revengerat | c516c1a413288af6311756bf33692d514d811e9d7dbbc7d873065f8bae6f32bb

Analysis

max time kernel
688s
max time network
534s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250410-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250410-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
13/04/2025, 01:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Claws.exe
Size

169KB
MD5

7722c519958c86885ca19a7d9940b9c8
SHA1

bb0c80aa03b1b9f3675f0a827a35f54d73b83a15
SHA256

c516c1a413288af6311756bf33692d514d811e9d7dbbc7d873065f8bae6f32bb
SHA512

c0591c7f8682a643a5d41d3add9464a2bac2bc86b70b8b67613cb20f7f40d607deb64e9bf823c9cf4991547ff42c6f1279e548b54dbab954bad24cdc9b65006b
SSDEEP

3072:YLb2/QzfuruwSg1YyRyaAlYLC1ERXEqYPhVdU9HOcLkl+KUS:5M2OWYGyLlYW2uKBOcAUS

Score

10^/10

revengerat discovery persistence stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral1/files/0x00080000000282e9-25.dat	revengerat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-137520623-1834890667-2396102459-1000\Control Panel\International\Geo\Nation	Claws.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost	vbc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	vbc.exe

Executes dropped EXE 3 IoCs

pid	Process
3380	1.exe
2556	2.exe
5196	2.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-137520623-1834890667-2396102459-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\SysWOW64\\2.exe"	InstallUtil.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\system.EXE	Claws.exe
File opened for modification	C:\Windows\SysWOW64\system.EXE	Claws.exe
File created	C:\Windows\SysWOW64\1.exe	Claws.exe
File created	C:\Windows\SysWOW64\Command.EXE	Claws.exe
File opened for modification	C:\Windows\SysWOW64\Command.EXE	Claws.exe
File created	C:\Windows\SysWOW64\2.exe	Claws.exe
File created	C:\Windows\SysWOW64\svchost.exe	InstallUtil.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2556 set thread context of 5808	2556	2.exe	83
PID 5808 set thread context of 5636	5808	InstallUtil.exe	84
PID 5196 set thread context of 3412	5196	2.exe	121
PID 3412 set thread context of 2748	3412	InstallUtil.exe	122

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Claws.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	InstallUtil.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2556	2.exe
Token: SeDebugPrivilege	5808	InstallUtil.exe
Token: SeDebugPrivilege	5196	2.exe
Token: SeDebugPrivilege	3412	InstallUtil.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 3380	2732	Claws.exe	81
PID 2732 wrote to memory of 3380	2732	Claws.exe	81
PID 2732 wrote to memory of 2556	2732	Claws.exe	82
PID 2732 wrote to memory of 2556	2732	Claws.exe	82
PID 2732 wrote to memory of 2556	2732	Claws.exe	82
PID 2556 wrote to memory of 5808	2556	2.exe	83
PID 2556 wrote to memory of 5808	2556	2.exe	83
PID 2556 wrote to memory of 5808	2556	2.exe	83
PID 2556 wrote to memory of 5808	2556	2.exe	83
PID 2556 wrote to memory of 5808	2556	2.exe	83
PID 2556 wrote to memory of 5808	2556	2.exe	83
PID 2556 wrote to memory of 5808	2556	2.exe	83
PID 2556 wrote to memory of 5808	2556	2.exe	83
PID 2556 wrote to memory of 5808	2556	2.exe	83
PID 5808 wrote to memory of 5636	5808	InstallUtil.exe	84
PID 5808 wrote to memory of 5636	5808	InstallUtil.exe	84
PID 5808 wrote to memory of 5636	5808	InstallUtil.exe	84
PID 5808 wrote to memory of 5636	5808	InstallUtil.exe	84
PID 5808 wrote to memory of 5636	5808	InstallUtil.exe	84
PID 5808 wrote to memory of 5636	5808	InstallUtil.exe	84
PID 5808 wrote to memory of 5636	5808	InstallUtil.exe	84
PID 5808 wrote to memory of 5636	5808	InstallUtil.exe	84
PID 5808 wrote to memory of 4640	5808	InstallUtil.exe	87
PID 5808 wrote to memory of 4640	5808	InstallUtil.exe	87
PID 5808 wrote to memory of 4640	5808	InstallUtil.exe	87
PID 4640 wrote to memory of 4688	4640	vbc.exe	89
PID 4640 wrote to memory of 4688	4640	vbc.exe	89
PID 4640 wrote to memory of 4688	4640	vbc.exe	89
PID 5808 wrote to memory of 4800	5808	InstallUtil.exe	90
PID 5808 wrote to memory of 4800	5808	InstallUtil.exe	90
PID 5808 wrote to memory of 4800	5808	InstallUtil.exe	90
PID 4800 wrote to memory of 6096	4800	vbc.exe	92
PID 4800 wrote to memory of 6096	4800	vbc.exe	92
PID 4800 wrote to memory of 6096	4800	vbc.exe	92
PID 5808 wrote to memory of 5100	5808	InstallUtil.exe	93
PID 5808 wrote to memory of 5100	5808	InstallUtil.exe	93
PID 5808 wrote to memory of 5100	5808	InstallUtil.exe	93
PID 5100 wrote to memory of 6004	5100	vbc.exe	95
PID 5100 wrote to memory of 6004	5100	vbc.exe	95
PID 5100 wrote to memory of 6004	5100	vbc.exe	95
PID 5808 wrote to memory of 5620	5808	InstallUtil.exe	96
PID 5808 wrote to memory of 5620	5808	InstallUtil.exe	96
PID 5808 wrote to memory of 5620	5808	InstallUtil.exe	96
PID 5620 wrote to memory of 392	5620	vbc.exe	98
PID 5620 wrote to memory of 392	5620	vbc.exe	98
PID 5620 wrote to memory of 392	5620	vbc.exe	98
PID 5808 wrote to memory of 1220	5808	InstallUtil.exe	99
PID 5808 wrote to memory of 1220	5808	InstallUtil.exe	99
PID 5808 wrote to memory of 1220	5808	InstallUtil.exe	99
PID 1220 wrote to memory of 5672	1220	vbc.exe	101
PID 1220 wrote to memory of 5672	1220	vbc.exe	101
PID 1220 wrote to memory of 5672	1220	vbc.exe	101
PID 5808 wrote to memory of 5400	5808	InstallUtil.exe	102
PID 5808 wrote to memory of 5400	5808	InstallUtil.exe	102
PID 5808 wrote to memory of 5400	5808	InstallUtil.exe	102
PID 5400 wrote to memory of 5928	5400	vbc.exe	104
PID 5400 wrote to memory of 5928	5400	vbc.exe	104
PID 5400 wrote to memory of 5928	5400	vbc.exe	104
PID 5808 wrote to memory of 1852	5808	InstallUtil.exe	105
PID 5808 wrote to memory of 1852	5808	InstallUtil.exe	105
PID 5808 wrote to memory of 1852	5808	InstallUtil.exe	105
PID 1852 wrote to memory of 4752	1852	vbc.exe	107
PID 1852 wrote to memory of 4752	1852	vbc.exe	107
PID 1852 wrote to memory of 4752	1852	vbc.exe	107

C:\Users\Admin\AppData\Local\Temp\Claws.exe
"C:\Users\Admin\AppData\Local\Temp\Claws.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Windows\SysWOW64\1.exe
  "C:\Windows\system32\1.exe"
  2⤵
  - Executes dropped EXE
  PID:3380
- C:\Windows\SysWOW64\2.exe
  "C:\Windows\system32\2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    3⤵
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5808
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5636
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\u0ewe4ry\u0ewe4ry.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4640
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1FA8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7BE7BD43259C44B79651A1E2220A7F4.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4688
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\c5y30gpz\c5y30gpz.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4800
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2035.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc328B6A46114419D8C7AD973E4671755.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6096
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\avdo4nxq\avdo4nxq.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5100
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES20C2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB9B353D8CE2D4049B8EF842F998DD26.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6004
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vd0crw4q\vd0crw4q.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5620
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES214E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFC8CDF8F73534F5F88D3920B37087F.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:392
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\x0eyxunc\x0eyxunc.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1220
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES21EB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc17D32BB39B8A4B17AE2E2C28D1F44475.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5672
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\eqv4kmo2\eqv4kmo2.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5400
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2277.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA451D2D133E34ADEAD84E2496FAE3CD.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5928
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mrihi1t5\mrihi1t5.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1852
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2313.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc160A11E231D84FA394B96C505A58CD5.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4752
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\slwcc1fp\slwcc1fp.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:396
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES23A0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc60C9174D1DB84943BF32B91DFBF61F.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5496
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ukqjvh00\ukqjvh00.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2196
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES243C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc64B8082966FB463AA3EF42B41FE14870.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:816
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\51a0kgs1\51a0kgs1.cmdline"
      4⤵
      Drops startup file
      System Location Discovery: System Language Discovery
      PID:5976
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES45FD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc29F03350DD74C1FBFA999B3E514784C.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\2.exe
1⤵
PID:2796
- C:\Windows\SysWOW64\2.exe
  C:\Windows\SysWOW64\2.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5196
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3412
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2748

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin.exe

Filesize
8KB

MD5
a9a23aa0b5d9e253dbba9dea5c813b97

SHA1
2cea6e9d8fb3b608a074975a9a3b8e6a39e72148

SHA256
45c52dd2681beed5911d688abe69942682f03dc21a1dfc7c06e6461ed97afbb6

SHA512
34e315ad893d673a26c31f06c864928e5eb4ae9b4b8cf17435fe08c4b02feb9aada4038ccef23383a9b674a9028146d80111f96261d5a25be08faf1dfab995d1

Download Submit
C:\7819bb69b3861a95b3.exe

Filesize
8KB

MD5
75a4579c6e025f13cf4b143ecef5774b

SHA1
573126830b0ab7e3c85e6d79a0f7f94d66d07cd8

SHA256
c9a29051c7337a73d112bc40d7421c1f6dc15d236fd83ea0f57d103b066d6213

SHA512
abbfaf5fd89f83765785a246f7fb3795ef31889d4b1a9f1a80b33dfe4e6e615814f8fd78677593890d35c9d5063245d6c9668c250ed671f2739dc800fa1134d7

Download Submit
C:\Documents and Settings.exe

Filesize
8KB

MD5
90d6ca0d76406d8d41250a4f8db5d85d

SHA1
a2bb76b5fb33c70e6f5f94ea86dc902785744a08

SHA256
6869ea8ada47b413fc7dbc5a0d7710dc93701509e9f818da57125818b5e43de1

SHA512
953ec8b811d55d2f1f03285061981783c13b1b984a1a91876439af4fa7a52c07060a7b3ba294c242c465334e430a2d7d5c73877c506c0ee6e95167319b6df302

Download Submit
C:\PerfLogs.exe

Filesize
8KB

MD5
22c1d3da024088c0875770d4e7d18a34

SHA1
f01f21423b9b9a60fb0a305003e0c25df121edbd

SHA256
09980cb140908f6b9f746cd3cdaa3b86447305215b93f437707564e681125d8d

SHA512
874c8748beded4090ec587320ae71f6f063b4352b6bbad6e6cd8d32cf175d7ee4f1c3b4ca22ea8afd5050b0cf0d9914817d0884fc2a24285e51b8a6394abb028

Download Submit
C:\Program Files (x86).exe

Filesize
8KB

MD5
520179b8245a530110d8729e37ff4cc9

SHA1
2d046a5db77504ae516c1e061f88c233681062c6

SHA256
4982f06646d151453185f4d8b73b554cbcbd90d50ae9d671f628a58a534c646e

SHA512
5abb7f1841432ab14dea529a9c1ff0c2d8ff9c4875ecb6659e1fb8e279a453e118f9602ac5189dc121e8dba232ab8d20e21845bb1f4e7ca589e8a1d29e64af7f

Download Submit
C:\ProgramData\svchost\duiGGjj.ico

Filesize
1KB

MD5
42d552558e7e6f7440b2b63a6cde217f

SHA1
9c8fa01060f667cf3b0caad33e91fa59e643cf76

SHA256
11b5a0730666935c78d22b379f83ea5fc30d1afdea09a796b4f18b38a1e1ef69

SHA512
e6a6dc1239b9668e7ffc883b3cf46aff8c9f86ef11ae975f6fb65531d8b9313acd7608272042e322fad415a45c0cf767252d2c620ad066e6809656af0f09441b

Download Submit
C:\ProgramData\svchost\windows-delete-winpe.ico

Filesize
4KB

MD5
1f0ec21c4fa48137a0526c3c0fdea8bc

SHA1
d7868157fa33266e837fa897cdf281463cd9b2c2

SHA256
6bb158d3401976e135ed0b4d7bc4cc9f00771a9b1c2629e3fa3edfa88d2a921f

SHA512
5327893ddfc43910f482dc544faf1823bfccbb96816d7246f7bc91ce46f185b1c6677e04f99ae4c62d79fe5e3793b85f8d70957d6073e3e2fab385477d685773

Download Submit
C:\Recovery.exe

Filesize
8KB

MD5
c016ee3d5c9657ae1bb40346f9342787

SHA1
be5cfc7e454d11fb717f2e6a87b934a01b76bc05

SHA256
20df2118d8592444649dbdda17c4c4210a505eb27b0be8223c695a785734ea37

SHA512
650841e5d95164f8540b85c04bde409c9ba113e297bc4007ec2ea9bc948d3aa75d445d808e15d6717185d68aa93a1d5048983398dc1cccbb5d919657e091b225

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log

Filesize
950B

MD5
d84362b5da71e2c286d7a2ada40a5b50

SHA1
8db89c99e309294a8ece7175d4b8ec4ee8af7e53

SHA256
012451907b80be15cae381bf801d33689754d148741c228edc9d9a9c165b614c

SHA512
92633814e57c8bff649f2ab67462968e2ebf3e19bde5909f0212c88942917e41cb5779fe2a5e3f83f1d711bc505f438d1e8c9cfb70ee5c96f73dd73d1b4948e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\51a0kgs1\51a0kgs1.0.vb

Filesize
134B

MD5
175abe76c274ce5017fbf6e3f3ba2901

SHA1
225f707fd5f87e483de8489603a04c9987450033

SHA256
5b91f6d443114bc81073f6ebc787c1a66471544d7f247dc8bf2dd6c710235948

SHA512
614fbe4bf88037bfdf9c85ce36a7c2fcd0e6fc7e74ce071efdb11c53548b6eeb836c9216485d602ad626434646908eac7dcc888161bfb871b0c6a7135dd74f79

Download Submit
C:\Users\Admin\AppData\Local\Temp\51a0kgs1\51a0kgs1.cmdline

Filesize
200B

MD5
6bfa8b88d6fadee54016192f13af5905

SHA1
0ec87af982b0c9333b4970461230904a510c7512

SHA256
82eba6852896172ecf39b036d2a1581262abd2f6a781272f5d90609614366526

SHA512
09d20a40c4830fba4d5bac262fad05bd444427f35e07043cf238a2127841951b8d24827fb5cb0e9b9a456efb20365abed5fe0d4491e61666b2ce794b4eab89b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1FA8.tmp

Filesize
6KB

MD5
cbca0c1e3a3794b26920a97596a13224

SHA1
3f5ae740f3c0e70a2aeceda68eb488bc710041d8

SHA256
0e6ea9a43537937680e6789fe7c225c09372ed9e2aef53ee13210f1568ebb24d

SHA512
f4935d9236308e0ba76870d14b0057f65d2e7365c0d648cd9c883cbb680aa668cf1394ce38541366a0c5c0bdb26d507eb2759740a6bffc56d5ce183f8e8eeedb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2035.tmp

Filesize
3KB

MD5
37ab1091ff6ea9faf8373986f5d2a0b9

SHA1
8b03c80f6dd07cb1e92179a4c116e300d08eec67

SHA256
54b90bac31b1a1c535b05e80d9b9a2d006cd189996d5432c028f127d92489fa7

SHA512
95e9a351a180629ac81943b888fa4dcb68c158ecf3aa3c8e888bb1527433eb8b0ae0bcb622f9fddbafe69f33eee4750ed5e4c360f0fb2e5b57a7b4b052499d88

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES20C2.tmp

Filesize
3KB

MD5
22207d43f293bb1c218ecc9748e3efb9

SHA1
58b2a86000f844f6b8444f9f9f8f6c08c574d2b0

SHA256
824a9c30352ac1f91685ed1abfa2a92f7be6bb7d08bbc9964ca057dd563ffe7f

SHA512
dcafddaf3e6f042f492c77439f7246442eae32170a453c0e3144be08a2da03f41756f43ced28ddd20a07bff9a55364555fab1e5fe772ffa764f0cc753f3e4609

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES214E.tmp

Filesize
3KB

MD5
699f6f8fb8469892f9dbf419918e5d38

SHA1
6e2b92eea8cf0ded4f32be2a60871cb554da3897

SHA256
9c956ee59ff9a05058c4c5205c4486d258c6ef7c61e1272aa9bc30ec34391af8

SHA512
5550b2e745c37f652dac99e604dcaff88169b7688b1cfbcd969f7ca2b7a201becb5522a3e9d94f946087c87cc3737c7fa41c407e6941645d48c64a706e023891

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES21EB.tmp

Filesize
3KB

MD5
b97b31198559aec16addc88dfbc8cfa1

SHA1
4663c38caaf32089df9d7b7225f5ae13815e235a

SHA256
9f3d888d5ffd7267697955576f61fa800f0deda848cd59cc6c82ad090acd49fc

SHA512
21516615d496a2055e32f6c1b13f87f28fb73a622d374706a96bc8dfd4fc4f015de31cf823f6a5c13b53be39bd84dba9a35edee7bc664df8657ed1bf70bdc7d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2277.tmp

Filesize
3KB

MD5
26e36fe1b7fa6003f50a76ec14d53fe7

SHA1
e08ac9ddec9f07ccfea63c837eff00e715abaa33

SHA256
a6c61f655a1e593cebea546d5b2c521a8a2bb975fbec7d19059ce5b479c86fea

SHA512
00ecccf47ba1a38850b055e126e7006cbd274a05d1f172e18c4eddc0c99dcbb15c70870fff7f21f894df2a91a60d93e695baf9aa6417796a65f3586d209ffdb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2313.tmp

Filesize
3KB

MD5
e9e4c7fd99974cd0b795634a110f94c5

SHA1
304ec6c8b787b2d539d4aa323f21bfcb6d2de460

SHA256
75582d20814356b560e9755e48e0950dac542460956f4d656b3e875050b1fad6

SHA512
f2cafb928d97b721ca3a3e2aaeed78560495860076aec858c7f35b67be9ac09380271b27665073b3c7b280c294ee88574286656bc12e97eebd7a8aa3496df9a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES23A0.tmp

Filesize
3KB

MD5
3b7148ff7b601a624ef311e97fd8f541

SHA1
da7977f35d34516611c2a5bfec9467ada07b6381

SHA256
edf00cf4671e4b482a1c29d37f8f044a878a3a91c53617a77a459cb4ba4b73f1

SHA512
274dc621c455f286d4be17bcf0481c18984707cc1e4e901912899c0a63aa0938b845725751f77416a4657f59508ba1197523bea98c51d3c7d80c11e87e4ad912

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES243C.tmp

Filesize
3KB

MD5
c34c48ba6a15c6f001dbff01fcc6520b

SHA1
fa60c513af18af3034670e1537b6ee04e00fda51

SHA256
7d75d2f3b1fe4f89b7713e5b55eb4b2041dc59c7615c4bfb22093eb503a812b0

SHA512
2e3472ee963aad00cf8e6c5f4f17d47298df75ec01dbedcc8184b6d08c9aedeb142bb8a72246b16fec53208db739dabd52e166f894dead7dcdc8da51965af614

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES45FD.tmp

Filesize
1KB

MD5
0b65f085a19df9f1ffcc1d944eacae13

SHA1
3d5dcc37cff10e7842b39347121d4ef8b133fb47

SHA256
c80b883daba571539cd5a17f80aa2ace370a144a884f67bd4983526c1a903410

SHA512
850c9053d4780cc02687ed59f8f6589bcb116843b09e8af2f16e9f54bb098854ed8290b484769199d9622341b87a5ce79cbe939718c20e73bee49aaf2b4eeb45

Download Submit
C:\Users\Admin\AppData\Local\Temp\avdo4nxq\avdo4nxq.0.vb

Filesize
347B

MD5
e0f9aa36c90879dc37c0dacc0cf47837

SHA1
f6fde4c6fe2bc3af043543321ae0e7a960ddd2e6

SHA256
5b6e22fce1e69742769a34d01131f86a547ab72f503eba2cd7e22f1f3ac3f5f0

SHA512
2ce4efe548e9501ed2ff9bbbbb0f0b8c1857c2433b51ac5ca0f50d108be5f36e5f2f6f4464de5469f52a094391f022c8d11f197da72e1d31482ae61aa3021b7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\avdo4nxq\avdo4nxq.cmdline

Filesize
213B

MD5
8ebee3f0ab002183dafb508ffde6028f

SHA1
13fd74075f94d12c96ab1f83e8d1deb5647f2183

SHA256
a55f546a411f917c975fab532387dd76bf2e4a98d15813f2e01b8e4a9f55c46f

SHA512
87e7c2be70d1e156a2904871fcd63645b48fcbba964ded14495c7a125006c8cbbd03bae6a6893a9485976b4db4ab409477dd3a9795df1588c1cbeead3c08e268

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5y30gpz\c5y30gpz.0.vb

Filesize
341B

MD5
87734aa074faab002b0989985e85fa8d

SHA1
7c55f9028564e574739736603439e1ffd4ba80fd

SHA256
0d261de23b8bc30777426d16939dd6a8822e059260945d6e0e7a9b6aa3def84e

SHA512
efb5eed5a6b687286671226ecf0a2a4b4eec9f4ccb67d82e228229a9c89da641d753f3cbab9870f943c11bbed983d273c78ea05305df5eca325277c610f6652e

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5y30gpz\c5y30gpz.cmdline

Filesize
207B

MD5
ab365a8d36583708e11dd1569721582c

SHA1
b8f6d3fdddac92dad9d334edbe1e17cd5fa20f6c

SHA256
a42288762d82a416bf0b6f641ed013a6df279888ef50a0a251b97fd62aa4ca11

SHA512
1ffe10d5bc783bc0900c282f3d59b32836530cca5a695aaa5dc9ccb0d7d351f51a64d9ad3f547aa83a8413528c53c4681e1d16ee0976f3f88e2edcfafcbdab9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\eqv4kmo2\eqv4kmo2.0.vb

Filesize
337B

MD5
b474110bfc43d8274814f3b20afe1d63

SHA1
3ebf8ff04c779e0e01170b90645b09259ba94404

SHA256
a0b7fc43964ec3043807fa9cf4201ce4fb8b982df358296658c0d1940e997f75

SHA512
cf7e97b1003be7762bd6608903b3c26b5a3c648024015416ba8b9f3f02102d48170d48ea938d2bec5c456639a8e2a4bced2382a55b55c4413158c8171117483e

Download Submit
C:\Users\Admin\AppData\Local\Temp\eqv4kmo2\eqv4kmo2.cmdline

Filesize
203B

MD5
253f6e79f391fa42876231dd270f9d44

SHA1
f9013c1daab747a7e66472126813aae6f882fe41

SHA256
3d767733c4be332893a3a679457f993d0b0860f4c75fbd747b9bf10b751faa94

SHA512
2e65a1965cbd24acab90c713e76e74a519bae1799c583545709b74ed9e6217ed1b45aebb3d6a98e94636ee6a1ddbc7a1ebb204f676c575367f785414d875262b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ifWfhaRClg.txt

Filesize
25B

MD5
fed77b04fcc09dd5149dba8693c0a813

SHA1
720ab3fc8e5c66f738e34d68761b11064b6ab1bb

SHA256
7d65baa7fd7dc3efc3efbed707780ddfd83036e7f4b5584598160e492f05ec52

SHA512
d3bb9ce9c20bdc766fc8b07ee2b0998da43e28fc2e267d7a06a5b1752d6a6bfad9f9bcc938f57cab22ff770f8ee38ddf4bc6d229fca1bbed7a423f167598dee8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrihi1t5\mrihi1t5.0.vb

Filesize
348B

MD5
d6b579c23dfa859f6c562045c18570d6

SHA1
d001abd98697e172a386df15b7c2b691896f4510

SHA256
b7eb521f9045649066ef4dd04985e03e42abc6c124fdff6330471ae3f08f8be8

SHA512
cd83c67e873922e905a37b46c4ae3863c6e8812ccce35dba89f642ba28394324d5aba58f5a75f51b9430e2212e0b3cb6d6365bee85294a6601131c405211f2d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrihi1t5\mrihi1t5.cmdline

Filesize
214B

MD5
d31c536a0e19bda61f1831138cc32313

SHA1
80237039c1b8a6e2f40be87a4aff8c997dc22f6b

SHA256
37d4e517d7a720704dbfb18d51eac48d19d8fc53cd018af02df416810709dc99

SHA512
bd03b9f547d01bc7368adc0322a5a80365168b32ad94c4272bd5e9c4ad80a86e7431d1e333b2fff0ac587dd2cee3b1a8545a3ccbeebb1e4f98ea2b076314690c

Download Submit
C:\Users\Admin\AppData\Local\Temp\slwcc1fp\slwcc1fp.0.vb

Filesize
337B

MD5
7b04ca08440d68c89b297916219d9ff0

SHA1
ed65d6a92602bc30e05a2d5515726c53e9360c38

SHA256
135fe3cb45ffd85db002c75ea3c8ba84e715ed59a99d039d75bdba320269ff00

SHA512
1b9bd142bf9150f58af66d514619a1c61139e423d935b8385838fe87b45a66bc94408cca3d1c50f5ed038d99d9c48628bb9ced73cef983608d72931580391514

Download Submit
C:\Users\Admin\AppData\Local\Temp\slwcc1fp\slwcc1fp.cmdline

Filesize
203B

MD5
450632a9fffb41e3a5c6145a69f9b3e0

SHA1
0c6614cce89a01354422a0eb8d5aed608037f176

SHA256
7e29fc9f1e1fca1ed3eded052714f445311139007e8dad9d61fa311c15f7076c

SHA512
084e6e47515e4e92d1114a67fbc6fc2b71f75b5adfc06f1d20897b773329a20ebf303d8aba9baad7b0d7b1424418292b84c4c2eae247c145bc41fda5ce16ac3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\u0ewe4ry\u0ewe4ry.0.vb

Filesize
353B

MD5
4c756d9dd49fc8e4b7af1cd3fdca2570

SHA1
173139508da5953bbd2c6b1933461224683c68ab

SHA256
ac018e6e0dbddb444e9822085c137c759411936cacb424b77e4aff4c0c0d7492

SHA512
b76738583db0e5abd413945538f81743684eb794b7dffefdcdf98c91cda6a225807623c43ef4e2de63d8fe3d020d9bc49bc58a37350fa5fb2f8e342beea6514d

Download Submit
C:\Users\Admin\AppData\Local\Temp\u0ewe4ry\u0ewe4ry.cmdline

Filesize
232B

MD5
9f58db39e98f9064e15ba09e320b7e45

SHA1
c718b6edad3be27c2c076e0f45c21aa2b66fa0e6

SHA256
9a94cc4b058a60981c4368188e593997addcabdff42efff96bf9eb37a490c9ce

SHA512
180eadf9982c7b83dc9b820df231f1d6914b6f1a384e019404b40eab8f3d367c81b78bbddd70d50ec9eaa4550c7e15c385e0cb67bb931e3229e094a0402e686c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukqjvh00\ukqjvh00.0.vb

Filesize
341B

MD5
b751035d7aa47775ce0e5d1fc25b5640

SHA1
161c89c59c140abe4e929ce78f0ff0b440d85bde

SHA256
929f4f4f063ece4353d9f7d5d5d1d4a5fd348cb1857129c948e7b5732efb7801

SHA512
d0b10fe4bedfcc9414a937b92dc9600280a6a6c3935db1b1e40cc90ff3653cc11cc14bcfc37e75d51af1940d82b7c203f9f2085ec6e179397f3ad5e293bbaac6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukqjvh00\ukqjvh00.cmdline

Filesize
207B

MD5
a9b1f0b6d484962529df766a2af3bc57

SHA1
e7815280c5f03fb79ec6aff387261094bdd18199

SHA256
1f92ae5c9c440d7e6246ad3e5ecc9bc73ffd6183d979a7b03b5bd2f8d213b48c

SHA512
e8874e23f1a6ea951d4cb953d4c0ae6fb9fc52b16da89ae6ba5502b027ee814db9422a4db5679bc6b4716594cd9dd0d5c72856d480c88a57cd87b4a9549b21bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc160A11E231D84FA394B96C505A58CD5.TMP

Filesize
2KB

MD5
078ac7e403b58faf7a94044865726693

SHA1
e5480b6398ca33c94b19f7a388cb09bb03018f58

SHA256
dae3822d9d2ca8c1fe9b3984fc338660a759ead91e62a8e295f46bb9c4102ec2

SHA512
e24876b736f1a6caff253c558ac0da17c7ebd08fcc86addf368fbc6414b9d667e14b59ba3b01bfb107791ed50c42bba0d3d4eeeb21d5181d1b9da914a15c3b06

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc17D32BB39B8A4B17AE2E2C28D1F44475.TMP

Filesize
2KB

MD5
24205f9d5a6220831ebc4266d0a79da9

SHA1
b3bf5dd73472293ecf21eb007696e77e4dfe78b4

SHA256
4d71011f331866bf490949ad9d7c72a63fcbca53f0ca96ff15bb16df78c99b1a

SHA512
6a4acf350cffd2870344d1ea201dee54f2308fbdca822e4977f02cf00febcac17443c8d298d26c64d1e762e395594a3edbed95486404822673121dbbb1226d67

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc29F03350DD74C1FBFA999B3E514784C.TMP

Filesize
1KB

MD5
b10290e193d94a5e3c95660f0626a397

SHA1
7b9de1fd7a43f6f506e5fc3426836b8c52d0d711

SHA256
75c9e1766bfb99754b6a00d37ef93488ab216b5ac48984ed7d9d2076a7056fd2

SHA512
6ae4201552a499eaa726416b29230f48d94ac7f40ff038165bf8582626bbefe601ef6c051ad97d9156dc4b9b55fd22081db61bcd013916136340c5f1324e4bb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc328B6A46114419D8C7AD973E4671755.TMP

Filesize
2KB

MD5
5c02804700e8ad0a8800a5b9e0887bf6

SHA1
642b3fb03f852ce61f2554addb27fb366d562d60

SHA256
38e85e72d0f9b5777e594007dd8d9886b54259da3485a62198468baac3d755f8

SHA512
37b42957243b5c3819e6f65f2811362863d612dbdcb3ae6141b3da4358d91d1fae0ad4f837d38024c28f18d6d44d850b4213f4830a10fcac11e3636176684e9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc60C9174D1DB84943BF32B91DFBF61F.TMP

Filesize
2KB

MD5
05f9c89c04c8e5eae5c4b54d0d99cbe2

SHA1
4509983f3211bca7d1982d686e1ab69549740e3c

SHA256
fdea1e612dcaf2b8d580456d6aa351f759821dd155197026217d27e45a2d4a41

SHA512
8cdf1e883e2cd0c2bf4f7dc04353fc12168c05ca9cf1075fc42cc06fbf6dfc135ab64392501675cad503245351b850224c4f6bdfcc078ccf1fecfe58727242ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc64B8082966FB463AA3EF42B41FE14870.TMP

Filesize
2KB

MD5
fb593222da189e1d004db43464d0738f

SHA1
dc76bc8c3352fc4a79f0b9a50081cf9cc990601f

SHA256
4710a1fc3359e9cb2cdea62221058513cc5c9d55700ff7d328533303b7822b71

SHA512
7b23506d3f1b245770084a7345f4a2cb0de687fb9bf64e2035eff9fad6a70c9d2aa3b819b6de6f8483020eaba70172d082eca57bc10b9ee67f8c4d83fc140798

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7BE7BD43259C44B79651A1E2220A7F4.TMP

Filesize
5KB

MD5
529df8b20e900e2b7e1e8b88485337d0

SHA1
6fa99ec439190b53539648d220fc3ad465a69a40

SHA256
0bf01fae0babaf61e81bbce0a7639e8d13dae01b9b59ed0f0dd4e7d6ef9532bb

SHA512
7e51a0da11f87db816b829d310f448105732ab24a5c157d5a651c90a0273783d713d5b346b8155a18d01f9db873125c8bac60e3d652de957f5e32e3ad9cf4e7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA451D2D133E34ADEAD84E2496FAE3CD.TMP

Filesize
2KB

MD5
79e7e97ed950a7c84f507af8f6b4dc1d

SHA1
508e279aab0ad8b087184e04fde84fad64955e22

SHA256
27b065706f4f5670ff6cf8a432fb6f21eb42bc85428269b96da60a629ae0de29

SHA512
de4ae4b4108f248fb2327ef78b348af2c23621ada4e0367314fc3d18081da60d68eb33073c80e2a60d3d4a3821c82308797dc8726cdd3979963dc4ffb47b56c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB9B353D8CE2D4049B8EF842F998DD26.TMP

Filesize
2KB

MD5
0284fadd9fb81f63e85387440915e175

SHA1
de794f6a2b6cab17e9659d906a87fa92e0d9552b

SHA256
cb3657b9658414639976e5929144826e3ee4cfd2e36bbc9a966bfe1483cfa195

SHA512
aa500da13b912582c29f3821213adf29363874a8f3f6242eb8a33b85f5f21eee5e3d2fb4cd462d4dafd6ddb4f82a214277c926c69d289b083942763bf36d09e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFC8CDF8F73534F5F88D3920B37087F.TMP

Filesize
2KB

MD5
2e1db6cf622fbeca83053b9967996697

SHA1
fdc4cc343d1cef1313976c63433086f23898d37f

SHA256
9ebef3db42ea5af8132d79f904ad4e7bcaa9aa4bc4f71c8becf8455d3ac637dd

SHA512
a3ac7e34a7cb456d0cdd12f085e05126395e209faafea2e0bcd7089cdf2138d4d3c41fd8d285ea7c581a4366059851bc34853bc6da7233919769dbfd01ea45f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\vd0crw4q\vd0crw4q.0.vb

Filesize
357B

MD5
967671199e32a8d1ad1b1890a5727b2d

SHA1
706abcd836d50a13b974b2b63b866ea44f6ca4cf

SHA256
7374d0038bbf23dc9d56b6a904381072c20f1b8d234fcb727055576b321e3950

SHA512
ec82ae97ca98d25b442d2acf61533546de9128ca73fd8c549bfbadd7b56a2c10363eba91f1ea422e7e7b8cce29f0c651f2eb458bd0c2fe26fae1e4fe1e4cc849

Download Submit
C:\Users\Admin\AppData\Local\Temp\vd0crw4q\vd0crw4q.cmdline

Filesize
223B

MD5
d34f95689484bba448861e0e6b9b575c

SHA1
133edaab81aa0c58d4ecb3786403114080326dcb

SHA256
673aa0fdc9a658869beadcca9b30261926fd1221123751f6d30d3a11ec19ddd8

SHA512
80e2318f97c706ce55761453e2d1b81552ed23a6857744ff28efd77120b50f8f424f989fb2bd83d85c868fd0d267ec037a6feb7e80c1dfa51d56694cb57dc5f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\x0eyxunc\x0eyxunc.0.vb

Filesize
351B

MD5
f16a3586f811a0e6a05d626df2f17463

SHA1
e0c246250467ece7dfb722df40ec7bb37c235820

SHA256
420e78b201d5f5bdcf718625ddb53e8d69236ee7a77a4ca5226b0fd46542b35b

SHA512
632ef200f3fadb0e0de0f67f37eb974a0c1bb41a7747152f16dbd66af95b3999c0695ccb8ad860e89d2ab7b429581fdde25a8e0ee2107047248739d52d317dce

Download Submit
C:\Users\Admin\AppData\Local\Temp\x0eyxunc\x0eyxunc.cmdline

Filesize
217B

MD5
af39a5687818b4077b653722b92578a7

SHA1
122c66e07ab2c07b2c27446b15b60d6148bb893e

SHA256
f9aacf9bc245d26ae9192402b3b2b0bda8a04b0b4893f13ec2cd5bf70e7e2817

SHA512
8c1a92af8020cd852275063058d11ec4c45a6bd82bdf77ef8be116a3aa67f0537807fe22e5ecbee17b8f9d6aa317ede557245a83eddb92bd246cd130168cf222

Download Submit
C:\Windows\SysWOW64\1.exe

Filesize
22KB

MD5
c217657dadbab82ae4f216299d9f63c0

SHA1
c12c42347c68182e15607bc4d44c4db9964c4e70

SHA256
c8b5dfcd40662c3d92b0bf12e6ba7fe8417a6438b84ff33fe7d4e486133c9d22

SHA512
7b9dc181c3a2da958a45066549ba13d89eb1997f94ac3a4b9bf015249bce4e5d59e683e0dc732a161e6e391f50a16554072a51a794cfc0fc55136d8ee2e95599

Download Submit
C:\Windows\SysWOW64\2.exe

Filesize
143KB

MD5
ed45d84cc5d0fafd5dd6372976462a5d

SHA1
6bf44c21677f1e9616300e93e3d62c18d85f811e

SHA256
efae476d241067b3ebc77f3b6c7e65c5b6c0dc1b956a8b460cd830123fdad3a0

SHA512
52d16f9378f62eada0f500ddad1fd321f0c3badaefa86f5b00a9fd222f99b8e642f3659587038dbe490f25e9fbd90890a33120fe0e6a6d9a0eef8c1823de72c7

Download Submit
C:\cd2be074b6f9ceb7c82a5635e25f.exe

Filesize
8KB

MD5
aa507fc5da09e54909b59eb03638f4eb

SHA1
b2b7bde2ddb07ba2b76004cd721ead218f267d3f

SHA256
a73bdec8c3e907ce79c936246e626d683ae0f4c016ab91849c0f6c62464a1628

SHA512
3bff91ddbdd92128e4b9a5b86ac8fd1b4d6cac93636134ed148b2a2389a84fd79460508c4bca727c1b12b62bf6f5797c625a717a0bce4f4fe1b577de0d1b5326

Download Submit
C:\windows-delete-winpe.bat.exe

Filesize
11KB

MD5
7f3f9070b3d31193bd318c42dadab2a4

SHA1
6380ed2bfce2726e033e421680162d002c72dc1c

SHA256
df7d83eb204db9da4ee0dfb6b381f2642a7d7c763804c07af9cd3013c5416926

SHA512
457c4ca38c4380eed9ddcc97c2b7e37fab78835b09ef6ec24cb0d634aa4273ebcec409420deb2498ceda1a7d91efdd389a963f763f814bc2df5df626b3182256

Download Submit
F:\$RECYCLE.BIN.exe

Filesize
8KB

MD5
dcdefa749f37a41c7d4a41d3de9ba81d

SHA1
efb6f9f5f968dff5a4c5f1803de5ecd4ad8ad0eb

SHA256
f4b6676a67343ff0c8b2aaa507f3c1b1fcfd2d7e61242197480da5ef6ec0189b

SHA512
7c18e74e30270cd8a9c433747a4ae30c2adb8e1fcaca47148b7c34dfc2821cb5cd502d3f7493dfc0d75975a216237de46ba913474f7c3696b90084c67d248938

Download Submit
memory/2556-43-0x0000000075240000-0x00000000757F1000-memory.dmp

Filesize
5.7MB

Download
memory/2556-35-0x0000000075242000-0x0000000075243000-memory.dmp

Filesize
4KB

Download
memory/2556-37-0x0000000075240000-0x00000000757F1000-memory.dmp

Filesize
5.7MB

Download
memory/2732-32-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2732-0-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3380-34-0x00007FF930170000-0x00007FF930B11000-memory.dmp

Filesize
9.6MB

Download
memory/3380-33-0x00007FF930425000-0x00007FF930426000-memory.dmp

Filesize
4KB

Download
memory/3380-44-0x00007FF930425000-0x00007FF930426000-memory.dmp

Filesize
4KB

Download
memory/3380-55-0x00007FF930170000-0x00007FF930B11000-memory.dmp

Filesize
9.6MB

Download
memory/3380-38-0x000000001CA50000-0x000000001CAF6000-memory.dmp

Filesize
664KB

Download
memory/3380-36-0x000000001C1D0000-0x000000001C69E000-memory.dmp

Filesize
4.8MB

Download
memory/3380-52-0x000000001BCC0000-0x000000001BCC8000-memory.dmp

Filesize
32KB

Download
memory/3380-51-0x000000001D4E0000-0x000000001D57C000-memory.dmp

Filesize
624KB

Download
memory/5636-49-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/5636-53-0x0000000002DC0000-0x0000000002DDA000-memory.dmp

Filesize
104KB

Download
memory/5808-48-0x0000000005250000-0x00000000052B6000-memory.dmp

Filesize
408KB

Download
memory/5808-45-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/5808-47-0x0000000005730000-0x0000000005CD6000-memory.dmp

Filesize
5.6MB

Download
memory/5808-46-0x00000000050E0000-0x000000000517C000-memory.dmp

Filesize
624KB

Download
memory/5808-40-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/5808-56-0x0000000006E10000-0x0000000006EA2000-memory.dmp

Filesize
584KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads