revengerat | 07dfacdc603bb28beb153f81bb4519a7239bdcf8411e5c5f7c26b54ceb5a3865

Analysis

max time kernel
929s
max time network
929s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250410-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250410-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
13/04/2025, 02:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

instaler.exe
Size

1.0MB
MD5

d123427182e9ec7b19765f32fc159719
SHA1

3c171e57af9aec12bbe63065149b9a63a7d53e11
SHA256

07dfacdc603bb28beb153f81bb4519a7239bdcf8411e5c5f7c26b54ceb5a3865
SHA512

7efea1b0914bdd4c29363ca782495cb88fc4a81bcde2ce39b7cae83bd57bf27334eef3e08c3131250f8bbc4b4f466fcacab1c22c1369cc860ba87d43a1fa8534
SSDEEP

24576:ozbQfQjWKM072B6PUppfZkyE3ScFYTYwYkPBlIpFIa:ofQfiZ7q/ruyE3SSY0wYkZ

Score

10^/10

revengerat discovery persistence stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral1/files/0x0007000000028280-40.dat	revengerat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-137520623-1834890667-2396102459-1000\Control Panel\International\Geo\Nation	instaler.exe
Key value queried	\REGISTRY\USER\S-1-5-21-137520623-1834890667-2396102459-1000\Control Panel\International\Geo\Nation	INSTALLER.EXE

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost	vbc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	vbc.exe

Executes dropped EXE 5 IoCs

pid	Process
5900	ANTI-AFK.EXE
1332	INSTALLER.EXE
464	1.exe
5840	2.exe
3672	2.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-137520623-1834890667-2396102459-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\SysWOW64\\2.exe"	InstallUtil.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\svchost.exe	InstallUtil.exe
File created	C:\Windows\SysWOW64\system.EXE	INSTALLER.EXE
File opened for modification	C:\Windows\SysWOW64\system.EXE	INSTALLER.EXE
File created	C:\Windows\SysWOW64\1.exe	INSTALLER.EXE
File created	C:\Windows\SysWOW64\Command.EXE	INSTALLER.EXE
File opened for modification	C:\Windows\SysWOW64\Command.EXE	INSTALLER.EXE
File created	C:\Windows\SysWOW64\2.exe	INSTALLER.EXE

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 5840 set thread context of 5548	5840	2.exe	84
PID 5548 set thread context of 660	5548	InstallUtil.exe	85
PID 3672 set thread context of 1624	3672	2.exe	122
PID 1624 set thread context of 3336	1624	InstallUtil.exe	123

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 28 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	INSTALLER.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	instaler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	InstallUtil.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	5840	2.exe
Token: SeDebugPrivilege	5548	InstallUtil.exe
Token: SeDebugPrivilege	3672	2.exe
Token: SeDebugPrivilege	1624	InstallUtil.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5900	ANTI-AFK.EXE
5900	ANTI-AFK.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 192 wrote to memory of 5900	192	instaler.exe	80
PID 192 wrote to memory of 5900	192	instaler.exe	80
PID 192 wrote to memory of 1332	192	instaler.exe	81
PID 192 wrote to memory of 1332	192	instaler.exe	81
PID 192 wrote to memory of 1332	192	instaler.exe	81
PID 1332 wrote to memory of 464	1332	INSTALLER.EXE	82
PID 1332 wrote to memory of 464	1332	INSTALLER.EXE	82
PID 1332 wrote to memory of 5840	1332	INSTALLER.EXE	83
PID 1332 wrote to memory of 5840	1332	INSTALLER.EXE	83
PID 1332 wrote to memory of 5840	1332	INSTALLER.EXE	83
PID 5840 wrote to memory of 5548	5840	2.exe	84
PID 5840 wrote to memory of 5548	5840	2.exe	84
PID 5840 wrote to memory of 5548	5840	2.exe	84
PID 5840 wrote to memory of 5548	5840	2.exe	84
PID 5840 wrote to memory of 5548	5840	2.exe	84
PID 5840 wrote to memory of 5548	5840	2.exe	84
PID 5840 wrote to memory of 5548	5840	2.exe	84
PID 5840 wrote to memory of 5548	5840	2.exe	84
PID 5840 wrote to memory of 5548	5840	2.exe	84
PID 5548 wrote to memory of 660	5548	InstallUtil.exe	85
PID 5548 wrote to memory of 660	5548	InstallUtil.exe	85
PID 5548 wrote to memory of 660	5548	InstallUtil.exe	85
PID 5548 wrote to memory of 660	5548	InstallUtil.exe	85
PID 5548 wrote to memory of 660	5548	InstallUtil.exe	85
PID 5548 wrote to memory of 660	5548	InstallUtil.exe	85
PID 5548 wrote to memory of 660	5548	InstallUtil.exe	85
PID 5548 wrote to memory of 660	5548	InstallUtil.exe	85
PID 5548 wrote to memory of 4936	5548	InstallUtil.exe	88
PID 5548 wrote to memory of 4936	5548	InstallUtil.exe	88
PID 5548 wrote to memory of 4936	5548	InstallUtil.exe	88
PID 4936 wrote to memory of 5052	4936	vbc.exe	90
PID 4936 wrote to memory of 5052	4936	vbc.exe	90
PID 4936 wrote to memory of 5052	4936	vbc.exe	90
PID 5548 wrote to memory of 5456	5548	InstallUtil.exe	91
PID 5548 wrote to memory of 5456	5548	InstallUtil.exe	91
PID 5548 wrote to memory of 5456	5548	InstallUtil.exe	91
PID 5456 wrote to memory of 692	5456	vbc.exe	93
PID 5456 wrote to memory of 692	5456	vbc.exe	93
PID 5456 wrote to memory of 692	5456	vbc.exe	93
PID 5548 wrote to memory of 3652	5548	InstallUtil.exe	94
PID 5548 wrote to memory of 3652	5548	InstallUtil.exe	94
PID 5548 wrote to memory of 3652	5548	InstallUtil.exe	94
PID 3652 wrote to memory of 4520	3652	vbc.exe	96
PID 3652 wrote to memory of 4520	3652	vbc.exe	96
PID 3652 wrote to memory of 4520	3652	vbc.exe	96
PID 5548 wrote to memory of 6116	5548	InstallUtil.exe	97
PID 5548 wrote to memory of 6116	5548	InstallUtil.exe	97
PID 5548 wrote to memory of 6116	5548	InstallUtil.exe	97
PID 6116 wrote to memory of 2256	6116	vbc.exe	99
PID 6116 wrote to memory of 2256	6116	vbc.exe	99
PID 6116 wrote to memory of 2256	6116	vbc.exe	99
PID 5548 wrote to memory of 2688	5548	InstallUtil.exe	100
PID 5548 wrote to memory of 2688	5548	InstallUtil.exe	100
PID 5548 wrote to memory of 2688	5548	InstallUtil.exe	100
PID 2688 wrote to memory of 968	2688	vbc.exe	102
PID 2688 wrote to memory of 968	2688	vbc.exe	102
PID 2688 wrote to memory of 968	2688	vbc.exe	102
PID 5548 wrote to memory of 6104	5548	InstallUtil.exe	103
PID 5548 wrote to memory of 6104	5548	InstallUtil.exe	103
PID 5548 wrote to memory of 6104	5548	InstallUtil.exe	103
PID 6104 wrote to memory of 2448	6104	vbc.exe	105
PID 6104 wrote to memory of 2448	6104	vbc.exe	105
PID 6104 wrote to memory of 2448	6104	vbc.exe	105
PID 5548 wrote to memory of 5648	5548	InstallUtil.exe	106

C:\Users\Admin\AppData\Local\Temp\instaler.exe
"C:\Users\Admin\AppData\Local\Temp\instaler.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:192
- C:\Users\Admin\AppData\Local\Temp\ANTI-AFK.EXE
  "C:\Users\Admin\AppData\Local\Temp\ANTI-AFK.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5900
- C:\Users\Admin\AppData\Local\Temp\INSTALLER.EXE
  "C:\Users\Admin\AppData\Local\Temp\INSTALLER.EXE"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1332
- - C:\Windows\SysWOW64\1.exe
    "C:\Windows\system32\1.exe"
    3⤵
    - Executes dropped EXE
    PID:464
- - C:\Windows\SysWOW64\2.exe
    "C:\Windows\system32\2.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5840
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      4⤵
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5548
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:660
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4zrf1ek1\4zrf1ek1.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4936
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE242.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBE33E7B7358B458CAA28C9BDA435E720.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5052
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\352gwiv4\352gwiv4.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5456
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE2EE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF2520CD6E2E4439C8C20DB6BF5D67.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:692
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\d3rfp0s0\d3rfp0s0.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3652
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE38A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc74CB91DB5734471ACA9C5C0949BBAA4.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4520
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3l5hnghc\3l5hnghc.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:6116
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE416.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc71B1B370C6444A0D9D3843EF6FB575B.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2256
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vfz2glfv\vfz2glfv.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2688
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE493.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc778A727D505E4354AD181F40ECE23111.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:968
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\opzkafhu\opzkafhu.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:6104
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE530.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB26A66B33C9F4B8B90BD966CEADCCDB3.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2448
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\34xwfrun\34xwfrun.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5648
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE5AD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB79F373BC3E49F6B0BD1D6E7275A86B.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:6112
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kihmjjdr\kihmjjdr.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1984
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE639.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3B96B2C578A446648CF3893C701CEE5.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1268
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cqnqp35l\cqnqp35l.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1552
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE6C6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEBBDFE27409A4489978ABC4043F02712.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1452
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gnemnkjm\gnemnkjm.cmdline"
        5⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:1824
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES887.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3872F66A9ED840FD873BBD07F7EC8A1.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\2.exe
1⤵
PID:6088
- C:\Windows\SysWOW64\2.exe
  C:\Windows\SysWOW64\2.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3672
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1624
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3336

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin.exe

Filesize
8KB

MD5
fbbc7c57cbb5007de547ee39ebce5562

SHA1
0da87e8fb9e4511b4bd6c09e35407adbd7ccce48

SHA256
9f6e6ffab94b9e52b155262b74033a8f8daf7019e231f5fc89cb86f29fbac99b

SHA512
da0793ba2341ee23cee09f0e68efa7c73a1c1922a5dbdaee6e770d899fcce8f3e3e73b93fa6596a07f88ac04ea3a63dee1a3720f7a683c6d9d48a4471df427b0

Download Submit
C:\7819bb69b3861a95b3.exe

Filesize
8KB

MD5
6fbb34e4e95e98b079c1dab002808224

SHA1
a83240ddfdb01fa46479fc80cba9cc46033b023a

SHA256
130c768fe98c13831b83f913750779692b4c86734bb0f39ccc4eb243c277b7e1

SHA512
993d52b92cbe4e253118c5c65e41a5cf91b569d5884c48799f489a34011132de61b0178ccebd0f30b6fb4277553a345fbf75384771483742e83db546cc5f303b

Download Submit
C:\Documents and Settings.exe

Filesize
8KB

MD5
fd5ac3409f1d71eb9ca3d4e41e49698c

SHA1
533e5dcc06bdc7757edbd8f0f6504c5e12c3ce61

SHA256
b3f7ee0e2293dfc4dc927893f61054310cec76faebcac80ad8c9a8fbef21c662

SHA512
44c53b8dd0944b0ecded42140eeb06e37b58d67996be576defacd9095bbd262ca6dd47fc7c10dd735c4d07335822020ef392c836fc6e747512563cf91d62d69c

Download Submit
C:\PerfLogs.exe

Filesize
8KB

MD5
6d36849bdbbcd01c88e2297aae059181

SHA1
30d969f5ca7923063fec463139ea6cd956dbabb2

SHA256
a544750c51cd343a4660c0f7c8eaa62b9e0bcd85274c2d199ced8093ca485329

SHA512
3b1b493505e2d3ebdaf4761d43c625621df97e9464a29583702f534358fd3b802edb9e759d032d4e0d187cfc04c7d0128284a65f7ea03afec3c415ba1966d7b1

Download Submit
C:\Program Files (x86).exe

Filesize
8KB

MD5
b013fa398d08c226f49c01e044a1a418

SHA1
e6495f8e1862c6c5a62e593d75ab1aa526c758bd

SHA256
c1b0a6784cea4aa6e4fc748c6dfbf12daff1198c11dbde6e8ea0f5c097ec3ed2

SHA512
87e9e7fee035a5b98198431c5eee726e7862d1942cf2015008059764ecd89dd211ddb7c0f27cf81111118a87c75ecd9d33377b0601525fc7f627828d10ba834a

Download Submit
C:\ProgramData\svchost\duiGGjj.ico

Filesize
1KB

MD5
42d552558e7e6f7440b2b63a6cde217f

SHA1
9c8fa01060f667cf3b0caad33e91fa59e643cf76

SHA256
11b5a0730666935c78d22b379f83ea5fc30d1afdea09a796b4f18b38a1e1ef69

SHA512
e6a6dc1239b9668e7ffc883b3cf46aff8c9f86ef11ae975f6fb65531d8b9313acd7608272042e322fad415a45c0cf767252d2c620ad066e6809656af0f09441b

Download Submit
C:\ProgramData\svchost\windows-delete-winpe.ico

Filesize
4KB

MD5
1f0ec21c4fa48137a0526c3c0fdea8bc

SHA1
d7868157fa33266e837fa897cdf281463cd9b2c2

SHA256
6bb158d3401976e135ed0b4d7bc4cc9f00771a9b1c2629e3fa3edfa88d2a921f

SHA512
5327893ddfc43910f482dc544faf1823bfccbb96816d7246f7bc91ce46f185b1c6677e04f99ae4c62d79fe5e3793b85f8d70957d6073e3e2fab385477d685773

Download Submit
C:\Recovery.exe

Filesize
8KB

MD5
85ba4122121e3de135ec97e7b8eeaa4a

SHA1
0d73d1ebb10ea2484ab27bc6aac3cf3caa815b19

SHA256
7acbe45ca8e556c56774b3c1995460c355860b1e55801cd6f83c295cb95af077

SHA512
a898c7249d6843a6454fd49015dcdbbc75e24db32b02f955b49408d18bd20ee5e357732599c5507ad3b9ff987a8e2f251f965a9cc878d336690aef56e9de8de4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log

Filesize
950B

MD5
d84362b5da71e2c286d7a2ada40a5b50

SHA1
8db89c99e309294a8ece7175d4b8ec4ee8af7e53

SHA256
012451907b80be15cae381bf801d33689754d148741c228edc9d9a9c165b614c

SHA512
92633814e57c8bff649f2ab67462968e2ebf3e19bde5909f0212c88942917e41cb5779fe2a5e3f83f1d711bc505f438d1e8c9cfb70ee5c96f73dd73d1b4948e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\34xwfrun\34xwfrun.0.vb

Filesize
348B

MD5
d6b579c23dfa859f6c562045c18570d6

SHA1
d001abd98697e172a386df15b7c2b691896f4510

SHA256
b7eb521f9045649066ef4dd04985e03e42abc6c124fdff6330471ae3f08f8be8

SHA512
cd83c67e873922e905a37b46c4ae3863c6e8812ccce35dba89f642ba28394324d5aba58f5a75f51b9430e2212e0b3cb6d6365bee85294a6601131c405211f2d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\34xwfrun\34xwfrun.cmdline

Filesize
214B

MD5
ddb5b7ed939efecac655cb5a1e7664e7

SHA1
80b72680d27026e532ae94af3cacc2b1d417b4e4

SHA256
a41e2fe47fecd7cc21af5d35f010513fdd263a4c2d90c1f4551bfaf2826bfed6

SHA512
f141dffbd1ee5181f88aafc8997dc81c0a32c98d32dfb1ba8cbc217421baf516107c3300cbf246a7647922e9dc2711c84203a1353d977ef2f74db80654e1e9a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\352gwiv4\352gwiv4.0.vb

Filesize
341B

MD5
87734aa074faab002b0989985e85fa8d

SHA1
7c55f9028564e574739736603439e1ffd4ba80fd

SHA256
0d261de23b8bc30777426d16939dd6a8822e059260945d6e0e7a9b6aa3def84e

SHA512
efb5eed5a6b687286671226ecf0a2a4b4eec9f4ccb67d82e228229a9c89da641d753f3cbab9870f943c11bbed983d273c78ea05305df5eca325277c610f6652e

Download Submit
C:\Users\Admin\AppData\Local\Temp\352gwiv4\352gwiv4.cmdline

Filesize
207B

MD5
2a42d83a3605ea2dfa2c509ae831c241

SHA1
94210ba0d81c9d2a92372a3b10a8c52c9216014c

SHA256
d6a3877287bbe7f960143225ae360a92161058ac17b2fe1f96bb3fc0a53ef122

SHA512
3fe3742baa38575e95129f096b92bfc9a1c57ae1279b28aa95e2f07c5b7f5f60826b6e95bcd3a8d431b212caf6bf49951d99878d0fe8c3981cf30d16be9b3bdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\3l5hnghc\3l5hnghc.0.vb

Filesize
357B

MD5
967671199e32a8d1ad1b1890a5727b2d

SHA1
706abcd836d50a13b974b2b63b866ea44f6ca4cf

SHA256
7374d0038bbf23dc9d56b6a904381072c20f1b8d234fcb727055576b321e3950

SHA512
ec82ae97ca98d25b442d2acf61533546de9128ca73fd8c549bfbadd7b56a2c10363eba91f1ea422e7e7b8cce29f0c651f2eb458bd0c2fe26fae1e4fe1e4cc849

Download Submit
C:\Users\Admin\AppData\Local\Temp\3l5hnghc\3l5hnghc.cmdline

Filesize
223B

MD5
df0ff625776eb395519a5a06310e31a5

SHA1
5b07e4040710dbdc971d048213e934bc961c1a47

SHA256
1667e032ea4484726f1a1958ce5bd970c5f9d59034b081b7282b21cb32080742

SHA512
f33eab4a0e7c414da4d430448712d79372dc98f824af1291c754d8bce7ba5cceb6da9548c8f11e09a12e7bb3de58be8000949bbca7f7fcd43472c96ba35b7f61

Download Submit
C:\Users\Admin\AppData\Local\Temp\4zrf1ek1\4zrf1ek1.0.vb

Filesize
353B

MD5
4c756d9dd49fc8e4b7af1cd3fdca2570

SHA1
173139508da5953bbd2c6b1933461224683c68ab

SHA256
ac018e6e0dbddb444e9822085c137c759411936cacb424b77e4aff4c0c0d7492

SHA512
b76738583db0e5abd413945538f81743684eb794b7dffefdcdf98c91cda6a225807623c43ef4e2de63d8fe3d020d9bc49bc58a37350fa5fb2f8e342beea6514d

Download Submit
C:\Users\Admin\AppData\Local\Temp\4zrf1ek1\4zrf1ek1.cmdline

Filesize
232B

MD5
103463808ed136668eb6d9a71e9379df

SHA1
38f85fc7412515fc65b71c9514530434bd97f781

SHA256
85eb77a57609a7a8030a701012c39f1633778bed4655ed262a513df2a2b846fa

SHA512
7772ad4d26a9085a146f58f7ec4e8453baaeaf140b8855d2ad19740f7bc279d280b5b13916d056b02ca421789b1034dd195ec80050f97985841a7681e033304b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ANTI-AFK.EXE

Filesize
846KB

MD5
22d6b214fa1182d58761509a09606da2

SHA1
3a642a9a2ab785ab8819eb0b8e3c6e8acc25fb26

SHA256
b8cb00078ec4cd8b88ef324e2a24c8aeea9d305b96b87e1e793d29be23fe79f5

SHA512
5aa9e22b083353079f12517f01302b76501939baffd0f54121ab28a64e28913d04a42d2ed937411c022d9b3ee538891d12e972714221527859bfda96c6586241

Download Submit
C:\Users\Admin\AppData\Local\Temp\INSTALLER.EXE

Filesize
169KB

MD5
7722c519958c86885ca19a7d9940b9c8

SHA1
bb0c80aa03b1b9f3675f0a827a35f54d73b83a15

SHA256
c516c1a413288af6311756bf33692d514d811e9d7dbbc7d873065f8bae6f32bb

SHA512
c0591c7f8682a643a5d41d3add9464a2bac2bc86b70b8b67613cb20f7f40d607deb64e9bf823c9cf4991547ff42c6f1279e548b54dbab954bad24cdc9b65006b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES887.tmp

Filesize
1KB

MD5
ed9099a19817fdad38463f1b67568f32

SHA1
bfdd60daf0416cfe131b7a649788551c12ffd137

SHA256
50345c7741a03f2b089601b51900dac0d51a4c2f8e27a3038a4ea1a6c38d45b1

SHA512
ff067a905b9e8b9e3235266fcc913fa920b65bb507dc543f4b14903080730fb8a737ece150235bbbea42e685f85f44ce2efbb828668b7c5ff5661a088a101913

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE242.tmp

Filesize
6KB

MD5
bf9d2332a5feaf01ebccd22c6bc70284

SHA1
a809998e863656a9452852feb3e9de23716c595a

SHA256
fd735c19d3905d7517a345f51318ba8ef92171f418df97a0bb7b123fc8818a9e

SHA512
2a065cb623efbd9b7a2dd5dffbfe2366fc32cfdc5cb996b90fa2c14adf490302691515df8c28b3ee8479c44e54bafeaf613234d8c62d6dd0f920bc7904854ee8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE2EE.tmp

Filesize
3KB

MD5
c53152d2736fc38c8bc98d214778f734

SHA1
247e1a784fe8ae64e0fb8412006522fdc6c2a818

SHA256
9e6e83eb079c2c1470fc4f660b99d338b623cf3a6dde4d14d42e47fd21071a76

SHA512
c3ddb48f3ed298159be6e1798e213a7a406057fdce9eba763d652ec8b8936edffec3a1aee75416d5c29fa5c64a68fbbd6ff4b879c3aa75ad160c4b0a75c55e42

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE38A.tmp

Filesize
3KB

MD5
c387d4384e1b34c318643634b0c11a6b

SHA1
da0c4f8eaaa01d5dd86a2d1dcf88bce09fc84245

SHA256
64f6099744d768b8a22878d8de96304b3bc3a3e1dac7cda77a52675460dc0fd9

SHA512
10ccb0ecc6d7b304d369b0e57804a99ebe876e634924f39c3462deaaa84536638c4c501129f995e14e3aef7f2a1edf276493f145d5dca5742680ccd4501c0d41

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE416.tmp

Filesize
3KB

MD5
2c046525c01c8f3675b44bcbbb0611e8

SHA1
dc09f21fcd822f991029b288fda802c18c51a023

SHA256
fa7946e1c891a3f9c63b7ab18a8d21c635f0c5af1d6c0e821a406078d2a1c103

SHA512
b53e59d1891a0939cbc77182de0777e809bfef97b331386a2671cf6a188e8b4da55a87c3b325f5140a90e3054d9e509fc269e8a853c8fb00b44258a62697dbe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE493.tmp

Filesize
3KB

MD5
eaca27d3d2e5e1e53f449bbb55be0e75

SHA1
51a7577a0de9b03499ef280a7fdcbf6df3b14603

SHA256
b761a6d973a68da83db5fdf8eab28516129a57f5ec74d207444a354a85e81bef

SHA512
e581634d8a595647a68c7f35d23c628515a80e92223958d727dcd17ccafd71844b8c778268426de725bf615d2c5452fa9a5db4426650ca6e0918fc36f287bfb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE530.tmp

Filesize
3KB

MD5
8d16fa006a8708f01c9e68f7aec3cfb6

SHA1
22944f9bdcc582581788dc1ffd5d2e4346cc92f8

SHA256
de0a7df683bc1b61c1184aeb91c70b32566be85abb6cc95abed6cbca0bc7b157

SHA512
83fc18c6593795e48f2e6c6ea09356016a604d72c81339fdadeac3d11c566cd403ed4bcc47e6637fb6285d993a3addb47d6a7fd233c00b8fb89e26f88c66c8f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE5AD.tmp

Filesize
3KB

MD5
a05962106d16eff280367f1ebb5e15b3

SHA1
de91441223345609ed51b8af7abceb70772742bb

SHA256
51c8fc354acf6111d02ff5ec428cf32a34bd8e7c61e2bbff6b0ea51ed39e68b4

SHA512
383eeaa8efa78b0c0e094ae8859c79d54bd0404e3a40310d2df94579605ef189da404d369b0b85559ad826b0a34ed6ff654c67d967504036ea37da97f0855d9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE639.tmp

Filesize
3KB

MD5
df1d1d9397ac94d37e11a4404492324f

SHA1
c55bc391fdc3b0cf0e2110bc0f88ca3c29f5456d

SHA256
a10f4187fe90b41d8f6adc657627164ae706bbdb02012a5da9945bb013cfe058

SHA512
785b3448072038829184dddc3b55e7c4655b29c2f302e8d0476c3e4f26ee77561058fabd9bb5c5f489eb71da9cf9b6404eda97713de1090e9bde8c22619a5acf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE6C6.tmp

Filesize
3KB

MD5
92e7c266dfba1bf2c5e3f6fb38fc2e1d

SHA1
3a4d4b50803204fdbdebe1084de0dd0769304c65

SHA256
adea9a9ae2edc4ceacf236a539f5a367b5ee389d34df2d48e7bc70674b670e13

SHA512
035a36721145c979d470aca0ca71c3594e17d2944f1c4037726f450e93acc81461e48d970d9a20f6fa3edb530b36ff7a2fb89149dd4d620a3cad9cf613411109

Download Submit
C:\Users\Admin\AppData\Local\Temp\cqnqp35l\cqnqp35l.0.vb

Filesize
341B

MD5
b751035d7aa47775ce0e5d1fc25b5640

SHA1
161c89c59c140abe4e929ce78f0ff0b440d85bde

SHA256
929f4f4f063ece4353d9f7d5d5d1d4a5fd348cb1857129c948e7b5732efb7801

SHA512
d0b10fe4bedfcc9414a937b92dc9600280a6a6c3935db1b1e40cc90ff3653cc11cc14bcfc37e75d51af1940d82b7c203f9f2085ec6e179397f3ad5e293bbaac6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cqnqp35l\cqnqp35l.cmdline

Filesize
207B

MD5
57a8c6c2e66b6c9dcbc12ed198c2f0b8

SHA1
160013b07b11606869ff310a340122ba39cdc9a0

SHA256
29ce339e1a201613c0a8917d5738ed0f02b5670322dccead1c85ff902d0f5c08

SHA512
99a4c69c3c5ba6ef402e99744dc422a9e7136611e4da861e99227cf2dc80414dcc32a8ad7a1cda87620813606ea00dcd3a6863f2ed97c81e2c8c2bedafadcec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\d3rfp0s0\d3rfp0s0.0.vb

Filesize
347B

MD5
e0f9aa36c90879dc37c0dacc0cf47837

SHA1
f6fde4c6fe2bc3af043543321ae0e7a960ddd2e6

SHA256
5b6e22fce1e69742769a34d01131f86a547ab72f503eba2cd7e22f1f3ac3f5f0

SHA512
2ce4efe548e9501ed2ff9bbbbb0f0b8c1857c2433b51ac5ca0f50d108be5f36e5f2f6f4464de5469f52a094391f022c8d11f197da72e1d31482ae61aa3021b7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\d3rfp0s0\d3rfp0s0.cmdline

Filesize
213B

MD5
41cdbf49a330f837bfe960cf3157f65d

SHA1
00d9d148e3a34e5d3a1e656e4caf1c8b2a3ee879

SHA256
61b43bd53958284dee91cad9a11ebabea42e49e35cfbd3fff96b16a7e54fad44

SHA512
54cd29a5f1b0ca9b33003420bf959a293ff3e1b7714056c1732955d3ea09b3d0746788b12798aa0b7fa4fc0a3b186781b18b9f7296820df1aa2e3d7c220d1701

Download Submit
C:\Users\Admin\AppData\Local\Temp\gnemnkjm\gnemnkjm.0.vb

Filesize
134B

MD5
175abe76c274ce5017fbf6e3f3ba2901

SHA1
225f707fd5f87e483de8489603a04c9987450033

SHA256
5b91f6d443114bc81073f6ebc787c1a66471544d7f247dc8bf2dd6c710235948

SHA512
614fbe4bf88037bfdf9c85ce36a7c2fcd0e6fc7e74ce071efdb11c53548b6eeb836c9216485d602ad626434646908eac7dcc888161bfb871b0c6a7135dd74f79

Download Submit
C:\Users\Admin\AppData\Local\Temp\gnemnkjm\gnemnkjm.cmdline

Filesize
200B

MD5
b801b15dbbfd3f2d9b1cb383f63118ea

SHA1
a0c72ef92ae871d29f28326eedab3c96b1e4acea

SHA256
8291d1e978cae19c3ca294e558932fd12296a68711bc48bc31e68f6a97703e7d

SHA512
6a6f422d7058dff8d162ce6231d4d2106536a252bc305f539cbd96dd57cce71fb0661ac69834887e2031b18e30d16e4f8f9ee19cf3de57b2c7278e1196e93415

Download Submit
C:\Users\Admin\AppData\Local\Temp\ifWfhaRClg.txt

Filesize
25B

MD5
fed77b04fcc09dd5149dba8693c0a813

SHA1
720ab3fc8e5c66f738e34d68761b11064b6ab1bb

SHA256
7d65baa7fd7dc3efc3efbed707780ddfd83036e7f4b5584598160e492f05ec52

SHA512
d3bb9ce9c20bdc766fc8b07ee2b0998da43e28fc2e267d7a06a5b1752d6a6bfad9f9bcc938f57cab22ff770f8ee38ddf4bc6d229fca1bbed7a423f167598dee8

Download Submit
C:\Users\Admin\AppData\Local\Temp\kihmjjdr\kihmjjdr.0.vb

Filesize
337B

MD5
7b04ca08440d68c89b297916219d9ff0

SHA1
ed65d6a92602bc30e05a2d5515726c53e9360c38

SHA256
135fe3cb45ffd85db002c75ea3c8ba84e715ed59a99d039d75bdba320269ff00

SHA512
1b9bd142bf9150f58af66d514619a1c61139e423d935b8385838fe87b45a66bc94408cca3d1c50f5ed038d99d9c48628bb9ced73cef983608d72931580391514

Download Submit
C:\Users\Admin\AppData\Local\Temp\kihmjjdr\kihmjjdr.cmdline

Filesize
203B

MD5
5c74d72818052720dc1d6ae269af3d68

SHA1
64e160ae21896fe8078f7b9f70bc4bd711d3b520

SHA256
7b34801d6ac1e4c14869f376ed9a0035240f1359b8eb999cfd5d4c194b084f82

SHA512
1c65e225dba0dc6872bb2dba3fc9ae231bf177be4d16d7201f999aa840f586e990c0dd0631d6b312d97fa0f8ebec732c31c166c47e2a99d57a09b6f58a3f9589

Download Submit
C:\Users\Admin\AppData\Local\Temp\opzkafhu\opzkafhu.0.vb

Filesize
337B

MD5
b474110bfc43d8274814f3b20afe1d63

SHA1
3ebf8ff04c779e0e01170b90645b09259ba94404

SHA256
a0b7fc43964ec3043807fa9cf4201ce4fb8b982df358296658c0d1940e997f75

SHA512
cf7e97b1003be7762bd6608903b3c26b5a3c648024015416ba8b9f3f02102d48170d48ea938d2bec5c456639a8e2a4bced2382a55b55c4413158c8171117483e

Download Submit
C:\Users\Admin\AppData\Local\Temp\opzkafhu\opzkafhu.cmdline

Filesize
203B

MD5
439258ba413d364730b6cb69d09e8750

SHA1
365963dc17d5d8993e641e72b5462e33366f923b

SHA256
1f82ff4aa12a784d0afd98a8d7f5ebd5be2ec04584b6312202f36dbf8fc37320

SHA512
758637970e06e828d5e6ac19243d1847ab2c359f11d3ed32df84b667561955fd3e300158b4cc33ebbd0002e69899154d6b602cbf93c84badc82179e1fabee0b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc3872F66A9ED840FD873BBD07F7EC8A1.TMP

Filesize
1KB

MD5
b10290e193d94a5e3c95660f0626a397

SHA1
7b9de1fd7a43f6f506e5fc3426836b8c52d0d711

SHA256
75c9e1766bfb99754b6a00d37ef93488ab216b5ac48984ed7d9d2076a7056fd2

SHA512
6ae4201552a499eaa726416b29230f48d94ac7f40ff038165bf8582626bbefe601ef6c051ad97d9156dc4b9b55fd22081db61bcd013916136340c5f1324e4bb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc3B96B2C578A446648CF3893C701CEE5.TMP

Filesize
2KB

MD5
05f9c89c04c8e5eae5c4b54d0d99cbe2

SHA1
4509983f3211bca7d1982d686e1ab69549740e3c

SHA256
fdea1e612dcaf2b8d580456d6aa351f759821dd155197026217d27e45a2d4a41

SHA512
8cdf1e883e2cd0c2bf4f7dc04353fc12168c05ca9cf1075fc42cc06fbf6dfc135ab64392501675cad503245351b850224c4f6bdfcc078ccf1fecfe58727242ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc71B1B370C6444A0D9D3843EF6FB575B.TMP

Filesize
2KB

MD5
2e1db6cf622fbeca83053b9967996697

SHA1
fdc4cc343d1cef1313976c63433086f23898d37f

SHA256
9ebef3db42ea5af8132d79f904ad4e7bcaa9aa4bc4f71c8becf8455d3ac637dd

SHA512
a3ac7e34a7cb456d0cdd12f085e05126395e209faafea2e0bcd7089cdf2138d4d3c41fd8d285ea7c581a4366059851bc34853bc6da7233919769dbfd01ea45f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc74CB91DB5734471ACA9C5C0949BBAA4.TMP

Filesize
2KB

MD5
0284fadd9fb81f63e85387440915e175

SHA1
de794f6a2b6cab17e9659d906a87fa92e0d9552b

SHA256
cb3657b9658414639976e5929144826e3ee4cfd2e36bbc9a966bfe1483cfa195

SHA512
aa500da13b912582c29f3821213adf29363874a8f3f6242eb8a33b85f5f21eee5e3d2fb4cd462d4dafd6ddb4f82a214277c926c69d289b083942763bf36d09e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc778A727D505E4354AD181F40ECE23111.TMP

Filesize
2KB

MD5
24205f9d5a6220831ebc4266d0a79da9

SHA1
b3bf5dd73472293ecf21eb007696e77e4dfe78b4

SHA256
4d71011f331866bf490949ad9d7c72a63fcbca53f0ca96ff15bb16df78c99b1a

SHA512
6a4acf350cffd2870344d1ea201dee54f2308fbdca822e4977f02cf00febcac17443c8d298d26c64d1e762e395594a3edbed95486404822673121dbbb1226d67

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB26A66B33C9F4B8B90BD966CEADCCDB3.TMP

Filesize
2KB

MD5
79e7e97ed950a7c84f507af8f6b4dc1d

SHA1
508e279aab0ad8b087184e04fde84fad64955e22

SHA256
27b065706f4f5670ff6cf8a432fb6f21eb42bc85428269b96da60a629ae0de29

SHA512
de4ae4b4108f248fb2327ef78b348af2c23621ada4e0367314fc3d18081da60d68eb33073c80e2a60d3d4a3821c82308797dc8726cdd3979963dc4ffb47b56c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB79F373BC3E49F6B0BD1D6E7275A86B.TMP

Filesize
2KB

MD5
078ac7e403b58faf7a94044865726693

SHA1
e5480b6398ca33c94b19f7a388cb09bb03018f58

SHA256
dae3822d9d2ca8c1fe9b3984fc338660a759ead91e62a8e295f46bb9c4102ec2

SHA512
e24876b736f1a6caff253c558ac0da17c7ebd08fcc86addf368fbc6414b9d667e14b59ba3b01bfb107791ed50c42bba0d3d4eeeb21d5181d1b9da914a15c3b06

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcBE33E7B7358B458CAA28C9BDA435E720.TMP

Filesize
5KB

MD5
529df8b20e900e2b7e1e8b88485337d0

SHA1
6fa99ec439190b53539648d220fc3ad465a69a40

SHA256
0bf01fae0babaf61e81bbce0a7639e8d13dae01b9b59ed0f0dd4e7d6ef9532bb

SHA512
7e51a0da11f87db816b829d310f448105732ab24a5c157d5a651c90a0273783d713d5b346b8155a18d01f9db873125c8bac60e3d652de957f5e32e3ad9cf4e7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcEBBDFE27409A4489978ABC4043F02712.TMP

Filesize
2KB

MD5
fb593222da189e1d004db43464d0738f

SHA1
dc76bc8c3352fc4a79f0b9a50081cf9cc990601f

SHA256
4710a1fc3359e9cb2cdea62221058513cc5c9d55700ff7d328533303b7822b71

SHA512
7b23506d3f1b245770084a7345f4a2cb0de687fb9bf64e2035eff9fad6a70c9d2aa3b819b6de6f8483020eaba70172d082eca57bc10b9ee67f8c4d83fc140798

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF2520CD6E2E4439C8C20DB6BF5D67.TMP

Filesize
2KB

MD5
5c02804700e8ad0a8800a5b9e0887bf6

SHA1
642b3fb03f852ce61f2554addb27fb366d562d60

SHA256
38e85e72d0f9b5777e594007dd8d9886b54259da3485a62198468baac3d755f8

SHA512
37b42957243b5c3819e6f65f2811362863d612dbdcb3ae6141b3da4358d91d1fae0ad4f837d38024c28f18d6d44d850b4213f4830a10fcac11e3636176684e9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vfz2glfv\vfz2glfv.0.vb

Filesize
351B

MD5
f16a3586f811a0e6a05d626df2f17463

SHA1
e0c246250467ece7dfb722df40ec7bb37c235820

SHA256
420e78b201d5f5bdcf718625ddb53e8d69236ee7a77a4ca5226b0fd46542b35b

SHA512
632ef200f3fadb0e0de0f67f37eb974a0c1bb41a7747152f16dbd66af95b3999c0695ccb8ad860e89d2ab7b429581fdde25a8e0ee2107047248739d52d317dce

Download Submit
C:\Users\Admin\AppData\Local\Temp\vfz2glfv\vfz2glfv.cmdline

Filesize
217B

MD5
e40483c47d29a9b99247d65e2b4ea842

SHA1
d01e0967fa805f597dc6030ea9cf2eebbaa78047

SHA256
514e2ee7a9bb18d3bed44406ad07e249d3c73b25fcf7c8d84e871111a1cabf32

SHA512
bb65dadd98bd0d2f295e47e1c2eca61c1220024d00a1e9724045e234bfe3ee28bc99d54bb63bea3c03b8a3602f2474590b8714d64fd0a1f3e27f626bc6ba0199

Download Submit
C:\Windows\SysWOW64\1.exe

Filesize
22KB

MD5
c217657dadbab82ae4f216299d9f63c0

SHA1
c12c42347c68182e15607bc4d44c4db9964c4e70

SHA256
c8b5dfcd40662c3d92b0bf12e6ba7fe8417a6438b84ff33fe7d4e486133c9d22

SHA512
7b9dc181c3a2da958a45066549ba13d89eb1997f94ac3a4b9bf015249bce4e5d59e683e0dc732a161e6e391f50a16554072a51a794cfc0fc55136d8ee2e95599

Download Submit
C:\Windows\SysWOW64\2.exe

Filesize
143KB

MD5
ed45d84cc5d0fafd5dd6372976462a5d

SHA1
6bf44c21677f1e9616300e93e3d62c18d85f811e

SHA256
efae476d241067b3ebc77f3b6c7e65c5b6c0dc1b956a8b460cd830123fdad3a0

SHA512
52d16f9378f62eada0f500ddad1fd321f0c3badaefa86f5b00a9fd222f99b8e642f3659587038dbe490f25e9fbd90890a33120fe0e6a6d9a0eef8c1823de72c7

Download Submit
C:\cd2be074b6f9ceb7c82a5635e25f.exe

Filesize
8KB

MD5
04b5a14a339d1dcdfa031698d9f9c94a

SHA1
4e9b5e42338c633ff651b48530e64d2dba1b9901

SHA256
22395fb3a74ca5e75a301d0b2e0d52e99027b9ff951fe722a0bea6b3243f3817

SHA512
34fedbeccc14df0c4d9d68607804f75c8e191086da5ca96558bfde9647e286686cf22046282bb013e6e5d32258f044b020e9f238a89006744c71efe6454f068c

Download Submit
C:\windows-delete-winpe.bat.exe

Filesize
11KB

MD5
bf9caa74f70dcb05d2ac4f2751388b24

SHA1
2cae3f4696fa2492432f76d7f98083071e8dc635

SHA256
01d64f5a68fabe8ffd1a1f37692333928810d4479c2efc1b7ba4067aa3715fa4

SHA512
7678fd599d0fb7189c04e884b7713bee9f0f708796b96b26e85c35f65d521efbf072403254c1ca9891d91049b7baeb272547d1d2bd197bb54b3a0f35b9fd4200

Download Submit
F:\$RECYCLE.BIN.exe

Filesize
8KB

MD5
10014e99a5ffd0d281a8869633d71571

SHA1
290da257e5b404d82e6b99e4b6b7469beb5a95ce

SHA256
9c61284d345c57fc077943dd5d9c7cb22ceee8d782f93f434de532b59f1be9d6

SHA512
72b416a3d8ec60ef1d97339d7ff6444962403a299802edd5359ac6a74a889f3e2bf8f92397881ed5a0b61cf61595ac296c526b2a060b6279af064ba35f8af0f6

Download Submit
memory/464-68-0x000000001C840000-0x000000001C8DC000-memory.dmp

Filesize
624KB

Download
memory/464-57-0x000000001B6E0000-0x000000001BBAE000-memory.dmp

Filesize
4.8MB

Download
memory/464-70-0x0000000000B30000-0x0000000000B38000-memory.dmp

Filesize
32KB

Download
memory/464-61-0x000000001BE60000-0x000000001BF06000-memory.dmp

Filesize
664KB

Download
memory/660-67-0x0000000000360000-0x000000000036C000-memory.dmp

Filesize
48KB

Download
memory/660-69-0x0000000000D20000-0x0000000000D3A000-memory.dmp

Filesize
104KB

Download
memory/1332-55-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1332-21-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/5548-64-0x00000000058F0000-0x0000000005956000-memory.dmp

Filesize
408KB

Download
memory/5548-59-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/5548-60-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/5548-62-0x0000000005850000-0x00000000058EC000-memory.dmp

Filesize
624KB

Download
memory/5548-63-0x0000000005EA0000-0x0000000006446000-memory.dmp

Filesize
5.6MB

Download
memory/5548-72-0x00000000073E0000-0x0000000007472000-memory.dmp

Filesize
584KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads