revengerat | 1423053f90855d33858db47f354055b660943104c1c18f848c9b7b415979dc5f

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 18:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
Size

21KB
MD5

6fe3fb85216045fdf8186429c27458a7
SHA1

ef2c68d0b3edf3def5d90f1525fe87c2142e5710
SHA256

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550
SHA512

d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c
SSDEEP

384:nPD9On5gIdjbvRPJnMacNj6FIlKrZbJsV5reQ+ys:b9On2nV6FIlKr1

Score

10^/10

revengerat execution stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

Processes:

resource	yara_rule
C:\Windows\System32\MSSCS.exe	revengerat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe

Drops startup file 2 IoCs

Processes:

MSSCS.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSO.exe	MSSCS.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSO.exe	MSSCS.exe

Executes dropped EXE 1 IoCs

Processes:

MSSCS.exe

pid process

4180 MSSCS.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
4180	MSSCS.exe

Drops file in System32 directory 4 IoCs

Processes:

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exeMSSCS.exe

description	ioc	process
File created	C:\Windows\system32\MSSCS.exe	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
File opened for modification	C:\Windows\system32\MSSCS.exe	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
File opened for modification	C:\Windows\system32\MSSCS.exe	MSSCS.exe
File created	C:\Windows\system32\MSSCS.exe	MSSCS.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2148 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

2148 powershell.exe
2148 powershell.exe

pid	process
2148	powershell.exe

pid	process
2148	powershell.exe
2148	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exeMSSCS.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3144	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
Token: SeDebugPrivilege	4180	MSSCS.exe
Token: SeDebugPrivilege	2148	powershell.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exeMSSCS.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exe

description	pid	process	target process
PID 3144 wrote to memory of 4180	3144	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe	MSSCS.exe
PID 3144 wrote to memory of 4180	3144	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe	MSSCS.exe
PID 4180 wrote to memory of 2148	4180	MSSCS.exe	powershell.exe
PID 4180 wrote to memory of 2148	4180	MSSCS.exe	powershell.exe
PID 4180 wrote to memory of 4844	4180	MSSCS.exe	vbc.exe
PID 4180 wrote to memory of 4844	4180	MSSCS.exe	vbc.exe
PID 4844 wrote to memory of 2836	4844	vbc.exe	cvtres.exe
PID 4844 wrote to memory of 2836	4844	vbc.exe	cvtres.exe
PID 4180 wrote to memory of 4492	4180	MSSCS.exe	vbc.exe
PID 4180 wrote to memory of 4492	4180	MSSCS.exe	vbc.exe
PID 4492 wrote to memory of 3240	4492	vbc.exe	cvtres.exe
PID 4492 wrote to memory of 3240	4492	vbc.exe	cvtres.exe
PID 4180 wrote to memory of 1012	4180	MSSCS.exe	vbc.exe
PID 4180 wrote to memory of 1012	4180	MSSCS.exe	vbc.exe
PID 1012 wrote to memory of 2208	1012	vbc.exe	cvtres.exe
PID 1012 wrote to memory of 2208	1012	vbc.exe	cvtres.exe
PID 4180 wrote to memory of 3936	4180	MSSCS.exe	vbc.exe
PID 4180 wrote to memory of 3936	4180	MSSCS.exe	vbc.exe
PID 3936 wrote to memory of 2160	3936	vbc.exe	cvtres.exe
PID 3936 wrote to memory of 2160	3936	vbc.exe	cvtres.exe
PID 4180 wrote to memory of 1980	4180	MSSCS.exe	vbc.exe
PID 4180 wrote to memory of 1980	4180	MSSCS.exe	vbc.exe
PID 1980 wrote to memory of 4488	1980	vbc.exe	cvtres.exe
PID 1980 wrote to memory of 4488	1980	vbc.exe	cvtres.exe
PID 4180 wrote to memory of 4600	4180	MSSCS.exe	vbc.exe
PID 4180 wrote to memory of 4600	4180	MSSCS.exe	vbc.exe
PID 4600 wrote to memory of 5004	4600	vbc.exe	cvtres.exe
PID 4600 wrote to memory of 5004	4600	vbc.exe	cvtres.exe
PID 4180 wrote to memory of 1660	4180	MSSCS.exe	vbc.exe
PID 4180 wrote to memory of 1660	4180	MSSCS.exe	vbc.exe
PID 1660 wrote to memory of 3580	1660	vbc.exe	cvtres.exe
PID 1660 wrote to memory of 3580	1660	vbc.exe	cvtres.exe
PID 4180 wrote to memory of 2244	4180	MSSCS.exe	vbc.exe
PID 4180 wrote to memory of 2244	4180	MSSCS.exe	vbc.exe
PID 2244 wrote to memory of 2460	2244	vbc.exe	cvtres.exe
PID 2244 wrote to memory of 2460	2244	vbc.exe	cvtres.exe
PID 4180 wrote to memory of 4408	4180	MSSCS.exe	vbc.exe
PID 4180 wrote to memory of 4408	4180	MSSCS.exe	vbc.exe
PID 4408 wrote to memory of 644	4408	vbc.exe	cvtres.exe
PID 4408 wrote to memory of 644	4408	vbc.exe	cvtres.exe
PID 4180 wrote to memory of 4848	4180	MSSCS.exe	vbc.exe
PID 4180 wrote to memory of 4848	4180	MSSCS.exe	vbc.exe
PID 4848 wrote to memory of 4800	4848	vbc.exe	cvtres.exe
PID 4848 wrote to memory of 4800	4848	vbc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
"C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3144

C:\Windows\system32\MSSCS.exe
"C:\Windows\system32\MSSCS.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4180

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Bypass -Command [System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms'); [System.Windows.Forms.MessageBox]::Show('Isto abriu lol','Rekt!',0,64)
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2148

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\daeiibl7.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:4844

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES878A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7B996A20D26547B4B7C5DCE5E2CBA0.TMP"
4⤵
PID:2836

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hrvuq3-2.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:4492

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8807.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6D188377989C42A1A367CFF24F2D1C91.TMP"
4⤵
PID:3240

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jq87rzoe.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:1012

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8894.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc67B46B1BB01453881362E3320C399C4.TMP"
4⤵
PID:2208

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rjxusxgf.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:3936

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8940.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBD7497281F547E1B6738348F425493B.TMP"
4⤵
PID:2160

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\8mfbnjw4.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:1980

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES89DC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc78B065CD8AEF42D9BF95CF190DAD684.TMP"
4⤵
PID:4488

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ns8x1m9t.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:4600

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8A69.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC5E60C7F2C5E44DD814B1FD8CB539C93.TMP"
4⤵
PID:5004

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bbioncrw.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:1660

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8B05.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF9F87494D33D4B97B878F5732448D256.TMP"
4⤵
PID:3580

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\i8qchtas.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:2244

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8B63.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc531717E16C0C49918A27697B15C1FE2.TMP"
4⤵
PID:2460

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5zdxi3tn.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:4408

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8BB1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc57BE68B84D264A78BA731DD5E938E1D9.TMP"
4⤵
PID:644

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\r018qrko.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:4848

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8C1E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7FC7C03C79749A1B1AE6BAC3967BC.TMP"
4⤵
PID:4800

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

T1064

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5zdxi3tn.0.vb
Filesize
270B

MD5
658573fde2bebc77c740da7ddaa4634b

SHA1
073da76c50b4033fcfdfb37ba6176afd77b0ea55

SHA256
c07206283d62100d426ba62a81e97bd433966f8b52b5a8dd1451e29a804a1607

SHA512
f93c7f4378be5eca51161d1541d772a34c07884c9d829608c6fa21563df5691920394afe9da1174ad5c13f773a588b186d1d38a9d375a28562eb58ca4a8b8fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\5zdxi3tn.cmdline
Filesize
170B

MD5
ed06d837db098a84c2148738436d2341

SHA1
005d2878a2695a3ce7a10338a0b143efc8134e04

SHA256
e623303d417b426e06aa5c7d83b94a423309a0626ba0c94de430750956f532bf

SHA512
065b27c43b77c46776a165c72723a8894b0d71f8679bd777ca5d4cd09aeeedb59aaff384945c8b494e06e5234c203f72d4bb1faf986285b2d35258c88d1f87fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\8mfbnjw4.0.vb
Filesize
272B

MD5
2b3aac520562a93ebef6a5905d4765c9

SHA1
10ab45c5d73934b16fac5e30bf22f17d3e0810c8

SHA256
b9f0edf067faaaa7da2d47e3d22b957cd302eb25e01e08ea79c664868f328f89

SHA512
9514934ed12d93ea3ad4e6873cf294bafa114bc7a784a93b14dd2410d07fae3a2c00308035a5c129c57e283de8b94ed36fd9f9de35b08eb79a82a0c732e50446

Download Submit
C:\Users\Admin\AppData\Local\Temp\8mfbnjw4.cmdline
Filesize
172B

MD5
ca303cb294def0d11797e23289f11cde

SHA1
e483da1d565d0080b5ec0bbba2cba116f3041f6f

SHA256
11d39cdcbbb94e1400e55a24de437ac410bb37b2ca9d10a1ec0c18006b40cdb5

SHA512
c75a6307a067e912a63abda03a2a6ea41f51a5121e4b7df597cde20041834c1a623c2f0afd861a95fc350b7b72f6e2546c13223f7bf689793d3caa1c05c3ae50

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES878A.tmp
Filesize
1KB

MD5
5b8f49055729e9009cc9c930a4af0481

SHA1
58a3ff9615805cca3db9f5e519614e102c88dc13

SHA256
4ef1b2183629ee806896e7f61f78db257c5270852d51b8ac8920cd2afcf01b77

SHA512
19dfdd2850572b2f2f4499808513e525bb5f9836e15e3263b89a567ed5fe956bb8051174c1c918bda3eba4f8ec86d9b031949d65ffd913bc6134276f74baf414

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8807.tmp
Filesize
1KB

MD5
3218233e211121c94adc0b1417c03d5f

SHA1
8327b7816583830a84c65798f1025b8cc7bfb0db

SHA256
2297a7e6b528c0ad2b5b8751523ae3a5c4d8f10a862cfd202612285c2be46103

SHA512
82fbc0d2fb6fa27799981a10f052e81aaa408d0f0315a8ced9b5eca0dcce3a18f407051efbebdbb757f0a81463b53d73570f1f2b5db999a3904f567c12539188

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8894.tmp
Filesize
1KB

MD5
1d2790ef5df60321f4e5f15a39f21d34

SHA1
2d4e656faf7d33baf136d1ef7977624dde2afe07

SHA256
5ea4c4ffc1213df58a2d9daa812c097f0315bd967c8511b74acaa8ed24b3081f

SHA512
c179a943ff9427a5a17f7a8679f3c6fd6de8290a19c35d4cc638156d2125c02256cdaa6b65bbb46605c5b7865f7822bb4d38dca487bf9a9975278e128e81c454

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8940.tmp
Filesize
1KB

MD5
99042a139f8118e22e767e882448c806

SHA1
6e83f78d657fede6fae77fa7886a74a95db01afc

SHA256
a8e426ce8785cce90107c2a1e031e6a77387539f8e2adfc0ff5c567d5f9c1437

SHA512
aaa04ded0b6b6a10ea21502a81077ba3e413cc0548469eb7c09aef54e9f82119f70c9fd7a539fd614b51252042d1c67b4f15929a5e48f19f3205ed4f7c0e05ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES89DC.tmp
Filesize
1KB

MD5
aab6d56b9166358f97df4457544c0d00

SHA1
7d7119da97232bde2c15cbf1fa12a69a0d2b81fa

SHA256
2b54f7c008a48934ad57d1901548bc48f24d0681e583a5b174fdf147089f3e75

SHA512
13b6871e9ae4da24483f652275d421b38a8ba24420b13e6a70be71f4abd9d57896ea03105f240ec170c59bd7ca2239f24c216552bcf35977707392dcc828c2da

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8A69.tmp
Filesize
1KB

MD5
86e1a9faf2509d033ea153b00db93616

SHA1
832573db67b3db7ae22e7dff84a3c0be78043f04

SHA256
1b1554b7c9ced547d9e9462ea79c07560247076b56c659ad2e5e6f294a8df129

SHA512
e3ccc9bd276acb4712b68de2f4e299d58e36b873955e33b8a3e9ff34de0ea71c084db574938c5ece7c852f82f1e7eb386de4f05a0c43153e2a4de986d4f19db9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8B05.tmp
Filesize
1KB

MD5
e7bcd32d39ae32affc1a25631864a67a

SHA1
14f5016a5c247e389b8b8e35453f5a01a3c36539

SHA256
a426a794490e26e9ccabf7570d77fe5d70de856b75c4833faeaeb974e027b7b4

SHA512
ec282c839fd9e077cc281bd58e935f7ebfab8468ae6ff9364436372dd7b4c4602f7b5af529ec7539b652ea36ae443de702e05291fd11734865d15e3cb15f4a61

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8B63.tmp
Filesize
1KB

MD5
e727640333a09b957361f875444c97d8

SHA1
9af3d9761aab10e1507da773fe4dced64ca2a90f

SHA256
3c78e4b07410a60134d5a68ad537daa12151439ee3bddd0f3df4de836ede109b

SHA512
69e40c1663caf8cf7bf50b5cf506b88b233c989c0baeaf9fca3b03abb2e8b17c85b1accd734c010825e5432e72cdc3e8e1da5de49d1b029081d2540e9d0af200

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8BB1.tmp
Filesize
1KB

MD5
af692fedf5bf2c9b105bdab2171ea646

SHA1
871796b3a668783f60006aad8a155187d5c29cf6

SHA256
a9c7739c223cc371ad182f14682ef30a9e89b134e91d26d0a11b723a03b7f385

SHA512
26de96bb3ada3ee217103b612f4df7fcb4c678ad9b6d83a71e32de5bd51704a5be11c97eae50fd0b93cdcab64795c2d279a953e353904513240f8b8047d2ab26

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8C1E.tmp
Filesize
1KB

MD5
d73de69fc96768adb1c68436a124ee94

SHA1
6ceab5236b935f1b2f5c3dd2d0e666353bba7155

SHA256
2d62f0b3e7e4d553a84c04ec64d8de6b9b82ed48d87da58acff30d41635b8f4a

SHA512
1f346622eea5c6834492104e3a725ddcb86607be32de36ce9d212e22a33363c3f892b16cfe8b9ea34e37da07309e6e34eab9b49ea2ea0d85202d768c29b5b61f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wlvu1qk2.txf.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbioncrw.0.vb
Filesize
274B

MD5
539683c4ca4ee4dc46b412c5651f20f5

SHA1
564f25837ce382f1534b088cf2ca1b8c4b078aed

SHA256
ec2210924d5c1af6377ef4bdf76d6ca773aaa1ae0438b0850f44d8c4e16ef92e

SHA512
df7c1a55e53f9b9bf23d27762d2d1163c78808e9b4d95e98c84c55ca4ecb7009ed58574ae6ddede31459f300483a1dc42987295a04f6c8702f297d3f1942f4ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbioncrw.cmdline
Filesize
174B

MD5
52483b03aa2739be57026a72a062c572

SHA1
d8ba27fb341678df4b4c77694b8df3802c027750

SHA256
7f6e9e70f284820ff5774b3e9f6bdc13d745c8883696deb3b8915cf597108f58

SHA512
4494ad66c979c01269427cd6d186db8ba30b7d1bfdeb9431bb5f88f079c73961d1ea6ae853efa2dd586552068f0dc50b5994258b57dd8be2cac77950bf592e98

Download Submit
C:\Users\Admin\AppData\Local\Temp\daeiibl7.0.vb
Filesize
256B

MD5
076803692ac8c38d8ee02672a9d49778

SHA1
45d2287f33f3358661c3d6a884d2a526fc6a0a46

SHA256
5b3ab23bcadaeb54a41bdb1636bcaf7772af028d375f42baeb967de6579ef2a3

SHA512
cc9126384a287ccb99d10d5c2d3034cdbc8a45e94f1cec48dd95f2aa08ebbe3053ffd6d6effa31f2d84164edbb6136398cd02c08b05f027a6a777dffd1daea5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\daeiibl7.cmdline
Filesize
156B

MD5
07be6ca249bec7f2dfea9ae852b673e5

SHA1
cc1cf4eb5716b0c10f7844858cfb88573752df7d

SHA256
17300c869a261ee2c82753077988c42af3e61b2c6fa37930cf7735aa70fc2017

SHA512
8045173abdc750e0829ca24000152505c7bf9071592e5f0d8944253a2b2dc42ccaf81b4337ab32a2621628a5649163e0ec7fd51086a31edbd9265a6b2e18592a

Download Submit
C:\Users\Admin\AppData\Local\Temp\hrvuq3-2.0.vb
Filesize
262B

MD5
88cc385da858aaa7057b54eaeb0df718

SHA1
b108224d4686b5ca3faaeb1c728dfba8740a6eca

SHA256
08a30db98d970e3b6819d5ecff6eab2211ce93f4cd000c09db96ffb294d05020

SHA512
4787835240c3e2364172ac2e7649ec8fecb907c7006c38734e59aa65509f360b4596d5db8de20e0c7388a022e1c2f4f9ba75acabba798bea1d40f688539b7df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\hrvuq3-2.cmdline
Filesize
162B

MD5
2e0b4f8a809292de8890d0d68231e434

SHA1
ab07865286e9471424b273fd68226da72c725a5d

SHA256
45f6e5f0278fba2845027cdf099e5b5c3757ab3cdc0d3b40f1676500d8a54658

SHA512
fb85eeea153f24e315725fe348c9ecf55219b0686b118fa796cda0d65d2c1623928097b31dffafdf7e550d2b265044565ec165d3829c3d90aa5c2d5c9974253e

Download Submit
C:\Users\Admin\AppData\Local\Temp\i8qchtas.0.vb
Filesize
264B

MD5
5ce3977a153152978fa71f8aa96909e9

SHA1
52af143c553c92afc257f0e0d556908eaa8919cb

SHA256
e07a7bd0c2901d3a349ab55e936b34de2d0abb5f2dc555cc128773b8045d3eed

SHA512
eaee02ceade0211be70a4710b28fdf043d5c540928e2095ead924a44c2edfca8fc6499395d1b7f5deee96394fb5309362fb87e45ee195094ec39d5fa11909d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\i8qchtas.cmdline
Filesize
164B

MD5
872b3424790c0c030938598e3a77b20b

SHA1
183afa514144d338567b92901e543771a37ab615

SHA256
96f08341c93ddef70608c78131bb8f3341b6ba98ec1648ae7514c5219a164cb4

SHA512
71b5843db19c5e28167addea3cd72dfc0cc2b811cd1e16f3071d6b975ee57f0aa3194f5f29df0bf0515b7ad6fb6e5ebf91019276795ee2b9f373d6344360872c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jq87rzoe.0.vb
Filesize
263B

MD5
d1110a95f1e40f726584bd99eca52fe7

SHA1
97fac683e1116ab31a9cc9c3dcfd9fe9e53505c3

SHA256
00f373eb310beace70146b6e0fd188aa2f437efb2e5a2714a11d4d58e27d3142

SHA512
f15b5b310ace82a0106b551d71ad3d48e1c75085aa78b8bb3374a2334ceb073bd4d1bf4cd0b4e39034c39f01b6bcd76e8be30198e4872f5641a7d29b255154b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jq87rzoe.cmdline
Filesize
163B

