a8792f56e1551e5d640be438830297e1e8a2503201e8b41062d4e2ba99131fd9

General

Target

rkill.exe
Size

1.7MB
MD5

6d622dcc87edc9a7b10d35372ade816b
SHA1

47d98825b03c507b85dec02a2297e03ebc925f30
SHA256

d4ac5b3c525a5fd94019d80ff81b552e73b19b1bd0a554b9609cdd5e1b00955a
SHA512

ed06f872a7c66ffeeb8cb8f6fedca06ccabf623f9cd188c4c7105428e8d6521ef8da0bac0564e14d2da914d2846369a9c04577a8cf7fb80cb62831e5497f2a58
SSDEEP

49152:KpEsgw14kZV2HXsMnmjEREseBSsxHnfXsrHYi2Yijig:0wYJYW

Score

8^/10

discovery persistence

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

rkill64.exe

description ioc process

File opened for modification C:\Windows\System32\drivers\etc\hosts rkill64.exe
Executes dropped EXE 1 IoCs

Processes:

rkill64.exe

pid process

2708 rkill64.exe
Loads dropped DLL 3 IoCs

Processes:

rkill.exe

pid process

2664 rkill.exe
1196
1196

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	rkill64.exe

pid	process
2708	rkill64.exe

pid	process
2664	rkill.exe
1196
1196

Modifies system executable filetype association 2 TTPs 64 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

rkill64.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\ = "@shell32.dll,-50944"	rkill64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\PropertySheetHandlers\ShimLayer Property Page	rkill64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\DefaultIcon\ = "%SystemRoot%\\System32\\shell32.dll,2"	rkill64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\shell\runasuser	rkill64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\batfile\DefaultIcon	rkill64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\Extended	rkill64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\ContextMenuHandlers\Compatibility\ = "{1d27f844-3a1f-4410-85ac-14651078412d}"	rkill64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\FriendlyTypeName = "@%SystemRoot%\\System32\\shell32.dll,-8464"	rkill64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex	rkill64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-68"	rkill64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\shellex\PropertySheetHandlers\ShimLayer Property Page	rkill64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\batfile\shellex\ContextMenuHandlers	rkill64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\PropertySheetHandlers	rkill64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\shell\runasuser\command	rkill64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\Extended	rkill64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\command\DelegateExecute = "{ea72d00e-4960-42fa-ba92-7792a7944c1d}"	rkill64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\EditFlags = "0"	rkill64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "%1"	rkill64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\batfile\shell\edit\command	rkill64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\EditFlags = 00000000	rkill64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\batfile\shell\print\command	rkill64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\Compatibility\ = "{1d27f844-3a1f-4410-85ac-14651078412d}"	rkill64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\ShimLayer Property Page	rkill64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\shell\runas\command	rkill64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\SuppressionPolicyEx = "{F211AA05-D4DF-4370-A2A0-9F19C09756A7}"	rkill64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\comfile\DefaultIcon	rkill64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\ = "Compatibility"	rkill64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\shellex\ContextMenuHandlers\Compatibility	rkill64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\SuppressionPolicyEx = "{F211AA05-D4DF-4370-A2A0-9F19C09756A7}"	rkill64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\batfile\shell\runasuser\command	rkill64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\DefaultIcon	rkill64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\command\DelegateExecute = "{ea72d00e-4960-42fa-ba92-7792a7944c1d}"	rkill64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\batfile\shellex\DropHandler	rkill64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\ = "MS-DOS Application"	rkill64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\HasLUAShield	rkill64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\{8895b1c6-b41f-4c1c-a562-0d564250836f}\ = "{1531d583-8375-4d3f-b5fb-d23bbd169f22}"	rkill64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\comfile\shell\open	rkill64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shellex\DropHandler\ = "{86C86720-42A0-1069-A2E8-08002B30309D}"	rkill64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "Application"	rkill64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\EditFlags = 38070000	rkill64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\comfile\shell\open\command	rkill64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\batfile\shellex\PropertySheetHandlers\ShimLayer Property Page	rkill64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\comfile\shellex\DropHandler	rkill64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\shell\open	rkill64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\DropHandler\ = "{86C86720-42A0-1069-A2E8-08002B30309D}"	rkill64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\batfile\shellex\ContextMenuHandlers\Compatibility	rkill64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\EditFlags = 00000000	rkill64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\batfile\shell\runas\command	rkill64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\batfile\shell\runas	rkill64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\FriendlyTypeName = "@%SystemRoot%\\System32\\shell32.dll,-10156"	rkill64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\ = "@shell32.dll,-50944"	rkill64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\EditFlags = 30000000	rkill64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command	rkill64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex	rkill64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers	rkill64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\EditFlags = 30040000	rkill64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\batfile\shell\open	rkill64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas\HasLUAShield	rkill64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\batfile\shellex\{8895b1c6-b41f-4c1c-a562-0d564250836f}	rkill64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\ContextMenuHandlers\ = "Compatibility"	rkill64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\shell\runas	rkill64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\shellex\ContextMenuHandlers	rkill64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\DropHandler\ = "{86C86720-42A0-1069-A2E8-08002B30309D}"	rkill64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\FriendlyTypeName = "@%SystemRoot%\\System32\\acppage.dll,-6002"	rkill64.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

rkill.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rkill.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rkill.exe

Modifies registry class 64 IoCs

Processes:

rkill64.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ = "Windows Batch File"	rkill64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\ContextMenuHandlers\ = "Compatibility"	rkill64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\batfile\shellex\PropertySheetHandlers\ShimLayer Property Page	rkill64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\shell\runasuser\command	rkill64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\shellex\DropHandler	rkill64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\DropHandler\ = "{86C86720-42A0-1069-A2E8-08002B30309D}"	rkill64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers	rkill64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.bat	rkill64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "Application"	rkill64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "%1"	rkill64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\shell\runas	rkill64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-68"	rkill64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\batfile\shell\runas	rkill64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\{8895b1c6-b41f-4c1c-a562-0d564250836f}\ = "{1531d583-8375-4d3f-b5fb-d23bbd169f22}"	rkill64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\SuppressionPolicyEx = "{F211AA05-D4DF-4370-A2A0-9F19C09756A7}"	rkill64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\ = "Compatibility"	rkill64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\batfile\DefaultIcon	rkill64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\batfile	rkill64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\batfile\shell\runas\command	rkill64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\DefaultIcon	rkill64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\shellex\PropertySheetHandlers\ShimLayer Property Page	rkill64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\PersistentHandler\ = "{5e941d80-bf96-11cd-b579-08002b30bfeb}"	rkill64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\batfile\shellex\ContextMenuHandlers	rkill64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.com\PersistentHandler\ = "{098f2470-bae0-11cd-b579-08002b30bfeb}"	rkill64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.exe	rkill64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\ = "@shell32.dll,-50944"	rkill64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\EditFlags = 00000000	rkill64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.com	rkill64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.com\PersistentHandler\	rkill64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\comfile\shell\open	rkill64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\shell\open	rkill64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\batfile\shell\open	rkill64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\command\DelegateExecute = "{ea72d00e-4960-42fa-ba92-7792a7944c1d}"	rkill64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas\HasLUAShield	rkill64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\batfile\shell\runasuser\command	rkill64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\ = "@shell32.dll,-50944"	rkill64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\SuppressionPolicyEx = "{F211AA05-D4DF-4370-A2A0-9F19C09756A7}"	rkill64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\ContextMenuHandlers\Compatibility\ = "{1d27f844-3a1f-4410-85ac-14651078412d}"	rkill64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\Content Type = "application/x-msdownload"	rkill64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\exefile	rkill64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\EditFlags = 30040000	rkill64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\PropertySheetHandlers	rkill64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\DefaultIcon\ = "%SystemRoot%\\System32\\shell32.dll,2"	rkill64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\shellex\ContextMenuHandlers	rkill64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\batfile\shell\edit\command	rkill64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shellex\DropHandler\ = "{86C86720-42A0-1069-A2E8-08002B30309D}"	rkill64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\EditFlags = 00000000	rkill64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\comfile\shell\open\command	rkill64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex	rkill64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\batfile\shellex\ContextMenuHandlers\Compatibility	rkill64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile	rkill64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\HasLUAShield	rkill64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\shell\runas\command	rkill64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\batfile\shell\open\command	rkill64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.bat\PersistentHandler\	rkill64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.exe\PersistentHandler	rkill64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\command\DelegateExecute = "{ea72d00e-4960-42fa-ba92-7792a7944c1d}"	rkill64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command	rkill64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\shellex\ContextMenuHandlers\Compatibility	rkill64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\PropertySheetHandlers\ShimLayer Property Page	rkill64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\batfile\shell\runasuser	rkill64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\batfile\shellex\{8895b1c6-b41f-4c1c-a562-0d564250836f}	rkill64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\ = "MS-DOS Application"	rkill64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\EditFlags = 30000000	rkill64.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

Notepad.exe

pid process

1412 Notepad.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rkill64.exe

pid process

2708 rkill64.exe
2708 rkill64.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

rkill.exerkill64.exe

description pid process

Token: SeDebugPrivilege 2664 rkill.exe
Token: SeDebugPrivilege 2708 rkill64.exe

pid	process
1412	Notepad.exe

pid	process
2708	rkill64.exe
2708	rkill64.exe

description	pid	process
Token: SeDebugPrivilege	2664	rkill.exe
Token: SeDebugPrivilege	2708	rkill64.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rkill.exerkill64.exe

description	pid	process	target process
PID 2664 wrote to memory of 2708	2664	rkill.exe	rkill64.exe
PID 2664 wrote to memory of 2708	2664	rkill.exe	rkill64.exe
PID 2664 wrote to memory of 2708	2664	rkill.exe	rkill64.exe
PID 2664 wrote to memory of 2708	2664	rkill.exe	rkill64.exe
PID 2708 wrote to memory of 1412	2708	rkill64.exe	Notepad.exe
PID 2708 wrote to memory of 1412	2708	rkill64.exe	Notepad.exe
PID 2708 wrote to memory of 1412	2708	rkill64.exe	Notepad.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\rkill.exe
"C:\Users\Admin\AppData\Local\Temp\rkill.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Users\Admin\AppData\Local\Temp\rkill64.exe
  C:\Users\Admin\AppData\Local\Temp\rkill.exe
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Windows\System32\Notepad.exe
    Notepad.exe C:\Users\Admin\Desktop\Rkill.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:1412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Privilege Escalation

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\Rkill.txt

Filesize
3KB

MD5
e7a05f4a5d20d6e66813ac8afcce9ce4

SHA1
56e325e9276e6a995040fcb367a193099658722d

SHA256
070e3fae740f87379d86584746cd68b88c8f974409783df108089a596ccbbccc

SHA512
fa9493c27274b7510d9ec50b0223fcf394e5c83ac109c565feba9efb1101ba50dcdef7e693e545823eec3742bbf41a20ba9942adb86c431fc00aaba4654186a7

Download Submit
C:\Users\Admin\Desktop\Rkill.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\Users\Admin\AppData\Local\Temp\rkill64.exe

Filesize
964KB

MD5
ae368c10327fe7a8e5c875360e529b35

SHA1
d69fad67631f48f2eee9109a368eb176356da531

SHA256
797f0917162e74e64f556fd467cc13d10401e826309c3ed889574889a96b88c7

SHA512
e7e6e4d29dfdc537b21fdffc6c1ac0674b55fdf6c61e5fecfbdde1fa271903db1291c50bac3263bc9f4ee7797689542f29770e0d98b8180453c39bc6058a5c67

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads