Analysis
- max time kernel: 1050s
- max time network: 1044s
- platform: windows10-ltsc_2021_x64
- resource: win10ltsc2021-20250314-en
- resource tags: arch:x64, arch:x86, image:win10ltsc2021-20250314-en, locale:en-us, os:windows10-ltsc_2021-x64, system
- submitted: 18/03/2025, 04:24
Behavioral task: behavioral1
- Sample: client.exe
- Resource: win10ltsc2021-20250314-en
General
- Target: client.exe
- Size: 503KB
- MD5: 18027ab757117250f63fd4cecfb17554
- SHA1: 780bc94badbc0d1beb029c60e9023afc0351d265
- SHA256: 8176ff71185aa68a3d034ee352edb744808cc1c0c8b17ec188b0e0a87ec3d66f
- SHA512: 9b724169672519ada3730540e50cb0979d9f3db06e95aafb785ba713f04dd3108d05872f8acc11d72c51990e4f6084325d03bc866fff5979e18edc462cb20218
- SSDEEP: 12288:Hnh3gCeDX0PfUC2jykOJQVB3z6Lm//HFl2Qc7kc:HnTZNGB2LmGV7kc
Malware Config
Extracted
revengerat
retard
127.0.0.1:333
127.0.0.1:21
127.0.0.1:443
127.0.0.1:80
212.102.63.147:333
212.102.63.147:21
212.102.63.147:443
212.102.63.147:80
RV_MUTEX-TwUnoWrUUgHRH
Signatures
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
- Revengerat family
- Uses the VBS compiler for execution (1 TTP)
- Suspicious use of SetThreadContext (2 IoCs)
  description | pid | Process | procid_target
  PID 4452 set thread context of 632 | 4452 | client.exe | 82
  PID 632 set thread context of 5072 | 632 | RegSvcs.exe | 83
- System Location Discovery: System Language Discovery (1 TTP, 20 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe (9 entries)
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe (9 entries)
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegSvcs.exe (2 entries)
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | taskmgr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | taskmgr.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  4740 | taskmgr.exe (64 identical entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | Process
  4740 | taskmgr.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 4452 | client.exe
  Token: SeDebugPrivilege | 632 | RegSvcs.exe
  Token: SeDebugPrivilege | 4740 | taskmgr.exe
  Token: SeSystemProfilePrivilege | 4740 | taskmgr.exe
  Token: SeCreateGlobalPrivilege | 4740 | taskmgr.exe
- Suspicious use of FindShellTrayWindow (64 IoCs)
  pid | Process
  4740 | taskmgr.exe (64 identical entries)
- Suspicious use of SendNotifyMessage (64 IoCs)
  pid | Process
  4740 | taskmgr.exe (64 identical entries)
- Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target | entries
  PID 4452 wrote to memory of 632 | 4452 | client.exe | 82 | 8
  PID 632 wrote to memory of 5072 | 632 | RegSvcs.exe | 83 | 8
  PID 632 wrote to memory of 5564 | 632 | RegSvcs.exe | 88 | 3
  PID 5564 wrote to memory of 4260 | 5564 | vbc.exe | 90 | 3
  PID 632 wrote to memory of 2508 | 632 | RegSvcs.exe | 91 | 3
  PID 2508 wrote to memory of 3172 | 2508 | vbc.exe | 93 | 3
  PID 632 wrote to memory of 3932 | 632 | RegSvcs.exe | 94 | 3
  PID 3932 wrote to memory of 408 | 3932 | vbc.exe | 96 | 3
  PID 632 wrote to memory of 5804 | 632 | RegSvcs.exe | 97 | 3
  PID 5804 wrote to memory of 1292 | 5804 | vbc.exe | 99 | 3
  PID 632 wrote to memory of 3784 | 632 | RegSvcs.exe | 100 | 3
  PID 3784 wrote to memory of 1912 | 3784 | vbc.exe | 102 | 3
  PID 632 wrote to memory of 3616 | 632 | RegSvcs.exe | 103 | 3
  PID 3616 wrote to memory of 2088 | 3616 | vbc.exe | 105 | 3
  PID 632 wrote to memory of 2004 | 632 | RegSvcs.exe | 106 | 3
  PID 2004 wrote to memory of 1652 | 2004 | vbc.exe | 108 | 3
  PID 632 wrote to memory of 4200 | 632 | RegSvcs.exe | 109 | 3
  PID 4200 wrote to memory of 4588 | 4200 | vbc.exe | 111 | 3
Processes
- client.exe (PID 4452, depth 1)
  Path: C:\Users\Admin\AppData\Local\Temp\client.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\client.exe"
  Signatures: Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - RegSvcs.exe (PID 632, depth 2)
    Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    Signatures: Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - RegSvcs.exe (PID 5072, depth 3)
      Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      Signatures: System Location Discovery: System Language Discovery
    - vbc.exe (PID 5564, depth 3)
      Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bwwbgkhf\bwwbgkhf.cmdline"
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - cvtres.exe (PID 4260, depth 4)
        Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB83A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8366ABABF1A8426690791A9B91F4A719.TMP"
        Signatures: System Location Discovery: System Language Discovery
    - vbc.exe (PID 2508, depth 3)
      Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\goyieuvy\goyieuvy.cmdline"
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - cvtres.exe (PID 3172, depth 4)
        Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB8D6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAAFE1492144CEFABA5A6AF77CB509.TMP"
        Signatures: System Location Discovery: System Language Discovery
    - vbc.exe (PID 3932, depth 3)
      Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jer334d2\jer334d2.cmdline"
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - cvtres.exe (PID 408, depth 4)
        Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB953.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDAD26DAA28E64CD7A6A579AC62673C2.TMP"
        Signatures: System Location Discovery: System Language Discovery
    - vbc.exe (PID 5804, depth 3)
      Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4moqckki\4moqckki.cmdline"
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - cvtres.exe (PID 1292, depth 4)
        Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB9C1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEEFC29805BCB4888A7D36E5D1B578CF2.TMP"
        Signatures: System Location Discovery: System Language Discovery
    - vbc.exe (PID 3784, depth 3)
      Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\oc0czcp0\oc0czcp0.cmdline"
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - cvtres.exe (PID 1912, depth 4)
        Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBA3E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBA8DD43B437447DCBFFF9790AFF855.TMP"
        Signatures: System Location Discovery: System Language Discovery
    - vbc.exe (PID 3616, depth 3)
      Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nquerp05\nquerp05.cmdline"
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - cvtres.exe (PID 2088, depth 4)
        Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBA9C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC544C4A5803E45339CD55A8B8DFCBD7.TMP"
        Signatures: System Location Discovery: System Language Discovery
    - vbc.exe (PID 2004, depth 3)
      Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\eebduo5m\eebduo5m.cmdline"
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - cvtres.exe (PID 1652, depth 4)
        Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBB19.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE28B03A33F954050A51EABAFBE50F9AF.TMP"
        Signatures: System Location Discovery: System Language Discovery
    - vbc.exe (PID 4200, depth 3)
      Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3u2b5vhn\3u2b5vhn.cmdline"
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - cvtres.exe (PID 4588, depth 4)
        Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBB96.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC184F6BA36D54B3690A12D40B9658B1B.TMP"
        Signatures: System Location Discovery: System Language Discovery
    - vbc.exe (PID 1016, depth 3)
      Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ge2xo1wv\ge2xo1wv.cmdline"
      Signatures: System Location Discovery: System Language Discovery
      - cvtres.exe (PID 1068, depth 4)
        Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBC13.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBF21C3B726654A2A9B5E7E1E466513D7.TMP"
        Signatures: System Location Discovery: System Language Discovery
- taskmgr.exe (PID 4740, depth 1)
  Path: C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /0
  Signatures: Checks SCSI registry key(s); Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 8KB
  MD5: 5b96262894a6775aa100267f4c761048
  SHA1: 5cda0183486488a33535d545eb9e8844276ca7b0
  SHA256: d1ee408c0404d538350e99d1e85c2e6a789ee84c1bb5618f52cf885ad411487a
  SHA512: fc9e7de845439b788f2506065dc707d7adf92a6f7809d5987f86a3f7b77633a4728dd2ae385316d37cc8a1fcf42817c006596d5b87856d839474ec2d129199f3
- Filesize: 8KB
  MD5: 93d27b63be9c1d207676dda714d39bba
  SHA1: 57a2c9e2f78bf17665b4c1cd2725135ada2eaebd
  SHA256: 918e92ef9586860f18148fefacec6cac6913a71ea885a2083babfd04e728fe0f
  SHA512: 789cc6de78f54438fe4daf0dad6f1d56022a77d0524baa9a89228bc20cca436f49234dfa5683f8daf1d038015a0d36a16d1908aa641a00e828425d81c4143dd3
- Filesize: 8KB
  MD5: 503b3039a01264467a233bdf80171fbf
  SHA1: 51ce0ade9e83f0905f29daac91b1aaaf07dc54fe
  SHA256: e63b5917cf5106009ea2d7c4e8ae73c0c9e8e4cf2b0ea645eb06f9cd16318289
  SHA512: b961d0aa92d09b902aeb87cc32204f70d4bd443692ccbf582eac4982c9babac224b3d0a2622ee7d5edcb91b050f6f605ad815fd66de0ec4930b7b5cbd5b30010
- Filesize: 8KB
  MD5: bddf5340534c12d54ab9e55aa473c6bc
  SHA1: 6577f83d77ce3801d5f15e66357bee8620250ff2
  SHA256: c1dfccc61a9715e80fc344d5951b95bb29db315642f77917cdfdd6cedd8eed3c
  SHA512: d6914482339362ac310ab80356846cb8221349bf658e2f821a8382bc8cd69972dc45fcc5f70080c6982b31a4cce182a9ff0d97b7da6669d9b5c4717e2f8a3b7b
- Filesize: 1KB
  MD5: 42d552558e7e6f7440b2b63a6cde217f
  SHA1: 9c8fa01060f667cf3b0caad33e91fa59e643cf76
  SHA256: 11b5a0730666935c78d22b379f83ea5fc30d1afdea09a796b4f18b38a1e1ef69
  SHA512: e6a6dc1239b9668e7ffc883b3cf46aff8c9f86ef11ae975f6fb65531d8b9313acd7608272042e322fad415a45c0cf767252d2c620ad066e6809656af0f09441b
- Filesize: 4KB
  MD5: 1f0ec21c4fa48137a0526c3c0fdea8bc
  SHA1: d7868157fa33266e837fa897cdf281463cd9b2c2
  SHA256: 6bb158d3401976e135ed0b4d7bc4cc9f00771a9b1c2629e3fa3edfa88d2a921f
  SHA512: 5327893ddfc43910f482dc544faf1823bfccbb96816d7246f7bc91ce46f185b1c6677e04f99ae4c62d79fe5e3793b85f8d70957d6073e3e2fab385477d685773
- Filesize: 8KB
  MD5: d343dc2c5d8be191e947703c92d1fc1e
  SHA1: d8889b12182f7354d9bc4f53f81e5699b3edb438
  SHA256: 50613b64fe146b58b146fa76593d75de7856d41fecbfcb59f410f613eb9d859f
  SHA512: b163e22d0707360caf378dfc5e8828e8d2db261ba96a377110c3a41a750c9ebe8e552a9d44aa6810b3ab02e114ccca4bcd162acdd8c339702b551f917b8a435d
- Filesize: 341B
  MD5: 2eaba4383c078d42b2f7b6b56b3a5753
  SHA1: 5587ecf57731e8778b752069e01fe8ed58cc8423
  SHA256: 00a43ce37f29e94bb7554ed4cc4a4951efac366e2c5cb15bba82453733442600
  SHA512: 580a75cbadd4185020ed4748a806ceaf1d7b541da6387202e9e3e24d3d8d04e9fabec9f7871085826e84fbaab34d75fac2aabb9ec1e7f4964272c961821c67ca
- Filesize: 207B
  MD5: 95e9e190fb8fc565ac344a740a10ff8b
  SHA1: 133cb66f6ebf1b154859b5fd7688426dc54be3a9
  SHA256: 393b6c6746787c97e909f9ff8e5534c31f6c8a69960507b413fd2612815041a4
  SHA512: 6e6c03e7a4c5037f22e415da4473446be0cb33f92b5c58b047495080af3059b836b93e34491c2ec702c375e73386fc2d7c2726d0246a452d759e22fdb6430b3d
- Filesize: 355B
  MD5: f9ad0fd80cd20785a4c2310cc7bc8c5a
  SHA1: 401f2099128cc33475ba6a586daa7b217ae41611
  SHA256: 28a4affaef125abca3716c975cb04cb52ccdf2226c916ddd9bce8c0785008120
  SHA512: 2b22f9ad8c29355cd62640e2ccb1eabb5d72a365dcf2cbd66ca6099e2cc1570030745fa8fc21519dae72e52f9cf872c291d8b93a371cfcd8b46f3a9bcf29fc01
- Filesize: 221B
  MD5: dee662490a3c31112af59fbef0cb1e67
  SHA1: 9075b8e44674678ff7c88358519baa9341740db2
  SHA256: 61d191e9699c9fc1ecd57606309684d15875c580ed33ac1fcdcbdbde78ad8ce9
  SHA512: fe223d8edf4661be8200e43e97771c4f0b8e2879740cd4e9f08f4246b4192793e9f163425c008747c8acb2a800402c17967555367f01178ce765acad81ec8989
- Filesize: 6KB
  MD5: a6243b581d3c6f8cf669412099ad9570
  SHA1: 41537a8579062ebf60e4261cdae051d320cc1149
  SHA256: f79cd87aa00fdef134f54c332ebce27f4b0a16854793a6be40a53acaf8c8620f
  SHA512: 83f094435a5b451a87e24b4d36a36a5296c291696f8b46cb23601580fa6968c3b694662bf98456f5fca8aa002affed310a37bd5fd02e516afd4034c26b63d3ca
- Filesize: 3KB
  MD5: 7342990f290a39e8aeaab97b2ddf3d2b
  SHA1: eff302e132a397e93bcd717c73b5c21e013dd711
  SHA256: 6b38185ab3ed7a64b19a0ef36df6161c622e9f654fb5a3d2731c3a05a9da102e
  SHA512: ca54ab966ca4b73373e064354ea2d3b9a3da1d347493f81fe16cce65c243ad00f3c60e3426d5ea2829cb81668ea36001cf6eb9c72c380b95d72463d9390cfbb8
- Filesize: 3KB
  MD5: 6d6be269faff0aef74f0d50e61f848e6
  SHA1: 7085bef0a3fcc9d848281135aff614ed80671be4
  SHA256: a5916d1d2d557ceeca5240a99699e23b83684eb5b7e1ec56668ebcfa354f2340
  SHA512: d4e4c90c687b4f80a1b6670cc028f1e1b804659df397290bb768b2a55dd553ef3c2b75b49429384981a44a14927f78d16f189c80b3cbd9ae1d71f78dee997750
- Filesize: 3KB
  MD5: f483d656af23e013659526a64ec91a49
  SHA1: 20b2cf4ef3bad6553634377d385ef07790e3d7ba
  SHA256: 6b233698bb6c666fc1206b5fdd1ac41f8b65125e001920b002f44f6ef4d126cd
  SHA512: 39aff4345aa2ef9ad0463d5d73347f24cde5d0cdaf4e153de2e770d8030749dd634e485a5dd6e9bfb2bbe7def2d1618102d440892173ad5115a1c506b90f2a3e
- Filesize: 3KB
  MD5: 7ad5b7d27ca9cde4b5451412e1e9b398
  SHA1: d50f77524f557b51a52a3730f2fe3d753a785cb7
  SHA256: 0118570403f38b6f1f84899e96ba7ef770b5d239478f1f05d147c7669eece011
  SHA512: 3384beabd888a4ca09c88926094327d06ac88bdab9102395aa006f497e4dd3d75243047279ef1f5df24dfa6603aaabee811396cdad73ac8985593701ab9f86f9
- Filesize: 3KB
  MD5: fb7ac2c62f154bf1b0bf630056460a11
  SHA1: 6814bc82b74700340e50335522cf66be457ec7e7
  SHA256: e227defae1062da38b669f3d8fc7eb5959dda55b9535be5a6dbd6851f3bbb6c8
  SHA512: a13689e56cbbe5db444903dfbbae87f91a52533686fb3d51cb1f28151f6a0c232c80cc66a2ec5c100813f970c6d7c90b456f915c7a5fdf36d5ee8d27feda164a
- Filesize: 3KB
  MD5: d2d8bdbacf7fc5f58028e8a786734fb7
  SHA1: fd89a660d47b4595c4ef7f2edec1db4397aee76b
  SHA256: 3f16f17979aee2ebc6c782dd3ac0f53a92469d7ca0868a8187677fa0ac01abc1
  SHA512: 4c8f1b536fc5d6cc6d4beeccc310675c1741b1daa45e71abed165de8c02fb14dafe0cf35484f05860a6f339a038dc27aade9be2dde5a182fa6ea335410d772f1
- Filesize: 3KB
  MD5: 3b38df88ffd91c7822d80ac38ec86129
  SHA1: dba3f624a0121305f393d5d1b156e650f56c55d8
  SHA256: 73444793c412a654681e770913377e274d57fd15d3fc398663146b1a66ff7fb3
  SHA512: ab1d5d2ee6ba4e7b6b92ca99e5850798e22d0a4178ba2e3e15a9b2eae5ac184ca6ce11419557609420a6eb08379d413ca72a4238966d64fceae9949675c9f8d9
- Filesize: 3KB
  MD5: 2239f449c5b75b658581e2b8b43af75f
  SHA1: 69bf804231053b5876839999997620565baee5f4
  SHA256: 30e3f63061fc044e6006272eac548cb0a8648ed53dc379d1f267dd3ffbfe9467
  SHA512: 828d0b7cfdedb307075334ac52fe24d4208246e5af8a630af7c63fae9bd3f8c83f7ca5ee762c5c42dff4d39cffd29db5ec8f75c3362dc308824028f57ba2f1b8
- Filesize: 357B
  MD5: 505146fca8f36b7caad085d4f3e0b932
  SHA1: dade832e28e42223ce507c3df9fe8380849af45d
  SHA256: 6af204d197d34512299b0dde6422c82ce104f01709e4ecd7ccb58424afb3993c
  SHA512: a3a998d66f34e70972e20b9bde05f2006fec96c30ed9e556b4e1da3dfbba92fbcff9a211c81c0aa93ef5abfedba126a9776e18732af04da1764c748661f4b033
- Filesize: 235B
  MD5: 9385f3d54368ed11b9b2c00e1f2cb882
  SHA1: b33f59742aecd62162c24a81b846cd7b6d8fb955
  SHA256: bf340d8ba99829b7df597b8a9053658738bab9eff898609501ad6a1741be0899
  SHA512: 91d08dd4793e30a1b80b39cc40d063c8969f47f4cfa8768e53ea06f6483a8c948070bf348e0900b067cc6cfc3ac28f940e82af2a63c3ccb40b82be03ce970150
- Filesize: 44B
  MD5: 742160e4a4a1d12b2e9682bc6116fc9c
  SHA1: bc3f16b140dfdbf5b4de6ee73659162d4f3ca2f4
  SHA256: 23c1afadb9dd7c91730ca7f9b483f2b4b2b5c9ff2fc6b095ee071e2c99f03a77
  SHA512: 2b49f5b5030298f3aa171d190afdfe61ed1e5bc409ddba64fb36c72656b8205afca9e325e4e4577acb9f66aafbb2bb5693255b313a2e293f2c7bdc7a8ab55875
- Filesize: 352B
  MD5: 7ad335976b6538d4bc10a51f7bf8bce7
  SHA1: e6bff208e4139bdf91dee890cc9b6688f3070daa
  SHA256: e9e03d227b8540e5a8bd6067db080b072dad25960f611d6b9a8e1887bdee084e
  SHA512: 20d9c3be9ec6d6b034ad918d1ed41114389b33f7c24a10ec26a2be620833c6fc21c815626891a0c35e36678ac2b4bcc5e9418f53939953a8123acedbfb503a18
- Filesize: 218B
  MD5: 2e4820e5e663fa22e5213d9eb5601f0b
  SHA1: 853cbd6a90eecb41acf2f365d480b83d4f1abe3b
  SHA256: 9f8d74e8b483f4f2033476e10b8473b8526e28db24e899f9a00667600d6ffd5c
  SHA512: 7e957df96f85c05fe75b749f9ea430516ab00ac0282ab1db6e3655097c350c807a29bd055cb1c88ea2f5a86e1caf2ae508e9caf986acb24f19793db5e5d85e1a
- Filesize: 345B
  MD5: 8a8a5989a3891b0b9d7b508630564c45
  SHA1: dfc1064e99c5161afff231a24e31a7c260db7809
  SHA256: 323f2d4f28f0ae55e47f80c91ac4cb1498fca55cb02d47a8c09479e39309b5d5
  SHA512: e7bb84ab94d16dd58e2a544c25bc226457bbb54d7aadd1bd5386c51a4c2d2ec7a9a6ddffbb1a5f21cd9a1916e912da6d932c35884282acd05670d96d4597b840
- Filesize: 211B
  MD5: 2ff533b6f0fab6daae94e64e963d81ff
  SHA1: d8dde10809df26e27cbc587b8e9093950b5b3cfa
  SHA256: 458284479d79aa4fed8e8a998a0531cb90319ddf37429ed4881dda2cb0eb2ad2
  SHA512: f817955a1c6e5c835e7a495c53a682ba2174b46ff24c917ffdab3942a918fd4d4cf503dbbcd74309ab19fcf2daa9b2a4ad545cb6f626e542a41e0a33e2687889
- Filesize: 345B
  MD5: 7573edb1c3da5682370e8f909d9002b0
  SHA1: 434c07f81dd147bbce901b5c5dac1038301aaaf3
  SHA256: aa12bc90a66992a34ddff377eb6d990cd33e682317659d50ca6e17485308d1fd
  SHA512: 5862adea3b9c3356783b7ea40d15fb68c40d7095e540d5a06b1906a39cc6c23f30b0c00b4374bc1b0a0a03de67743b1fe97c03abcedd95ead1cab072c1f7f75f
- Filesize: 211B
  MD5: 4ff8b82d1261e04e4a747c13a7512d5b
  SHA1: 3fd3df9b4a1eab607734a10c184b90120de41530
  SHA256: fc29cc9e277c1175cbd7ecb3be0fea3dccb36f5f11c99aeb75ec56092a87b337
  SHA512: 6a0bb0f40600e6a7597ba230af96ce84446493030e0a3486881cf64b4162b4281c042abb21f176bd683d7938fa903057dd9e4300875d40206be927f6ebe77f27
- Filesize: 361B
  MD5: 098d4e8d1a870ca4cd8251ff30b73e95
  SHA1: 142b8a81f96033edd89ef228310999f27d3272c8
  SHA256: b266ba0094fdcbab4fae8b68b9b8ffdd5d5ce16a1165b79719537952b407c765
  SHA512: 3b5e3608f017a9ae0a7674590f212e3a91e5b2f844ce68d85a8864e9ccad2c68ce69f6a4953dbf423f1ec6bddddb1c9cb5e50ddf431dcc341720c6495e8e17af
- Filesize: 227B
  MD5: 310edb0a062681344bf29fb21af8b65f
  SHA1: 7214bf7e1516e22a980fbe9ffc2f25f0621c93e9
  SHA256: 1d54dac17455c5e078e2eedb8d59350aac192e7c339dbfd0fa1f1482fbf67728
  SHA512: 65d26f0670c0bac63b3941f5f1422628e2e02bc13336070c002f93133bfb4533702b3f600ca1535f4f7af6df97fa621020f611be5d21a59491033c99b1a961d9
- Filesize: 341B
  MD5: 9172ce0fad8ca295ed306f8982b31258
  SHA1: a626890a3089a91b28deb4ffcdc2fe234413cd2a
  SHA256: b558e113f134944024260ebaeb3106f1712aec382eb7a7a30718a9de81ef8b84
  SHA512: 7bedf1dc3acdfe639b23a363a96046196907fcbc4782a44df2f67ba0e275f4b6a06abd2d6906d3efac556cb869e304e03fd7848d439f04b4239234ed794404a8
- Filesize: 207B
  MD5: 5dfd6db0de55f653b1068432fea827c3
  SHA1: 34b343afcc181078c69476129d4828fda49e00e9
  SHA256: d15dc3748d13158b6769deed4e611ede28696e71c2422f235e40c0894ea52d1c
  SHA512: 216dcf98f4f6d95ee95d048d402a81c63cae619aacf957b727eb20659af73f9eac6fe4e471ee4d30afbef0cde906160a2d847b6adbcca18dfde6bb3d5b77a97e
- Filesize: 357B
  MD5: c4cbf9a1ed8203ae7894d17934819fe8
  SHA1: d8bde3827c208bc0b3207ffd6ded4b503151fbd0
  SHA256: a3a9033115815cae4eead0a35c86c42ff20b2c542eac08541393e3841d4f1625
  SHA512: 82da35fbe09e79e50ccf8adb24c1daa4104e4b5239a0cd184ffabf011f8288afdbaa48df8c8d0f0b0e77001bbc7cf3cccc54b9928b6d44852d7df516ca837892
- Filesize: 223B
  MD5: 685dbf5db5fa2d8dec5f0ec3d2c61135
  SHA1: f50bdd9c5760b402b4bab5c7692c6806e19fdcc7
  SHA256: b5f708a185f6e4d0642e16323d06d8e68d54d765d29758c784737378661aeb91
  SHA512: efcb05c341f21d631852f39cb068df13caddeac96c310dd08e45864bf64dce8222ec63feeb14e765d23ec616639fc2366b12a062e3564d6390c179c525243470
- Filesize: 5KB
  MD5: 6455e9ffba59dd009b46a119ca0fe301
  SHA1: ba3078d4deff1b51a10e51698c91478a88065c23
  SHA256: 70c27ecda95869f5aeff42844af006f13cb4fec55a3ada319ad6708da861d06c
  SHA512: 9fd3dedc153e31eefd17a87d58d935ef19d85019d678541067a31114e8a61aace3690f178fa1e2f69e988451b4fc7c57faaa832f2b8adc0e0f13e1cf4c6608b3
- Filesize: 2KB
  MD5: 412dccf15536c209b91f5dbd18839976
  SHA1: 62d9cfd5117cfe80e492eaaf82df0ddc6d021ac5
  SHA256: 07dde44b7a5999333a5e1106d2e566043c50125e478c25a98c494d515218adbc
  SHA512: 8fa33d9794557879430b0b2551421eb45c8e06f0d0a5d0c9aa9b865336995db446c157d91d6a481224f9b92b573c5945b26a2dbaf1d078e6217300b0b3dc8bc6
- Filesize: 2KB
  MD5: 460f9c2c73201ddaf923fe3420a54969
  SHA1: f2c078b4850189a58a73fa3070982d69fd8c1494
  SHA256: 09d40c9fd267efca1c8f853c85347a6a2478546c8de7863e69626daafff5c3f1
  SHA512: 193c754ba83cdb02fe7045a2609ebc40b1bc3fb7cbdd7779a88c4280b26d888c31671e75f53b555d812aa02e05697bb89e6a476671929b33cf0185653a4c23c5
- Filesize: 2KB
  MD5: 5dc504ddacae44fbcfc99906527a7971
  SHA1: 415d3e9bbf4a385fa29ec275d27115ff2fb30f0e
  SHA256: fba0fde1f724e280c705880f8ee9119ad27a9d1227479132189d51cabb8d1f37
  SHA512: 53646fc516589f65223d0826dcbec4756243cf052825e15ec346e90218dd42b7f1be664766fb3fe8026797d65c6b7bdc096867f34e3f33a3d8a0c7625241c30d
- Filesize: 2KB
  MD5: 355a4c9517cc0733fd14702da69521de
  SHA1: a82f21debd3bf6a236461f6199ddb6ea57e611c1
  SHA256: cfde6a2f60155f6208871922538ecb09c20393e6365e61bf72fc0998113c693c
  SHA512: 9e06a2761a45ecd7bc2a8c9792e6e2e6066360aec047d6d46aed2e7ed44e217508348a01229023bf67d6a957947a8e6abdc772516550fb1d2e7a22b48a47094c
- Filesize: 2KB
  MD5: 6ff6650f91c40a62bddb764e8364192a
  SHA1: c7818a159b4226d2171be2d04b397a137fff9eb9
  SHA256: 4386df5789fdd10f7535d670a48859c5dc3877decf3811e27db126a3578102e6
  SHA512: ebc316954711d714f16452f6ab8c4679bdec6b9af3c9a6f1bfada5fe1494daa8ace91b4f3080a83804869f2c386cfb4783ce74cde9d5cd6af5f954455af02841
- Filesize: 2KB
  MD5: 6a856f9842deb8ef23ae751813b82e76
  SHA1: 2580c84c94b31e1b2a70165a7a8cade36897f644
  SHA256: c79f809d470049d6483b5944925d186740b02fd0f8a69d1f1468d564c03688a4
  SHA512: c4feb29a7752fba0a27559770a14e349657d34ed2e12a85a68b73a052efecb993112201c3b4f19a8db51e44d72de63aec03e4bc679b8b9b79ae4a583c6d45f17
- Filesize: 2KB
  MD5: 76744ba4a12dfa044f13aaa7ec3b4291
  SHA1: 6b38314696c048d7155089d6e8b22b5b817ce126
  SHA256: d571eae9a90237333cf0b91565e8b72cf52e8809fc3e993507369057718f5723
  SHA512: 3965d21d61f026785273a477e176a85f08eb3554defb47b749e469b30443204c661c37047479f36308e897b476c886bd2267c7db9b454898a2eae0a7d0610549
- Filesize: 2KB
  MD5: ba71c864b7063ddc4ca3a0b0b460c36e
  SHA1: f65b1433647be410949442766956103184b7d83f
  SHA256: ece9db2a6c407ed82888a965a9a3472d8cd58797e21ac9428fb4632b4ec1b6f6
  SHA512: ec2e2cabdf5907cd05bc6cbb7ef7b85ab30533bd67ac2a56994107fd7e9bdf30ace28f80a15e493e6f8573b603b8d89c131b60bd5d07e7fd5493b20764c23aec
- Filesize: 8KB
  MD5: 7475ce16db22bd77f847fac01c5758e6
  SHA1: dd4f0f9ea93bf034d20526babb9eb9e93647b728
  SHA256: e376dea6259af5270c4e80f43afe95cc9a6f7365d8ab70fc32222d3945681ba3
  SHA512: 659a747fbe09c037f50626d4d82ccc5548d9453ab8693689c65b44909896b59f10498dd6b021007db6d9788816a1dfebb2ce11d031dc3d2f38b10244f6ac8eaa
- Filesize: 8KB
  MD5: 470cdc897d05bc4483761761ddd9531f
  SHA1: c27c80aff3059f58cac84018333f898161724690
  SHA256: b94a3da9448e601b50b884ed6920291b903157e246200a690a24d0e3af7b0746
  SHA512: bf59d4bd3952de2f71c99050f8f55bfb49f6599e31fffe5a3a2273aace797516fd68c0ff6fe529bc316f87d4787349d6655f30f5494f314faf921580301f4e0d
- Filesize: 11KB
  MD5: 52ffea112bfa0abab2121aa9375ac7c3
  SHA1: ef55311dea75f1c9070f8b071e0483085d54c301
  SHA256: 2be14975e1948c43940abc8a050501a1c76db980371a0c90da57bf288aebb159
  SHA512: 3c3c35b76fa02665aeaa3c44800283a82acaa443a2afa55e5917dc35e2f0385cc940190d0d242b2ca49de23cc4002c0024b68d357fec9276676b0c8d9adcb4d4
- Filesize: 8KB
  MD5: d9d601e9ea3369dc2837f992a96a8cb8
  SHA1: 3da9845676a682688e8d3b5b0a01523ba8e9bd9b
  SHA256: fb7685e1c7fa87e63e9d6d0ef18cabba16aa4df6855dd2fbe088aac73586261d
  SHA512: f4f14ca449e9f68f60d7e9f6c0bc15600e271122f2d1104bae796bad3b3027ded56122440539f9f2e5e8af7e145e4ec02fbf5d38c1ab66922966e2161a11ccd0