29675c1d8e26513ca1bc4f6bdd2

SHA256
90447f9b09a6d9481a0cf4c14918e742b91822f8b28c0abc247a746fc83de10d

SHA512
7c16a47d4ff390f681e840aec30761788ac07e0dfd6c68c8cd84cf52f1d30d293fc03fe4644c54bd92a84ea2d652156c04fe2bc80e33eea2ec387bc1fb875341

Download Submit
C:\Users\Admin\AppData\Local\Temp\vfjegyrx.cmdline

Filesize
172B

MD5
5513db562fb70423dd7e019d7893336e

SHA1
96139cb453f0be910afef6139d2dfdb84a4adfef

SHA256
231c624b415c7c24fd8f5d5cd29a560497ea45a21b837fc9d12535d4e6285ebe

SHA512
e02373d88774d29718286f5b798dba4a38af21671ba210596ae8c92083f2aba84d95e090e19744f61b247d728fd69e61bc13ee8d96fb39b0f68ff9985dc4bf62

Download Submit
C:\Users\Admin\AppData\Local\Temp\y1k84aiv.0.vb

Filesize
338B

MD5
2de37b6c25304214817c88f9ec6e9847

SHA1
74f77a317b1f9822d11094eb3fe1c71797bb878a

SHA256
a4f127dbaa96ba729d5e754624b76625e5ad68908185b2e1ffaf5c935ba7ce7a

SHA512
a8cd8899cd8498598b992c158bb01850888d86c50fdf754f2223ee27613eda3e9a29aa7530ff60b7156da5d4ab030482aba59413cb5a842e8122c8df679bb954

Download Submit
C:\Users\Admin\AppData\Local\Temp\y1k84aiv.cmdline

Filesize
194B

MD5
3a68c6bf8e06269946e846172ab4976b

SHA1
3e052f12c06c2257dd4183b01450f519e012cb43

SHA256
18bc4f3f0b7189d6faaf99201c8c80f3022eb2710eb5b453c6c12464676ec097

SHA512
573a0ba4f2e619c20a212def0e87f4679c016db9a904eec48fbc29cb033a2d866bc68dd92605c3a48a9bc3b9b38905e137a186e6fcb6eb66862ff5aaa295bdc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\zfdctryd.0.vb

Filesize
265B

MD5
61d2dde4b46edcabeaa9a64f5666a648

SHA1
bcde23b9c97af1ef107d00fe5040a6987cd09443

SHA256
75ea06634452131433c11c1dc3852137093d037ff662e12a2cfede5644579629

SHA512
b5212b642ad7b56cb4c99c62a020159ef121a25fcedc99a1326941a29556e23d4908a32fceb1f3be88d2991264c9b360e6aeae07fb63804f7ef0c8aa04a5a321

Download Submit
C:\Users\Admin\AppData\Local\Temp\zfdctryd.cmdline

Filesize
156B

MD5
d9d83678cb7a47b35b812ee7fcbd6780

SHA1
1cc1d0710796feca5da73a3fd8f848c96bf1b8fa

SHA256
0cdcfbf8648424148a01b2776f992d1d75f224d2985053b076b2f975beb558b0

SHA512
2dfa09f4367e3bb9923bbc68c40c01601ef3d3687c459be9864fed57401cac2cd0480df6293e81b5fb3a2f242fe49e8787d7a92d9232717800ba9da544327445

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe

Filesize
4.0MB

MD5
1d9045870dbd31e2e399a4e8ecd9302f

SHA1
7857c1ebfd1b37756d106027ed03121d8e7887cf

SHA256
9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885

SHA512
9419ed0a1c5e43f48a3534e36be9b2b03738e017c327e13586601381a8342c4c9b09aa9b89f80414d0d458284d2d17f48d27934a6b2d6d49450d045f49c10909

Download Submit
F:\$RECYCLE.BIN.exe

Filesize
7KB

MD5
44cec95e94d301652db8fcefef860ac0

SHA1
49a41974e1d99b7cad7a4804056e65f3d047188b

SHA256
c71974cd98d53bffdf022633fed4e6c3b4b380f8b210f9986c39680ee1da0c12

SHA512
735ce923b99f9265547d5daaa8ddb48aa6e293094aa88b55c8c0ffbe12924bc98c9a01dec83f7bb9cb2a676c71257253ae8dfe5eae12cdb85b7afbde2a367b31

Download Submit
memory/1388-0-0x00007FF9BD275000-0x00007FF9BD276000-memory.dmp

Filesize
4KB

Download
memory/1388-8-0x00007FF9BCFC0000-0x00007FF9BD961000-memory.dmp

Filesize
9.6MB

Download
memory/1388-2-0x000000001C0C0000-0x000000001C58E000-memory.dmp

Filesize
4.8MB

Download
memory/1388-1-0x00007FF9BCFC0000-0x00007FF9BD961000-memory.dmp

Filesize
9.6MB

Download
memory/1388-3-0x000000001C590000-0x000000001C636000-memory.dmp

Filesize
664KB

Download
memory/1388-4-0x00007FF9BCFC0000-0x00007FF9BD961000-memory.dmp

Filesize
9.6MB

Download
memory/1388-5-0x000000001CC60000-0x000000001CCC2000-memory.dmp

Filesize
392KB

Download
memory/2944-11-0x0000000075080000-0x0000000075631000-memory.dmp

Filesize
5.7MB

Download
memory/2944-9-0x0000000075082000-0x0000000075083000-memory.dmp

Filesize
4KB

Download
memory/2944-19-0x0000000075080000-0x0000000075631000-memory.dmp

Filesize
5.7MB

Download
memory/2944-20-0x0000000075080000-0x0000000075631000-memory.dmp

Filesize
5.7MB

Download
memory/2944-18-0x0000000075082000-0x0000000075083000-memory.dmp

Filesize
4KB

Download
memory/2944-7-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2944-10-0x0000000075080000-0x0000000075631000-memory.dmp

Filesize
5.7MB

Download
memory/2944-114-0x0000000075080000-0x0000000075631000-memory.dmp

Filesize
5.7MB

Download
memory/3420-17-0x0000000075080000-0x0000000075631000-memory.dmp

Filesize
5.7MB

Download
memory/3420-12-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3420-15-0x0000000075080000-0x0000000075631000-memory.dmp

Filesize
5.7MB

Download
memory/3420-14-0x0000000075080000-0x0000000075631000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads