revengerat | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo

Analysis

max time kernel
119s
max time network
120s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
07/04/2025, 06:51

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo

Score

10^/10

revengerat guest bootkit defense_evasion discovery persistence stealer trojan

Malware Config

Extracted

Family

revengerat

Botnet

Guest

0.tcp.ngrok.io:19521

Mutex

RV_MUTEX

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral1/files/0x001c00000002b1eb-552.dat	revengerat

Downloads MZ/PE file 2 IoCs

flow	pid	Process
22	5048	chrome.exe
22	5048	chrome.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	RegSvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe\:Zone.Identifier:$DATA	RegSvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	RegSvcs.exe

Executes dropped EXE 3 IoCs

pid	Process
4300	RevengeRAT.exe
1216	svchost.exe
2152	Petya.A.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3712238951-2226310826-298817577-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\svchost.exe"	RegSvcs.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
22	raw.githubusercontent.com
1	0.tcp.ngrok.io
4	raw.githubusercontent.com
4	0.tcp.ngrok.io

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	Petya.A.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4300 set thread context of 6096	4300	RevengeRAT.exe	100
PID 6096 set thread context of 4960	6096	RegSvcs.exe	101
PID 1216 set thread context of 3948	1216	svchost.exe	131
PID 3948 set thread context of 2668	3948	RegSvcs.exe	132

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Petya.A.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\RevengeRAT.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 42 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Petya.A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133884823391809888"	chrome.exe

NTFS ADS 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\RevengeRAT.exe:Zone.Identifier	chrome.exe
File created	C:\svchost\svchost.exe\:Zone.Identifier:$DATA	RegSvcs.exe
File created	C:\Users\Admin\AppData\Roaming\svchost.exe\:Zone.Identifier:$DATA	RegSvcs.exe
File opened for modification	C:\Users\Admin\Downloads\Petya.A.exe:Zone.Identifier	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1912	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5888	chrome.exe
5888	chrome.exe
5888	chrome.exe
5888	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
5888	chrome.exe
5888	chrome.exe
5888	chrome.exe
5888	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5888	chrome.exe
Token: SeCreatePagefilePrivilege	5888	chrome.exe
Token: SeShutdownPrivilege	5888	chrome.exe
Token: SeCreatePagefilePrivilege	5888	chrome.exe
Token: SeShutdownPrivilege	5888	chrome.exe
Token: SeCreatePagefilePrivilege	5888	chrome.exe
Token: SeShutdownPrivilege	5888	chrome.exe
Token: SeCreatePagefilePrivilege	5888	chrome.exe
Token: SeShutdownPrivilege	5888	chrome.exe
Token: SeCreatePagefilePrivilege	5888	chrome.exe
Token: SeShutdownPrivilege	5888	chrome.exe
Token: SeCreatePagefilePrivilege	5888	chrome.exe
Token: SeShutdownPrivilege	5888	chrome.exe
Token: SeCreatePagefilePrivilege	5888	chrome.exe
Token: SeShutdownPrivilege	5888	chrome.exe
Token: SeCreatePagefilePrivilege	5888	chrome.exe
Token: SeShutdownPrivilege	5888	chrome.exe
Token: SeCreatePagefilePrivilege	5888	chrome.exe
Token: SeShutdownPrivilege	5888	chrome.exe
Token: SeCreatePagefilePrivilege	5888	chrome.exe
Token: SeShutdownPrivilege	5888	chrome.exe
Token: SeCreatePagefilePrivilege	5888	chrome.exe
Token: SeShutdownPrivilege	5888	chrome.exe
Token: SeCreatePagefilePrivilege	5888	chrome.exe
Token: SeShutdownPrivilege	5888	chrome.exe
Token: SeCreatePagefilePrivilege	5888	chrome.exe
Token: SeShutdownPrivilege	5888	chrome.exe
Token: SeCreatePagefilePrivilege	5888	chrome.exe
Token: SeShutdownPrivilege	5888	chrome.exe
Token: SeCreatePagefilePrivilege	5888	chrome.exe
Token: SeShutdownPrivilege	5888	chrome.exe
Token: SeCreatePagefilePrivilege	5888	chrome.exe
Token: SeShutdownPrivilege	5888	chrome.exe
Token: SeCreatePagefilePrivilege	5888	chrome.exe
Token: SeShutdownPrivilege	5888	chrome.exe
Token: SeCreatePagefilePrivilege	5888	chrome.exe
Token: SeShutdownPrivilege	5888	chrome.exe
Token: SeCreatePagefilePrivilege	5888	chrome.exe
Token: SeShutdownPrivilege	5888	chrome.exe
Token: SeCreatePagefilePrivilege	5888	chrome.exe
Token: SeShutdownPrivilege	5888	chrome.exe
Token: SeCreatePagefilePrivilege	5888	chrome.exe
Token: SeShutdownPrivilege	5888	chrome.exe
Token: SeCreatePagefilePrivilege	5888	chrome.exe
Token: SeShutdownPrivilege	5888	chrome.exe
Token: SeCreatePagefilePrivilege	5888	chrome.exe
Token: SeShutdownPrivilege	5888	chrome.exe
Token: SeCreatePagefilePrivilege	5888	chrome.exe
Token: SeShutdownPrivilege	5888	chrome.exe
Token: SeCreatePagefilePrivilege	5888	chrome.exe
Token: SeShutdownPrivilege	5888	chrome.exe
Token: SeCreatePagefilePrivilege	5888	chrome.exe
Token: SeShutdownPrivilege	5888	chrome.exe
Token: SeCreatePagefilePrivilege	5888	chrome.exe
Token: SeShutdownPrivilege	5888	chrome.exe
Token: SeCreatePagefilePrivilege	5888	chrome.exe
Token: SeShutdownPrivilege	5888	chrome.exe
Token: SeCreatePagefilePrivilege	5888	chrome.exe
Token: SeDebugPrivilege	4300	RevengeRAT.exe
Token: SeDebugPrivilege	6096	RegSvcs.exe
Token: SeShutdownPrivilege	5888	chrome.exe
Token: SeCreatePagefilePrivilege	5888	chrome.exe
Token: SeShutdownPrivilege	5888	chrome.exe
Token: SeCreatePagefilePrivilege	5888	chrome.exe

Suspicious use of FindShellTrayWindow 42 IoCs

pid	Process
5888	chrome.exe
5888	chrome.exe
5888	chrome.exe
5888	chrome.exe
5888	chrome.exe
5888	chrome.exe
5888	chrome.exe
5888	chrome.exe
5888	chrome.exe
5888	chrome.exe
5888	chrome.exe
5888	chrome.exe
5888	chrome.exe
5888	chrome.exe
5888	chrome.exe
5888	chrome.exe
5888	chrome.exe
5888	chrome.exe
5888	chrome.exe
5888	chrome.exe
5888	chrome.exe
5888	chrome.exe
5888	chrome.exe
5888	chrome.exe
5888	chrome.exe
5888	chrome.exe
5888	chrome.exe
5888	chrome.exe
5888	chrome.exe
5888	chrome.exe
5888	chrome.exe
5888	chrome.exe
5888	chrome.exe
5888	chrome.exe
5888	chrome.exe
5888	chrome.exe
5888	chrome.exe
5888	chrome.exe
5888	chrome.exe
5888	chrome.exe
5888	chrome.exe
5888	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
5888	chrome.exe
5888	chrome.exe
5888	chrome.exe
5888	chrome.exe
5888	chrome.exe
5888	chrome.exe
5888	chrome.exe
5888	chrome.exe
5888	chrome.exe
5888	chrome.exe
5888	chrome.exe
5888	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2152	Petya.A.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5888 wrote to memory of 2792	5888	chrome.exe	82
PID 5888 wrote to memory of 2792	5888	chrome.exe	82
PID 5888 wrote to memory of 4912	5888	chrome.exe	83
PID 5888 wrote to memory of 4912	5888	chrome.exe	83
PID 5888 wrote to memory of 4912	5888	chrome.exe	83
PID 5888 wrote to memory of 4912	5888	chrome.exe	83
PID 5888 wrote to memory of 4912	5888	chrome.exe	83
PID 5888 wrote to memory of 4912	5888	chrome.exe	83
PID 5888 wrote to memory of 4912	5888	chrome.exe	83
PID 5888 wrote to memory of 4912	5888	chrome.exe	83
PID 5888 wrote to memory of 4912	5888	chrome.exe	83
PID 5888 wrote to memory of 4912	5888	chrome.exe	83
PID 5888 wrote to memory of 4912	5888	chrome.exe	83
PID 5888 wrote to memory of 4912	5888	chrome.exe	83
PID 5888 wrote to memory of 4912	5888	chrome.exe	83
PID 5888 wrote to memory of 4912	5888	chrome.exe	83
PID 5888 wrote to memory of 4912	5888	chrome.exe	83
PID 5888 wrote to memory of 4912	5888	chrome.exe	83
PID 5888 wrote to memory of 4912	5888	chrome.exe	83
PID 5888 wrote to memory of 4912	5888	chrome.exe	83
PID 5888 wrote to memory of 4912	5888	chrome.exe	83
PID 5888 wrote to memory of 4912	5888	chrome.exe	83
PID 5888 wrote to memory of 4912	5888	chrome.exe	83
PID 5888 wrote to memory of 4912	5888	chrome.exe	83
PID 5888 wrote to memory of 4912	5888	chrome.exe	83
PID 5888 wrote to memory of 4912	5888	chrome.exe	83
PID 5888 wrote to memory of 4912	5888	chrome.exe	83
PID 5888 wrote to memory of 4912	5888	chrome.exe	83
PID 5888 wrote to memory of 4912	5888	chrome.exe	83
PID 5888 wrote to memory of 4912	5888	chrome.exe	83
PID 5888 wrote to memory of 4912	5888	chrome.exe	83
PID 5888 wrote to memory of 4912	5888	chrome.exe	83
PID 5888 wrote to memory of 5048	5888	chrome.exe	84
PID 5888 wrote to memory of 5048	5888	chrome.exe	84
PID 5888 wrote to memory of 5008	5888	chrome.exe	85
PID 5888 wrote to memory of 5008	5888	chrome.exe	85
PID 5888 wrote to memory of 5008	5888	chrome.exe	85
PID 5888 wrote to memory of 5008	5888	chrome.exe	85
PID 5888 wrote to memory of 5008	5888	chrome.exe	85
PID 5888 wrote to memory of 5008	5888	chrome.exe	85
PID 5888 wrote to memory of 5008	5888	chrome.exe	85
PID 5888 wrote to memory of 5008	5888	chrome.exe	85
PID 5888 wrote to memory of 5008	5888	chrome.exe	85
PID 5888 wrote to memory of 5008	5888	chrome.exe	85
PID 5888 wrote to memory of 5008	5888	chrome.exe	85
PID 5888 wrote to memory of 5008	5888	chrome.exe	85
PID 5888 wrote to memory of 5008	5888	chrome.exe	85
PID 5888 wrote to memory of 5008	5888	chrome.exe	85
PID 5888 wrote to memory of 5008	5888	chrome.exe	85
PID 5888 wrote to memory of 5008	5888	chrome.exe	85
PID 5888 wrote to memory of 5008	5888	chrome.exe	85
PID 5888 wrote to memory of 5008	5888	chrome.exe	85
PID 5888 wrote to memory of 5008	5888	chrome.exe	85
PID 5888 wrote to memory of 5008	5888	chrome.exe	85
PID 5888 wrote to memory of 5008	5888	chrome.exe	85
PID 5888 wrote to memory of 5008	5888	chrome.exe	85
PID 5888 wrote to memory of 5008	5888	chrome.exe	85
PID 5888 wrote to memory of 5008	5888	chrome.exe	85
PID 5888 wrote to memory of 5008	5888	chrome.exe	85
PID 5888 wrote to memory of 5008	5888	chrome.exe	85
PID 5888 wrote to memory of 5008	5888	chrome.exe	85
PID 5888 wrote to memory of 5008	5888	chrome.exe	85
PID 5888 wrote to memory of 5008	5888	chrome.exe	85
PID 5888 wrote to memory of 5008	5888	chrome.exe	85

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Da2dalus/The-MALWARE-Repo
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd4643dcf8,0x7ffd4643dd04,0x7ffd4643dd10
  2⤵
  PID:2792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1948,i,1703575264193604249,14088552842163381171,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=1944 /prefetch:2
  2⤵
  PID:4912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=2200,i,1703575264193604249,14088552842163381171,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2196 /prefetch:11
  2⤵
  - Downloads MZ/PE file
  PID:5048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2348,i,1703575264193604249,14088552842163381171,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2504 /prefetch:13
  2⤵
  PID:5008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3172,i,1703575264193604249,14088552842163381171,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:3412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3180,i,1703575264193604249,14088552842163381171,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:3096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4140,i,1703575264193604249,14088552842163381171,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4236 /prefetch:9
  2⤵
  PID:3200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5164,i,1703575264193604249,14088552842163381171,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5172 /prefetch:14
  2⤵
  PID:5776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=5192,i,1703575264193604249,14088552842163381171,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5428 /prefetch:1
  2⤵
  PID:4160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5728,i,1703575264193604249,14088552842163381171,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5860 /prefetch:14
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:588
- C:\Users\Admin\Downloads\RevengeRAT.exe
  "C:\Users\Admin\Downloads\RevengeRAT.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:4300
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    - Drops startup file
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - NTFS ADS
    - Suspicious use of AdjustPrivilegeToken
    PID:6096
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4960
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\d6xulu8v.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4612
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES10A5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc931AB878B63F4610AAEC7146E7564E6F.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4476
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\b4o87pgz.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4512
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES10F3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc74416459A7BF430EA61A29FCAEFC1819.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4660
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rxxzqdxh.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3364
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1160.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc147B3AE7294F427AB2B26C67D6C34EE.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3284
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\b-0wqvrs.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4564
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES11CE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5DF9E4A6B18D4195A5BAD0FBA16314DA.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5768
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bfhurytw.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1044
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES122B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc87A96A1DC194DDE87C88EED55AA4B66.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4972
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\q0lxttfb.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5156
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1289.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5E89A930B0FA459594E0F2F957199970.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5968
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jgqmkzi8.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1828
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES12F6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDB5711C3EC0648CC9E3DD0685B7F3C90.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2332
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qz70gzma.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:6088
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1383.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE4BA5DE06D7747D38DD4DB8C5F6B7AF3.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5600
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:1216
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        5⤵
        Drops startup file
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        NTFS ADS
        
        PID:3948
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2668
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1912
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\f9urvn23.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4824
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD983.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB313611C9B0647B89D278B93C5A31E52.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4496
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uzwizozg.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5800
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDA2E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBBB18EBDB1CE46AEB43125C7A92A7585.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1748
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xlweaakr.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3628
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDABB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc32432A4E928E4AECADC5ADE49ADB4E.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5064
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\m0o3xz3z.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2772
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDB57.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1DCE571F825F442E9D70C8B4C7F3AB8F.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5092
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ltlfqja1.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2776
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDC03.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD9DA878A5C3746D584297DB95A2757BA.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4948
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gnuxvqff.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:6128
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDC80.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF2B13D883AE34D4DB966CDB0A8B932D4.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4884
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\66jy6045.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:964
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDCFD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCC826B67C5C5439FA013669E5F3EECA5.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5620
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7zzsl-am.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5972
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDD7A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6AB92B73BE9E430691DBCF2C8EC9A020.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5184
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_bygtdw9.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3880
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDDD8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7CAC78DDDD0142988B694D2FE8537489.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5156
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2xsbg0rf.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5940
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDE45.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2063C140446A4C4D912083C85F1FA8F8.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=212,i,1703575264193604249,14088552842163381171,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=6132 /prefetch:14
  2⤵
  PID:3512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6112,i,1703575264193604249,14088552842163381171,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=6044 /prefetch:14
  2⤵
  PID:3336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6120,i,1703575264193604249,14088552842163381171,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=6180 /prefetch:14
  2⤵
  PID:5632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4356,i,1703575264193604249,14088552842163381171,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4320 /prefetch:14
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:3892
- C:\Users\Admin\Downloads\Petya.A.exe
  "C:\Users\Admin\Downloads\Petya.A.exe"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2152

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:4512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
1⤵
PID:2328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin.exe

Filesize
7KB

MD5
fce9240cc60af23d6b402822d81f4611

SHA1
46c93e8adbaee7ce8789609cf66ea184ffb59496

SHA256
6cbdc56554bc5e48103a308c9c9e422313b2a9a1138b3f1a78f39116ee3af421

SHA512
2ee28960818deb803cb85c0c2a92dfc5dcfd7b310bccf9ffebc53528e1914b440425564c3d6472693cd369f92feb1c84820fc808c913382200d73d4023af0215

Download Submit
C:\Documents and Settings.exe

Filesize
8KB

MD5
c83f3d957de54e92da0e7ef291367ab2

SHA1
d3db3ab07970a6bcc3dcd2530af158c120c00aed

SHA256
8ce5339385a7fedd0a99da79d5409bef9fc2680c29461e3afa498db13aae9c28

SHA512
e76e07d6b266a1f399ba5c22f6b934cdda34fab7b6f5f86f421642b96fa328b4f224144451454889e89b2a3115e9365ae83eaf995d3547f3a297153b7d99b287

Download Submit
C:\PerfLogs.exe

Filesize
7KB

MD5
b8427123c0461c197c75a4f24a7dc75c

SHA1
847d151b8323233060e2682ebbb0ebce81a597c6

SHA256
86f35b3d56bb12cc94b67ea19847a7d13098c599fc09b4143a11faf6035cb86d

SHA512
7581b92e725c7ba386f16bc17110bb876f29ca0e8bcee202176dcbc1dfc449112a12513eabedee967f3f26dc5a680435e78ad8322ac376068b7b333b5704e0e6

Download Submit
C:\Program Files (x86).exe

Filesize
8KB

MD5
a84aa56d9415b09afc1ed9cd123833e4

SHA1
b13295ad08a4a8f9d0eabd5a3428fe3d0209bcd4

SHA256
ffe3016021c35ff7b2e1c264c95932b872d035995ece2eb4c1d1fa8291b85628

SHA512
381f4408a9c2845f2777f58ab908725207981a8588778e77bac962f7dc3f860e2105f8904fbc08a0dd0f708443cbd963d918d04e1667c214f416dbd28d77602e

Download Submit
C:\ProgramData\svchost\XjtnxDp.ico

Filesize
1KB

MD5
1e6c4b32205b72a32786ffcf143ffaed

SHA1
7a99df34d2d7d17e2e01272cd084fdae505bc8b0

SHA256
84a41ba1d0f60c4097dd6921ea73781140c40c14a1872d4aa1872046203e6872

SHA512
49ad851721e811be4b360819eaf55b5a1f572c536fcd86692c05533fa62e91efcf218ad60fa54ce5fc5bc476b04dae78c8ce59c22c7c1448980d430e288ab7f7

Download Submit
C:\Recovery.exe

Filesize
7KB

MD5
6409aca98604aa0dd337f0d2e46f351d

SHA1
c94f84813f20a89c2de101e9479417b9b2c50a9d

SHA256
38adcd8362defbc052fddfdfc055743b4fd28b8a0518ccd853c737e163a7766e

SHA512
dfb2c399b1f17bf2391bcc60e2ed05279c22b3747737b1a00aa9e62e2389e72bb8d9bfeafd7f0f4188858e0bdfc7e3b9c6d19e8493037ab132529ecca8b67c1e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
4659e36b72bdfdfbfc6a08448978c660

SHA1
453cb5707b181de4e0ea842e2578a10f46cab75c

SHA256
e97aef1187d561c69f751563abd07612003393d1d209540b356eeb364c3e1684

SHA512
6e6df5ba3698914a15676d14d19de476f839ff9bdc9405b717b9876d19b8c356167a555f51ea084085f314d9b82a3f80c3d05ac84b463ac74fd25d1a8a0b1837

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
3cdedddc5d83f916236da32f4ae3607f

SHA1
31d99cbc0309c928c6a0ca9d6faf43ab8eb41591

SHA256
e89c2e5bffe1471c3bfe390b23079c2e142449afc1bc146c4ede3f053c439f45

SHA512
67893ac732c2ff8731e35f6c1fadeae6dc4f137c3fd6f1412291253847ac61325266c08c4fcdfe776f0c7f5145949b5542c0cdffb054b08b0697e852992b229e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
fa790fdc1a5bdd33d7cdcf0710725a07

SHA1
f4b4b253f504a465bb5b642cc307fd7bd3489cab

SHA256
278a514093e0e484e8e4f5de8b425de8f55b909ea7e3bb544dc038cfb6122cc2

SHA512
d5b4f6272736321d2b2661edfdc55255c95db6b4bc0f500507d6b3ea4f39b0a840472dd076ca0717fc8c3417370b05fb3d39c04d332a7c4b137da516792510e5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
001b328e0e43a2ec0e141e20dcc8b36c

SHA1
9f4c94ff567b14a4a3bfac859d6844702b9f0d05

SHA256
b0da4c5922b0febaca87cd453ffea8d8e2df6a02c74bb03a690aa7e7d3104b64

SHA512
2f57cc41ac8f1bca4a8d793aaba676df8e6d5a2e6688b966e6ae6d1e2f04d8fb53156a5ed69bd888151c0fbfcba3ec112d48581241fcff940b67e207dc68f7f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
cfe366875e120065d31263b16accfd5f

SHA1
ccb02712ab07ab89fe4c117261d59e10fdcc90c6

SHA256
2bb8bd6b2cffad9bbdc94b930f1d368bb05d8b3d0aa563df9a7056298c37e62e

SHA512
77801a3cd582a7973c96edab9772722aa8d41add5503c1b667265c109035908c4a2b2d1e4b434a35149bc76beb03eae8c131f83243f7d11b7c3083a4b6bb98af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
e7720ecc22f6fe01cfa6e0bbaaab8e3a

SHA1
f9fc43aadb4a1cc5ddaf06281a1a9947e7b56569

SHA256
2e793e360ef9d2d3a7a635fd457c23e94d22b3f77b4d23bcfd754c3df5f87f82

SHA512
cefd7dc279ace5678f47a6bd2ee0d329dcf8ff331d3e3117a640dbdfb84eec56237a8d4f1881cb80867d506882b8de9c3db9ab6ffffb5772ee4ac1d0d656cb44

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
64c0b41cbd06ede3f27d1df28c7b41de

SHA1
b129af33b995bc2399ee734b038d3ab101b82ddf

SHA256
031e7af2ee0e6999121d309130ce0442c4eab9eb18dc4af4c43a63f73aea5fad

SHA512
36c4b4860879d498a8b703ad18a3aea7a63b8345cabf447d2f30428964a9842ddf584ddf4a924e13d175313a772d7de047b20f4454a9b6310c5e3c72e8d92f27

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
fb1dfa288852f3170ac203114f7c4778

SHA1
4d1884f8df821ad06e14dc1af460a6e86c85b30d

SHA256
c0b7213ba427738602dcb28c6187954b5d95b4649bb344f0eb28e7d4029ebd6a

SHA512
5d7c4c8fe18cc857e01ac2f2c66ed57425e3f292ae1bb614da4cc7cb65a319c77fa8ed8d6822ea3f5a947b94e3f59246e63fef0fb92071d2d21a8b5d0827fd83

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
46791dbc537d38d91ac85b79355c12e5

SHA1
b501744e4b1c7dc4849412f413d5ea07edc8e9dc

SHA256
50736b236599d7a14ebfbfe0f0b9daf4c0c5dde6048518e27c1a50bea8a34504

SHA512
5c611e327adce71b6dfd494c7f94137eb953cc225289fce8f24d087ffe4fa0f153a7ed40fe42f682f7268bb3eb27c146d2e32c670646022b7c90f195fc1bfb3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
2e124730b0bd4a670dfbc9398b98adf3

SHA1
dcc9c7b00dc54f722360f36bbf54b9545656b580

SHA256
68ea40b5f221354639b0f05f101948bb2e5ac4fe19635d877d7ff27a53591985

SHA512
e43b390e952a143ee6a475090e67a1e7c6c6d9745888aa4426b549c68085e46ff76d9a0969a2a39f98958b1cd255f341342a9c6e7c63ef289b2cbd75d54bd24b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
cd96af74e32bb25753b0976f6e2d548e

SHA1
133c7fbbe8c67ed20981b3959bc79896f4961ad5

SHA256
8e7ef22830cd640042977969bac695a5472989e806c55b96208d035113da0142

SHA512
18473f07dfe60baec6f4a706cc4e9cd8311bce417a4026bb99ccac678fe4e667ae5c3ccb2a1de74eeb88eef6e3d7553cdc4480c9a6bb057ea5c5cd027da0f1cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe578bb5.TMP

Filesize
48B

MD5
389457d3869c1d25b8685cadff64c5f9

SHA1
c4e185dac8325617e3b588c927d807867d9aa142

SHA256
9500631ae9dd8b447efb20c9201694be8319b388c49ed681b6fc471dfb423a6f

SHA512
a5918f529f9e47cb45b028eb28fad2d2926219d4e1db7cb6b32677b9e8c0824cbd2a8fce4313c87f48011fadf30a06ddbeb97a711de918f953a807bf35960ee1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
772e2bd573461a99a809dde44f5a72d0

SHA1
7968b27899059ddae329a22c54f3db92ff91c512

SHA256
5e8885f42dea4561dc01a31d66945b515fb1f7521bf88bceccfc76511b97c0be

SHA512
e0d121db16547e43fce880f17e3eb6f4a6b7ebcba71412391e803d435a30ebc80094fb86e668ec14fa296139644ee49be7915f21c53d79cef02361f2d3c2d507

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
5ca2e6db0c31cb6848058a3052ac00b0

SHA1
fddb7f8a397e640a27665fc531cf61a4c54f9cb2

SHA256
39b95f17548296a81b5a91dafd0702e8a2c8bdf08a89493dc3e51ab980cc111c

SHA512
f43f228af75be9f2063594706fac4025a32cd0a7740582b33e0959555da147cfd4336059b1d91d310b7b30adccde19d7bf67faf7aa863759a9835962ae85359d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
50c47b316ee8ee14849faa8917794742

SHA1
ca5c76e6f483af1eecf8a6ee1a384041981d9e10

SHA256
c68cbdcc2d7904a3470c0496ef159f44bc1f41ab477a076351b5c369830af98b

SHA512
ae6cc1d37a915fed4a98ecbde6924f323376754bebb20da2fb226337b8c629c5ab1568b2748a529a6a7deca0abd6f6f095e02a5613e8ebbd6eecc460cead851b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RegSvcs.exe.log

Filesize
120B

MD5
50dec1858e13f033e6dca3cbfad5e8de

SHA1
79ae1e9131b0faf215b499d2f7b4c595aa120925

SHA256
14a557e226e3ba8620bb3a70035e1e316f1e9fb5c9e8f74c07110ee90b8d8ae4

SHA512
1bd73338df685a5b57b0546e102ecfdee65800410d6f77845e50456ac70de72929088af19b59647f01cba7a5acfb399c52d9ef2402a9451366586862ef88e7bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES10A5.tmp

Filesize
2KB

MD5
eae592924d165254d6d22c1b3c71a818

SHA1
e1712dd4ecbf1ce07b237dcded7c96a508f2b1e7

SHA256
a20b49ace4f497430ab90b8c919ac19916407c61bf89728c8ccb9c9f15e160c9

SHA512
549a3c6991d3917e6397030e658f1410255f10fad305359a9dfd95c98f01b1112a8f3be5160ee1d9bc03b498553e79966dcaa5635c328f672d225cf9871aa865

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES10F3.tmp

Filesize
2KB

MD5
362590d6cb8103692381d8dcda7e43f1

SHA1
d181795d393d9822dbf60931c9bc7844d35cd9d5

SHA256
e7d0cb0dd62d11086ddf279019535552002c33be06aa714481cbd64c3d3afb7d

SHA512
f3536a6d0b3fc5bc3461771a7d2d66d0a63364c5eed6a81a0cbaebfda61d532037c91443173cdbb7c220ed0ed8f192e0f1ff16618567835d13bbfb8701073aa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1160.tmp

Filesize
2KB

MD5
1c661451295a43c26e93b62fb63aff33

SHA1
e6b2ea00f73fd56d076b2a80086220d97d1ffe1c

SHA256
19327c02077891e5a8a077a4fb893918d57b2224a6a8691f978388a377b15117

SHA512
62b293258b282a75051d9d516de45a5c7c5d2d1f13fd533b888ed7507a12321404b91df245adb46e199b90e1f7e350ee0feaff15f097884d35ea1045f07f16f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES11CE.tmp

Filesize
2KB

MD5
dd44392d129392d6f095cdca68701aae

SHA1
ac37be84fbc8ac9b9ed904081048f46224777b3b

SHA256
07e206c21662dbb6d4f060e6a84410964abc2652ca52848fb5458d7b8c8ce56e

SHA512
01a8b00f5e7afc31c4660a7d42f9173046a279fe4b1fbd2d895a103b308008cf90aeb9de62f82fdf2a5bba4479651f3cb5ed298218d8adc049e4e7c740e6bb81

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES122B.tmp

Filesize
2KB

MD5
e9561957cebc6ec159394361b11d2081

SHA1
b48b514661a1f19875b69cb889747e8e87036b7c

SHA256
1c680342ed87deec630c6aa89e85a62e983dae187c360084037734104ba764d6

SHA512
62c2364967710d1e9db410e99ec37faa7d345fddedcfff1aec7601f92e1c533788b757981f3d555fea0d8a46d1eaf5ab0f779d15f98e0f2072fad459d585112d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1289.tmp

Filesize
2KB

MD5
cd287a841171eb136502c7c2855c92aa

SHA1
298ce90342d3c224c4b184d9577a59e604595de3

SHA256
0d9d25a59c0a1d750b38c904604c31888c59210e3303e53081764106319a2e02

SHA512
2b3c4b69e61fbf947228e7239e79c2ac79c1dd1f886076c8fe88ba9bba139b9b63491f314896176e805b856511ab2c0d474e1495c11423eee5033eadd9963dbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES12F6.tmp

Filesize
2KB

MD5
48aee95b72cf8c3dfb308e4c1dd67744

SHA1
e1a2f9023b93c9072473320008f10c234f81a6cc

SHA256
c45b42db5664db0bc2aebe24c551c0f09270bf4ec0a4f01e033b9122accca28d

SHA512
ed2a213669a2c6be6c1e4792a911a124ba1ded83fdb691789cae536dc418e9cf786d792cef3bc219ec04da6d486fdc8fb00baa78d3703941cf6c4d3c4abaef4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1383.tmp

Filesize
2KB

MD5
6bd009e60f016c6f86a65d4de7962e3d

SHA1
c9142f95deb46a4ef89718670b600e0a3880ce32

SHA256
aecdedab21a860943f4bcc0cbab9babe8597599c475544e94c1cabd9461e334a

SHA512
b63e8b6a17cf40380046a77dad2abf602d12391641946f391053b1719f9989109d098879a0e021ca3b3bd455108d464151cbf188109c660777858a37991ac14c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD983.tmp

Filesize
1KB

MD5
964f1ba1d7d92ef396e3ab164a095bbb

SHA1
83ac3fb351268c8777ca4a66455eea697c1ca3da

SHA256
6487bfee5f8044cf163cc5307ffd12df1e86426aaf5af427f66930d720c0bc57

SHA512
54669d4de58730ffb36ae53036f3a57f27f51d3a189d8f5b80a0f5ac75a73d3ef41c7701d08232d75845f63dbccad22a72929edef82c7244918026b5bcffeff1

Download Submit
C:\Users\Admin\AppData\Local\Temp\b-0wqvrs.0.vb

Filesize
352B

MD5
1830e137566529844ec4176432dbbabd

SHA1
34e0949bb3b0258f4b70cf50a1d78e124e0c62d9

SHA256
57f9e5ea5a7f49bdabb9bc2d1b36588e6a9a004e083a3a70c753cef82d032fcf

SHA512
63080864b35571e333f276865b639f8af805e1d5f6077b899db55b6bcf0f8026027989350d5051523c5cb58c4358a3ce5d7c26e990b08403cca223e41ace8468

Download Submit
C:\Users\Admin\AppData\Local\Temp\b-0wqvrs.cmdline

Filesize
208B

MD5
5ad244b9270856dca644dc93818a77f6

SHA1
3b0bd644aa984b4b98e47c30657e819e0b8cb1f5

SHA256
7b06772331616e2ed1f3cfae2d7250bb0915a172922819d8b6cafb6ceb3f427d

SHA512
f3f1fdf20d02dfa7fe011e85f62607b587b9526f07ea065f9c684e1f402b6c65e7f6b95cb657fcb3a31f76755262a3a376ef566f7d4b482bebf6ff0da2aef9b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\b4o87pgz.0.vb

Filesize
360B

MD5
a4b323723a454569f29732da2dc47030

SHA1
159ea474d85420bc1023b920b2284847199fc688

SHA256
1bad328f5447371ae4b3fe3ac5555ec5f61ff11c89eebf7ca23b399fd843a41f

SHA512
a5c28053d312ebfc1fe27cd0a33c8eb8825f0f61101240d78bb53bf1bc67a878f8b5b4fd912525e86fe1068b14439ad11db598dc99533dff6ac13d053292662a

Download Submit
C:\Users\Admin\AppData\Local\Temp\b4o87pgz.cmdline

Filesize
216B

MD5
e147ee2cbee04e98c91f7aac7e816f4f

SHA1
3651627f220b6a858b21af584f4f6ad45a339d31

SHA256
af0375b01c8c0195f95d5d0779564c84a40e6ece9d4409c54ef4cd5571d063de

SHA512
9aa201978a68a89f8464939a42b82d596a3a34b53cf98fe263b8fc7acd7ce74131c8775bb539797ecdea781b448d783cd7073a5d2d1deb9ed85d915f3d9d1090

Download Submit
C:\Users\Admin\AppData\Local\Temp\bfhurytw.0.vb

Filesize
338B

MD5
7a354b496b9b397ebb14057eafede32f

SHA1
8970ca3895ca9472366e4fecc1f1d79ac1da78b8

SHA256
c12764cfd58a8df36d22008411f5054ab82256473817260f1d55069f04a083f8

SHA512
ccd8ebaf49e1d94610ac85571a5f3eec92eecb4e07f2138804dc4caf49137d03b30d69540c1a9ece6455539423b906a6c3c477b8496e93fbfce8c815836da5f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\bfhurytw.cmdline

Filesize
194B

MD5
abbab13f9cd02d6baa3d2564022c2bbe

SHA1
66108cc88707d767c3fb74a728bd74ef48f62064

SHA256
e77ffc65355133f250d134fdf93472be74e7ac392851b314a02e40e3134f7712

SHA512
76a32afcad719b0128f3554a91f1d6f53f5e9916e6fcc0ee7bbede72c5f0cd551962fb780bb11be0f377783caba10217214721aaa4b4d51f93a2526e6e142c86

Download Submit
C:\Users\Admin\AppData\Local\Temp\d6xulu8v.0.vb

Filesize
342B

MD5
eb057b2b26beedef7d931bf659fb6f18

SHA1
3136c99b96686db9ded50aa19b55155c752551d5

SHA256
3066d848e6fa1f1a5041286509fe0319b7e5cf96941f2f3914af9873aaeeb414

SHA512
6d40f52117023ea3171c49cb544c13b703c220a49b7f251d9d4d14332ef637d14ca28e425e723d0906ef31ae77335e38a9e7ced009cde90645b31dde4cea8f32

Download Submit
C:\Users\Admin\AppData\Local\Temp\d6xulu8v.cmdline

Filesize
198B

MD5
a4285462f5af5a3592d4f0ac991592f1

SHA1
c6ff846b6ac3094e581eaddff3ddb7d18d153c75

SHA256
0a3eefd6d33812fdb823cdfbbb0cc2ac6adc5b567035ff2427be75eb72f8638d

SHA512
7f236e670c9874669f11f681d79f7be7c0d9ad6036df1f70134a404b3fd2f1657fb662ba5216b10c4fdc0679cd99b15f5d236803524bca45349cd620eb6dd804

Download Submit
C:\Users\Admin\AppData\Local\Temp\f9urvn23.0.vb

Filesize
265B

MD5
61d2dde4b46edcabeaa9a64f5666a648

SHA1
bcde23b9c97af1ef107d00fe5040a6987cd09443

SHA256
75ea06634452131433c11c1dc3852137093d037ff662e12a2cfede5644579629

SHA512
b5212b642ad7b56cb4c99c62a020159ef121a25fcedc99a1326941a29556e23d4908a32fceb1f3be88d2991264c9b360e6aeae07fb63804f7ef0c8aa04a5a321

Download Submit
C:\Users\Admin\AppData\Local\Temp\f9urvn23.cmdline

Filesize
156B

MD5
827b4cebcf032cd9d4692b01e0611f5f

SHA1
a64763f04e927b4db9a0737403ee25fb3dbe8330

SHA256
93efd60057f7148f46affbde1d5d67e2953e86b4d1ae1ab980a35acc168a5a0e

SHA512
2ae4a0d7bda96926ee9311659b364e49aff551bebbcabc0b79d6b861ec08f397859b8d00e435328abc349aae3fc43378f7d4eba55d1c3449ed363e6485751cbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\jgqmkzi8.0.vb

Filesize
338B

MD5
2de37b6c25304214817c88f9ec6e9847

SHA1
74f77a317b1f9822d11094eb3fe1c71797bb878a

SHA256
a4f127dbaa96ba729d5e754624b76625e5ad68908185b2e1ffaf5c935ba7ce7a

SHA512
a8cd8899cd8498598b992c158bb01850888d86c50fdf754f2223ee27613eda3e9a29aa7530ff60b7156da5d4ab030482aba59413cb5a842e8122c8df679bb954

Download Submit
C:\Users\Admin\AppData\Local\Temp\jgqmkzi8.cmdline

Filesize
194B

MD5
05b660cb58a213464be43d47928e7cd9

SHA1
90e824364540ba86f816feab5636a427fd9e98bc

SHA256
6081911d107dfb33f2d7bb178168257a75cc74478cc1668124a12719c175684c

SHA512
6e30483208fad20a316dac097123583e6ac86b7e6e61106d91187c7f4a80e3a78da5daf7922bf470e222224d0cb09b220c26d02a6f19933f3c6318056325eba7

Download Submit
C:\Users\Admin\AppData\Local\Temp\q0lxttfb.0.vb

Filesize
349B

MD5
a983e17fe05ca4e0cb4b37cd05d31792

SHA1
cc91ff79215a350a6a1f2bb4f039d894198e8421

SHA256
76bd2ec98b0d41223725675ce1c055c6f926198151d1fdbe94198ceac68f3eef

SHA512
37400beb6ea1f6c93b7e74124db9a26c6f8ee21d60e4830100aeeba40c7f983d16031ef0e0001935ff3cf0f3392abcf2b88da8476a3ee1c73671abfd3df79ab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\q0lxttfb.cmdline

Filesize
205B

MD5
7ec97aea6084e72b3714e66b57d0bf6d

SHA1
99f94e36b58f1c8c1a095ede0d4e15272154166d

SHA256
a501c455a2729316ecf4237afda94193c93519b61d69670012a778dd7d85495a

SHA512
631a4688b161677c02ef1e51f2344667888805c3f4e1d4e2ff1dd2ce280bc04a4728322ff111f2ae9187428b82021233d47d131f72f601d6db2fcd423d96ee15

Download Submit
C:\Users\Admin\AppData\Local\Temp\qz70gzma.0.vb

Filesize
342B

MD5
b8566f5519856f80dec85a1a2729e372

SHA1
ae442bcd0c97fed28f38b2ae224a93bfdf14dd13

SHA256
ec9f3959285c7493041f7cd7008620ba10b6685d670b21a2c31173fe9b215cde

SHA512
3da5378a33b77fae8cab09d72ec4c940e20bb8d736b7a4b91ee45211270719c12afaca3bac39683919e1cd76e80c310fb179a800592807495eac5a6350777d67

Download Submit
C:\Users\Admin\AppData\Local\Temp\qz70gzma.cmdline

Filesize
198B

MD5
a0a603c9c641d925ff295d837c4d777d

SHA1
236402b5424cc346ca2e8ffb6407ef1a01782533

SHA256
d546c54aa2216d1aa63b4b74b783e8d5c7a2111474061aa58c2bb80068f63762

SHA512
9815f96c68899be04828a77b83eb40f2b558f9bb2c6041349da3efd1ec76f62af183bf8fb3a7f94872c461cf82c24727bc4aadc9a5a43bba90d88bb819ef7773

Download Submit
C:\Users\Admin\AppData\Local\Temp\rxxzqdxh.0.vb

Filesize
350B

MD5
879086e881e63b2a6885e7fc38386f83

SHA1
56c736074c0117021aacd3987bbfa2c198037691

SHA256
ea8d788634c512ac025122216afbb69c6a6d20d80990d8c103756360be167f95

SHA512
a742240e5e8f66c8205fc37b26d2b8fc16b4ff4dcfa5da9f8ab133c820a3aaa3ab2d94439467e086a70078670cc31de9fc2611587cc2c7b340deef5b33ba7003

Download Submit
C:\Users\Admin\AppData\Local\Temp\rxxzqdxh.cmdline

Filesize
206B

MD5
8d02b9181f55bd98ed23b094c6a721ce

SHA1
13c1a538f678a068d35f79bf56ed265a6c227763

SHA256
08d82cefa321feb1721a842dd58f02225bf9d162ea5562b4b8b6b05f9e9a5477

SHA512
0a6e9f3e9a30a48ba57728b4dc86240e3c8262dbc4841c3898c34cb70b0e0ebccdac5f0538a4f2d9450fa00c70e8cc41244b7d1d2252e08b49fd59ca121f367f

Download Submit
C:\Users\Admin\AppData\Local\Temp\uRClgZblR.txt

Filesize
39B

MD5
502984a8e7a0925ac8f79ef407382140

SHA1
0e047aa443d2101eb33ac4742720cb528d9d9dba

SHA256
d25b36f2f4f5ec765a39b82f9084a9bde7eb53ac12a001e7f02df9397b83446c

SHA512
6c721b4ae08538c7ec29979da81bc433c59d6d781e0ce68174e2d0ca1abf4dbc1c353510ce65639697380ccd637b9315662d1f686fea634b7e52621590bfef17

Download Submit
C:\Users\Admin\AppData\Local\Temp\uRClgZblR.txt

Filesize
88B

MD5
afcdb79d339b5b838d1540bf0d93bfa6

SHA1
4864a2453754e2516850e0431de8cade3e096e43

SHA256
3628cee0bef5a5dd39f2057b69fbf2206c4c4a320ea2b1ef687510d7aa648d95

SHA512
38e7e92f913822cc023e220035ada6944ffbc427023687938fe5cbb7a486abad94808239f63577c195afb520fe1a1a1b14e1050c0c03c7d324ddbf7cffdc304c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc147B3AE7294F427AB2B26C67D6C34EE.TMP

Filesize
1KB

MD5
6c144e454bfd8950e9644df085a48198

SHA1
80cf06d740dfd9b3e4bfa8d1cd72709df73e872d

SHA256
38d1c32086c78072a6700bdde58e9a602c99ad2ca23d6baf957514ec3531a556

SHA512
d7d0bfb59688fd90947ced3e55c9bf17cc8d510f3719ba449aaaf3d2acc4556b3de3849a449b08e7b0b66399d0ef98c346c5c5df897cf842e1eaa7dadf7ed803

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc32432A4E928E4AECADC5ADE49ADB4E.TMP

Filesize
668B

MD5
3906bddee0286f09007add3cffcaa5d5

SHA1
0e7ec4da19db060ab3c90b19070d39699561aae2

SHA256
0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00

SHA512
0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5DF9E4A6B18D4195A5BAD0FBA16314DA.TMP

Filesize
1KB

MD5
12056ad3066679f5dbd325572fbe2a99

SHA1
53cecfb6b3b612284b4d8b8a9395280d385e6f99

SHA256
a2ceb54f07787150f648d3601443b878113c917b30de88206823c2b1ca36652b

SHA512
f8fbf63c5646ebe7329e33138468fb2459d96cdd8415ed136870c84d6a3ac03e0f2353f359788748b6310b36d097bd4e5bdf4a0843336bce34fb3c2428cfb88a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5E89A930B0FA459594E0F2F957199970.TMP

Filesize
1KB

MD5
94452bd6f8ec255ee5d68bbdcc877e3a

SHA1
a68eb46669df01936ec5b031c8c08f2afa86b91e

SHA256
011c2444d4b8696252fc3f26234ae1d3550324d1edc810f555c05b2997f37544

SHA512
1639308f3ccdd3f70834b451d09cc62257618ee4ae3c92ad9c992a06280880360b4b7e6ba4069e72e4847f3b6d26db97272a30236bba0be99770dadca4f8d2d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc74416459A7BF430EA61A29FCAEFC1819.TMP

Filesize
1KB

MD5
2936b8645c1bbad66755c6c8ebeb538a

SHA1
ff38c04c03f9342cc519c8571ab161289fe7d734

SHA256
197ba7ded8d6748e750373161cc5964eb46cb37939c26969e8f46bdeb7d45b93

SHA512
7ba16e7708f0698737ae24054e41b3370081f50350b482e4d8f2d3a81f2a0ea96b85f28ec804df566ab537bbcf4485bb0ad8890e53e2788d44a78ea5990827fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc87A96A1DC194DDE87C88EED55AA4B66.TMP

Filesize
1KB

MD5
4a2eacccdb01b01b117216dcde15c8fc

SHA1
b72d017bfd2f6123889b336a4f8c9009efe8dd76

SHA256
54f012b070c3cdf483219dc21fd51fe898a47b23d1fd4a708a071f7eba3d6584

SHA512
520941eafb92ec62ccfb3d1b87222bbaae2b044fb6f89732b2735175f6d12ecbfad111ccf1ad9cbf639925716553129617bebce772c678d70a94dee5ef23acc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc931AB878B63F4610AAEC7146E7564E6F.TMP

Filesize
1KB

MD5
6afd9b01508c9c69a0de03535ad5f530

SHA1
d727f0baf6278a5bfff339fc5b8a8ea9511f42b5

SHA256
6a3c72a45799088fb441484696436b87e6b923ec1a403cbbc2d6cf0273cc9c23

SHA512
0308b417648e44b59bbf1de84c36368d11490faa87f64557dd26189217427e4c73254f96d88ec30430112f70a8e2f3dd346ffe36fcb2d34c529e839d9264fc2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB313611C9B0647B89D278B93C5A31E52.TMP

Filesize
644B

MD5
dac60af34e6b37e2ce48ac2551aee4e7

SHA1
968c21d77c1f80b3e962d928c35893dbc8f12c09

SHA256
2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6

SHA512
1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD9DA878A5C3746D584297DB95A2757BA.TMP

Filesize
676B

MD5
85c61c03055878407f9433e0cc278eb7

SHA1
15a60f1519aefb81cb63c5993400dd7d31b1202f

SHA256
f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b

SHA512
7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcDB5711C3EC0648CC9E3DD0685B7F3C90.TMP

Filesize
1KB

MD5
47ff0e089fa27d610e0b6d32697d66f7

SHA1
aa8f8566d7180d52cabd7dc37437b9a5f093e75c

SHA256
fc0f73bfdc1e71a2f4fba2090d060068333eb23f9fa70fa91591dc688d3b2a26

SHA512
74ceb9114158289ee1ad6fa31f16ebfacf24909976b5750c653446427cdf1d8cc3d88643c39b8b4082e354f86e721f6130e3d675c3cf2f69a57c5725736b22d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE4BA5DE06D7747D38DD4DB8C5F6B7AF3.TMP

Filesize
1KB

MD5
7916feed8bc0e43442862a106b433455

SHA1
7db8350ae1f95109c9ff8facb238fa8cb38e7401

SHA256
e8ed1405f1038ad617655fb2b09b418fe425aa2a3592e8335afabdcad567f6ee

SHA512
b77715558077c168c6208eb608ccaaa8755e5446e406a0032dc3ec5378fa9a067ffeaa99ab80a3d315a9699d323579b411d788044823611517db5c46f2594bb0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\Petya.A.exe

Filesize
225KB

MD5
af2379cc4d607a45ac44d62135fb7015

SHA1
39b6d40906c7f7f080e6befa93324dddadcbd9fa

SHA256
26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739

SHA512
69899c47d0b15f92980f79517384e83373242e045ca696c6e8f930ff6454219bf609e0d84c2f91d25dfd5ef3c28c9e099c4a3a918206e957be806a1c2e0d3e99

Download Submit
C:\Users\Admin\Downloads\RevengeRAT.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 992054.crdownload

Filesize
4.0MB

MD5
1d9045870dbd31e2e399a4e8ecd9302f

SHA1
7857c1ebfd1b37756d106027ed03121d8e7887cf

SHA256
9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885

SHA512
9419ed0a1c5e43f48a3534e36be9b2b03738e017c327e13586601381a8342c4c9b09aa9b89f80414d0d458284d2d17f48d27934a6b2d6d49450d045f49c10909

Download Submit
C:\a6d8f8ee11047c07948a66e22b9920.exe

Filesize
8KB

MD5
44798fe12238dde0384f694a752d71d0

SHA1
7c9a435e822e3288295b04c70761fab8e6ac082e

SHA256
68a96e575b080f8656e97d70c0dc591544817b23b62ec3735713d7eb8378131d

SHA512
fd783d7858d6962ef580d286b536fb4ffc8b1a26dd2502f6af6e0091810a0ed44de55274cd24a16381c98f0493ecb45b5e95545597b414a082bbd785a23b8743

Download Submit
C:\b98faef33da7484fae2c.exe

Filesize
8KB

MD5
25bff5fbc1f87da0d55de4afab6ee7aa

SHA1
8ccb36d9074c44d37e663150287f4d9839481a5f

SHA256
e193e722f7c22c63bc999b307901a46e9a769909a068a57626d9e37a45247fee

SHA512
4144a801fa26038ec7654908c5270b697ead9e5602898dd094ba595ebefc7dbefa5e8bf37fe6d7aa6aead7aa6f1a645747353b9e48323e47d1a30ac3d7e430be

Download Submit
F:\$RECYCLE.BIN.exe

Filesize
7KB

MD5
a325a09b559d2c7c816ac43edba4caa1

SHA1
e73bdbd514a1ea842f429892f35e7d8212169327

SHA256
4be32e5312fab0ba6ceb2d6117c2163c5a322cca4cdfd8695e9e210bc77ea3d7

SHA512
a461075af81385ae9fd922e6a8a864bcba0b441de5741df0c290596dd57851ce97253b7f68e6b3b329487fafe886e86d73b66dd3ccf819c5866ddf92657eae96

Download Submit
memory/4300-593-0x000000001BBD0000-0x000000001BC76000-memory.dmp

Filesize
664KB

Download
memory/4300-597-0x00007FFD22480000-0x00007FFD22E21000-memory.dmp

Filesize
9.6MB

Download
memory/4300-594-0x000000001BCF0000-0x000000001BD52000-memory.dmp

Filesize
392KB

Download
memory/4300-592-0x000000001B700000-0x000000001BBCE000-memory.dmp

Filesize
4.8MB

Download
memory/4300-591-0x00007FFD22480000-0x00007FFD22E21000-memory.dmp

Filesize
9.6MB

Download
memory/4300-590-0x00007FFD22735000-0x00007FFD22736000-memory.dmp

Filesize
4KB

Download
memory/4300-598-0x00007FFD22480000-0x00007FFD22E21000-memory.dmp

Filesize
9.6MB

Download
memory/4960-600-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/6096-798-0x0000000074560000-0x0000000074B11000-memory.dmp

Filesize
5.7MB

Download
memory/6096-596-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/6096-599-0x0000000074561000-0x0000000074562000-memory.dmp

Filesize
4KB

Download
memory/6096-620-0x0000000074560000-0x0000000074B11000-memory.dmp

Filesize
5.7MB

Download
memory/6096-603-0x0000000074560000-0x0000000074B11000-memory.dmp

Filesize
5.7MB

Download
memory/6096-602-0x0000000074560000-0x0000000074B11000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads