revengerat | 1423053f90855d33858db47f354055b660943104c1c18f848c9b7b415979dc5f

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 18:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
Size

21KB
MD5

6fe3fb85216045fdf8186429c27458a7
SHA1

ef2c68d0b3edf3def5d90f1525fe87c2142e5710
SHA256

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550
SHA512

d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c
SSDEEP

384:nPD9On5gIdjbvRPJnMacNj6FIlKrZbJsV5reQ+ys:b9On2nV6FIlKr1

Score

10^/10

revengerat execution stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral28/files/0x001100000002336a-13.dat	revengerat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSO.exe	MSSCS.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSO.exe	MSSCS.exe

Executes dropped EXE 1 IoCs

pid	Process
4528	MSSCS.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32\MSSCS.exe	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
File opened for modification	C:\Windows\system32\MSSCS.exe	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
File opened for modification	C:\Windows\system32\MSSCS.exe	MSSCS.exe
File created	C:\Windows\system32\MSSCS.exe	MSSCS.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5076	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5076	powershell.exe
5076	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1996	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
Token: SeDebugPrivilege	4528	MSSCS.exe
Token: SeDebugPrivilege	5076	powershell.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 4528	1996	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe	93
PID 1996 wrote to memory of 4528	1996	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe	93
PID 4528 wrote to memory of 5076	4528	MSSCS.exe	95
PID 4528 wrote to memory of 5076	4528	MSSCS.exe	95
PID 4528 wrote to memory of 4668	4528	MSSCS.exe	97
PID 4528 wrote to memory of 4668	4528	MSSCS.exe	97
PID 4668 wrote to memory of 8	4668	vbc.exe	99
PID 4668 wrote to memory of 8	4668	vbc.exe	99
PID 4528 wrote to memory of 2584	4528	MSSCS.exe	100
PID 4528 wrote to memory of 2584	4528	MSSCS.exe	100
PID 2584 wrote to memory of 208	2584	vbc.exe	102
PID 2584 wrote to memory of 208	2584	vbc.exe	102
PID 4528 wrote to memory of 1960	4528	MSSCS.exe	103
PID 4528 wrote to memory of 1960	4528	MSSCS.exe	103
PID 1960 wrote to memory of 4896	1960	vbc.exe	105
PID 1960 wrote to memory of 4896	1960	vbc.exe	105
PID 4528 wrote to memory of 2948	4528	MSSCS.exe	106
PID 4528 wrote to memory of 2948	4528	MSSCS.exe	106
PID 2948 wrote to memory of 2216	2948	vbc.exe	108
PID 2948 wrote to memory of 2216	2948	vbc.exe	108
PID 4528 wrote to memory of 3320	4528	MSSCS.exe	109
PID 4528 wrote to memory of 3320	4528	MSSCS.exe	109
PID 3320 wrote to memory of 4964	3320	vbc.exe	111
PID 3320 wrote to memory of 4964	3320	vbc.exe	111
PID 4528 wrote to memory of 3344	4528	MSSCS.exe	112
PID 4528 wrote to memory of 3344	4528	MSSCS.exe	112
PID 3344 wrote to memory of 4464	3344	vbc.exe	114
PID 3344 wrote to memory of 4464	3344	vbc.exe	114
PID 4528 wrote to memory of 3452	4528	MSSCS.exe	115
PID 4528 wrote to memory of 3452	4528	MSSCS.exe	115
PID 3452 wrote to memory of 2720	3452	vbc.exe	117
PID 3452 wrote to memory of 2720	3452	vbc.exe	117
PID 4528 wrote to memory of 3160	4528	MSSCS.exe	118
PID 4528 wrote to memory of 3160	4528	MSSCS.exe	118
PID 3160 wrote to memory of 1588	3160	vbc.exe	120
PID 3160 wrote to memory of 1588	3160	vbc.exe	120
PID 4528 wrote to memory of 1392	4528	MSSCS.exe	121
PID 4528 wrote to memory of 1392	4528	MSSCS.exe	121
PID 1392 wrote to memory of 4916	1392	vbc.exe	123
PID 1392 wrote to memory of 4916	1392	vbc.exe	123
PID 4528 wrote to memory of 1000	4528	MSSCS.exe	124
PID 4528 wrote to memory of 1000	4528	MSSCS.exe	124
PID 1000 wrote to memory of 1020	1000	vbc.exe	126
PID 1000 wrote to memory of 1020	1000	vbc.exe	126

C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
"C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Windows\system32\MSSCS.exe
  "C:\Windows\system32\MSSCS.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4528
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ExecutionPolicy Bypass -Command [System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms'); [System.Windows.Forms.MessageBox]::Show('Isto abriu lol','Rekt!',0,64)
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5076
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5lhy63kv.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4668
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8C6C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDD0AC3CF52824EA6A69A57B65EDB860.TMP"
      4⤵
      PID:8
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5id7prmc.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8D47.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1591CB8E120B4839A8462FF928641E9E.TMP"
      4⤵
      PID:208
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5orgezsc.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1960
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8DC4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc68C954C817F24831A6464E6864564237.TMP"
      4⤵
      PID:4896
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\z45nmev3.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2948
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8E31.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5E2DB887BF2842F59AB8C3B8CC8FC54.TMP"
      4⤵
      PID:2216
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wrtmzjhd.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3320
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8EAE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc61EB9A67603149B7913587E8E6C646C2.TMP"
      4⤵
      PID:4964
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\l2g59ud1.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3344
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8F5A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD1A4D61CDA4D4D7C83BFE465A5776517.TMP"
      4⤵
      PID:4464
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\h9wtbtfm.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3452
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8FA8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1EE8BEAE38B84A07982C668802DF343.TMP"
      4⤵
      PID:2720
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hvyebafr.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3160
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9006.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD7C3B761FF3D4844B81629B576825455.TMP"
      4⤵
      PID:1588
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sqfaummk.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1392
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9064.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc76287FC195034341A44CD55C546972E1.TMP"
      4⤵
      PID:4916
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9wezdeuj.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1000
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES90C2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1651FBB8C8B94ADBBAD753F7988330D2.TMP"
      4⤵
      PID:1020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5id7prmc.0.vb

Filesize
262B

MD5
88cc385da858aaa7057b54eaeb0df718

SHA1
b108224d4686b5ca3faaeb1c728dfba8740a6eca

SHA256
08a30db98d970e3b6819d5ecff6eab2211ce93f4cd000c09db96ffb294d05020

SHA512
4787835240c3e2364172ac2e7649ec8fecb907c7006c38734e59aa65509f360b4596d5db8de20e0c7388a022e1c2f4f9ba75acabba798bea1d40f688539b7df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\5id7prmc.cmdline

Filesize
162B

MD5
40f605827af8124cf7ee12051babc3d8

SHA1
1d60f96588ce63abb093e787a9055cc8ac5f213e

SHA256
d97e1be46c93478dda70cbce00e1aa78ea90b787656aeafc4ec2c02d288c1616

SHA512
f9205e5feae3cc29642de13ce1ca6cf21299e0d641ad43e2b86c5b2a38c7025486f6ef5e91b45e64b3584bf58430ebf198acc77708135e926f2efa66384a1714

Download Submit
C:\Users\Admin\AppData\Local\Temp\5lhy63kv.0.vb

Filesize
256B

MD5
076803692ac8c38d8ee02672a9d49778

SHA1
45d2287f33f3358661c3d6a884d2a526fc6a0a46

SHA256
5b3ab23bcadaeb54a41bdb1636bcaf7772af028d375f42baeb967de6579ef2a3

SHA512
cc9126384a287ccb99d10d5c2d3034cdbc8a45e94f1cec48dd95f2aa08ebbe3053ffd6d6effa31f2d84164edbb6136398cd02c08b05f027a6a777dffd1daea5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\5lhy63kv.cmdline

Filesize
156B

MD5
d8d2ae44dfffd4111d2429f63825a0b4

SHA1
973fc0f180d63d8de0aec69ce3967093b6631aa9

SHA256
5a8666d3f30682f3e44fc8f3d26940e82790d7cc958664650cf5013c483e4450

SHA512
73d3fdcbd9ff77df2f63971c2e8570c736fbae528b7669fc30be281d003d3893ded4e68b5c22fa11115ae209d13b2ec1f9aacd4d53112c7c86c7476452116b2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\5orgezsc.0.vb

Filesize
263B

MD5
d1110a95f1e40f726584bd99eca52fe7

SHA1
97fac683e1116ab31a9cc9c3dcfd9fe9e53505c3

SHA256
00f373eb310beace70146b6e0fd188aa2f437efb2e5a2714a11d4d58e27d3142

SHA512
f15b5b310ace82a0106b551d71ad3d48e1c75085aa78b8bb3374a2334ceb073bd4d1bf4cd0b4e39034c39f01b6bcd76e8be30198e4872f5641a7d29b255154b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\5orgezsc.cmdline

Filesize
163B

MD5
be9b6e153b42029e3a3db36ae7aef8a7

SHA1
1bef783463b742fe11c858f22a662dd3b70ee165

SHA256
64efd7bc816f038d8c0453214a326e7474dd10b4dc68336e34c6f44f0eac587e

SHA512
1e6f8e7df7053de4fb48de9a455d53afa22c1c5884993e0d5f24ff3b53013612db6dedef326c3efb66e6504090f5f469ffcb752f423dab3231beef01c1e5d0d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\9wezdeuj.0.vb

Filesize
273B

MD5
3c3d3136aa9f1b87290839a1d26ad07a

SHA1
005a23a138be5d7a98bdd4a6cc7fab8bdca962f4

SHA256
5b745f85a39312bfa585edbd7e3465371578b42fa639eded4cdad8c9f96b87fd

SHA512
fbb085ffcd77ac96c245067fd96a0c20492d55331161f292975b0c11386424a96534a500133217f84d44455e16139d01230455bce5db3d472271620c29381f60

Download Submit
C:\Users\Admin\AppData\Local\Temp\9wezdeuj.cmdline

Filesize
173B

MD5
36215c4252f502517df7b6bd27de2138

SHA1
375517664b7d30b5f39ce4b1a1f3c7f93280a00e

SHA256
f980af0624c715af02ee40312c9de7a2f1e480d76480700dad0563012785df6e

SHA512
cff9c34b4784f26630aff142930f45d2387a7a32bbd5912eb06cb504a2109f75fe8c5a09f526bda0fe0c1869cb9f19aaa5f824492237cb8753722aea56324fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8C6C.tmp

Filesize
1KB

MD5
1a6b8f45eee36c911f66fbf3462c5a34

SHA1
93ce099c1348f772c0b162e9dde260db331d46c1

SHA256
6c6235172b98d682ce5cce47220d4e5b201ce26bfb1b2e0015e03913bfdb4408

SHA512
b8c038d9b542df2923ea2f5ddc3fb3c9d4807f8e88da0a480fd83048cd5e1f50e87a087e6effc1dfed0759eb14b44e2cccfb5617894cb95ce15b74cd669d8473

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8D47.tmp

Filesize
1KB

MD5
d51bb133a04f65a197d7dfb749f6daa7

SHA1
e6dfb6e6da8d238338d4377cb6de11474e79a9a6

SHA256
ead0274e8a8195020a4b6915ddb36235fd188acc9f1f06276dd206b2af5f9190

SHA512
02b7f79e7689cd0c19f013958d52bfd745728931f2091ff5a22c6832843a17af3a9c080def3a4b214843ef02e272b73c6f18246650d8cb67f939a0c9d37ff269

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8DC4.tmp

Filesize
1KB

MD5
6d6e35c82366157317bfe2df31424c8a

SHA1
918ec14745f0ff3215ff3b3a21076aa9bc05afaa

SHA256
ab96b5956d8bf10573c394140a3feb487fdd6f608221b68109419a18c5d7229c

SHA512
f93bbd64365c486dee1ae7764d19ced0ac0191924c4cd262ef170ffc6bd557bff25122795ea7bf5c9860fe716affa1ad903148c44d3c6206ffdee89c855d1e48

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8E31.tmp

Filesize
1KB

MD5
a1829fde1e5ac7b24a888a615c5783c0

SHA1
af5a350d71be66b3cbdc6523b47dbb9f26024e18

SHA256
f6a65247b4da05067eed9cdac672816ca7359295882fbdc02ddde23a9ab9d955

SHA512
d13c30fdc32feb3c73ab143e72802ea20ac932ef62679fca6d52f954118e13aeb9eb8c401b5958f56f25e6818769baa30a5f568cc09746c4345c78aa51dd01c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8EAE.tmp

Filesize
1KB

MD5
0d2b50fc4ab14a510a2d8c948c7f040b

SHA1
96c851104b00bdf76a9f1c071a6d38f93f6b411b

SHA256
6c6057fd0899f9f9978908b96a97d0b089315ebc5679d23259df8b980188bf0c

SHA512
01f3bc2279a04c935fcdeadc72f8103b133719f8b7263d6d6d7551ba1052d53e7eaad07ab76afa069a171b8684bb61b2f7c006e8b38d1df8547814e1205596c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8F5A.tmp

Filesize
1KB

MD5
1aa92a8952a45a0f828529d9baafc807

SHA1
2c8525fd6ff4d432e1d58c5d0e7799c5c0a7fd11

SHA256
c3b4903391786184a30508b3eb0ce886c759360bbc885b25caff9a394934f216

SHA512
5ef29378009f4d89bb61434353f9ee70c0e44884411b97eb77765c9ed1d41baff680fcf9e2ff65c28a1c7b96d405d18aea70ba7d227598fc22efc6458c82511d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8FA8.tmp

Filesize
1KB

MD5
3532089e159a8d57d26a0147847786e7

SHA1
3df25b44311fd593daa8524ecf4d2fab0c0687f7

SHA256
51a143c12345777133bd1177cbbe92306c17cd3d57dce175001d097763472b3a

SHA512
97144b82e69efdd5cac8d64bed92daaf129872d5e7104afa13e0d48bb7b51ccb6521ee692283e4c005a6060a8b5623e160d88d059bb838b8dbc7c1f142396578

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9006.tmp

Filesize
1KB

MD5
64a57b9ae13ade9c9b501bbe2c75aac2

SHA1
2c6a1128f2ffd1dba792b2a37323ccf6b5b6b24f

SHA256
c5e95d73804a2fc8c60effeef61b6af435ec791fccbb5c7ee7dfdeace88e5b26

SHA512
3562b6425cbe55e5e6f99446e9dca4973f77bf27a4e205a7e4148e2c084109fa87aa5a9c16489dee311ea0cf7bc3d60f7661f583912e9c82c5cc8f042b9a718a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9064.tmp

Filesize
1KB

MD5
4b548bfee2d7418b0a1aa4af17047d7a

SHA1
b21748829dc7ce482f94e199ce8b2e96a560171d

SHA256
b6e03f2ea4edc482bf874d2a89f65cec4ad81015a5ffa34d92b06f02ed62bf8a

SHA512
88bd23168e51c68ea7e352fa764b2c43f784245cb653bfcb10cdafcf7fc431f7f65108d14ed1687f0a2b7281f4e0d426a75f938b70ed3476b716d5bec897dc0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES90C2.tmp

Filesize
1KB

MD5
f8256b5824ed70c1d3ef8a966b0795d0

SHA1
62076998efb0f20485827b61a2fa64bee86746dc

SHA256
5ecef7ad41b4c5247f8204ca03a0a8928525cde24c85e98e26d4cf25d30b08c9

SHA512
e9f922c6b41faabac43dec8893b000b60f25c188552df31f2adc340fd9fd1e6fc249c2904677e0fde7d001274d7d86c50b0b7d2f3dffe7468c9cef7207551ffa

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1gv3irae.laa.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\h9wtbtfm.0.vb

Filesize
274B

MD5
539683c4ca4ee4dc46b412c5651f20f5

SHA1
564f25837ce382f1534b088cf2ca1b8c4b078aed

SHA256
ec2210924d5c1af6377ef4bdf76d6ca773aaa1ae0438b0850f44d8c4e16ef92e

SHA512
df7c1a55e53f9b9bf23d27762d2d1163c78808e9b4d95e98c84c55ca4ecb7009ed58574ae6ddede31459f300483a1dc42987295a04f6c8702f297d3f1942f4ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\h9wtbtfm.cmdline

Filesize
174B

MD5
5c1f94510b657530f1218babfed30293

SHA1
4df18597111aade2a69ee177228c98df2042f79d

SHA256
e38461f76759eaccb22f11f97b34eaeeeb3768a6066ba78d3e976eecf0b4c10a

SHA512
5b124e2f8fc1a1b398779e9d1f453dbade58a97fe416360a8ed10bd349a982c6ceb5863acbbf6383eb52bafc549ad2bed639d76a7aac3cb4bba4c349d6c24bc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\hvyebafr.0.vb

Filesize
264B

MD5
5ce3977a153152978fa71f8aa96909e9

SHA1
52af143c553c92afc257f0e0d556908eaa8919cb

SHA256
e07a7bd0c2901d3a349ab55e936b34de2d0abb5f2dc555cc128773b8045d3eed

SHA512
eaee02ceade0211be70a4710b28fdf043d5c540928e2095ead924a44c2edfca8fc6499395d1b7f5deee96394fb5309362fb87e45ee195094ec39d5fa11909d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\hvyebafr.cmdline

Filesize
164B

MD5
76da4c216132de6ceeae4a630dc41752

SHA1
6241b816ead8068e6d8969212d4b63efd46ace25

SHA256
18cba14f083ed11eef8c0be1ad73a12d21a2554726d6d1101eb02d4d1c206990

SHA512
b0a394c54ef4ce2306a183d00d7c90e176d1b3fdeb47539d42652a16251d199237a6bfffc7925161d4c2cf654cfd529ef9443520cc6c3f0c92a763b0e85af402

Download Submit
C:\Users\Admin\AppData\Local\Temp\l2g59ud1.0.vb

Filesize
271B

MD5
325f27ef75bebe8b3f80680add1943d3

SHA1
1c48e211258f8887946afb063e9315b7609b4ee3

SHA256
034c75813491d628a1a740b45888fc0c301b915456aaa7ba6433b4f1368cda35

SHA512
e2165b425558872897990953c26e48776f45751a53da035f1ad86ac062ec23a2923b984d84f992de5c0170f6e192feb155ffff25f51bc76ab273b996daacb804

Download Submit
C:\Users\Admin\AppData\Local\Temp\l2g59ud1.cmdline

Filesize
171B

MD5
0400a809c2d02aadbe0372435a7ecda2

SHA1
82da05645aaa7c2c2d80a3c649b1fc9dcbbaca20

SHA256
fc7e48f83d59a9740565d79a5c102a3d96f689ddb008d80c5217b040ae3c6f41

SHA512
35efef77e514540796d135e3c914300694300391852825a278e6653b2242dee65c38aaa376c000509ac2a972aa01cfe2411b5d3ea6ae820aa1ae15261e5f2cf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqfaummk.0.vb

Filesize
270B

MD5
658573fde2bebc77c740da7ddaa4634b

SHA1
073da76c50b4033fcfdfb37ba6176afd77b0ea55

SHA256
c07206283d62100d426ba62a81e97bd433966f8b52b5a8dd1451e29a804a1607

SHA512
f93c7f4378be5eca51161d1541d772a34c07884c9d829608c6fa21563df5691920394afe9da1174ad5c13f773a588b186d1d38a9d375a28562eb58ca4a8b8fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqfaummk.cmdline

Filesize
170B

MD5
1a44d7a824a26da8da831c1dab9aeee1

SHA1
e4970d2b5985f9334bf847360788ad258bfde6ec

SHA256
b63be078e570cf5494183eb76391b4b08233ff275cfda1b9a72e8b9ad4b78f1e

SHA512
b30645e6fc765d5954b5c7948af60e4cec574a37102eb2ccd97756ec9fa6f201c29ebb0a8d8974ee5af7ea693b54f0cebad1ca6d7ec38f4e2e1f1758e0fb79ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1591CB8E120B4839A8462FF928641E9E.TMP

Filesize
668B

MD5
3906bddee0286f09007add3cffcaa5d5

SHA1
0e7ec4da19db060ab3c90b19070d39699561aae2

SHA256
0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00

SHA512
0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1651FBB8C8B94ADBBAD753F7988330D2.TMP

Filesize
684B

MD5
7a707b422baa7ca0bc8883cbe68961e7

SHA1
addf3158670a318c3e8e6fdd6d560244b9e8860e

SHA256
453ad1da51152e3512760bbd206304bf48f9c880f63b6a0726009e2d1371c71c

SHA512
81147c1c4c5859249f4e25d754103f3843416e3d0610ac81ee2ef5e5f50622ea37f0c68eeb7fa404f8a1779dc52af02d2142874e39c212c66fa458e0d62926a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1EE8BEAE38B84A07982C668802DF343.TMP

Filesize
684B

MD5
8135713eeb0cf1521c80ad8f3e7aad22

SHA1
1628969dc6256816b2ab9b1c0163fcff0971c154

SHA256
e14dd88df69dc98be5bedcbc8c43d1e7260b4492899fec24d964000a3b096c7a

SHA512
a0b7210095767b437a668a6b0bcedf42268e80b9184b9910ed67d665fba9f714d06c06bff7b3da63846791d606807d13311946505776a1b891b39058cfb41bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc68C954C817F24831A6464E6864564237.TMP

Filesize
676B

MD5
85c61c03055878407f9433e0cc278eb7

SHA1
15a60f1519aefb81cb63c5993400dd7d31b1202f

SHA256
f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b

SHA512
7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcDD0AC3CF52824EA6A69A57B65EDB860.TMP

Filesize
644B

MD5
dac60af34e6b37e2ce48ac2551aee4e7

SHA1
968c21d77c1f80b3e962d928c35893dbc8f12c09

SHA256
2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6

SHA512
1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

Download Submit
C:\Users\Admin\AppData\Local\Temp\wrtmzjhd.0.vb

Filesize
272B

MD5
2b3aac520562a93ebef6a5905d4765c9

SHA1
10ab45c5d73934b16fac5e30bf22f17d3e0810c8

SHA256
b9f0edf067faaaa7da2d47e3d22b957cd302eb25e01e08ea79c664868f328f89

SHA512
9514934ed12d93ea3ad4e6873cf294bafa114bc7a784a93b14dd2410d07fae3a2c00308035a5c129c57e283de8b94ed36fd9f9de35b08eb79a82a0c732e50446

Download Submit
C:\Users\Admin\AppData\Local\Temp\wrtmzjhd.cmdline

Filesize
172B

MD5
4b600c1587989dfd9e1e780e9abab99a

SHA1
5a2adffe55a7f30c438b4b2a456046a3656fb3e0

SHA256
bb58081fb5fa05ce612a30a9e49f1599aa94c316b22df56089d948992fe2882b

SHA512
bf027620b6641eb6d03e15470b91e55567089a45426190c98ee321f5cf611ca464cd44a87a5257f4fcebff8a872f4903b8a64c6f3e3228b4f8794cd45d3b8956

Download Submit
C:\Users\Admin\AppData\Local\Temp\z45nmev3.0.vb

Filesize
271B

MD5
ac972015bef75b540eb33503d6e28cc2

SHA1
5c1d09fcf4c719711532dcfd0544dfc6f2b90260

SHA256
fa445cc76cde3461a5f1f1281fefcb0c7db69b2685f8a67a06a0f33a067e74e7

SHA512
36b2e1f7b7a6f2c60788f88d95bfdc53b7d261c203eb637a36fbd07d81bc46edc87e528f1987df73963cb75ca2f19c3a4b3df9ade52d5768ecec23753099cc83

Download Submit
C:\Users\Admin\AppData\Local\Temp\z45nmev3.cmdline

Filesize
171B

MD5
702f8cc863292278ed3c6cd0c8565b4c

SHA1
42fedbcf50b49a0ae9aa3bf825268a7e88b9c037

SHA256
91440a5a679a114a59838355891552fd67bef03aa126929689931d493e629077

SHA512
6d31e63b07bc3385d0338f0be553b4a03dd5668aeac17ccc96b41d9e4b36b11b0b2b794797f908b6368ad96f7337705a69ec80ae89180cd7dc12f875c3d2a6ab

Download Submit
C:\Windows\System32\MSSCS.exe

Filesize
21KB

MD5
6fe3fb85216045fdf8186429c27458a7

SHA1
ef2c68d0b3edf3def5d90f1525fe87c2142e5710

SHA256
905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550

SHA512
d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c

Download Submit
memory/1996-0-0x00007FFA9C9D5000-0x00007FFA9C9D6000-memory.dmp

Filesize
4KB

Download
memory/1996-8-0x00007FFA9C720000-0x00007FFA9D0C1000-memory.dmp

Filesize
9.6MB

Download
memory/1996-7-0x00007FFA9C9D5000-0x00007FFA9C9D6000-memory.dmp

Filesize
4KB

Download
memory/1996-2-0x000000001C170000-0x000000001C216000-memory.dmp

Filesize
664KB

Download
memory/1996-6-0x000000001CC40000-0x000000001CCDC000-memory.dmp

Filesize
624KB

Download
memory/1996-4-0x000000001C2E0000-0x000000001C342000-memory.dmp

Filesize
392KB

Download
memory/1996-3-0x00007FFA9C720000-0x00007FFA9D0C1000-memory.dmp

Filesize
9.6MB

Download
memory/1996-5-0x00007FFA9C720000-0x00007FFA9D0C1000-memory.dmp

Filesize
9.6MB

Download
memory/1996-19-0x00007FFA9C720000-0x00007FFA9D0C1000-memory.dmp

Filesize
9.6MB

Download
memory/1996-1-0x000000001BBF0000-0x000000001C0BE000-memory.dmp

Filesize
4.8MB

Download
memory/4528-18-0x00007FFA9C720000-0x00007FFA9D0C1000-memory.dmp

Filesize
9.6MB

Download
memory/4528-22-0x00007FFA9C720000-0x00007FFA9D0C1000-memory.dmp

Filesize
9.6MB

Download
memory/4528-21-0x00007FFA9C720000-0x00007FFA9D0C1000-memory.dmp

Filesize
9.6MB

Download
memory/4528-20-0x00007FFA9C720000-0x00007FFA9D0C1000-memory.dmp

Filesize
9.6MB

Download
memory/5076-36-0x000001EF73FA0000-0x000001EF73FC2000-memory.dmp

Filesize
136KB

Download