revengerat | 1423053f90855d33858db47f354055b660943104c1c18f848c9b7b415979dc5f

max time kernel
149s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 18:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
Size

21KB
MD5

6fe3fb85216045fdf8186429c27458a7
SHA1

ef2c68d0b3edf3def5d90f1525fe87c2142e5710
SHA256

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550
SHA512

d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c
SSDEEP

384:nPD9On5gIdjbvRPJnMacNj6FIlKrZbJsV5reQ+ys:b9On2nV6FIlKr1

Score

10^/10

revengerat execution stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral28/files/0x000700000002345c-13.dat	revengerat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSO.exe	MSSCS.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSO.exe	MSSCS.exe

Executes dropped EXE 1 IoCs

pid	Process
620	MSSCS.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32\MSSCS.exe	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
File opened for modification	C:\Windows\system32\MSSCS.exe	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
File opened for modification	C:\Windows\system32\MSSCS.exe	MSSCS.exe
File created	C:\Windows\system32\MSSCS.exe	MSSCS.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1444	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1444	powershell.exe
1444	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4608	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
Token: SeDebugPrivilege	620	MSSCS.exe
Token: SeDebugPrivilege	1444	powershell.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 4608 wrote to memory of 620	4608	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe	87
PID 4608 wrote to memory of 620	4608	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe	87
PID 620 wrote to memory of 1444	620	MSSCS.exe	88
PID 620 wrote to memory of 1444	620	MSSCS.exe	88
PID 620 wrote to memory of 4812	620	MSSCS.exe	90
PID 620 wrote to memory of 4812	620	MSSCS.exe	90
PID 4812 wrote to memory of 1828	4812	vbc.exe	92
PID 4812 wrote to memory of 1828	4812	vbc.exe	92
PID 620 wrote to memory of 1856	620	MSSCS.exe	93
PID 620 wrote to memory of 1856	620	MSSCS.exe	93
PID 1856 wrote to memory of 1848	1856	vbc.exe	95
PID 1856 wrote to memory of 1848	1856	vbc.exe	95
PID 620 wrote to memory of 4660	620	MSSCS.exe	96
PID 620 wrote to memory of 4660	620	MSSCS.exe	96
PID 4660 wrote to memory of 3364	4660	vbc.exe	98
PID 4660 wrote to memory of 3364	4660	vbc.exe	98
PID 620 wrote to memory of 1512	620	MSSCS.exe	99
PID 620 wrote to memory of 1512	620	MSSCS.exe	99
PID 1512 wrote to memory of 3600	1512	vbc.exe	101
PID 1512 wrote to memory of 3600	1512	vbc.exe	101
PID 620 wrote to memory of 3244	620	MSSCS.exe	102
PID 620 wrote to memory of 3244	620	MSSCS.exe	102
PID 3244 wrote to memory of 4068	3244	vbc.exe	104
PID 3244 wrote to memory of 4068	3244	vbc.exe	104
PID 620 wrote to memory of 2276	620	MSSCS.exe	105
PID 620 wrote to memory of 2276	620	MSSCS.exe	105
PID 2276 wrote to memory of 4332	2276	vbc.exe	107
PID 2276 wrote to memory of 4332	2276	vbc.exe	107
PID 620 wrote to memory of 1004	620	MSSCS.exe	108
PID 620 wrote to memory of 1004	620	MSSCS.exe	108
PID 1004 wrote to memory of 212	1004	vbc.exe	110
PID 1004 wrote to memory of 212	1004	vbc.exe	110
PID 620 wrote to memory of 3732	620	MSSCS.exe	111
PID 620 wrote to memory of 3732	620	MSSCS.exe	111
PID 3732 wrote to memory of 4072	3732	vbc.exe	113
PID 3732 wrote to memory of 4072	3732	vbc.exe	113
PID 620 wrote to memory of 5108	620	MSSCS.exe	114
PID 620 wrote to memory of 5108	620	MSSCS.exe	114
PID 5108 wrote to memory of 4640	5108	vbc.exe	116
PID 5108 wrote to memory of 4640	5108	vbc.exe	116
PID 620 wrote to memory of 3292	620	MSSCS.exe	117
PID 620 wrote to memory of 3292	620	MSSCS.exe	117
PID 3292 wrote to memory of 3172	3292	vbc.exe	119
PID 3292 wrote to memory of 3172	3292	vbc.exe	119

C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
"C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4608
- C:\Windows\system32\MSSCS.exe
  "C:\Windows\system32\MSSCS.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:620
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ExecutionPolicy Bypass -Command [System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms'); [System.Windows.Forms.MessageBox]::Show('Isto abriu lol','Rekt!',0,64)
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1444
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1pjwfj44.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4812
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES95E2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc35DCF384D36C4908B9978BCA1F6DF03.TMP"
      4⤵
      PID:1828
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7rcajstk.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1856
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES967E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3981252844444785966076F7982A9D38.TMP"
      4⤵
      PID:1848
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9tbnu83a.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4660
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES96FB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFE4CE925A270425691FCE5BEC02C339.TMP"
      4⤵
      PID:3364
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zxstx_ck.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1512
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9788.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc83B64F76F43A4F5485DF2BA823245D22.TMP"
      4⤵
      PID:3600
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-wjldepn.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3244
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9805.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF3ED1FEDE6D642A2BF35C9DBDBFE383E.TMP"
      4⤵
      PID:4068
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vf-t1-th.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2276
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9882.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc10DCF733610148ED9233C293EAEEFDB9.TMP"
      4⤵
      PID:4332
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_9jvxaea.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1004
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES98E0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc26FE091C9BFC479D9AC773F981E8E381.TMP"
      4⤵
      PID:212
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9co6ihgj.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3732
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES994D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEF1B2B186C984E96998C968430327927.TMP"
      4⤵
      PID:4072
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\k5ane5kj.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5108
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES99AB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9B0060A8EA214C1797791CB6B779128E.TMP"
      4⤵
      PID:4640
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\awcux-wu.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3292
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9A09.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2049559F797C47C8BE5BE6AE46A83C7.TMP"
      4⤵
      PID:3172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\-wjldepn.0.vb

Filesize
272B

MD5
2b3aac520562a93ebef6a5905d4765c9

SHA1
10ab45c5d73934b16fac5e30bf22f17d3e0810c8

SHA256
b9f0edf067faaaa7da2d47e3d22b957cd302eb25e01e08ea79c664868f328f89

SHA512
9514934ed12d93ea3ad4e6873cf294bafa114bc7a784a93b14dd2410d07fae3a2c00308035a5c129c57e283de8b94ed36fd9f9de35b08eb79a82a0c732e50446

Download Submit
C:\Users\Admin\AppData\Local\Temp\-wjldepn.cmdline

Filesize
172B

MD5
d0adef7915437dea79ccd37f7f19bd39

SHA1
52eb318ae48e582fca61287be06a8cc15d824b8f

SHA256
60c57a4f870c6d126b82ac82d92ee4d0b7f34ed618f87906c942abdbf0424984

SHA512
a9fa784d41cbc842345090ac6c43038418b53915e80df308c69b462313862bd40aeeffff04a47dab034bff8d80197c1b87847d2d6a267b778ac2d40ca443036a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1pjwfj44.0.vb

Filesize
256B

MD5
076803692ac8c38d8ee02672a9d49778

SHA1
45d2287f33f3358661c3d6a884d2a526fc6a0a46

SHA256
5b3ab23bcadaeb54a41bdb1636bcaf7772af028d375f42baeb967de6579ef2a3

SHA512
cc9126384a287ccb99d10d5c2d3034cdbc8a45e94f1cec48dd95f2aa08ebbe3053ffd6d6effa31f2d84164edbb6136398cd02c08b05f027a6a777dffd1daea5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1pjwfj44.cmdline

Filesize
156B

MD5
6b420c73c21fd26d2b60e75cdb71aaad

SHA1
f6a098d5c4fca9a2def9dd7673e56779bcca67bb

SHA256
e37c398530865fef1dd591f47d439d15b6cfec4260ee6afea3e46c18c4436912

SHA512
e8060e99d3d8b7f7829d3e7e6299b610534cd5483728212f7ef3de34ddf7bbb13142072a7df5ba35652bd5cae62d7efc8ae5b648f1f721282152ee0aa7f0f2d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7rcajstk.0.vb

Filesize
262B

MD5
88cc385da858aaa7057b54eaeb0df718

SHA1
b108224d4686b5ca3faaeb1c728dfba8740a6eca

SHA256
08a30db98d970e3b6819d5ecff6eab2211ce93f4cd000c09db96ffb294d05020

SHA512
4787835240c3e2364172ac2e7649ec8fecb907c7006c38734e59aa65509f360b4596d5db8de20e0c7388a022e1c2f4f9ba75acabba798bea1d40f688539b7df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7rcajstk.cmdline

Filesize
162B

MD5
46161194cf76cc005568626fc7698592

SHA1
da5d7786adca785f39911f371841f96a271aa534

SHA256
def59154cff162c2250db25f24afaf8c0e7a87c8e2468b1aad2aa3e5fa8ffc3a

SHA512
d0d5b450f2f9e9963327e9056500b265c8ac1b441bcbdf079d7f55300ec8ff764b23ea305a738e256ca34a60161c006b23eee3029571ce684be24afe19b10546

Download Submit
C:\Users\Admin\AppData\Local\Temp\9co6ihgj.0.vb

Filesize
264B

MD5
5ce3977a153152978fa71f8aa96909e9

SHA1
52af143c553c92afc257f0e0d556908eaa8919cb

SHA256
e07a7bd0c2901d3a349ab55e936b34de2d0abb5f2dc555cc128773b8045d3eed

SHA512
eaee02ceade0211be70a4710b28fdf043d5c540928e2095ead924a44c2edfca8fc6499395d1b7f5deee96394fb5309362fb87e45ee195094ec39d5fa11909d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\9co6ihgj.cmdline

Filesize
164B

MD5
0d63e3ac43563143735742a45288741f

SHA1
a4f4b385ef9eb5d90e8cf02455471cc6c56e5910

SHA256
a75aed2f599dbeb4a371bf9be1f0e3b07cafdd1375bd9c38d9b289e80afe4c48

SHA512
45799580ba95d171834f9ed3f687b3eb4999c5641f39eced84bc083d6d7cff663728973ce5969b2fd3553036f3d854969fbd4da08660cbeff4e0e6c53f9081fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\9tbnu83a.0.vb

Filesize
263B

MD5
d1110a95f1e40f726584bd99eca52fe7

SHA1
97fac683e1116ab31a9cc9c3dcfd9fe9e53505c3

SHA256
00f373eb310beace70146b6e0fd188aa2f437efb2e5a2714a11d4d58e27d3142

SHA512
f15b5b310ace82a0106b551d71ad3d48e1c75085aa78b8bb3374a2334ceb073bd4d1bf4cd0b4e39034c39f01b6bcd76e8be30198e4872f5641a7d29b255154b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\9tbnu83a.cmdline

Filesize
163B

MD5
976dea5cf78d52b09a8511d3cc0c7bff

SHA1
44e267a1d063629a2e69d5a501200c65a4d5b89f

SHA256
d7880847e404d3da90f7b6526173e18d6f08d59b1fdd4b41a990cb81be7526bc

SHA512
43a5017665f3ba6d0b5d429387c9055a2ecdd1a2d860975bd56e13a2cb13883dd13f36231f8a9b52cd2813d56ff7ec0a23f59e42c60e91b1d7cf23d3496cd36c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES95E2.tmp

Filesize
1KB

MD5
de1963755bf41f8729d327fa81f92f0f

SHA1
756e88ca8a658e84df7e8e8034ec4466d8175dd5

SHA256
f802d7b3f9db251b744f21cf643cd6476a143c889f6237b5910d332b7aa20229

SHA512
4c6747577d3da05de3863573e5812cf67b67372c46f257cd59b08366be640aa7578f90cd42ad9ee9620a6b397c3149f144d69b2c63fa92a77a11ca648b1682f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES967E.tmp

Filesize
1KB

MD5
2a4320147c7648851b3c6f633276a1eb

SHA1
98db73e5aaacbf569b88e4a4964064ed6afaf96b

SHA256
bc4971742cd8d15655bb48934ad0afc9001c9511bbc7f5a53f6b5fbebf306423

SHA512
f9175163f82c011b80f2dfce594374783129806ddce48542e4752c7d643c6430ea6fb4f2e6472887bf353f4c78153c7fe9957eb1fbd1bc3d46c0ccfa2b44a2f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES96FB.tmp

Filesize
1KB

MD5
07c1dc6f1fbe1f3dbb2420899f1b8bca

SHA1
f5921cc2d5818bab800f6c8ffbc5338d7881a744

SHA256
b43f26d9a45f9ce43ff49430b1059d1a5651cab00c409e157cafdc8f0a5c8494

SHA512
7ed7f49186d62a51c7a764f5d4096b6f9cbc65801c5622f4103593ffc6288ae539174f557e63eb271172e35e9dfa7bf5c7e8d1c8fb521e1c5e58d9857d5743c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9788.tmp

Filesize
1KB

MD5
c23f1b67a1d47b3e677a5a44f79228cb

SHA1
2595186eadf692dcec0fa247cf3a8f4758b55059

SHA256
0be0e9021cd50c58bc1de201b097ea10e6c39b6af9ec54ea2e8153fa0b76766c

SHA512
a184bbda2c2622a2d924482b0faccfb3d18f413ba8869110748c30b139c440e9568908c5419ff9c2847f1a7be6ff1d7c5668eec1b84d195ec1887b1f903ebe5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9805.tmp

Filesize
1KB

MD5
aa6b5b508949e7d9fed0ec7f990f1de6

SHA1
dd314b98a5cce76e13a8f7fde6b629b5fd14ac77

SHA256
adc0b6ef4f60f732162294174dc56df8fc8841c0dd4e62e05a65f83232d01543

SHA512
f00567837a667d344664540e912eae689c59de914dadecd3f91bea9c207bad9d166c5d2ccf944c151994d6243d39d3c946e072ced8bdb7a83c2b4b8d2408132e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9882.tmp

Filesize
1KB

MD5
f86d405b1e244350a1605f3a78e39861

SHA1
d768b5a7fd90a7fcde42eaeea61828ab98f134cc

SHA256
0ab6b11d3d6f6ed80c31482ca48e16f28080f164827b0ba5e2ae1c9c2abec8ba

SHA512
f4adef55b78a2d347eb80de0959b391c066bf782de74cdc7ada188a198d591837fb969e88ed740bf0ff49b69189ce2ed03b31385ebdcb41dad7edb640da15d63

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES98E0.tmp

Filesize
1KB

MD5
f9100840ae30edda71627f77b6684d90

SHA1
1cd0e2607d3a076e93e2653e66cdc0b19a987468

SHA256
7c2857015b6976c1c26b6173694974c144da04130d80e54628b93944b9035b88

SHA512
a82376007352d731c87b95df829e0f2574363bdbc2d32778c8b29b8aef45b423fe315a2d9e60a243c6077b58ce8b91772b0b64cbe579de2aa255ac382f4db7fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES994D.tmp

Filesize
1KB

MD5
f0da703ef7b3e7608f18665c8967929c

SHA1
302913c9858003be47991fecb915def523be3571

SHA256
8d1c808fdc1f3f6217578e547ff012d775675b0230e34f9143bc9bbc795f4817

SHA512
31af9d1a8d7e196c8466a43ecdb6be0eeeee605b009f15e854f1e0bc48e3cbd1af7de2b83eccfdbf57a7a23d5c41381fbf86c45761567b089b673c0c6c783ea2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES99AB.tmp

Filesize
1KB

MD5
9383eaed4efd864e26183046855a5345

SHA1
acb45a7c24277defa2f168e9e91499b4751070a3

SHA256
0d0d7cc5e40c86d07d04ae906a11c2370654a3bebd8d96a435c9125c0ff6d6c1

SHA512
fdb816e4e59c66685bb106b8df6d316a17f0440f38632902921d5395b912d75602d505cb150c521a390ef4256f608b7b915baec88d2955f1fdf588271ffeaf65

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9A09.tmp

Filesize
1KB

MD5
5b7039157423f8cae5efb41532b293f0

SHA1
b7d6da3e8f20594ec3b8d6e5853c6c9ab4f6fd5c

SHA256
1c3397384977a1ae4c969d8cbbd8585e8db86ca7c894866842d5fc512a671708

SHA512
2afc71b0bbe655933b0b4e2ff139c0c4ebd31ca9ee3999dc3fb36566a953e9a7bf23747139d24bd717b1c10497876a9968e332075e8a20a84a9ff1ab633bda4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_9jvxaea.0.vb

Filesize
274B

MD5
539683c4ca4ee4dc46b412c5651f20f5

SHA1
564f25837ce382f1534b088cf2ca1b8c4b078aed

SHA256
ec2210924d5c1af6377ef4bdf76d6ca773aaa1ae0438b0850f44d8c4e16ef92e

SHA512
df7c1a55e53f9b9bf23d27762d2d1163c78808e9b4d95e98c84c55ca4ecb7009ed58574ae6ddede31459f300483a1dc42987295a04f6c8702f297d3f1942f4ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\_9jvxaea.cmdline

Filesize
174B

MD5
b2de89604b7506a4a90be7a3023ee2cb

SHA1
a7e415b0b26a6f7038c3790fe61d7ad0388ecfff

SHA256
dc6584552bcefe3cebfea48c551a26b61ad19d95cf0b89a8d3fb12f89d0712bb

SHA512
9d9201e7812c0861812d2f68b6cdf62c23282c88b22ec4c745f9ca6e97b40581be114e728c33e8dcc4296909038803ea2fb181f78341fd347aa400f5608be1dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dyjx5jo1.n3e.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\awcux-wu.0.vb

Filesize
273B

MD5
3c3d3136aa9f1b87290839a1d26ad07a

SHA1
005a23a138be5d7a98bdd4a6cc7fab8bdca962f4

SHA256
5b745f85a39312bfa585edbd7e3465371578b42fa639eded4cdad8c9f96b87fd

SHA512
fbb085ffcd77ac96c245067fd96a0c20492d55331161f292975b0c11386424a96534a500133217f84d44455e16139d01230455bce5db3d472271620c29381f60

Download Submit
C:\Users\Admin\AppData\Local\Temp\awcux-wu.cmdline

Filesize
173B

MD5
6923e6ff518b463a3c4d82c5720f90a1

SHA1
f0185446661dc8d5f56da572dd82e4a281b89ce7

SHA256
63f705e38b77a28a0689b4a90d6e3ea1dc6e13d4c3b42d187d6c114f220addd3

SHA512
60247b9d6dde7ea7b704bc060892ebb37ddd32e3570a53425bcb06ee7a191e82256ea70723316c42971a5c83e50117a5af60a813d09101f73c5ef01fd891f6f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\k5ane5kj.0.vb

Filesize
270B

MD5
658573fde2bebc77c740da7ddaa4634b

SHA1
073da76c50b4033fcfdfb37ba6176afd77b0ea55

SHA256
c07206283d62100d426ba62a81e97bd433966f8b52b5a8dd1451e29a804a1607

SHA512
f93c7f4378be5eca51161d1541d772a34c07884c9d829608c6fa21563df5691920394afe9da1174ad5c13f773a588b186d1d38a9d375a28562eb58ca4a8b8fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\k5ane5kj.cmdline

Filesize
170B

MD5
cefc2407963f658deaa9b7ae063dcd1e

SHA1
56ec36bb764ee1ffae580bc06c1c4e0d34e4a02f

SHA256
119ee8f596b1e484bcbcec8824eca6854e71c415e703e3eeb8b07ba8eb1dc699

SHA512
264f5d78c47ee3653f79f229dcda44cec79db40ec3df9c1f64855652be4bf653c6f8870818e16f55aae368c65ea85fee8f0776970238d2369a3552bfcfb7d612

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2049559F797C47C8BE5BE6AE46A83C7.TMP

Filesize
684B

MD5
7a707b422baa7ca0bc8883cbe68961e7

SHA1
addf3158670a318c3e8e6fdd6d560244b9e8860e

SHA256
453ad1da51152e3512760bbd206304bf48f9c880f63b6a0726009e2d1371c71c

SHA512
81147c1c4c5859249f4e25d754103f3843416e3d0610ac81ee2ef5e5f50622ea37f0c68eeb7fa404f8a1779dc52af02d2142874e39c212c66fa458e0d62926a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc26FE091C9BFC479D9AC773F981E8E381.TMP

Filesize
684B

MD5
8135713eeb0cf1521c80ad8f3e7aad22

SHA1
1628969dc6256816b2ab9b1c0163fcff0971c154

SHA256
e14dd88df69dc98be5bedcbc8c43d1e7260b4492899fec24d964000a3b096c7a

SHA512
a0b7210095767b437a668a6b0bcedf42268e80b9184b9910ed67d665fba9f714d06c06bff7b3da63846791d606807d13311946505776a1b891b39058cfb41bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc35DCF384D36C4908B9978BCA1F6DF03.TMP

Filesize
644B

MD5
dac60af34e6b37e2ce48ac2551aee4e7

SHA1
968c21d77c1f80b3e962d928c35893dbc8f12c09

SHA256
2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6

SHA512
1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc3981252844444785966076F7982A9D38.TMP

Filesize
668B

MD5
3906bddee0286f09007add3cffcaa5d5

SHA1
0e7ec4da19db060ab3c90b19070d39699561aae2

SHA256
0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00

SHA512
0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFE4CE925A270425691FCE5BEC02C339.TMP

Filesize
676B

MD5
85c61c03055878407f9433e0cc278eb7

SHA1
15a60f1519aefb81cb63c5993400dd7d31b1202f

SHA256
f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b

SHA512
7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

Download Submit
C:\Users\Admin\AppData\Local\Temp\vf-t1-th.0.vb

Filesize
271B

MD5
325f27ef75bebe8b3f80680add1943d3

SHA1
1c48e211258f8887946afb063e9315b7609b4ee3

SHA256
034c75813491d628a1a740b45888fc0c301b915456aaa7ba6433b4f1368cda35

SHA512
e2165b425558872897990953c26e48776f45751a53da035f1ad86ac062ec23a2923b984d84f992de5c0170f6e192feb155ffff25f51bc76ab273b996daacb804

Download Submit
C:\Users\Admin\AppData\Local\Temp\vf-t1-th.cmdline

Filesize
171B

MD5
003dc2a0ddd9dd4acbc9a958a4acc8bf

SHA1
456d5317f69c3745880555a39d30d371a9ad0d5b

SHA256
a255ea6cb3aa5df1c27452d6b45c8e97bd55179cfcd73d147a86eced1e293e00

SHA512
7d14b46fef9de824d66e7d55cd9f34ba61e25c31b7065db139194196d7ecc81dd60c29b7d04cb910a39b8e8c2930a830a4b2dfdaef268d3b3610f04613b82e53

Download Submit
C:\Users\Admin\AppData\Local\Temp\zxstx_ck.0.vb

Filesize
271B

MD5
ac972015bef75b540eb33503d6e28cc2

SHA1
5c1d09fcf4c719711532dcfd0544dfc6f2b90260

SHA256
fa445cc76cde3461a5f1f1281fefcb0c7db69b2685f8a67a06a0f33a067e74e7

SHA512
36b2e1f7b7a6f2c60788f88d95bfdc53b7d261c203eb637a36fbd07d81bc46edc87e528f1987df73963cb75ca2f19c3a4b3df9ade52d5768ecec23753099cc83

Download Submit
C:\Users\Admin\AppData\Local\Temp\zxstx_ck.cmdline

Filesize
171B

MD5
34d8a9a1ae70834c5fe7c588c3604505

SHA1
b64b1bd3e1d11fbee1d38ed91b54eff13be6c9c3

SHA256
9c79f3660389bec9a0670900b32d1b8a592a0f66aa6cf4eff759aea60e5bad5c

SHA512
96b8cb7a23218a85f219e5530d8e551e7a6237f11323ab22544e278433e451d11e8899dd028f28e34a669a48ce87f5bd7a0a204c24f52015e708cf38f9b62b97

Download Submit
C:\Windows\System32\MSSCS.exe

Filesize
21KB

MD5
6fe3fb85216045fdf8186429c27458a7

SHA1
ef2c68d0b3edf3def5d90f1525fe87c2142e5710

SHA256
905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550

SHA512
d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c

Download Submit
memory/620-21-0x00007FFFEFF70000-0x00007FFFF0911000-memory.dmp

Filesize
9.6MB

Download
memory/620-20-0x00007FFFEFF70000-0x00007FFFF0911000-memory.dmp

Filesize
9.6MB

Download
memory/620-18-0x00007FFFEFF70000-0x00007FFFF0911000-memory.dmp

Filesize
9.6MB

Download
memory/620-22-0x00007FFFEFF70000-0x00007FFFF0911000-memory.dmp

Filesize
9.6MB

Download
memory/1444-31-0x0000025F9C1F0000-0x0000025F9C212000-memory.dmp

Filesize
136KB

Download
memory/4608-6-0x000000001D070000-0x000000001D10C000-memory.dmp

Filesize
624KB

Download
memory/4608-0-0x00007FFFF0225000-0x00007FFFF0226000-memory.dmp

Filesize
4KB

Download
memory/4608-5-0x00007FFFEFF70000-0x00007FFFF0911000-memory.dmp

Filesize
9.6MB

Download
memory/4608-4-0x000000001C6C0000-0x000000001C722000-memory.dmp

Filesize
392KB

Download
memory/4608-19-0x00007FFFEFF70000-0x00007FFFF0911000-memory.dmp

Filesize
9.6MB

Download
memory/4608-2-0x000000001BFB0000-0x000000001C47E000-memory.dmp

Filesize
4.8MB

Download
memory/4608-8-0x00007FFFF0225000-0x00007FFFF0226000-memory.dmp

Filesize
4KB

Download
memory/4608-3-0x000000001C530000-0x000000001C5D6000-memory.dmp

Filesize
664KB

Download
memory/4608-7-0x00007FFFEFF70000-0x00007FFFF0911000-memory.dmp

Filesize
9.6MB

Download
memory/4608-1-0x00007FFFEFF70000-0x00007FFFF0911000-memory.dmp

Filesize
9.6MB

Download