revengerat | 1423053f90855d33858db47f354055b660943104c1c18f848c9b7b415979dc5f

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 18:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
Size

21KB
MD5

6fe3fb85216045fdf8186429c27458a7
SHA1

ef2c68d0b3edf3def5d90f1525fe87c2142e5710
SHA256

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550
SHA512

d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c
SSDEEP

384:nPD9On5gIdjbvRPJnMacNj6FIlKrZbJsV5reQ+ys:b9On2nV6FIlKr1

Score

10^/10

revengerat execution stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

Processes:

resource	yara_rule
C:\Windows\System32\MSSCS.exe	revengerat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe

Drops startup file 2 IoCs

Processes:

MSSCS.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSO.exe	MSSCS.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSO.exe	MSSCS.exe

Executes dropped EXE 1 IoCs

Processes:

MSSCS.exe

pid process

1892 MSSCS.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
1892	MSSCS.exe

Drops file in System32 directory 4 IoCs

Processes:

MSSCS.exe905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe

description	ioc	process
File created	C:\Windows\system32\MSSCS.exe	MSSCS.exe
File created	C:\Windows\system32\MSSCS.exe	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
File opened for modification	C:\Windows\system32\MSSCS.exe	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
File opened for modification	C:\Windows\system32\MSSCS.exe	MSSCS.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

32 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

32 powershell.exe
32 powershell.exe

pid	process
32	powershell.exe

pid	process
32	powershell.exe
32	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exeMSSCS.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4508	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
Token: SeDebugPrivilege	1892	MSSCS.exe
Token: SeDebugPrivilege	32	powershell.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exeMSSCS.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exe

description	pid	process	target process
PID 4508 wrote to memory of 1892	4508	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe	MSSCS.exe
PID 4508 wrote to memory of 1892	4508	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe	MSSCS.exe
PID 1892 wrote to memory of 32	1892	MSSCS.exe	powershell.exe
PID 1892 wrote to memory of 32	1892	MSSCS.exe	powershell.exe
PID 1892 wrote to memory of 5088	1892	MSSCS.exe	vbc.exe
PID 1892 wrote to memory of 5088	1892	MSSCS.exe	vbc.exe
PID 5088 wrote to memory of 3492	5088	vbc.exe	cvtres.exe
PID 5088 wrote to memory of 3492	5088	vbc.exe	cvtres.exe
PID 1892 wrote to memory of 3452	1892	MSSCS.exe	vbc.exe
PID 1892 wrote to memory of 3452	1892	MSSCS.exe	vbc.exe
PID 3452 wrote to memory of 2316	3452	vbc.exe	cvtres.exe
PID 3452 wrote to memory of 2316	3452	vbc.exe	cvtres.exe
PID 1892 wrote to memory of 4456	1892	MSSCS.exe	vbc.exe
PID 1892 wrote to memory of 4456	1892	MSSCS.exe	vbc.exe
PID 4456 wrote to memory of 2068	4456	vbc.exe	cvtres.exe
PID 4456 wrote to memory of 2068	4456	vbc.exe	cvtres.exe
PID 1892 wrote to memory of 1680	1892	MSSCS.exe	vbc.exe
PID 1892 wrote to memory of 1680	1892	MSSCS.exe	vbc.exe
PID 1680 wrote to memory of 3104	1680	vbc.exe	cvtres.exe
PID 1680 wrote to memory of 3104	1680	vbc.exe	cvtres.exe
PID 1892 wrote to memory of 1896	1892	MSSCS.exe	vbc.exe
PID 1892 wrote to memory of 1896	1892	MSSCS.exe	vbc.exe
PID 1896 wrote to memory of 4748	1896	vbc.exe	cvtres.exe
PID 1896 wrote to memory of 4748	1896	vbc.exe	cvtres.exe
PID 1892 wrote to memory of 3576	1892	MSSCS.exe	vbc.exe
PID 1892 wrote to memory of 3576	1892	MSSCS.exe	vbc.exe
PID 3576 wrote to memory of 924	3576	vbc.exe	cvtres.exe
PID 3576 wrote to memory of 924	3576	vbc.exe	cvtres.exe
PID 1892 wrote to memory of 724	1892	MSSCS.exe	vbc.exe
PID 1892 wrote to memory of 724	1892	MSSCS.exe	vbc.exe
PID 724 wrote to memory of 2032	724	vbc.exe	cvtres.exe
PID 724 wrote to memory of 2032	724	vbc.exe	cvtres.exe
PID 1892 wrote to memory of 4160	1892	MSSCS.exe	vbc.exe
PID 1892 wrote to memory of 4160	1892	MSSCS.exe	vbc.exe
PID 4160 wrote to memory of 4844	4160	vbc.exe	cvtres.exe
PID 4160 wrote to memory of 4844	4160	vbc.exe	cvtres.exe
PID 1892 wrote to memory of 2396	1892	MSSCS.exe	vbc.exe
PID 1892 wrote to memory of 2396	1892	MSSCS.exe	vbc.exe
PID 2396 wrote to memory of 3984	2396	vbc.exe	cvtres.exe
PID 2396 wrote to memory of 3984	2396	vbc.exe	cvtres.exe
PID 1892 wrote to memory of 3412	1892	MSSCS.exe	vbc.exe
PID 1892 wrote to memory of 3412	1892	MSSCS.exe	vbc.exe
PID 3412 wrote to memory of 4976	3412	vbc.exe	cvtres.exe
PID 3412 wrote to memory of 4976	3412	vbc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
"C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4508

C:\Windows\system32\MSSCS.exe
"C:\Windows\system32\MSSCS.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1892

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Bypass -Command [System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms'); [System.Windows.Forms.MessageBox]::Show('Isto abriu lol','Rekt!',0,64)
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:32

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-yrkmypm.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:5088

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7D3A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc43335889C9674D778AE8C2602BA9E92E.TMP"
4⤵
PID:3492

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ugpsdaci.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:3452

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7E14.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc114C8F9558164FDABEDEF82E6EDE7229.TMP"
4⤵
PID:2316

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\clun-vd8.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:4456

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7EDF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc862FF5E915DA4938A3E6BDBEC8EA50E.TMP"
4⤵
PID:2068

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fjbjrlap.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7F4D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDCEDCE7A1FF145A9A04194BB82A5C7.TMP"
4⤵
PID:3104

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_yjl-yja.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:1896

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7FBA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC0F271D59934C47BA8EAC406FE722C4.TMP"
4⤵
PID:4748

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\iqelrd7v.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:3576

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8028.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDF5B67C25C1B44A5885FBEE0C26CCE8.TMP"
4⤵
PID:924

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\d3uguhnj.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:724

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8085.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7443DA153424266AB82D50A734B7C0.TMP"
4⤵
PID:2032

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\u49ryubc.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:4160

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8102.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc554A2D35D50F49FE9934E286FCCB7AB2.TMP"
4⤵
PID:4844

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kfgmrvui.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:2396

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8170.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE0F648E43FF64BCBBA53B5F3767C83E.TMP"
4⤵
PID:3984

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rru3lgcy.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:3412

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES81ED.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1D5BEE8CBD64FB5802D562E1675AF2.TMP"
4⤵
PID:4976

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

T1064

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\-yrkmypm.0.vb
Filesize
256B

MD5
076803692ac8c38d8ee02672a9d49778

SHA1
45d2287f33f3358661c3d6a884d2a526fc6a0a46

SHA256
5b3ab23bcadaeb54a41bdb1636bcaf7772af028d375f42baeb967de6579ef2a3

SHA512
cc9126384a287ccb99d10d5c2d3034cdbc8a45e94f1cec48dd95f2aa08ebbe3053ffd6d6effa31f2d84164edbb6136398cd02c08b05f027a6a777dffd1daea5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\-yrkmypm.cmdline
Filesize
156B

MD5
5ef9584fd54ccd15c5cab733e071e9bc

SHA1
abaddf7b95e5124ccf5b3e626c2f7ec58fcaca26

SHA256
62f980a2a6ba2be397436fb3d327c4e0cee1a9eede7151fc9b97b54cab991a7c

SHA512
6c9c989ae63903dba973e3faf26a0fb98d42fe4c4c1a8f1739201d7e84634b3855176f38cb8d1a661a25681802a64e628b5addf9f0f32872589ceb7fee5933a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7D3A.tmp
Filesize
1KB

MD5
96023c9915e2fe1f1554aed9c8fd5ba0

SHA1
23b7bca3b52a7236692de0484c2583e9dfe3c50f

SHA256
42b3a7b278cfad73f9fc8b5b48475b9488dd0bbc8dfbf7c53d10604257394b00

SHA512
aa3deb053c3aa2005d167326aa577dc00963ecfc7ea8e73c5ac1497f129cd7b813c2756b5bc069b589eaa29af5fe29c2272b5ee1f2284a2b37ae29e291c61990

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7E14.tmp
Filesize
1KB

MD5
5cc54cd5655534165bd5bf01485c9f19

SHA1
9a4d16221c8c9f57bd3927b3c714e9e7f82d5c27

SHA256
b75d1ed495f064596be9d2b0a1babf14b8a6a465d0ab19a913a474dd5a2cfb0a

SHA512
9e1d7516f56e96745124de7cc660e4cf878772dac4584d53d31dfab54187625e190dd3e2e5620e87f1fa901b0b51ae3a6e65380cb29c1593a949dc1818be5ef6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7EDF.tmp
Filesize
1KB

MD5
e898a755200f7cf64e5088bd14e84c4d

SHA1
6853b7491bfa1650af0f2a78ac6492686e66d1d9

SHA256
5f363a22153146800dd85cecb85c651c43693aa4f4a7fa8ab886f701b626e95a

SHA512
5aa27f7ca9438e657dab1bd58f4aad37daba1a6e4030120ec3f90398034736c76a99b0510a8a59c57df7ffa9f806464daf3f0f12b0ad22c83cb3d6f41c740c62

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7F4D.tmp
Filesize
1KB

MD5
eb34f93b96b4054071117935ddcb000b

SHA1
948107ab0a7f7caf46b925280a7d90ce9370f641

SHA256
00d4c17d91419824614a6aaf8cf8836c74f0bf8817cbefc5b123c1207ff874c6

SHA512
a83ab2277323cbea094ef790026c852ce09a72c843495c152513b979afc259055bda4541aa58a2f2473429246a2924459497fbab9a02e4acdf809abe67a66c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7FBA.tmp
Filesize
1KB

MD5
7d72e937969d8f0ce7ffa5d3d9f4ee2a

SHA1
5e399c1470929efde753b43f4b5688bc36e38432

SHA256
25c02130d5157becd1fb0dec061f14034d0c7beca48fcf647511194fd326575a

SHA512
988b2b0ef5d985370f67487a113d1f7e472c3d4f489e1c8f39e07949d944a69ac10dd05d122810eb495a7e054cd9b6b9c1319f8b410808c388d4bbef65e9af87

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8028.tmp
Filesize
1KB

MD5
061bd5d468a3c5d7ca79b23dcfd0dab0

SHA1
88667a8a299ac7f99eafaa8f8a7bd569beb76105

SHA256
be2282b1b640003cc38f659a8641273153edd1453ba5ab0967ac04c012d690eb

SHA512
625f5908e2ac0fcb76f54dcf4331e99553e2846108fa2c362ad49484ffcbb6806093fb938d383fccd401642991c701df976709390e204b32fffa59adb87e7092

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8085.tmp
Filesize
1KB

MD5
fee6a7a0ec3210f8d349e475a76a26f9

SHA1
0ab8a515e80bc152ba92aaff2cd701eba23ecb5c

SHA256
6d431d9e35d63135a2d3df2e8ba5a90fd028e79b16d4dd331fc4edbdb84d42e3

SHA512
39fd934810e492af72ff56b12369c530199e5570b178c15a8a438c7c8b0711c75c9d6d0b886985e593f4ad248b904dfd58ccf54b2969e9c47412c68944dc65ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8102.tmp
Filesize
1KB

MD5
a1c5dbb1a877ee4229e017476ef83c5e

SHA1
ad29fff98389747e3f8b325fda11cd4d121df562

SHA256
880cea1a6caed0160fd71e7b77261da4824579bbb021f7e2596a0e0813e1df32

SHA512
48cd380a77c6e73c487039185c5df50b9b53cf04ed34637d34f1fc1fdd969fc4aa3b78ba76904be1fa7589571e9c931230f1620a1c91ec522bf594332d0fcfa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8170.tmp
Filesize
1KB

MD5
a529ec30961482409ce77064b5d5bd2f

SHA1
7628898079054a61f171f1d3288e5b2ae1d8ffe6

SHA256
55e335ae5f56fcc03e87132de0e9fa40cb2312295619ea9c467f99f06f3d0e6a

SHA512
57097e89a207fb5f398458699af010f286f435743f5ca1a6ff8982f70e5863d4fc836de10cb0e2d28ef4c4207187933c8ab3ac134d6a81b36633d0e89c60eb03

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES81ED.tmp
Filesize
1KB

MD5
7b68773a07b04952a13caa981f78e387

SHA1
8f029796d05aa7b5859579768430eadec4262c12

SHA256
3bf096e0bfe511fdfff90dd65176fa011d53fbab9a69a91a09f599462fbe8400

SHA512
beacc4b1312f005dc46b00bdf44052b5e5f8cd2383f44ecf6d74a2e5c9447019de2408391a6d66fcad36215dd3f57a8a1dce31a257eff50456f5f52a9c5c6169

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jgl5503k.gff.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\_yjl-yja.0.vb
Filesize
272B

MD5
2b3aac520562a93ebef6a5905d4765c9

SHA1
10ab45c5d73934b16fac5e30bf22f17d3e0810c8

SHA256
b9f0edf067faaaa7da2d47e3d22b957cd302eb25e01e08ea79c664868f328f89

SHA512
9514934ed12d93ea3ad4e6873cf294bafa114bc7a784a93b14dd2410d07fae3a2c00308035a5c129c57e283de8b94ed36fd9f9de35b08eb79a82a0c732e50446

Download Submit
C:\Users\Admin\AppData\Local\Temp\_yjl-yja.cmdline
Filesize
172B

MD5
a23bb515d3f83ad0f69b117298504a51

SHA1
06244347cbf5302bc503aefa348f5998dcf31c81

SHA256
4d964bd1b21fced4301afdd87577852bed1ac005a4ce8b6af657504c435c9079

SHA512
fda5ced3e9bb4ddda52450b78d3eed3c3fbeae359d8ca5ca4fdb2dbb7dbcdd9a0214c9df6581d1da378cabfa942bfa978622726bdbd98991f100beb854a1c12a

Download Submit
C:\Users\Admin\AppData\Local\Temp\clun-vd8.0.vb
Filesize
263B

MD5
d1110a95f1e40f726584bd99eca52fe7

SHA1
97fac683e1116ab31a9cc9c3dcfd9fe9e53505c3

SHA256
00f373eb310beace70146b6e0fd188aa2f437efb2e5a2714a11d4d58e27d3142

SHA512
f15b5b310ace82a0106b551d71ad3d48e1c75085aa78b8bb3374a2334ceb073bd4d1bf4cd0b4e39034c39f01b6bcd76e8be30198e4872f5641a7d29b255154b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\clun-vd8.cmdline
Filesize
163B

MD5
3ac7b4ef44cbb04f56d489caf2e14829

SHA1
1b5f11457ac81f45fd181e262c1999f13109ce42

SHA256
5f4b9d89c4dfa3f9194060dd990d18a91a299cbfb9402b48d3290713360316c5

SHA512
36e55db2ab4a278bbcedfe9251087fb8abd31fb4a64a5c1f00290f9e7b1e12019cb5d120566ad39616273a656e6d28df97fb358b6b2037226d474cb34b1834a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\d3uguhnj.0.vb
Filesize
274B

MD5
539683c4ca4ee4dc46b412c5651f20f5

SHA1
564f25837ce382f1534b088cf2ca1b8c4b078aed

SHA256
ec2210924d5c1af6377ef4bdf76d6ca773aaa1ae0438b0850f44d8c4e16ef92e

SHA512
df7c1a55e53f9b9bf23d27762d2d1163c78808e9b4d95e98c84c55ca4ecb7009ed58574ae6ddede31459f300483a1dc42987295a04f6c8702f297d3f1942f4ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\d3uguhnj.cmdline
Filesize
174B

MD5
9d7316365a868c17b039a9bfaf748657

SHA1
c20ecabb410de1caa1cbbdf7c1e2eb1887937711

SHA256
5c667a2ad7c20bc7061153758f7081387679c33192f843a382ddb6e49f967c9e

SHA512
18e978cd52ecf7c81f818db199bc076955de8ddb21733d17d28bdefe6682c9efd3b88afcba2b694c9bc3f174ba3d41af70b9e1aa73fc637d2fdbd7046b8bdabe

Download Submit
C:\Users\Admin\AppData\Local\Temp\fjbjrlap.0.vb
Filesize
271B

MD5
ac972015bef75b540eb33503d6e28cc2

SHA1
5c1d09fcf4c719711532dcfd0544dfc6f2b90260

SHA256
fa445cc76cde3461a5f1f1281fefcb0c7db69b2685f8a67a06a0f33a067e74e7

SHA512
36b2e1f7b7a6f2c60788f88d95bfdc53b7d261c203eb637a36fbd07d81bc46edc87e528f1987df73963cb75ca2f19c3a4b3df9ade52d5768ecec23753099cc83

Download Submit
C:\Users\Admin\AppData\Local\Temp\fjbjrlap.cmdline
Filesize
171B

MD5
2518caf15cfea0ae2907c16aab04dea5

SHA1
910cb65ca4112cefbee79128531e0bd43207351e

SHA256
7821818fe1ec4985758c88f66bb2d4bebb945933983f6fa8bf3d0d67ea3d8520

SHA512
7c8988976fe0b2422590b12b005efb896d103fe3527ee21f4d73fd8252d473093db8314b26533799616742dc700b58905babaff4e89ff488c480be19ef12907b

Download Submit
C:\Users\Admin\AppData\Local\Temp\iqelrd7v.0.vb
Filesize
271B

MD5
325f27ef75bebe8b3f80680add1943d3

SHA1
1c48e211258f8887946afb063e9315b7609b4ee3

SHA256
034c75813491d628a1a740b45888fc0c301b915456aaa7ba6433b4f1368cda35

SHA512
e2165b425558872897990953c26e48776f45751a53da035f1ad86ac062ec23a2923b984d84f992de5c0170f6e192feb155ffff25f51bc76ab273b996daacb804

Download Submit
C:\Users\Admin\AppData\Local\Temp\iqelrd7v.cmdline
Filesize
171B

MD5
eae47aebbaa61c952f0a3b74f6d9edd5

SHA1
0d2f9ebebf08ddf0260d2e3d0642c691a11ead9c

SHA256
ad9733377818c9130b747d450ddf55d0c4d31a84eb1a972208e06db6fbd5976d

SHA512
88b7fc7f75a2007cd4206ef511e278b83a900675bc2d13150b828078aa036fa54db0faf1612885d4e0ff15664836ad00d2a067cc6c161542b0f83c09b244b01d

Download Submit
C:\Users\Admin\AppData\Local\Temp\kfgmrvui.0.vb
Filesize
270B

MD5
658573fde2bebc77c740da7ddaa4634b

SHA1
073da76c50b4033fcfdfb37ba6176afd77b0ea55

SHA256
c07206283d62100d426ba62a81e97bd433966f8b52b5a8dd1451e29a804a1607

SHA512
f93c7f4378be5eca51161d1541d772a34c07884c9d829608c6fa21563df5691920394afe9da1174ad5c13f773a588b186d1d38a9d375a28562eb58ca4a8b8fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\kfgmrvui.cmdline
Filesize
170B

MD5
e490079d1802271d5ceab69bddb087e7

SHA1
83ca6fc633e58dda1cb709e598e76da0239caa30

SHA256
9ab6ea5e6906f005a3299f9c678fabaee7c8e2aa044b0a36fe8ef355e5b545d3

SHA512
5c6bccd53a4601ec8f381f3982150ece39d30497df589ba39093bcc3b97cb96e1505a3783b9da13f566f3367b897a4068ff4cb7fb997789a4a41b1f8459bef35

Download Submit
C:\Users\Admin\AppData\Local\Temp\rru3lgcy.0.vb
Filesize
273B

MD5
3c3d3136aa9f1b87290839a1d26ad07a

SHA1
005a23a138be5d7a98bdd4a6cc7fab8bdca962f4

SHA256
5b745f85a39312bfa585edbd7e3465371578b42fa639eded4cdad8c9f96b87fd

SHA512
fbb085ffcd77ac96c245067fd96a0c20492d55331161f292975b0c11386424a96534a500133217f84d44455e16139d01230455bce5db3d472271620c29381f60

Download Submit
C:\Users\Admin\AppData\Local\Temp\rru3lgcy.cmdline
Filesize
173B

MD5
d04679684ae763c3714f77c4b3d41a13

SHA1
8b6a6f730f6aa9351201a3e598b9cb09ec817096

SHA256
ad463687bdf8c5245441f3adfbbcfebd83640a25cc84da783367a97943757231

SHA512
80bdbfcd46d47e88858ffabe95f0f06214f880071e679fbc873490fbd2e02a6fd474e5eb9e30e23894b1d45e10f38c5b91e263f9b810ab8153af68962d7df3ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\u49ryubc.0.vb
Filesize
264B

MD5
5ce3977a153152978fa71f8aa96909e9

SHA1
52af143c553c92afc257f0e0d556908eaa8919cb

SHA256
e07a7bd0c2901d3a349ab55e936b34de2d0abb5f2dc555cc128773b8045d3eed

SHA512
eaee02ceade0211be70a4710b28fdf043d5c540928e2095ead924a44c2edfca8fc6499395d1b7f5deee96394fb5309362fb87e45ee195094ec39d5fa11909d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\u49ryubc.cmdline
Filesize
164B

MD5
71ca43348426a69d37c3b05b986a8e95

SHA1
7bd9ee0a955105de6631de6a980deb7a7c956009

SHA256
30153b3a400d3c293918be70fea29c54eb187eadc2b9a86926a9b7c09815a2fd

SHA512
3b0ae0d80e9ffee5eb75ab3d160623cfd80452e9e679409572a51c2536145e04f6ce4940df73d70fe359c5dcdf8db2a2bb0b3fafc640300f148b72b8b9c0236a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugpsdaci.0.vb
Filesize
262B

MD5
88cc385da858aaa7057b54eaeb0df718

SHA1
b108224d4686b5ca3faaeb1c728dfba8740a6eca

SHA256
08a30db98d970e3b6819d5ecff6eab2211ce93f4cd000c09db96ffb294d05020

SHA512
4787835240c3e2364172ac2e7649ec8fecb907c7006c38734e59aa65509f360b4596d5db8de20e0c7388a022e1c2f4f9ba75acabba798bea1d40f688539b7df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugpsdaci.cmdline
Filesize
162B

MD5
d9a01b5e2d8427b87136106eb46fe1c7

SHA1
60ea6fbf4efff009928969eb628594bf0a235e91

SHA256
ce79970288ad5f44c6399f5b10f847ef03765021cdbc952a3a94e385864f7e7e

SHA512
d303ed38624be1a14107732002efc6407463fd2e6eadd99af9e601dba8311097ede3455c4fe10ccdef99c77f17e4d21ff0f42c2089d7aacc68c69a77581f4810

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc114C8F9558164FDABEDEF82E6EDE7229.TMP
Filesize
668B

MD5
3906bddee0286f09007add3cffcaa5d5

SHA1
0e7ec4da19db060ab3c90b19070d39699561aae2

SHA256
0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00

SHA512
0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1D5BEE8CBD64FB5802D562E1675AF2.TMP
Filesize
684B

MD5
7a707b422baa7ca0bc8883cbe68961e7

SHA1
addf3158670a318c3e8e6fdd6d560244b9e8860e

SHA256
453ad1da51152e3512760bbd206304bf48f9c880f63b6a0726009e2d1371c71c

SHA512
81147c1c4c5859249f4e25d754103f3843416e3d0610ac81ee2ef5e5f50622ea37f0c68eeb7fa404f8a1779dc52af02d2142874e39c212c66fa458e0d62926a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc43335889C9674D778AE8C2602BA9E92E.TMP
Filesize
644B

MD5
dac60af34e6b37e2ce48ac2551aee4e7

SHA1
968c21d77c1f80b3e962d928c35893dbc8f12c09

SHA256
2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6

SHA512
1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7443DA153424266AB82D50A734B7C0.TMP
Filesize
684B

MD5
8135713eeb0cf1521c80ad8f3e7aad22

SHA1
1628969dc6256816b2ab9b1c0163fcff0971c154

SHA256
e14dd88df69dc98be5bedcbc8c43d1e7260b4492899fec24d964000a3b096c7a

SHA512
a0b7210095767b437a668a6b0bcedf42268e80b9184b9910ed67d665fba9f714d06c06bff7b3da63846791d606807d13311946505776a1b891b39058cfb41bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc862FF5E915DA4938A3E6BDBEC8EA50E.TMP
Filesize
676B

MD5
85c61c03055878407f9433e0cc278eb7

SHA1
15a60f1519aefb81cb63c5993400dd7d31b1202f

SHA256
f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b

SHA512
7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

Download Submit
C:\Windows\System32\MSSCS.exe
Filesize
21KB

MD5
6fe3fb85216045fdf8186429c27458a7

SHA1
ef2c68d0b3edf3def5d90f1525fe87c2142e5710

SHA256
905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550

SHA512
d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c

Download Submit
memory/32-39-0x00000188B7530000-0x00000188B7552000-memory.dmp

Filesize
136KB

Download
memory/1892-18-0x00007FFE70590000-0x00007FFE70F31000-memory.dmp

Filesize
9.6MB

Download
memory/1892-17-0x00007FFE70590000-0x00007FFE70F31000-memory.dmp

Filesize
9.6MB

Download
memory/1892-21-0x00007FFE70590000-0x00007FFE70F31000-memory.dmp

Filesize
9.6MB

Download
memory/4508-5-0x00007FFE70590000-0x00007FFE70F31000-memory.dmp

Filesize
9.6MB

Download
memory/4508-4-0x000000001C420000-0x000000001C482000-memory.dmp

Filesize
392KB

Download
memory/4508-0-0x00007FFE70845000-0x00007FFE70846000-memory.dmp

Filesize
4KB

Download
memory/4508-6-0x000000001CC80000-0x000000001CD1C000-memory.dmp

Filesize
624KB

Download
memory/4508-3-0x00007FFE70590000-0x00007FFE70F31000-memory.dmp

Filesize
9.6MB

Download
memory/4508-7-0x00007FFE70845000-0x00007FFE70846000-memory.dmp

Filesize
4KB

Download
memory/4508-8-0x00007FFE70590000-0x00007FFE70F31000-memory.dmp

Filesize
9.6MB

Download
memory/4508-2-0x000000001C2B0000-0x000000001C356000-memory.dmp

Filesize
664KB

Download
memory/4508-20-0x00007FFE70590000-0x00007FFE70F31000-memory.dmp

Filesize
9.6MB

Download
memory/4508-1-0x000000001BD30000-0x000000001C1FE000-memory.dmp

Filesize
4.8MB

Download