revengerat | 07dfacdc603bb28beb153f81bb4519a7239bdcf8411e5c5f7c26b54ceb5a3865

Analysis

max time kernel
147s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20250410-en
resource tags

arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
submitted
13/04/2025, 03:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

instaler.exe
Size

1.0MB
MD5

d123427182e9ec7b19765f32fc159719
SHA1

3c171e57af9aec12bbe63065149b9a63a7d53e11
SHA256

07dfacdc603bb28beb153f81bb4519a7239bdcf8411e5c5f7c26b54ceb5a3865
SHA512

7efea1b0914bdd4c29363ca782495cb88fc4a81bcde2ce39b7cae83bd57bf27334eef3e08c3131250f8bbc4b4f466fcacab1c22c1369cc860ba87d43a1fa8534
SSDEEP

24576:ozbQfQjWKM072B6PUppfZkyE3ScFYTYwYkPBlIpFIa:ofQfiZ7q/ruyE3SSY0wYkZ

Score

10^/10

revengerat discovery persistence stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral1/files/0x0007000000024207-38.dat	revengerat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation	instaler.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation	INSTALLER.EXE

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost	vbc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	vbc.exe

Executes dropped EXE 5 IoCs

pid	Process
4208	ANTI-AFK.EXE
5220	INSTALLER.EXE
2368	1.exe
2344	2.exe
3972	2.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\SysWOW64\\2.exe"	InstallUtil.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Command.EXE	INSTALLER.EXE
File opened for modification	C:\Windows\SysWOW64\Command.EXE	INSTALLER.EXE
File created	C:\Windows\SysWOW64\2.exe	INSTALLER.EXE
File created	C:\Windows\SysWOW64\svchost.exe	InstallUtil.exe
File created	C:\Windows\SysWOW64\system.EXE	INSTALLER.EXE
File opened for modification	C:\Windows\SysWOW64\system.EXE	INSTALLER.EXE
File created	C:\Windows\SysWOW64\1.exe	INSTALLER.EXE

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2344 set thread context of 4080	2344	2.exe	92
PID 4080 set thread context of 1352	4080	InstallUtil.exe	93
PID 3972 set thread context of 1204	3972	2.exe	132
PID 1204 set thread context of 3712	1204	InstallUtil.exe	133

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 26 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	INSTALLER.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	instaler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	InstallUtil.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2344	2.exe
Token: SeDebugPrivilege	4080	InstallUtil.exe
Token: SeDebugPrivilege	3972	2.exe
Token: SeDebugPrivilege	1204	InstallUtil.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4208	ANTI-AFK.EXE
4208	ANTI-AFK.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5628 wrote to memory of 4208	5628	instaler.exe	88
PID 5628 wrote to memory of 4208	5628	instaler.exe	88
PID 5628 wrote to memory of 5220	5628	instaler.exe	89
PID 5628 wrote to memory of 5220	5628	instaler.exe	89
PID 5628 wrote to memory of 5220	5628	instaler.exe	89
PID 5220 wrote to memory of 2368	5220	INSTALLER.EXE	90
PID 5220 wrote to memory of 2368	5220	INSTALLER.EXE	90
PID 5220 wrote to memory of 2344	5220	INSTALLER.EXE	91
PID 5220 wrote to memory of 2344	5220	INSTALLER.EXE	91
PID 5220 wrote to memory of 2344	5220	INSTALLER.EXE	91
PID 2344 wrote to memory of 4080	2344	2.exe	92
PID 2344 wrote to memory of 4080	2344	2.exe	92
PID 2344 wrote to memory of 4080	2344	2.exe	92
PID 2344 wrote to memory of 4080	2344	2.exe	92
PID 2344 wrote to memory of 4080	2344	2.exe	92
PID 2344 wrote to memory of 4080	2344	2.exe	92
PID 2344 wrote to memory of 4080	2344	2.exe	92
PID 2344 wrote to memory of 4080	2344	2.exe	92
PID 2344 wrote to memory of 4080	2344	2.exe	92
PID 4080 wrote to memory of 1352	4080	InstallUtil.exe	93
PID 4080 wrote to memory of 1352	4080	InstallUtil.exe	93
PID 4080 wrote to memory of 1352	4080	InstallUtil.exe	93
PID 4080 wrote to memory of 1352	4080	InstallUtil.exe	93
PID 4080 wrote to memory of 1352	4080	InstallUtil.exe	93
PID 4080 wrote to memory of 1352	4080	InstallUtil.exe	93
PID 4080 wrote to memory of 1352	4080	InstallUtil.exe	93
PID 4080 wrote to memory of 1352	4080	InstallUtil.exe	93
PID 4080 wrote to memory of 368	4080	InstallUtil.exe	100
PID 4080 wrote to memory of 368	4080	InstallUtil.exe	100
PID 4080 wrote to memory of 368	4080	InstallUtil.exe	100
PID 368 wrote to memory of 5292	368	vbc.exe	102
PID 368 wrote to memory of 5292	368	vbc.exe	102
PID 368 wrote to memory of 5292	368	vbc.exe	102
PID 4080 wrote to memory of 5580	4080	InstallUtil.exe	103
PID 4080 wrote to memory of 5580	4080	InstallUtil.exe	103
PID 4080 wrote to memory of 5580	4080	InstallUtil.exe	103
PID 5580 wrote to memory of 1528	5580	vbc.exe	105
PID 5580 wrote to memory of 1528	5580	vbc.exe	105
PID 5580 wrote to memory of 1528	5580	vbc.exe	105
PID 4080 wrote to memory of 2352	4080	InstallUtil.exe	106
PID 4080 wrote to memory of 2352	4080	InstallUtil.exe	106
PID 4080 wrote to memory of 2352	4080	InstallUtil.exe	106
PID 2352 wrote to memory of 5092	2352	vbc.exe	108
PID 2352 wrote to memory of 5092	2352	vbc.exe	108
PID 2352 wrote to memory of 5092	2352	vbc.exe	108
PID 4080 wrote to memory of 5500	4080	InstallUtil.exe	109
PID 4080 wrote to memory of 5500	4080	InstallUtil.exe	109
PID 4080 wrote to memory of 5500	4080	InstallUtil.exe	109
PID 5500 wrote to memory of 1864	5500	vbc.exe	111
PID 5500 wrote to memory of 1864	5500	vbc.exe	111
PID 5500 wrote to memory of 1864	5500	vbc.exe	111
PID 4080 wrote to memory of 5548	4080	InstallUtil.exe	112
PID 4080 wrote to memory of 5548	4080	InstallUtil.exe	112
PID 4080 wrote to memory of 5548	4080	InstallUtil.exe	112
PID 5548 wrote to memory of 4012	5548	vbc.exe	114
PID 5548 wrote to memory of 4012	5548	vbc.exe	114
PID 5548 wrote to memory of 4012	5548	vbc.exe	114
PID 4080 wrote to memory of 2788	4080	InstallUtil.exe	115
PID 4080 wrote to memory of 2788	4080	InstallUtil.exe	115
PID 4080 wrote to memory of 2788	4080	InstallUtil.exe	115
PID 2788 wrote to memory of 3808	2788	vbc.exe	117
PID 2788 wrote to memory of 3808	2788	vbc.exe	117
PID 2788 wrote to memory of 3808	2788	vbc.exe	117
PID 4080 wrote to memory of 620	4080	InstallUtil.exe	118

C:\Users\Admin\AppData\Local\Temp\instaler.exe
"C:\Users\Admin\AppData\Local\Temp\instaler.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5628
- C:\Users\Admin\AppData\Local\Temp\ANTI-AFK.EXE
  "C:\Users\Admin\AppData\Local\Temp\ANTI-AFK.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4208
- C:\Users\Admin\AppData\Local\Temp\INSTALLER.EXE
  "C:\Users\Admin\AppData\Local\Temp\INSTALLER.EXE"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5220
- - C:\Windows\SysWOW64\1.exe
    "C:\Windows\system32\1.exe"
    3⤵
    - Executes dropped EXE
    PID:2368
- - C:\Windows\SysWOW64\2.exe
    "C:\Windows\system32\2.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2344
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      4⤵
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4080
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1352
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zptafuln\zptafuln.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:368
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE213.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc39797713C76F4A388CBE235A0A4AF8.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5292
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tq2vr3ng\tq2vr3ng.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5580
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE29F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1F73EA2AC02C41959796D68148F44866.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1528
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rxzh22om\rxzh22om.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2352
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE34B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAB14A18B2E64835B94FCE31D51974A6.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5092
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\znycpyfk\znycpyfk.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5500
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE3D8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1F5FCD2EAB9243BAA03633C9AE772.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1864
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\m5k4gzky\m5k4gzky.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5548
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE474.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB18B9074263543DEB313620AED76D34.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4012
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\me4h1m4b\me4h1m4b.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2788
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE510.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEB3975A81914DA99E96F5ABBA7D29D9.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3808
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bkq2o2dj\bkq2o2dj.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:620
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE5AD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB3543BE5C084476AA780DDADD10EC6F.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:6040
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ymr2zlqa\ymr2zlqa.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:384
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE62A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc115F6CA9175B4246B779D260ACA2C978.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5684
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hivbd3bz\hivbd3bz.cmdline"
        5⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:1928
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES923.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc73D27C25E9874ABC965362E686F86EE1.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\2.exe
1⤵
PID:6108
- C:\Windows\SysWOW64\2.exe
  C:\Windows\SysWOW64\2.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3972
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1204
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3712

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin.exe

Filesize
8KB

MD5
a8b1af6437a481e0512b30149ec29a7d

SHA1
597dde4356aa63427f63ceaf1027cfa18b9e9370

SHA256
dabb21fef673e854e04df3a3abdcdc3cba64d127cc353538dc144af4a6b4b247

SHA512
c59925ab458701c5fe91888a538cbea6b7f63c4632628c5a5c1fa2ffecc6a642aa0416f590fc07f9a6173848abe789f17e5b449b3891b17f8e92e53136095e70

Download Submit
C:\2c882b9011f3c0b400a1bfc818.exe

Filesize
8KB

MD5
6cc77fcf9798943925de4de9744338c1

SHA1
a70e19b324d05e5893fdb913c18a6d34942624f0

SHA256
17e7c0db13bfaa47fe4c4a6b3c75e7b37890c528f5bc103dd187dbec580f74e3

SHA512
f9c731181b90cc14e4330e3febc20b706913797b1ffa41d2eabf024f541f83950098242e3e65ac929942dff8b8d8931497acb906b057a4477a538e29d4000acb

Download Submit
C:\501cea3ceb28a0a381.exe

Filesize
8KB

MD5
317d81b8e7523c7cb0326b0f07505c49

SHA1
7cf886c544a26c544c1f4afd30a6985a0d31ee1c

SHA256
51f171ef8b2da20752820ff912f95c4a1a2fcea30115a362a9798a3f7480ed9c

SHA512
8b7fce3aff1bd571b727c94dd75bcb8120cf3a2c464a4acb69e9493af808a321039494bf4810d58b5887ab1407d8fb631d4eb1fbf7eb9f484b0bb3d991cd3bb6

Download Submit
C:\Documents and Settings.exe

Filesize
8KB

MD5
f9b7808f29961dc4114c25410b6d48d1

SHA1
a6a81740ffef5c3c1f0df53864f3c221fcdf9729

SHA256
ce1b1f11dd334aee3c089f7ac9de57d683aec06e5113b4aa8b094df21c1d06c7

SHA512
675c2a12f16e4759b3a193c204169db64f11318d9242277edd3422645da8cfd45cfd87b6ed4b91b2b7fbbcb46bc45afa1c11c660bde1363b0cd0b613e510c1db

Download Submit
C:\PerfLogs.exe

Filesize
8KB

MD5
8cff1d58e7d3dd0f3468fc2587ca6001

SHA1
e8329456354770caab867a854d1b348bd2f24d14

SHA256
aadf8b1f5f961aad85d081d562c573d87bcda9e56a04008c400545c1a64ff2f1

SHA512
8277384ba9bc2e272bbb94bb9de8d651b71bdd0f83f9a3848aef0bce9aa57e3038da163f1e6343515fba63d40105eae6342b2dda250945ded564a34315cfbbda

Download Submit
C:\Program Files (x86).exe

Filesize
8KB

MD5
9b8730478cc772347bc627e0f7076eef

SHA1
a136bb353b6cd2c7ab9c96363f8160eb28417118

SHA256
d03914e0e0476fb0b5a097083be02d9b236e844d78f577cdaf0d9b6c7960a0cd

SHA512
edbbc186b111e0a93572a98c57f1b8d5b06b22a1eeee44b0b97ccfe9f7aa29910e3952cd08952916842598971684322a5421370157a9aead64d51e63c6e1248c

Download Submit
C:\ProgramData\svchost\duiGGjj.ico

Filesize
1KB

MD5
42d552558e7e6f7440b2b63a6cde217f

SHA1
9c8fa01060f667cf3b0caad33e91fa59e643cf76

SHA256
11b5a0730666935c78d22b379f83ea5fc30d1afdea09a796b4f18b38a1e1ef69

SHA512
e6a6dc1239b9668e7ffc883b3cf46aff8c9f86ef11ae975f6fb65531d8b9313acd7608272042e322fad415a45c0cf767252d2c620ad066e6809656af0f09441b

Download Submit
C:\Recovery.exe

Filesize
8KB

MD5
080b83abbc3ef4fcb43283fb2835c554

SHA1
36de20d026cf55ebebc9bbd96d61040aebe8a98a

SHA256
7183cb18ee42daf0cafeaf789197552dc1de541c479c2425d2a1e4b115276a89

SHA512
fac200d9daad05ae8d93dab2ea53c1897d65da8c15f9a222ec9aa8b64a0c80e2545819bfb0d7d8b209c18e21a274339cdb74ef3839c0716cdc67b6e2723afe28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log

Filesize
950B

MD5
f7a49804289daba7de5b3b77408276f7

SHA1
43dc40ddb1d6e081d52671a56ecefbcb4545e32c

SHA256
6b79cf98a0976e2e43f4e9fae56b57910360503435ff027b87e481d5c3b68892

SHA512
4e0dd3d97bb9cab135c649fac821c9664cad91f4e22fa883b426e20620affce41878981c7f20a3d859027a890304886c186e463ea0df17a184562ee6a1e48d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\ANTI-AFK.EXE

Filesize
846KB

MD5
22d6b214fa1182d58761509a09606da2

SHA1
3a642a9a2ab785ab8819eb0b8e3c6e8acc25fb26

SHA256
b8cb00078ec4cd8b88ef324e2a24c8aeea9d305b96b87e1e793d29be23fe79f5

SHA512
5aa9e22b083353079f12517f01302b76501939baffd0f54121ab28a64e28913d04a42d2ed937411c022d9b3ee538891d12e972714221527859bfda96c6586241

Download Submit
C:\Users\Admin\AppData\Local\Temp\INSTALLER.EXE

Filesize
169KB

MD5
7722c519958c86885ca19a7d9940b9c8

SHA1
bb0c80aa03b1b9f3675f0a827a35f54d73b83a15

SHA256
c516c1a413288af6311756bf33692d514d811e9d7dbbc7d873065f8bae6f32bb

SHA512
c0591c7f8682a643a5d41d3add9464a2bac2bc86b70b8b67613cb20f7f40d607deb64e9bf823c9cf4991547ff42c6f1279e548b54dbab954bad24cdc9b65006b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES923.tmp

Filesize
1KB

MD5
9f4615b89b56e4a1609727d6fb9e05b3

SHA1
e4d7a0e0570e4d846e2df44f11bb25538f6ec857

SHA256
f3544ae2f109f0971b46cf170b60972e87738775524aef95ca6b098987c988ae

SHA512
1fe2b369f707efa3b365ea0ffcf6856f7c386c0344306a09a1296c50df8a5cda8ce7f967b5f86f69b06d6482a25e399a192413fa52dfcd76be6fae8748c92619

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE213.tmp

Filesize
3KB

MD5
8f857db85590b17efcd52b4f62b9e957

SHA1
31b7075f72df45fd476ee5c02eb6de895fbdf3d4

SHA256
a926b92eb149870267f7d610e1547248e6c8dfd4be708cc00c3bfc9d499d3a34

SHA512
b2069cb08eba18c313c0a32f9a82f7aa1564aab0d974b66f6cbf4de219ea679cb1a4ac5b275ebc42b28cef518f03aad5a69481e8decb839b481dc16a8a8d65e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE29F.tmp

Filesize
3KB

MD5
6a55d08a44f73f6785dc80b0e6266e0a

SHA1
ee549638dc677aa83d0100ce02443a7beafe4c5d

SHA256
ea7adb3f363191f6b4f9db2535425fc85b43514a2cec4d7d8297299b77ae8880

SHA512
d6d42515652cd48f4173353e7a2d97aa23bae2159eccf3945771cbee984cddcba984cb79b16f09ecc31a3f052fc2884ce10229a837beaa81c75683e114ad165c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE34B.tmp

Filesize
3KB

MD5
584a8e088acf1c16c190c2557df7a682

SHA1
b6020b385fd6513ffcf02003d26f87ea8ef78a75

SHA256
9c4c7821a0eb11ba2e6d7f8da3890f7c8620d691d4d551c8da47de2febe848ea

SHA512
e4b91aa176a3642afeafb9ad1b4f5163063e89013831af48de42859d3caac25aedd41c14eea56e83182d02d22e35ef8dcc0349039fcaeb492da03c18ec49236f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE3D8.tmp

Filesize
3KB

MD5
07d6cee94cae83803dd906cbff96d04a

SHA1
298ebaf354b25c7af46caf37d4c7a3037b1f3931

SHA256
776d5d849fefd677db0b2d0bc72832e5358a4855f658d09d90c4d51378f513d1

SHA512
fa35eae094662c7ff7ee2b213583a857000de0deb3e0676d52d6598ab549639285e53ef39867cb37a683e64aa00ce1a877fd31d7bb8a1786d24a724671034706

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE474.tmp

Filesize
3KB

MD5
32a1cfd3cf2efd4af530178ebea805d6

SHA1
b5d3d487c0ef03005b1f8c246fc3693f78331851

SHA256
29fd09b75583633b54853190cb19b76ccd940d6e7f5cc7cf44884ddb3afc8888

SHA512
e94221718d65feeef943d0b57c2f284dcf0fac191c994f608d43b98a5ff5e59d6758f94dc75ca2ff5889f648aaa8b932c809045438f6f8788793dd61051a85bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE510.tmp

Filesize
3KB

MD5
66eb2b60b35d8c68777537afdeaa94e8

SHA1
5b66cf31cc5dea71bc9a49bf5d41e8e200aece8d

SHA256
88a81ec2bf7abef8873a150121d2f6a6d498457ca70fecb1896084cebba104bb

SHA512
9b0d53ed256b65b9aafd37c883dc847cf89fc30f4e409d8cd20a1c93fa00241a157f9f87dd20598e3661f04762566e46f0315461776d286ad82836285095cf1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE5AD.tmp

Filesize
3KB

MD5
a2b87621b529ab5924d6ea64b4820f3c

SHA1
5b16b4448e8a0830f04cde77e9370f0f0ce924ee

SHA256
cccc14b73f0ed75c1b794d4466e7e5308b63ef365232e70a0e537c1c91eea7ae

SHA512
1acfa8edd7efe2fe6c20dbfe8c2342685793e951c66257e79665bbfbf38cf95c5e1e0626cd8df8505b7eeb64afbd10c66d0d80f43155774c3ad471bcd16636e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE62A.tmp

Filesize
3KB

MD5
46fbcc996bc8d6f52e33ed8d785125af

SHA1
5cd1d78a360df8726c26fad5e43de5ae45cf56dc

SHA256
719449053d29b4f219696006695daaaa7b3566dc95fd8d4fd0ccdfaae54ad92d

SHA512
95ec558e0b7c4c540f09b07b2b3db63201cc08e04395f152cc7cbd89c9cf7625968925045c287aa697d37d5a1da9face3156a74a2adf699962749165e346d12f

Download Submit
C:\Users\Admin\AppData\Local\Temp\bkq2o2dj\bkq2o2dj.0.vb

Filesize
337B

MD5
7b04ca08440d68c89b297916219d9ff0

SHA1
ed65d6a92602bc30e05a2d5515726c53e9360c38

SHA256
135fe3cb45ffd85db002c75ea3c8ba84e715ed59a99d039d75bdba320269ff00

SHA512
1b9bd142bf9150f58af66d514619a1c61139e423d935b8385838fe87b45a66bc94408cca3d1c50f5ed038d99d9c48628bb9ced73cef983608d72931580391514

Download Submit
C:\Users\Admin\AppData\Local\Temp\bkq2o2dj\bkq2o2dj.cmdline

Filesize
203B

MD5
3cb6cdc45bb02ce85dee1398441e1762

SHA1
d1462b334a52600352903f219353b4c593de5502

SHA256
179ea4f308aadbfb83e63345b28d70b6835ca7d4c4372537c81132a9201da88f

SHA512
616a0a20c246c930ebe52a38ac747057b5e58c38d29fb16f4259b8c5b35ee802482dba0bd200affe69559e5cf17c8a5383f1f256a4a686767192d7bac85c413f

Download Submit
C:\Users\Admin\AppData\Local\Temp\hivbd3bz\hivbd3bz.0.vb

Filesize
134B

MD5
175abe76c274ce5017fbf6e3f3ba2901

SHA1
225f707fd5f87e483de8489603a04c9987450033

SHA256
5b91f6d443114bc81073f6ebc787c1a66471544d7f247dc8bf2dd6c710235948

SHA512
614fbe4bf88037bfdf9c85ce36a7c2fcd0e6fc7e74ce071efdb11c53548b6eeb836c9216485d602ad626434646908eac7dcc888161bfb871b0c6a7135dd74f79

Download Submit
C:\Users\Admin\AppData\Local\Temp\hivbd3bz\hivbd3bz.cmdline

Filesize
200B

MD5
77bed1ef75c78a87995565b515ec08c7

SHA1
cc794c166c579f2e0bcc0a7f70dadb2b7ca170f1

SHA256
57e84383882ca410ff2916155f45c385d6ef0683c32c949300eca90e64b6e81b

SHA512
558fc4c6a454337f295e3a0a7f0708ec982d977337c95f6dba24771cbd8e630561c8fa04be3aef4edde3a577a36d21ea9d541c82b892fff1a033aa54ad8dfd0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ifWfhaRClg.txt

Filesize
25B

MD5
fed77b04fcc09dd5149dba8693c0a813

SHA1
720ab3fc8e5c66f738e34d68761b11064b6ab1bb

SHA256
7d65baa7fd7dc3efc3efbed707780ddfd83036e7f4b5584598160e492f05ec52

SHA512
d3bb9ce9c20bdc766fc8b07ee2b0998da43e28fc2e267d7a06a5b1752d6a6bfad9f9bcc938f57cab22ff770f8ee38ddf4bc6d229fca1bbed7a423f167598dee8

Download Submit
C:\Users\Admin\AppData\Local\Temp\m5k4gzky\m5k4gzky.0.vb

Filesize
337B

MD5
b474110bfc43d8274814f3b20afe1d63

SHA1
3ebf8ff04c779e0e01170b90645b09259ba94404

SHA256
a0b7fc43964ec3043807fa9cf4201ce4fb8b982df358296658c0d1940e997f75

SHA512
cf7e97b1003be7762bd6608903b3c26b5a3c648024015416ba8b9f3f02102d48170d48ea938d2bec5c456639a8e2a4bced2382a55b55c4413158c8171117483e

Download Submit
C:\Users\Admin\AppData\Local\Temp\m5k4gzky\m5k4gzky.cmdline

Filesize
203B

MD5
8e883ec5979237d5c89fb95fa739a245

SHA1
aaff74c10ba74e75482e537b8881e1c8c1e78d61

SHA256
986c2bbc011d1eae02cbdde4080a0c4bfcf788dea78a8e8604ab4d41a80b14cf

SHA512
a9970f9d01ecd1f9f7aeac150f5d8c5d438e43cccb20df2463f75d7274315ae8b22b72d84aef4d100bc3b8dd8573201d2b46f401d048cc7738dc3fe15a94f717

Download Submit
C:\Users\Admin\AppData\Local\Temp\me4h1m4b\me4h1m4b.0.vb

Filesize
348B

MD5
d6b579c23dfa859f6c562045c18570d6

SHA1
d001abd98697e172a386df15b7c2b691896f4510

SHA256
b7eb521f9045649066ef4dd04985e03e42abc6c124fdff6330471ae3f08f8be8

SHA512
cd83c67e873922e905a37b46c4ae3863c6e8812ccce35dba89f642ba28394324d5aba58f5a75f51b9430e2212e0b3cb6d6365bee85294a6601131c405211f2d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\me4h1m4b\me4h1m4b.cmdline

Filesize
214B

MD5
f4ab84966198223a21569583fd4608a6

SHA1
bee6504305460409f5d65933fb433a86cf359218

SHA256
286781a473591d0841422f38c38ad24ffb884413726300e09977b789ddabc819

SHA512
e73847f04461a848fb6d29665024bfc2d21128fc62a9149b7a24549170a4aad3bc16670539c6eedea366f76bb4cd8dd81867aadb7545b3fceb8dcb21817539aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\rxzh22om\rxzh22om.0.vb

Filesize
347B

MD5
e1eb06c07dff5f964983eac5ac40cc27

SHA1
d801a12f8e78532a57fb837e2f5d12f081be5231

SHA256
47640b1249145026ecf5dc92b76c53b0f2c67cbecf5ec337fd7b9a2a483a484a

SHA512
1d55597f73a322154437af9882633a80187fca3611177447c1570fc5a4ac985be97809dc025d526e03a63e6d64fe65cad3797635e49136f20caaa4df26d1f3b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\rxzh22om\rxzh22om.cmdline

Filesize
213B

MD5
9b304e079bdc02c508ea99a419c851d4

SHA1
d76b27b3b9ef670dcc9b2a21fbb75135932a8dce

SHA256
50a1182cd29caa3a5d227489f6a90d2d43e6ba503b0cd5920f64cfcc8a818f1a

SHA512
7d5a8c589ec4e7eedc092c4bb8d1433fa202c74eb94701390e477399be763274c0dc5f0a4536735b638b63b74bef9a2b88ee2676e824233eedcaf77407773003

Download Submit
C:\Users\Admin\AppData\Local\Temp\tq2vr3ng\tq2vr3ng.0.vb

Filesize
355B

MD5
342c649e24434568550e3ebab4fa0633

SHA1
1cdb174a585163d1a057e242caaedd9322161d22

SHA256
1e056a6e86492efed6fcceed49b282dac9ac6f91cdf956fe26f47fff51c5d516

SHA512
3291eb2bea739bf836872c1d773e9586395a71d24215d8ee24f6d01ecbc1502a99fba2f8c663bec17c26998dd02f201096d2b001fbec72b4ac51a0429d2648ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\tq2vr3ng\tq2vr3ng.cmdline

Filesize
221B

MD5
8058d82714e6178dfdbc57fda3c53022

SHA1
d98bc0fd24271bb689b97146a8ad757baf5172ad

SHA256
36479821eb75734c879228942ec2cbd7c789d64312e30435d84a0b4361cc5279

SHA512
5f1c9efe52f42fb0ef0a35aae8a62dec102d8e6cbdce917dcf8de6f6507d08e16f98f1534a36364be351e2081b2a28508d1d592385964da902784cfc05206fcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc115F6CA9175B4246B779D260ACA2C978.TMP

Filesize
2KB

MD5
fb593222da189e1d004db43464d0738f

SHA1
dc76bc8c3352fc4a79f0b9a50081cf9cc990601f

SHA256
4710a1fc3359e9cb2cdea62221058513cc5c9d55700ff7d328533303b7822b71

SHA512
7b23506d3f1b245770084a7345f4a2cb0de687fb9bf64e2035eff9fad6a70c9d2aa3b819b6de6f8483020eaba70172d082eca57bc10b9ee67f8c4d83fc140798

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1F5FCD2EAB9243BAA03633C9AE772.TMP

Filesize
2KB

MD5
24205f9d5a6220831ebc4266d0a79da9

SHA1
b3bf5dd73472293ecf21eb007696e77e4dfe78b4

SHA256
4d71011f331866bf490949ad9d7c72a63fcbca53f0ca96ff15bb16df78c99b1a

SHA512
6a4acf350cffd2870344d1ea201dee54f2308fbdca822e4977f02cf00febcac17443c8d298d26c64d1e762e395594a3edbed95486404822673121dbbb1226d67

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1F73EA2AC02C41959796D68148F44866.TMP

Filesize
2KB

MD5
b482a7d97269f011b70dbfb7078c7b38

SHA1
44775a518065e7756caffc66bafefc80d70c50dd

SHA256
fba685ee43fd09bed65047d0245f44f7a8eee0eb21f97b206c951bd58c724423

SHA512
c73de24ea343cbf60ad68fe775a85a4fde19b7aeb47398772a59ac07fc291744352ecda247c838836adf6aa33a68ec8868ea4559ced007e6d702c1af8694198c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc39797713C76F4A388CBE235A0A4AF8.TMP

Filesize
2KB

MD5
5c02804700e8ad0a8800a5b9e0887bf6

SHA1
642b3fb03f852ce61f2554addb27fb366d562d60

SHA256
38e85e72d0f9b5777e594007dd8d9886b54259da3485a62198468baac3d755f8

SHA512
37b42957243b5c3819e6f65f2811362863d612dbdcb3ae6141b3da4358d91d1fae0ad4f837d38024c28f18d6d44d850b4213f4830a10fcac11e3636176684e9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc73D27C25E9874ABC965362E686F86EE1.TMP

Filesize
1KB

MD5
b10290e193d94a5e3c95660f0626a397

SHA1
7b9de1fd7a43f6f506e5fc3426836b8c52d0d711

SHA256
75c9e1766bfb99754b6a00d37ef93488ab216b5ac48984ed7d9d2076a7056fd2

SHA512
6ae4201552a499eaa726416b29230f48d94ac7f40ff038165bf8582626bbefe601ef6c051ad97d9156dc4b9b55fd22081db61bcd013916136340c5f1324e4bb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcAB14A18B2E64835B94FCE31D51974A6.TMP

Filesize
2KB

MD5
5039bc0bf1b2ca80edf8d27a59b8edec

SHA1
ddd935c4a5f773320d4a0f5386c79956bc922699

SHA256
6c11763f84f9f58ca48a1c8fcaa06a2fb6486af1c74e0ff31f800936b1f2e3f2

SHA512
1fdcc569829e5c0d7d5a1ef2d23cb175b109ad8d08d3e3deb7b347d812de6a53b28bf70d8b9bef82b28c225ba4d89b1f6cc2cab19064d99d39c7634e958ee657

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB18B9074263543DEB313620AED76D34.TMP

Filesize
2KB

MD5
79e7e97ed950a7c84f507af8f6b4dc1d

SHA1
508e279aab0ad8b087184e04fde84fad64955e22

SHA256
27b065706f4f5670ff6cf8a432fb6f21eb42bc85428269b96da60a629ae0de29

SHA512
de4ae4b4108f248fb2327ef78b348af2c23621ada4e0367314fc3d18081da60d68eb33073c80e2a60d3d4a3821c82308797dc8726cdd3979963dc4ffb47b56c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB3543BE5C084476AA780DDADD10EC6F.TMP

Filesize
2KB

MD5
05f9c89c04c8e5eae5c4b54d0d99cbe2

SHA1
4509983f3211bca7d1982d686e1ab69549740e3c

SHA256
fdea1e612dcaf2b8d580456d6aa351f759821dd155197026217d27e45a2d4a41

SHA512
8cdf1e883e2cd0c2bf4f7dc04353fc12168c05ca9cf1075fc42cc06fbf6dfc135ab64392501675cad503245351b850224c4f6bdfcc078ccf1fecfe58727242ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcEB3975A81914DA99E96F5ABBA7D29D9.TMP

Filesize
2KB

MD5
078ac7e403b58faf7a94044865726693

SHA1
e5480b6398ca33c94b19f7a388cb09bb03018f58

SHA256
dae3822d9d2ca8c1fe9b3984fc338660a759ead91e62a8e295f46bb9c4102ec2

SHA512
e24876b736f1a6caff253c558ac0da17c7ebd08fcc86addf368fbc6414b9d667e14b59ba3b01bfb107791ed50c42bba0d3d4eeeb21d5181d1b9da914a15c3b06

Download Submit
C:\Users\Admin\AppData\Local\Temp\ymr2zlqa\ymr2zlqa.0.vb

Filesize
341B

MD5
b751035d7aa47775ce0e5d1fc25b5640

SHA1
161c89c59c140abe4e929ce78f0ff0b440d85bde

SHA256
929f4f4f063ece4353d9f7d5d5d1d4a5fd348cb1857129c948e7b5732efb7801

SHA512
d0b10fe4bedfcc9414a937b92dc9600280a6a6c3935db1b1e40cc90ff3653cc11cc14bcfc37e75d51af1940d82b7c203f9f2085ec6e179397f3ad5e293bbaac6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ymr2zlqa\ymr2zlqa.cmdline

Filesize
207B

MD5
545bc5221b6d0c3b6520ce5e2f881566

SHA1
23be01f40e7761b3c0284c1e0be09ab933e1b92d

SHA256
3f77066d1a76eb56b6852faab44ff177ebdb856b6801c0d0ea5d73fae82b2589

SHA512
057254ba6f769a327cc89ac51d7163877b397accb930680160fcb1a5ab7c732a3fe8d055ab68a9e0a31e4cd7c76a07f6add53f8b8d8da2eb078e201bb4d5d3e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\znycpyfk\znycpyfk.0.vb

Filesize
351B

MD5
f16a3586f811a0e6a05d626df2f17463

SHA1
e0c246250467ece7dfb722df40ec7bb37c235820

SHA256
420e78b201d5f5bdcf718625ddb53e8d69236ee7a77a4ca5226b0fd46542b35b

SHA512
632ef200f3fadb0e0de0f67f37eb974a0c1bb41a7747152f16dbd66af95b3999c0695ccb8ad860e89d2ab7b429581fdde25a8e0ee2107047248739d52d317dce

Download Submit
C:\Users\Admin\AppData\Local\Temp\znycpyfk\znycpyfk.cmdline

Filesize
217B

MD5
b69ec2991e899e7c247e782bbbeef455

SHA1
90ecf6b20e324e3fec84baa94ecd80c4d9d6fcc2

SHA256
5b3dbcc6e52e60214058b2185137e207f374bcebf1fc4a785d203de8ac43fe0f

SHA512
1c42df0620eed0bc0d96390fb0738dc0357bfafd58c554c4857efec0024fbc31d0ad06e4a5c723ad08d78ae90d314c0e99bdc1d578c72dc93f0660125c283eff

Download Submit
C:\Users\Admin\AppData\Local\Temp\zptafuln\zptafuln.0.vb

Filesize
341B

MD5
87734aa074faab002b0989985e85fa8d

SHA1
7c55f9028564e574739736603439e1ffd4ba80fd

SHA256
0d261de23b8bc30777426d16939dd6a8822e059260945d6e0e7a9b6aa3def84e

SHA512
efb5eed5a6b687286671226ecf0a2a4b4eec9f4ccb67d82e228229a9c89da641d753f3cbab9870f943c11bbed983d273c78ea05305df5eca325277c610f6652e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zptafuln\zptafuln.cmdline

Filesize
207B

MD5
e6b1b3cae6ae1402f4c847ccbacf5160

SHA1
c909edc2aaa67dc9b5ec9da7e7affb79afe591d2

SHA256
e9c6f5de3f665552dd9561bd6a7725ae9a27bcba81a0b836bf39bb26e508515d

SHA512
21bfbb6d26504d5d442f7b791e465c2a5e69334a64a78d5e242ec7c4efa3e79f1ed1f5540b1d17ca19ebf52bae8195ea47320b576ebbadfa3039747429942f13

Download Submit
C:\Windows\SysWOW64\1.exe

Filesize
22KB

MD5
c217657dadbab82ae4f216299d9f63c0

SHA1
c12c42347c68182e15607bc4d44c4db9964c4e70

SHA256
c8b5dfcd40662c3d92b0bf12e6ba7fe8417a6438b84ff33fe7d4e486133c9d22

SHA512
7b9dc181c3a2da958a45066549ba13d89eb1997f94ac3a4b9bf015249bce4e5d59e683e0dc732a161e6e391f50a16554072a51a794cfc0fc55136d8ee2e95599

Download Submit
C:\Windows\SysWOW64\2.exe

Filesize
143KB

MD5
ed45d84cc5d0fafd5dd6372976462a5d

SHA1
6bf44c21677f1e9616300e93e3d62c18d85f811e

SHA256
efae476d241067b3ebc77f3b6c7e65c5b6c0dc1b956a8b460cd830123fdad3a0

SHA512
52d16f9378f62eada0f500ddad1fd321f0c3badaefa86f5b00a9fd222f99b8e642f3659587038dbe490f25e9fbd90890a33120fe0e6a6d9a0eef8c1823de72c7

Download Submit
F:\$RECYCLE.BIN.exe

Filesize
8KB

MD5
ba788f05dce4d0b891dd68c2290b89f2

SHA1
fc897bdca54726cf66b51bdded63a894a56caaea

SHA256
98ce961c02b56c90e21e899a90f1ce18821e8e1644ff9f134c3792553b85bc15

SHA512
53fb6513a5ebd7b4551107b3842ed6aa5e8e4b07f5ea46ac817a011f355036be000de57de6ff60282378be61911f060efd464bc27eecdd2e389f1b95f82903f8

Download Submit
memory/1352-56-0x0000000004CE0000-0x0000000004CFA000-memory.dmp

Filesize
104KB

Download
memory/1352-53-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2368-47-0x000000001C950000-0x000000001C9F6000-memory.dmp

Filesize
664KB

Download
memory/2368-57-0x0000000001520000-0x0000000001528000-memory.dmp

Filesize
32KB

Download
memory/2368-59-0x0000000001510000-0x0000000001520000-memory.dmp

Filesize
64KB

Download
memory/2368-43-0x0000000001510000-0x0000000001520000-memory.dmp

Filesize
64KB

Download
memory/2368-55-0x000000001D350000-0x000000001D3EC000-memory.dmp

Filesize
624KB

Download
memory/2368-45-0x000000001C180000-0x000000001C64E000-memory.dmp

Filesize
4.8MB

Download
memory/4080-49-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4080-48-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4080-50-0x0000000005220000-0x00000000052BC000-memory.dmp

Filesize
624KB

Download
memory/4080-51-0x0000000005920000-0x0000000005EC4000-memory.dmp

Filesize
5.6MB

Download
memory/4080-52-0x0000000005370000-0x00000000053D6000-memory.dmp

Filesize
408KB

Download
memory/4080-62-0x0000000006670000-0x0000000006702000-memory.dmp

Filesize
584KB

Download
memory/5220-42-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/5220-15-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads