revengerat | 1423053f90855d33858db47f354055b660943104c1c18f848c9b7b415979dc5f

max time kernel
149s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03-07-2024 16:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
Size

21KB
MD5

6fe3fb85216045fdf8186429c27458a7
SHA1

ef2c68d0b3edf3def5d90f1525fe87c2142e5710
SHA256

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550
SHA512

d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c
SSDEEP

384:nPD9On5gIdjbvRPJnMacNj6FIlKrZbJsV5reQ+ys:b9On2nV6FIlKr1

Score

10^/10

revengerat execution stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
RevengeRat Executable 1 IoCs
stealer

Processes:

resource yara_rule

C:\Windows\System32\MSSCS.exe revengerat

resource	yara_rule
C:\Windows\System32\MSSCS.exe	revengerat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe

Drops startup file 2 IoCs

Processes:

MSSCS.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSO.exe	MSSCS.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSO.exe	MSSCS.exe

Executes dropped EXE 1 IoCs

Processes:

MSSCS.exe

pid process

3912 MSSCS.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
3912	MSSCS.exe

Drops file in System32 directory 4 IoCs

Processes:

MSSCS.exe905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe

description	ioc	process
File created	C:\Windows\system32\MSSCS.exe	MSSCS.exe
File created	C:\Windows\system32\MSSCS.exe	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
File opened for modification	C:\Windows\system32\MSSCS.exe	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
File opened for modification	C:\Windows\system32\MSSCS.exe	MSSCS.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2852 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

2852 powershell.exe
2852 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exeMSSCS.exepowershell.exe

description pid process

Token: SeDebugPrivilege 3472 905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
Token: SeDebugPrivilege 3912 MSSCS.exe
Token: SeDebugPrivilege 2852 powershell.exe

pid	process
2852	powershell.exe

pid	process
2852	powershell.exe
2852	powershell.exe

description	pid	process
Token: SeDebugPrivilege	3472	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
Token: SeDebugPrivilege	3912	MSSCS.exe
Token: SeDebugPrivilege	2852	powershell.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exeMSSCS.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exe

description	pid	process	target process
PID 3472 wrote to memory of 3912	3472	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe	MSSCS.exe
PID 3472 wrote to memory of 3912	3472	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe	MSSCS.exe
PID 3912 wrote to memory of 2852	3912	MSSCS.exe	powershell.exe
PID 3912 wrote to memory of 2852	3912	MSSCS.exe	powershell.exe
PID 3912 wrote to memory of 2280	3912	MSSCS.exe	vbc.exe
PID 3912 wrote to memory of 2280	3912	MSSCS.exe	vbc.exe
PID 2280 wrote to memory of 4844	2280	vbc.exe	cvtres.exe
PID 2280 wrote to memory of 4844	2280	vbc.exe	cvtres.exe
PID 3912 wrote to memory of 2008	3912	MSSCS.exe	vbc.exe
PID 3912 wrote to memory of 2008	3912	MSSCS.exe	vbc.exe
PID 2008 wrote to memory of 4744	2008	vbc.exe	cvtres.exe
PID 2008 wrote to memory of 4744	2008	vbc.exe	cvtres.exe
PID 3912 wrote to memory of 2404	3912	MSSCS.exe	vbc.exe
PID 3912 wrote to memory of 2404	3912	MSSCS.exe	vbc.exe
PID 2404 wrote to memory of 2964	2404	vbc.exe	cvtres.exe
PID 2404 wrote to memory of 2964	2404	vbc.exe	cvtres.exe
PID 3912 wrote to memory of 2244	3912	MSSCS.exe	vbc.exe
PID 3912 wrote to memory of 2244	3912	MSSCS.exe	vbc.exe
PID 2244 wrote to memory of 64	2244	vbc.exe	cvtres.exe
PID 2244 wrote to memory of 64	2244	vbc.exe	cvtres.exe
PID 3912 wrote to memory of 4424	3912	MSSCS.exe	vbc.exe
PID 3912 wrote to memory of 4424	3912	MSSCS.exe	vbc.exe
PID 4424 wrote to memory of 2956	4424	vbc.exe	cvtres.exe
PID 4424 wrote to memory of 2956	4424	vbc.exe	cvtres.exe
PID 3912 wrote to memory of 1392	3912	MSSCS.exe	vbc.exe
PID 3912 wrote to memory of 1392	3912	MSSCS.exe	vbc.exe
PID 1392 wrote to memory of 772	1392	vbc.exe	cvtres.exe
PID 1392 wrote to memory of 772	1392	vbc.exe	cvtres.exe
PID 3912 wrote to memory of 60	3912	MSSCS.exe	vbc.exe
PID 3912 wrote to memory of 60	3912	MSSCS.exe	vbc.exe
PID 60 wrote to memory of 2236	60	vbc.exe	cvtres.exe
PID 60 wrote to memory of 2236	60	vbc.exe	cvtres.exe
PID 3912 wrote to memory of 4208	3912	MSSCS.exe	vbc.exe
PID 3912 wrote to memory of 4208	3912	MSSCS.exe	vbc.exe
PID 4208 wrote to memory of 624	4208	vbc.exe	cvtres.exe
PID 4208 wrote to memory of 624	4208	vbc.exe	cvtres.exe
PID 3912 wrote to memory of 404	3912	MSSCS.exe	vbc.exe
PID 3912 wrote to memory of 404	3912	MSSCS.exe	vbc.exe
PID 404 wrote to memory of 4476	404	vbc.exe	cvtres.exe
PID 404 wrote to memory of 4476	404	vbc.exe	cvtres.exe
PID 3912 wrote to memory of 2288	3912	MSSCS.exe	vbc.exe
PID 3912 wrote to memory of 2288	3912	MSSCS.exe	vbc.exe
PID 2288 wrote to memory of 1120	2288	vbc.exe	cvtres.exe
PID 2288 wrote to memory of 1120	2288	vbc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
"C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3472

C:\Windows\system32\MSSCS.exe
"C:\Windows\system32\MSSCS.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3912

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Bypass -Command [System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms'); [System.Windows.Forms.MessageBox]::Show('Isto abriu lol','Rekt!',0,64)
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2852

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dfgxr3or.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:2280

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9277.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2C49F61C46474517888BFB887872EF16.TMP"
4⤵
PID:4844

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\o6unsaqt.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES93A0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc21997EDAB4CF48D9B4BA5F21BF533243.TMP"
4⤵
PID:4744

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\awebdsev.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:2404

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES946B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8410E1C1CDA48E2927643B3FA3609C.TMP"
4⤵
PID:2964

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\f4qekor8.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:2244

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES94D8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5EA9FDF19FE548D6A889E11350D9AB3D.TMP"
4⤵
PID:64

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ewulm4it.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:4424

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9555.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc944D5A069EA541938E278E5A5FB26263.TMP"
4⤵
PID:2956

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\f0mb5evx.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:1392

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES95D2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA6BD141842F24EB590518BFA3B739C1D.TMP"
4⤵
PID:772

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\e8cevkmx.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:60

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES964F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA021F951E22D4CA3A240794F36636081.TMP"
4⤵
PID:2236

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fuyohuvk.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:4208

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES96BD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc802CE31630E14384BD2B51FAD8BC53A.TMP"
4⤵
PID:624

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\z_i9ntvp.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:404

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES972A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc741DF8A641284AC49C2CB8882157448F.TMP"
4⤵
PID:4476

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1idxqzqx.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:2288

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9798.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc93F4BB2426B4474BB99A84A7C5D5AE24.TMP"
4⤵
PID:1120

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1idxqzqx.0.vb
Filesize
273B

MD5
3c3d3136aa9f1b87290839a1d26ad07a

SHA1
005a23a138be5d7a98bdd4a6cc7fab8bdca962f4

SHA256
5b745f85a39312bfa585edbd7e3465371578b42fa639eded4cdad8c9f96b87fd

SHA512
fbb085ffcd77ac96c245067fd96a0c20492d55331161f292975b0c11386424a96534a500133217f84d44455e16139d01230455bce5db3d472271620c29381f60

Download Submit
C:\Users\Admin\AppData\Local\Temp\1idxqzqx.cmdline
Filesize
173B

MD5
23798a0b5f6dbbc019a212c1c54591e8

SHA1
54659a31b0bf0f8d5b2b6019db5c47a8fe8bb28c

SHA256
01c11ea32db64568eee90d13a16cc690e0b3a504f200ed11befd3516347f72e3

SHA512
05df321849b85d6130f1dd3dc5ae34fa317bf6c357f489e952c22cde1e8fe18f62d6e46c43287b2f5fd15df675e14084fdfd64177187ded416097699f85abf1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9277.tmp
Filesize
1KB

MD5
210d1802a893e3184ea7a3026d10f43f

SHA1
eb5c68fa6d86fa073c9c3bf02533f533cd2b8fe9

SHA256
0046a7db447a28d268e357fb56ca1244ae725b7e17fd2da47fa15d1c6721e9ee

SHA512
cdf5594ffe54dca83cb759a0392ab4b7113db6ba2188b830eea53c80189ab4b2adb7bf0d3cab0e05fcea9dcf4ef3766565166afc3443bfaef09beec5b0d2db53

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES93A0.tmp
Filesize
1KB

MD5
c51e60304e2260c1891ab34fe245317a

SHA1
2e288909ba443cd12643ab14529fea9dfb6fe412

SHA256
b4d51f80f9e3f5e981cd8facbde10f2fc01f8af6c4d86c1b859b99cbe945ab74

SHA512
6c7a94fc6980b5bf0c0c95860f07a04a13ed9701265ad499c07191e89ea5081d8cad83ee11e03e858c56e0ba381cc949b471e97147c6684b60c445dbae065c69

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES946B.tmp
Filesize
1KB

MD5
feeb7da1a8a46cd0404ed8ec8219bbab

SHA1
96e32be434b054ac2f1011f3374a328899dbe222

SHA256
c218c90416bdecd51d3cd2d9b9d0c3bb0dddb7a358b9710257d4b7ab5114ec89

SHA512
d8546828fdebae2c7433a0b6f876d1525e3aa11566e9e173cf70f053cf0fcafb72f939bdb4c8f45676c4c396b2a6bdebfbcb6f140ca0d955589c8ef552e4f97b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES94D8.tmp
Filesize
1KB

MD5
6c0f4b1b90a2af15ebaf21ae7db3e680

SHA1
90b30e06e4485b6d39434125f349c99bf126e829

SHA256
f632dcfecc4aba1fe2c26477e030cd3b117dfae399dfbb8f53e8fecea6161c43

SHA512
cbf47282af94ce06af12b8067db907621d1f2da8f519136bef2d88a2785595763f6ed74190405c566ee8405772700ba6593b35923fbfe22b181a23505aa605b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9555.tmp
Filesize
1KB

MD5
0b2d89ca8438d5e78d0ca60a6b95cfe0

SHA1
417fab38776d7abe31706829b290f99ef98fd34b

SHA256
f878a5ec2b1fd64f52afba247fe68a8ba689015d6deca19efa3f94d30e686819

SHA512
86a290c3fcd3732256e41a6f1f97dc828728abc731012e00a19dac80c7c7e41916f38e29a6511578612e5123543ce25eceee1f1501972a53f8827be740c2a1c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES95D2.tmp
Filesize
1KB

MD5
8e138b3dbb6bcb0f5f3ded9bc188973e

SHA1
29cc14b5e3d9e370ac37538cbd8d2a995539baf3

SHA256
5478fdcd9a300d4e37564d1a505c3fe830db64b4f8c7ae80761838d7ae4796fe

SHA512
3de45fddc1141675259fefc2d5c347a133cd6af8a388a485d4de815037785a5b494016558d4dc14294c789bec6f4f3a5b2ccb40f3c7cc6f74e3009356e06c750

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES964F.tmp
Filesize
1KB

MD5
f9e7ee913be4a937c3084d0dbb40b222

SHA1
48b1d3814bdf82d0aeb2703fc3753a4e607efd69

SHA256
057b9069640f3f35a67680c1b3ddb97719a0308e5646c6c513a412beda1c5fe9

SHA512
d2095ed21f18c81e4e8a34e64d8f6b4e533e229ce8a95820d399d53ce9a2df951060c70306e66ff77e214a7f36f2de66b1ff07101b3c1bba548d16ebdd4465e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES96BD.tmp
Filesize
1KB

MD5
cdbe4ae593ba385c179ccad7662ac6b5

SHA1
59e63198743aa858fbc5aa6b16c23a97d3906a8f

SHA256
e6d990dba247a4fc19d8ff6c3dce75aa48b2175252256d8072eb2e8530f08f62

SHA512
7a54680f35f3b337e679ba4397fc53a1e4e8ce1f48782a3f5ab054d8e9afcca15b7f9b510caa33ab45e720c822f86b946ccbc7797f7d8bd0a44559a562f1ce60

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES972A.tmp
Filesize
1KB

MD5
a7d92235927d17d2005d9150a8d89200

SHA1
226bb93930c7434a5e4c1eb598b3ceeddee80b9b

SHA256
963587cfd357a2711628ac99667ea630ad10998d6b6b30637d0d473d8886341b

SHA512
c0b5ab8dde366d636ef76e19014d42132bf2e5ce080a906aefb6623f9ed7955dde425a8b9181a602bd3fced126f6d0ec7d20226eeabe10cc9ab684c50992af8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9798.tmp
Filesize
1KB

MD5
9c29ea1de5ae2763956d053757a8c08b

SHA1
14a50dfa41ec65daaa9fc150dd97b57c9b593e27

SHA256
cd993ffd74d9c492870d9a2f7f600414980fdbc59efad225093f27b30d5965c4

SHA512
406c2ccaece94331d469f05eb3938d76b7d5cce8751d22c84ab488587c2f370b29daf51cc6ce5a55adb0799a4fd9feb3fec7a1f0edc8556e66867b206ffd1178

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_b2br044x.y0a.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\awebdsev.0.vb
Filesize
263B

MD5
d1110a95f1e40f726584bd99eca52fe7

SHA1
97fac683e1116ab31a9cc9c3dcfd9fe9e53505c3

SHA256
00f373eb310beace70146b6e0fd188aa2f437efb2e5a2714a11d4d58e27d3142

SHA512
f15b5b310ace82a0106b551d71ad3d48e1c75085aa78b8bb3374a2334ceb073bd4d1bf4cd0b4e39034c39f01b6bcd76e8be30198e4872f5641a7d29b255154b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\awebdsev.cmdline
Filesize
163B

MD5
ff52bd9b069167109dab43d9d53a5f9a

SHA1
4c4375fd142586861e20905a769fd3396f8f0987

SHA256
df945c7bebf60d93708b728a44c5598201d167e1374d231b042a08937eb295b7

SHA512
880347bd168c599f5eb4f86f16ea85882d07b7677e9c1ad55778ff62bc67e4e851f5890328bc9724627c06adff27c4d0fd0e8723cd52c4690a1200a13447a636

Download Submit
C:\Users\Admin\AppData\Local\Temp\dfgxr3or.0.vb
Filesize
256B

MD5
076803692ac8c38d8ee02672a9d49778

SHA1
45d2287f33f3358661c3d6a884d2a526fc6a0a46

SHA256
5b3ab23bcadaeb54a41bdb1636bcaf7772af028d375f42baeb967de6579ef2a3

SHA512
cc9126384a287ccb99d10d5c2d3034cdbc8a45e94f1cec48dd95f2aa08ebbe3053ffd6d6effa31f2d84164edbb6136398cd02c08b05f027a6a777dffd1daea5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\dfgxr3or.cmdline
Filesize
156B

MD5
84507ce9119aa4de075627ba0c15e6b8

SHA1
4506d3fa2dadb0c3cbe3cfe44e0b3f79508e1970

SHA256
db6860a7fc38142230ff03ca1fd3891c605d0d34c87f5e22360951b7c238b971

SHA512
77591e69f45ab634247c7233962a108618b360c0b54d8054079585cd61e4a801c1bdec3742765e22d21d65338d7bcabe96ab285db6075fdebb3924e671089a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\e8cevkmx.0.vb
Filesize
274B

MD5
539683c4ca4ee4dc46b412c5651f20f5

SHA1
564f25837ce382f1534b088cf2ca1b8c4b078aed

SHA256
ec2210924d5c1af6377ef4bdf76d6ca773aaa1ae0438b0850f44d8c4e16ef92e

SHA512
df7c1a55e53f9b9bf23d27762d2d1163c78808e9b4d95e98c84c55ca4ecb7009ed58574ae6ddede31459f300483a1dc42987295a04f6c8702f297d3f1942f4ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\e8cevkmx.cmdline
Filesize
174B

MD5
0e798e78566a497343a55c1edd32e44f

SHA1
f46e049182d045849d5f54c4ba434f2f80c1d21a

SHA256
dcb89c9e3770955625793a662d125068471610ad1adc47218769a9133d124125

SHA512
f899c9c58dc4d593694880857a6fb2b2c3b52785c2d6d0570d392f130b2603c0fc7730df435b1aa31fbd6ce25d3e9fcec1b207cbadf42bba494898cfb586164a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewulm4it.0.vb
Filesize
272B

MD5
2b3aac520562a93ebef6a5905d4765c9

SHA1
10ab45c5d73934b16fac5e30bf22f17d3e0810c8

SHA256
b9f0edf067faaaa7da2d47e3d22b957cd302eb25e01e08ea79c664868f328f89

SHA512
9514934ed12d93ea3ad4e6873cf294bafa114bc7a784a93b14dd2410d07fae3a2c00308035a5c129c57e283de8b94ed36fd9f9de35b08eb79a82a0c732e50446

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewulm4it.cmdline
Filesize
172B

MD5
3cb3c90121d4437f4e08e46b5e53ab49

SHA1
38a718ce8acd69a0001413b4180757f8b52896d2

SHA256
9544cfdcca067538fe5576defa555a256d11ed33383fced561d4cbf17bbf1fcf

SHA512
f329b68c48663a612cae96d4f5e1465ade0ca333af00991e13b0434ba34fc1f621a565d129aa6c74564a3cecf9c343ad327206187d6c8a6819cfe8a446d020c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\f0mb5evx.0.vb
Filesize
271B

MD5
325f27ef75bebe8b3f80680add1943d3

SHA1
1c48e211258f8887946afb063e9315b7609b4ee3

SHA256
034c75813491d628a1a740b45888fc0c301b915456aaa7ba6433b4f1368cda35

SHA512
e2165b425558872897990953c26e48776f45751a53da035f1ad86ac062ec23a2923b984d84f992de5c0170f6e192feb155ffff25f51bc76ab273b996daacb804

Download Submit
C:\Users\Admin\AppData\Local\Temp\f0mb5evx.cmdline
Filesize
171B

MD5
3d7594dd0ec1b9af6577d0485e07f145

SHA1
126147f0dc89d9525c1df0cc2e29be29946766d6

SHA256
f4a956921ce246ac667282b13bbfe78210c03860d8847ca005b54bdeb66ab018

SHA512
c41fa50cd5893fdbe704c82dc3f86ba84fb06fda694466992fce847ea8e8108d02cbcd51744a4c38c7470119a90a16d6d915a67f6aa60d32fed5401a1e59e8b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\f4qekor8.0.vb
Filesize
271B

MD5
ac972015bef75b540eb33503d6e28cc2

SHA1
5c1d09fcf4c719711532dcfd0544dfc6f2b90260

SHA256
fa445cc76cde3461a5f1f1281fefcb0c7db69b2685f8a67a06a0f33a067e74e7

SHA512
36b2e1f7b7a6f2c60788f88d95bfdc53b7d261c203eb637a36fbd07d81bc46edc87e528f1987df73963cb75ca2f19c3a4b3df9ade52d5768ecec23753099cc83

Download Submit
C:\Users\Admin\AppData\Local\Temp\f4qekor8.cmdline
Filesize
171B

MD5
e13e77525f3aafbae8328f1df51b396b

SHA1
76441c888a6e69ea29e31aacb24238dc0dc6f5da

SHA256
ae3a026835ababae9045d896f332c064257bca9ae4de8ac0e5f82930afe92271

SHA512
e0458e440b540d7386def3179ef2258c40eb9236c17bd71185748a1aeb042b120216bb4fda5994ac4df316bffda2f8881dc6da061cf6fbebac24b360711bb9e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\fuyohuvk.0.vb
Filesize
264B

MD5
5ce3977a153152978fa71f8aa96909e9

SHA1
52af143c553c92afc257f0e0d556908eaa8919cb

SHA256
e07a7bd0c2901d3a349ab55e936b34de2d0abb5f2dc555cc128773b8045d3eed

SHA512
eaee02ceade0211be70a4710b28fdf043d5c540928e2095ead924a44c2edfca8fc6499395d1b7f5deee96394fb5309362fb87e45ee195094ec39d5fa11909d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\fuyohuvk.cmdline
Filesize
164B

MD5
0c128233a2b44ba0fa14cdb5dfc166e9

SHA1
80eb2f6fe129c02b2fd09c40feddf7f1ab4546b8

SHA256
8154089930ef9fd5d5b9e59f62860edd234ffed82efcc160d4837393c69b0e1e

SHA512
9cd22674f45fb4ce8eb62a9a7596b0d5119573f26ff665b5de79e3d738239ab214ebbf00680a7b447b27c173cc2e75a85e872754e5c5ae060b5b04cfc081d440

Download Submit
C:\Users\Admin\AppData\Local\Temp\o6unsaqt.0.vb
Filesize
262B

MD5
88cc385da858aaa7057b54eaeb0df718

SHA1
b108224d4686b5ca3faaeb1c728dfba8740a6eca

SHA256
08a30db98d970e3b6819d5ecff6eab2211ce93f4cd000c09db96ffb294d05020

SHA512
4787835240c3e2364172ac2e7649ec8fecb907c7006c38734e59aa65509f360b4596d5db8de20e0c7388a022e1c2f4f9ba75acabba798bea1d40f688539b7df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\o6unsaqt.cmdline
Filesize
162B

MD5
af74069f4b7a5e16468f91a9b62de28c

SHA1
37dab84bddda65bfcd5484e997f533a4cf181f0f

SHA256
c0c9c77cfac4314d81ecf94374e795471ba363586821312915ed385d80084224

SHA512
749906e4df922576d15848a8d79c3faf9330a96860f39c337ded78f795e0afc33f2c84f050e1d0cda0a5b2f6097f80cb9e0e134aa9e842a90d2cb66a28ce4e4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc21997EDAB4CF48D9B4BA5F21BF533243.TMP
Filesize
668B

MD5
3906bddee0286f09007add3cffcaa5d5

SHA1
0e7ec4da19db060ab3c90b19070d39699561aae2

SHA256
0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00

SHA512
0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2C49F61C46474517888BFB887872EF16.TMP
Filesize
644B

MD5
dac60af34e6b37e2ce48ac2551aee4e7

SHA1
968c21d77c1f80b3e962d928c35893dbc8f12c09

SHA256
2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6

SHA512
1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8410E1C1CDA48E2927643B3FA3609C.TMP
Filesize
676B

MD5
85c61c03055878407f9433e0cc278eb7

SHA1
15a60f1519aefb81cb63c5993400dd7d31b1202f

SHA256
f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b

SHA512
7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc93F4BB2426B4474BB99A84A7C5D5AE24.TMP
Filesize
684B

MD5
7a707b422baa7ca0bc8883cbe68961e7

SHA1
addf3158670a318c3e8e6fdd6d560244b9e8860e

SHA256
453ad1da51152e3512760bbd206304bf48f9c880f63b6a0726009e2d1371c71c

SHA512
81147c1c4c5859249f4e25d754103f3843416e3d0610ac81ee2ef5e5f50622ea37f0c68eeb7fa404f8a1779dc52af02d2142874e39c212c66fa458e0d62926a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA021F951E22D4CA3A240794F36636081.TMP
Filesize
684B

MD5
8135713eeb0cf1521c80ad8f3e7aad22

SHA1
1628969dc6256816b2ab9b1c0163fcff0971c154

SHA256
e14dd88df69dc98be5bedcbc8c43d1e7260b4492899fec24d964000a3b096c7a

SHA512
a0b7210095767b437a668a6b0bcedf42268e80b9184b9910ed67d665fba9f714d06c06bff7b3da63846791d606807d13311946505776a1b891b39058cfb41bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\z_i9ntvp.0.vb
Filesize
270B

MD5
658573fde2bebc77c740da7ddaa4634b

SHA1
073da76c50b4033fcfdfb37ba6176afd77b0ea55

SHA256
c07206283d62100d426ba62a81e97bd433966f8b52b5a8dd1451e29a804a1607

SHA512
f93c7f4378be5eca51161d1541d772a34c07884c9d829608c6fa21563df5691920394afe9da1174ad5c13f773a588b186d1d38a9d375a28562eb58ca4a8b8fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\z_i9ntvp.cmdline
Filesize
170B

MD5
daff27b55a766ed99f643c95f775d0fb

SHA1
96afc5dbcf5c6c08419706eecf967e326e98f4d8

SHA256
8da02fc0a7ae4282a403f2817ee25028d6654d05ff9ad37be6b50287360e7e8e

SHA512
6f8b8a1a0b52cab6c061262e2d82d8ce108bb21569f37f1683c2012db620c4c83679ed83e37ff11f96e7c87d901876821616066d402e74540ffcaa97192c3a79

Download Submit
C:\Windows\System32\MSSCS.exe
Filesize
21KB

MD5
6fe3fb85216045fdf8186429c27458a7

SHA1
ef2c68d0b3edf3def5d90f1525fe87c2142e5710

SHA256
905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550

SHA512
d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c

Download Submit
memory/2852-29-0x000002A8FEF50000-0x000002A8FEF72000-memory.dmp

Filesize
136KB

Download
memory/3472-5-0x000000001C070000-0x000000001C0D2000-memory.dmp

Filesize
392KB

Download
memory/3472-6-0x000000001C940000-0x000000001C9DC000-memory.dmp

Filesize
624KB

Download
memory/3472-0-0x00007FFDE67B5000-0x00007FFDE67B6000-memory.dmp

Filesize
4KB

Download
memory/3472-7-0x00007FFDE6500000-0x00007FFDE6EA1000-memory.dmp

Filesize
9.6MB

Download
memory/3472-8-0x00007FFDE67B5000-0x00007FFDE67B6000-memory.dmp

Filesize
4KB

Download
memory/3472-19-0x00007FFDE6500000-0x00007FFDE6EA1000-memory.dmp

Filesize
9.6MB

Download
memory/3472-2-0x000000001BBA0000-0x000000001C06E000-memory.dmp

Filesize
4.8MB

Download
memory/3472-3-0x00007FFDE6500000-0x00007FFDE6EA1000-memory.dmp

Filesize
9.6MB

Download
memory/3472-4-0x000000001B4F0000-0x000000001B596000-memory.dmp

Filesize
664KB

Download
memory/3472-1-0x00007FFDE6500000-0x00007FFDE6EA1000-memory.dmp

Filesize
9.6MB

Download
memory/3912-17-0x00007FFDE6500000-0x00007FFDE6EA1000-memory.dmp

Filesize
9.6MB

Download
memory/3912-20-0x00007FFDE6500000-0x00007FFDE6EA1000-memory.dmp

Filesize
9.6MB

Download