revengerat | f1bbcc5c678d174d858ae089f4494e3ea8bcfc418098d61804a15e437f08aff7

Resubmissions

10-05-2024 16:25

240510-tw1h5shh47 10

24-08-2023 11:16

05-08-2023 22:52

24-07-2023 06:25

22-07-2023 15:57

20-07-2023 23:19

20-07-2023 23:06

03-02-2021 11:43

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 16:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
Size

21KB
MD5

6fe3fb85216045fdf8186429c27458a7
SHA1

ef2c68d0b3edf3def5d90f1525fe87c2142e5710
SHA256

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550
SHA512

d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c
SSDEEP

384:nPD9On5gIdjbvRPJnMacNj6FIlKrZbJsV5reQ+ys:b9On2nV6FIlKr1

Score

10^/10

revengerat execution stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
RevengeRat Executable 1 IoCs
stealer

Processes:

resource yara_rule

C:\Windows\System32\MSSCS.exe revengerat

resource	yara_rule
C:\Windows\System32\MSSCS.exe	revengerat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe

Drops startup file 2 IoCs

Processes:

MSSCS.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSO.exe	MSSCS.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSO.exe	MSSCS.exe

Executes dropped EXE 1 IoCs

Processes:

MSSCS.exe

pid process

3428 MSSCS.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
3428	MSSCS.exe

Drops file in System32 directory 4 IoCs

Processes:

MSSCS.exe905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe

description	ioc	process
File created	C:\Windows\system32\MSSCS.exe	MSSCS.exe
File created	C:\Windows\system32\MSSCS.exe	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
File opened for modification	C:\Windows\system32\MSSCS.exe	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
File opened for modification	C:\Windows\system32\MSSCS.exe	MSSCS.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

3612 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

3612 powershell.exe
3612 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exeMSSCS.exepowershell.exe

description pid process

Token: SeDebugPrivilege 3132 905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
Token: SeDebugPrivilege 3428 MSSCS.exe
Token: SeDebugPrivilege 3612 powershell.exe

pid	process
3612	powershell.exe

pid	process
3612	powershell.exe
3612	powershell.exe

description	pid	process
Token: SeDebugPrivilege	3132	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
Token: SeDebugPrivilege	3428	MSSCS.exe
Token: SeDebugPrivilege	3612	powershell.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exeMSSCS.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exe

description	pid	process	target process
PID 3132 wrote to memory of 3428	3132	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe	MSSCS.exe
PID 3132 wrote to memory of 3428	3132	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe	MSSCS.exe
PID 3428 wrote to memory of 3612	3428	MSSCS.exe	powershell.exe
PID 3428 wrote to memory of 3612	3428	MSSCS.exe	powershell.exe
PID 3428 wrote to memory of 1616	3428	MSSCS.exe	vbc.exe
PID 3428 wrote to memory of 1616	3428	MSSCS.exe	vbc.exe
PID 1616 wrote to memory of 2944	1616	vbc.exe	cvtres.exe
PID 1616 wrote to memory of 2944	1616	vbc.exe	cvtres.exe
PID 3428 wrote to memory of 3972	3428	MSSCS.exe	vbc.exe
PID 3428 wrote to memory of 3972	3428	MSSCS.exe	vbc.exe
PID 3972 wrote to memory of 4940	3972	vbc.exe	cvtres.exe
PID 3972 wrote to memory of 4940	3972	vbc.exe	cvtres.exe
PID 3428 wrote to memory of 4408	3428	MSSCS.exe	vbc.exe
PID 3428 wrote to memory of 4408	3428	MSSCS.exe	vbc.exe
PID 4408 wrote to memory of 3224	4408	vbc.exe	cvtres.exe
PID 4408 wrote to memory of 3224	4408	vbc.exe	cvtres.exe
PID 3428 wrote to memory of 4836	3428	MSSCS.exe	vbc.exe
PID 3428 wrote to memory of 4836	3428	MSSCS.exe	vbc.exe
PID 4836 wrote to memory of 2560	4836	vbc.exe	cvtres.exe
PID 4836 wrote to memory of 2560	4836	vbc.exe	cvtres.exe
PID 3428 wrote to memory of 3732	3428	MSSCS.exe	vbc.exe
PID 3428 wrote to memory of 3732	3428	MSSCS.exe	vbc.exe
PID 3732 wrote to memory of 1096	3732	vbc.exe	cvtres.exe
PID 3732 wrote to memory of 1096	3732	vbc.exe	cvtres.exe
PID 3428 wrote to memory of 3740	3428	MSSCS.exe	vbc.exe
PID 3428 wrote to memory of 3740	3428	MSSCS.exe	vbc.exe
PID 3740 wrote to memory of 1632	3740	vbc.exe	cvtres.exe
PID 3740 wrote to memory of 1632	3740	vbc.exe	cvtres.exe
PID 3428 wrote to memory of 4960	3428	MSSCS.exe	vbc.exe
PID 3428 wrote to memory of 4960	3428	MSSCS.exe	vbc.exe
PID 4960 wrote to memory of 856	4960	vbc.exe	cvtres.exe
PID 4960 wrote to memory of 856	4960	vbc.exe	cvtres.exe
PID 3428 wrote to memory of 4416	3428	MSSCS.exe	vbc.exe
PID 3428 wrote to memory of 4416	3428	MSSCS.exe	vbc.exe
PID 4416 wrote to memory of 4384	4416	vbc.exe	cvtres.exe
PID 4416 wrote to memory of 4384	4416	vbc.exe	cvtres.exe
PID 3428 wrote to memory of 3964	3428	MSSCS.exe	vbc.exe
PID 3428 wrote to memory of 3964	3428	MSSCS.exe	vbc.exe
PID 3964 wrote to memory of 4980	3964	vbc.exe	cvtres.exe
PID 3964 wrote to memory of 4980	3964	vbc.exe	cvtres.exe
PID 3428 wrote to memory of 4388	3428	MSSCS.exe	vbc.exe
PID 3428 wrote to memory of 4388	3428	MSSCS.exe	vbc.exe
PID 4388 wrote to memory of 2544	4388	vbc.exe	cvtres.exe
PID 4388 wrote to memory of 2544	4388	vbc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
"C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3132

C:\Windows\system32\MSSCS.exe
"C:\Windows\system32\MSSCS.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3428

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Bypass -Command [System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms'); [System.Windows.Forms.MessageBox]::Show('Isto abriu lol','Rekt!',0,64)
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3612

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vpgsqkyn.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:1616

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA738.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA0211C14A0434609954E7B4B31AF6C6C.TMP"
4⤵
PID:2944

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4xty7zyz.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:3972

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA7C4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE42AC6B122FA441B9B6C3B939D6ECDC.TMP"
4⤵
PID:4940

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2mqacory.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:4408

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA841.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBFA78637DB9E481FBE1F5D90FB576195.TMP"
4⤵
PID:3224

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-ciptqcl.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:4836

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA8ED.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAC2590231E264B459AD6D91EC1E05240.TMP"
4⤵
PID:2560

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\at3seetc.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:3732

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA94B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc96692F6EAE744D52B2FCBE2D83EA7C4.TMP"
4⤵
PID:1096

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\n0qrtsnx.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:3740

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA9B8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc276981774CC8448B908CB9771AF986.TMP"
4⤵
PID:1632

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_itj8xrj.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:4960

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAA16.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5177FD2EDEB4439FAC9431A3DF8BD15.TMP"
4⤵
PID:856

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xrddyjsb.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:4416

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAA74.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8BFC52457CEE4CFA9D307B226ED679C.TMP"
4⤵
PID:4384

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pjo3qhmp.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:3964

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAAD1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc725CAC7FEBCA4442AD25FD1061FA4BCF.TMP"
4⤵
PID:4980

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wcxezey7.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:4388

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAB3F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc51B5F911777F4E6388CCBF94D45BC86.TMP"
4⤵
PID:2544

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\-ciptqcl.0.vb
Filesize
271B

MD5
ac972015bef75b540eb33503d6e28cc2

SHA1
5c1d09fcf4c719711532dcfd0544dfc6f2b90260

SHA256
fa445cc76cde3461a5f1f1281fefcb0c7db69b2685f8a67a06a0f33a067e74e7

SHA512
36b2e1f7b7a6f2c60788f88d95bfdc53b7d261c203eb637a36fbd07d81bc46edc87e528f1987df73963cb75ca2f19c3a4b3df9ade52d5768ecec23753099cc83

Download Submit
C:\Users\Admin\AppData\Local\Temp\-ciptqcl.cmdline
Filesize
171B

MD5
a638b42fbb2628ea3907c6862dfb8f9b

SHA1
b90d65f35374315e5aa62c8ce44be2b8a327234c

SHA256
8336cce3d0570080df66f5c20d63e2cdcbb60225d3ddea56686a964db0d31f54

SHA512
d4e40c5b20afaecbed883036f54022accc8b323c1f40994b40094f73d4dd77f6b903ce19273fde88965d7808fb07d185a98747646f06d3cbe6b3cf537c7935a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\2mqacory.0.vb
Filesize
263B

MD5
d1110a95f1e40f726584bd99eca52fe7

SHA1
97fac683e1116ab31a9cc9c3dcfd9fe9e53505c3

SHA256
00f373eb310beace70146b6e0fd188aa2f437efb2e5a2714a11d4d58e27d3142

SHA512
f15b5b310ace82a0106b551d71ad3d48e1c75085aa78b8bb3374a2334ceb073bd4d1bf4cd0b4e39034c39f01b6bcd76e8be30198e4872f5641a7d29b255154b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\2mqacory.cmdline
Filesize
163B

MD5
8ac67305d9649fb5f8e5e3c99129736e

SHA1
1f82cfc51989f63e3d0da8614c80f3aee6626f66

SHA256
3e37a0cdebcf8ca8dd5f8414386352d0230649cf2740cf5f68ece1aaab6cca4b

SHA512
1ce24edd57680937221387df628504475d2d118705d10e63942be646afb03ad260f19944a234cf7f1faa43313e94f939af4d284980dbfd1b7e6b0ea66da18325

Download Submit
C:\Users\Admin\AppData\Local\Temp\4xty7zyz.0.vb
Filesize
262B

MD5
88cc385da858aaa7057b54eaeb0df718

SHA1
b108224d4686b5ca3faaeb1c728dfba8740a6eca

SHA256
08a30db98d970e3b6819d5ecff6eab2211ce93f4cd000c09db96ffb294d05020

SHA512
4787835240c3e2364172ac2e7649ec8fecb907c7006c38734e59aa65509f360b4596d5db8de20e0c7388a022e1c2f4f9ba75acabba798bea1d40f688539b7df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\4xty7zyz.cmdline
Filesize
162B

MD5
938bddbde500297bc84e05c231d2a972

SHA1
0fa1b47b1b408a2fb435c351f11cf53e3bd1b3ae

SHA256
30a39fbcbded24263cc8d460ab652c9d06a67f1076fd55394886a4b7ddbf54a2

SHA512
7f1eedf842765b86436cf234753b4fa252ed3bb115699aa426856c85943447b45412c0ecbd3cbe84e55b536e877c9684b464e2f11cbffec8a94ff1e3137e89d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA738.tmp
Filesize
1KB

MD5
c462060c63a27a3b102809bd8cb72ada

SHA1
e32e6ad92c90e1f7b5a39050c3ac7736dbb45ec3

SHA256
4e04ae60088ac66283214658c355f56b080231a88deab1991742f46d410f3a12

SHA512
bb7ff63f708d8b053edd2528594881ac46016eefa47416189c03dcd4c10acb279c48760117726eeb1eb3e8ecbbcf7430ae39f9043449ac1a2f427fab112a584a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA7C4.tmp
Filesize
1KB

MD5
837e8480ce332de7cf325c39916ce843

SHA1
24d9ecbb10bcdc7d243c5e4b67cd4ba7715b7773

SHA256
7bd1e53fa8ab719d975441b5bf0e5fbf8ff89b72ae097af60e362fdaf54a5313

SHA512
5646fad284e14bb19578cdbc6f7d5ae2183f169ecff1786603d621d4d223e9a137d613538b56161cee20b95dd44022e68830afdd87d5227b20372c7447943391

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA841.tmp
Filesize
1KB

MD5
f9e1fe054eedf5155c3a90365367c93b

SHA1
de8a98f38122d41463196259cf40a32101cea314

SHA256
225d1e9589e5078d6ee1c76d32d83a77fbe48447286d3946c7192c3311ad36e3

SHA512
190b95da07d5523478d22392541eb3de6e657ffd69e2210166e485d0cd5edc6184f6922465a2aab88ee209da96a2cfb6362635eb19df696dc8dd69bcea309caa

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA8ED.tmp
Filesize
1KB

MD5
30766a89c2775716d9856ae63669393a

SHA1
106528f7d30cd052d2b7433eb5155b4820fb3856

SHA256
6c4a0a330a1323efcca60fea04948edfed07102f4435a827a4c8f28935f208be

SHA512
55316acbc73c5a94b7368d8651129579112c10037b94d603332f44792cc5c93d5240fbd023e80970e3f3c89098bd7c9c0eb46b1c457ddd5f64b3861af4437f39

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA94B.tmp
Filesize
1KB

MD5
54e40a23ba930bc2be002d32e049667f

SHA1
8d09abf9fd45ebf46409a0b62f38972d714263f0

SHA256
d1121e0c69ee2d0f0fe0209fd07e1ad456821a76a36fc08da52da9e045aa948d

SHA512
79fb46dc1f885e90845180fa22168bf2bee46df552e16bfe7dbfdb9f33981b39378f7a01c0e32026792add393c9f720a6814a682184b2eeef11f5e6e4660a2fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA9B8.tmp
Filesize
1KB

MD5
f9e272fcba3c3eecc1a87aec8d81c1f0

SHA1
a6e5646f37984c572a5975bad7c464f0f337dca3

SHA256
7c4c75a2664ca6c6e9086fddf81c4f7c76f2153b09a3e773615da6f7c2ddaa27

SHA512
d94c894c9795ce4d1fcb1029f9e7b7355fa926ae8c2d0b89e39e59152b9d899b0b89e22bb14d3f4918080e15df98f351b98eba1612d3710e25e17175d8b65c7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESAA16.tmp
Filesize
1KB

MD5
bdfec5258d5cf767dbbb02867ae2c18e

SHA1
b1a5af6c1c662dae724f8208724cf5c4540a37b2

SHA256
f498bb6453d3b72affff24b5e309c678b3bb881ee53900bd570682c0aa8e7b35

SHA512
dcee49ee3b3079aad77154851de4362fcebad417071b40327d216ccefdcb004094ec9e915f48a7cbcc2d323e6ad8b505bad193369045355173ebe9fee909f2d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESAA74.tmp
Filesize
1KB

MD5
cf1c0e81aabd32e2fb02bf22a0c07535

SHA1
36c32cd7d0450a8d9d9201d97b1b5d096ca41a15

SHA256
5cef803901b63a7f5173d8ed46a00611312611f5899823f23e56327dbde7f1f6

SHA512
405acf2d373ef5d808c932d3b4cbc56fa986a4758e212087dfea80bc09b196eb58e7220fad568b1d9878dc9c49238660abd760252b8c8e057af7c6bd3b1832b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESAAD1.tmp
Filesize
1KB

MD5
9f58d1fa211adcadeafc6a5cb15f25f1

SHA1
bc04e86486e6f5727ec076a22986aa5c88f910e6

SHA256
718371c92a08efeee6406674f3ddafcbb97577d86de2f1f4eb9bd35a3f0921a8

SHA512
d395a07ebc1fab0084228391f37a9f51617b8d8244e3d7deb1b2a5f1b19133ae90478d4034c88ff462161956610ee54a6199ea74b933fea76a8e2455cd70f025

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESAB3F.tmp
Filesize
1KB

MD5
1fd4b5018e66c1c27061266ac5a1bc89

SHA1
96d360d578e5316f38f4f5231f39ccc85413179e

SHA256
d7950b45cd37c92107bb1de0f35f6eb8c01de498e9421c1e7b85e1796ef573f2

SHA512
4318af1ff5b2d1dbda3b61d4f1dd146b590da3185590578528620132631ff39ba3adde9bce56cff070262fc8cfcdd3f21722380159bf534b9769f87c66a6ae2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_palfwbmu.ed1.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\_itj8xrj.0.vb
Filesize
274B

MD5
539683c4ca4ee4dc46b412c5651f20f5

SHA1
564f25837ce382f1534b088cf2ca1b8c4b078aed

SHA256
ec2210924d5c1af6377ef4bdf76d6ca773aaa1ae0438b0850f44d8c4e16ef92e

SHA512
df7c1a55e53f9b9bf23d27762d2d1163c78808e9b4d95e98c84c55ca4ecb7009ed58574ae6ddede31459f300483a1dc42987295a04f6c8702f297d3f1942f4ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\_itj8xrj.cmdline
Filesize
174B

MD5
d6de1416329f1574b2205c70728fa1fb

SHA1
70c6c53571d9dd7a8460e9ef11895fa9d6ca4d7a

SHA256
75843ef2dd4873068717755f45f76432f395bfe638c591fcc3639f3b575c31b5

SHA512
a4853e5e5f8234005a01d95c322e431864b381a9eae751e30d22fc3f921842721a57b33410685983cdd6d7b012f8c358d3a34bab9c2e1bfe2bb70d1b585f93c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\at3seetc.0.vb
Filesize
272B

MD5
2b3aac520562a93ebef6a5905d4765c9

SHA1
10ab45c5d73934b16fac5e30bf22f17d3e0810c8

SHA256
b9f0edf067faaaa7da2d47e3d22b957cd302eb25e01e08ea79c664868f328f89

SHA512
9514934ed12d93ea3ad4e6873cf294bafa114bc7a784a93b14dd2410d07fae3a2c00308035a5c129c57e283de8b94ed36fd9f9de35b08eb79a82a0c732e50446

Download Submit
C:\Users\Admin\AppData\Local\Temp\at3seetc.cmdline
Filesize
172B

MD5
469aedc1d5672996b86d6708f1a70f68

SHA1
efa5947d3a79fcbaec46f17c19c521a3afe8ed68

SHA256
26af15e888d4712888ed3216ce418ad314e802f6f660d26f11a8defab3798611

SHA512
ba57d2b04af323e3e68328d58fe10ec6177253cf391f70b70acc4039b8a50dc5954a92223f32a02fdb8e04aeebc261e4d5cf77844909bcf2d69f4da39eb07abf

Download Submit
C:\Users\Admin\AppData\Local\Temp\n0qrtsnx.0.vb
Filesize
271B

MD5
325f27ef75bebe8b3f80680add1943d3

SHA1
1c48e211258f8887946afb063e9315b7609b4ee3

SHA256
034c75813491d628a1a740b45888fc0c301b915456aaa7ba6433b4f1368cda35

SHA512
e2165b425558872897990953c26e48776f45751a53da035f1ad86ac062ec23a2923b984d84f992de5c0170f6e192feb155ffff25f51bc76ab273b996daacb804

Download Submit
C:\Users\Admin\AppData\Local\Temp\n0qrtsnx.cmdline
Filesize
171B

MD5
ebb7fafab0fbc9b70b30447263c02f1d

SHA1
f38d11301c3308df88f6a15e0208ba84e701525a

SHA256
b47fe5d69dd9c36e32135fcf924cf86a24eaac51f7e3e66039c53c3351a729e9

SHA512
3b43bf0311b558775911f9e03dae8d24e650d0ffbeb6762a253719497cd3acb2cd10a18ea7989d95cd6fd6ae66dd783b9b423a93d05af7339f1145f7df0bc742

Download Submit
C:\Users\Admin\AppData\Local\Temp\pjo3qhmp.0.vb
Filesize
270B

MD5
658573fde2bebc77c740da7ddaa4634b

SHA1
073da76c50b4033fcfdfb37ba6176afd77b0ea55

SHA256
c07206283d62100d426ba62a81e97bd433966f8b52b5a8dd1451e29a804a1607

SHA512
f93c7f4378be5eca51161d1541d772a34c07884c9d829608c6fa21563df5691920394afe9da1174ad5c13f773a588b186d1d38a9d375a28562eb58ca4a8b8fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\pjo3qhmp.cmdline
Filesize
170B

MD5
b8364a47cc43278ea128cc794e91f2d8

SHA1
1f02684cf33832e5edcac73e28b6c0a321099ee9

SHA256
b1404003a1b135a56480ba67d6e61c487a33ed25a088438f80f63a47d5eba90b

SHA512
4d997eee76c3ec7a5878f893655e366840824ea7ed369a460c896578194a29fe183fcc4597329624e5e56ecfc1215f111de0bcb4e524b4dffb0971e93b607248

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5177FD2EDEB4439FAC9431A3DF8BD15.TMP
Filesize
684B

MD5
8135713eeb0cf1521c80ad8f3e7aad22

SHA1
1628969dc6256816b2ab9b1c0163fcff0971c154

SHA256
e14dd88df69dc98be5bedcbc8c43d1e7260b4492899fec24d964000a3b096c7a

SHA512
a0b7210095767b437a668a6b0bcedf42268e80b9184b9910ed67d665fba9f714d06c06bff7b3da63846791d606807d13311946505776a1b891b39058cfb41bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc51B5F911777F4E6388CCBF94D45BC86.TMP
Filesize
684B

MD5
7a707b422baa7ca0bc8883cbe68961e7

SHA1
addf3158670a318c3e8e6fdd6d560244b9e8860e

SHA256
453ad1da51152e3512760bbd206304bf48f9c880f63b6a0726009e2d1371c71c

SHA512
81147c1c4c5859249f4e25d754103f3843416e3d0610ac81ee2ef5e5f50622ea37f0c68eeb7fa404f8a1779dc52af02d2142874e39c212c66fa458e0d62926a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA0211C14A0434609954E7B4B31AF6C6C.TMP
Filesize
644B

MD5
dac60af34e6b37e2ce48ac2551aee4e7

SHA1
968c21d77c1f80b3e962d928c35893dbc8f12c09

SHA256
2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6

SHA512
1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcBFA78637DB9E481FBE1F5D90FB576195.TMP
Filesize
676B

MD5
85c61c03055878407f9433e0cc278eb7

SHA1
15a60f1519aefb81cb63c5993400dd7d31b1202f

SHA256
f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b

SHA512
7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE42AC6B122FA441B9B6C3B939D6ECDC.TMP
Filesize
668B

MD5
3906bddee0286f09007add3cffcaa5d5

SHA1
0e7ec4da19db060ab3c90b19070d39699561aae2

SHA256
0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00

SHA512
0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vpgsqkyn.0.vb
Filesize
256B

MD5
076803692ac8c38d8ee02672a9d49778

SHA1
45d2287f33f3358661c3d6a884d2a526fc6a0a46

SHA256
5b3ab23bcadaeb54a41bdb1636bcaf7772af028d375f42baeb967de6579ef2a3

SHA512
cc9126384a287ccb99d10d5c2d3034cdbc8a45e94f1cec48dd95f2aa08ebbe3053ffd6d6effa31f2d84164edbb6136398cd02c08b05f027a6a777dffd1daea5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vpgsqkyn.cmdline
Filesize
156B

MD5
8798381ed6127b8e3f3e8de2e6929a39

SHA1
da805c4e057a2b511f98dab1ebc2c717f16bcf68

SHA256
0b5579ec2985e81bfa80674405cca444c24cdae33a6f5229b7b99f5dce5f0f35

SHA512
77a523cb3703f9e8afd44613f58b853e2ca86e9d5c1d4803ad7da880ca76c78fbdf7a07b563169ad4862168428f4c3dbb11fd6837104c8fd4eba1f566e7916f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\wcxezey7.0.vb
Filesize
273B

MD5
3c3d3136aa9f1b87290839a1d26ad07a

SHA1
005a23a138be5d7a98bdd4a6cc7fab8bdca962f4

SHA256
5b745f85a39312bfa585edbd7e3465371578b42fa639eded4cdad8c9f96b87fd

SHA512
fbb085ffcd77ac96c245067fd96a0c20492d55331161f292975b0c11386424a96534a500133217f84d44455e16139d01230455bce5db3d472271620c29381f60

Download Submit
C:\Users\Admin\AppData\Local\Temp\wcxezey7.cmdline
Filesize
173B

MD5
86009310d75393261e267568ab85c89e

SHA1
6bc84f38dd9507aebcdecd1c5bc598555cb6973e

SHA256
4003966bd86a68e5882e9f0282ec344c033aa63dd176993d59f0983cd8414eeb

SHA512
85e3cae5672315f5a9af627e7e2eabf056ec5172a172751c33529fe699c7684641593ee5524376febfe71ad7a077da31fb0032ca6d82e676ce5c1255730c5088

Download Submit
C:\Users\Admin\AppData\Local\Temp\xrddyjsb.0.vb
Filesize
264B

MD5
5ce3977a153152978fa71f8aa96909e9

SHA1
52af143c553c92afc257f0e0d556908eaa8919cb

SHA256
e07a7bd0c2901d3a349ab55e936b34de2d0abb5f2dc555cc128773b8045d3eed

SHA512
eaee02ceade0211be70a4710b28fdf043d5c540928e2095ead924a44c2edfca8fc6499395d1b7f5deee96394fb5309362fb87e45ee195094ec39d5fa11909d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\xrddyjsb.cmdline
Filesize
164B

MD5
8f41a00ee5f887d03b394d335ae61bb7

SHA1
61a5c6abd5aa585a8e3fd80819342d9f979f95d8

SHA256
483a832c82d29e8e2764e8c88f2f015c29488b1e8d6ea981082f9925612ecf30

SHA512
121c01f620625d3497c9473a0b241f0beafcafab74b90401d4651d4810790c778e886f5843ce7310eac7c63c3b535970701c032569c5513620e75d8d070f00fc

Download Submit
C:\Windows\System32\MSSCS.exe
Filesize
21KB

MD5
6fe3fb85216045fdf8186429c27458a7

SHA1
ef2c68d0b3edf3def5d90f1525fe87c2142e5710

SHA256
905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550

SHA512
d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c

Download Submit
memory/3132-3-0x000000001BE70000-0x000000001BED2000-memory.dmp

Filesize
392KB

Download
memory/3132-0-0x00007FFB79995000-0x00007FFB79996000-memory.dmp

Filesize
4KB

Download
memory/3132-4-0x00007FFB796E0000-0x00007FFB7A081000-memory.dmp

Filesize
9.6MB

Download
memory/3132-5-0x00007FFB796E0000-0x00007FFB7A081000-memory.dmp

Filesize
9.6MB

Download
memory/3132-6-0x000000001C660000-0x000000001C6FC000-memory.dmp

Filesize
624KB

Download
memory/3132-7-0x00007FFB796E0000-0x00007FFB7A081000-memory.dmp

Filesize
9.6MB

Download
memory/3132-8-0x00007FFB79995000-0x00007FFB79996000-memory.dmp

Filesize
4KB

Download
memory/3132-2-0x000000001BC90000-0x000000001BD36000-memory.dmp

Filesize
664KB

Download
memory/3132-19-0x00007FFB796E0000-0x00007FFB7A081000-memory.dmp

Filesize
9.6MB

Download
memory/3132-1-0x000000001B710000-0x000000001BBDE000-memory.dmp

Filesize
4.8MB

Download
memory/3428-17-0x00007FFB796E0000-0x00007FFB7A081000-memory.dmp

Filesize
9.6MB

Download
memory/3428-20-0x00007FFB796E0000-0x00007FFB7A081000-memory.dmp

Filesize
9.6MB

Download
memory/3612-30-0x000001512CE20000-0x000001512CE42000-memory.dmp

Filesize
136KB

Download