MD5
b9ec63b5413523f3e14ee3d077639ca6

SHA1
a02da58e30bd801130c0c2f5bc0e72b2aa1cee2b

SHA256
589a5cf48317c087bf797cfa40e3706bf51386cc4cdbe8934ca5ba863cfbf966

SHA512
aafd3f926a82ab65eff0de77dfc819190a0f1c1927c44445650344d42f2fed6e7f5847f744d13052381607153bdb076b16386b97193fbc72c0dc024513ade741

Download Submit
C:\Users\Admin\AppData\Local\Temp\ns8x1m9t.0.vb
Filesize
271B

MD5
325f27ef75bebe8b3f80680add1943d3

SHA1
1c48e211258f8887946afb063e9315b7609b4ee3

SHA256
034c75813491d628a1a740b45888fc0c301b915456aaa7ba6433b4f1368cda35

SHA512
e2165b425558872897990953c26e48776f45751a53da035f1ad86ac062ec23a2923b984d84f992de5c0170f6e192feb155ffff25f51bc76ab273b996daacb804

Download Submit
C:\Users\Admin\AppData\Local\Temp\ns8x1m9t.cmdline
Filesize
171B

MD5
3f5a06d54bff12e88f28c96b30dd5059

SHA1
1f55d09325fa923347dbf61e66df3fa19d23c849

SHA256
b1a1bb400b915e6379989425eefe8a0784735438f488a63875bb2932fcd265a3

SHA512
9122f99d242c1be701ffd8112abe5f04d085fa5cdfb5d7afbfb63f2b3db41bc0d0268095c528366a482e70488a04bc95df06e3a7f3863d6a1b1b60dbca3963b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\r018qrko.0.vb
Filesize
273B

MD5
3c3d3136aa9f1b87290839a1d26ad07a

SHA1
005a23a138be5d7a98bdd4a6cc7fab8bdca962f4

SHA256
5b745f85a39312bfa585edbd7e3465371578b42fa639eded4cdad8c9f96b87fd

SHA512
fbb085ffcd77ac96c245067fd96a0c20492d55331161f292975b0c11386424a96534a500133217f84d44455e16139d01230455bce5db3d472271620c29381f60

Download Submit
C:\Users\Admin\AppData\Local\Temp\r018qrko.cmdline
Filesize
173B

MD5
5b60de1026614eacfd28b8fa8e6e5500

SHA1
74843b81e5dc2cf67c73e42acc264475f5ea3d32

SHA256
13db726413e62e3714d40b900b1c55132b7767d9e04990b4e250b10ec7cf615d

SHA512
98e0d602ab24d30945eb60017d86c43324bdbe9c709c6bc30f14f52a893d3d868f527b8362fd130e4b0db65742c802bbdee51d9a6fd1bd13e1660726885a5889

Download Submit
C:\Users\Admin\AppData\Local\Temp\rjxusxgf.0.vb
Filesize
271B

MD5
ac972015bef75b540eb33503d6e28cc2

SHA1
5c1d09fcf4c719711532dcfd0544dfc6f2b90260

SHA256
fa445cc76cde3461a5f1f1281fefcb0c7db69b2685f8a67a06a0f33a067e74e7

SHA512
36b2e1f7b7a6f2c60788f88d95bfdc53b7d261c203eb637a36fbd07d81bc46edc87e528f1987df73963cb75ca2f19c3a4b3df9ade52d5768ecec23753099cc83

Download Submit
C:\Users\Admin\AppData\Local\Temp\rjxusxgf.cmdline
Filesize
171B

MD5
7daf1b3987d9f5b20380f44e4bc56210

SHA1
f245e8074e7d44085fc18453330361583ac1c171

SHA256
1698dec639c7392db106013af69d67391436271dcc8d58a2581a42da362b66e4

SHA512
903f4e084225a7a6e1cbbcdc9e425d0079b47a1fba92d89f53f7f13f6e33ed245c5a37a4f2389153a0e947061604a7ec10669bf21bf0c1c9ec12e735b9f3265d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc67B46B1BB01453881362E3320C399C4.TMP
Filesize
676B

MD5
85c61c03055878407f9433e0cc278eb7

SHA1
15a60f1519aefb81cb63c5993400dd7d31b1202f

SHA256
f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b

SHA512
7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6D188377989C42A1A367CFF24F2D1C91.TMP
Filesize
668B

MD5
3906bddee0286f09007add3cffcaa5d5

SHA1
0e7ec4da19db060ab3c90b19070d39699561aae2

SHA256
0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00

SHA512
0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7B996A20D26547B4B7C5DCE5E2CBA0.TMP
Filesize
644B

MD5
dac60af34e6b37e2ce48ac2551aee4e7

SHA1
968c21d77c1f80b3e962d928c35893dbc8f12c09

SHA256
2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6

SHA512
1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7FC7C03C79749A1B1AE6BAC3967BC.TMP
Filesize
684B

MD5
7a707b422baa7ca0bc8883cbe68961e7

SHA1
addf3158670a318c3e8e6fdd6d560244b9e8860e

SHA256
453ad1da51152e3512760bbd206304bf48f9c880f63b6a0726009e2d1371c71c

SHA512
81147c1c4c5859249f4e25d754103f3843416e3d0610ac81ee2ef5e5f50622ea37f0c68eeb7fa404f8a1779dc52af02d2142874e39c212c66fa458e0d62926a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF9F87494D33D4B97B878F5732448D256.TMP
Filesize
684B

MD5
8135713eeb0cf1521c80ad8f3e7aad22

SHA1
1628969dc6256816b2ab9b1c0163fcff0971c154

SHA256
e14dd88df69dc98be5bedcbc8c43d1e7260b4492899fec24d964000a3b096c7a

SHA512
a0b7210095767b437a668a6b0bcedf42268e80b9184b9910ed67d665fba9f714d06c06bff7b3da63846791d606807d13311946505776a1b891b39058cfb41bd4

Download Submit
C:\Windows\System32\MSSCS.exe
Filesize
21KB

MD5
6fe3fb85216045fdf8186429c27458a7

SHA1
ef2c68d0b3edf3def5d90f1525fe87c2142e5710

SHA256
905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550

SHA512
d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c

Download Submit
memory/2148-36-0x00000290F94F0000-0x00000290F9512000-memory.dmp

Filesize
136KB

Download
memory/3144-6-0x000000001CFC0000-0x000000001D05C000-memory.dmp

Filesize
624KB

Download
memory/3144-8-0x00007FF93AAC0000-0x00007FF93B461000-memory.dmp

Filesize
9.6MB

Download
memory/3144-7-0x00007FF93AD75000-0x00007FF93AD76000-memory.dmp

Filesize
4KB

Download
memory/3144-5-0x00007FF93AAC0000-0x00007FF93B461000-memory.dmp

Filesize
9.6MB

Download
memory/3144-4-0x000000001C6B0000-0x000000001C712000-memory.dmp

Filesize
392KB

Download
memory/3144-3-0x000000001C540000-0x000000001C5E6000-memory.dmp

Filesize
664KB

Download
memory/3144-2-0x000000001C070000-0x000000001C53E000-memory.dmp

Filesize
4.8MB

Download
memory/3144-20-0x00007FF93AAC0000-0x00007FF93B461000-memory.dmp

Filesize
9.6MB

Download
memory/3144-0-0x00007FF93AD75000-0x00007FF93AD76000-memory.dmp

Filesize
4KB

Download
memory/3144-1-0x00007FF93AAC0000-0x00007FF93B461000-memory.dmp

Filesize
9.6MB

Download
memory/4180-18-0x00007FF93AAC0000-0x00007FF93B461000-memory.dmp

Filesize
9.6MB

Download
memory/4180-19-0x00007FF93AAC0000-0x00007FF93B461000-memory.dmp

Filesize
9.6MB

Download
memory/4180-21-0x00007FF93AAC0000-0x00007FF93B461000-memory.dmp

Filesize
9.6MB

Download