revengerat | 1423053f90855d33858db47f354055b660943104c1c18f848c9b7b415979dc5f

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 18:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
Size

21KB
MD5

6fe3fb85216045fdf8186429c27458a7
SHA1

ef2c68d0b3edf3def5d90f1525fe87c2142e5710
SHA256

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550
SHA512

d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c
SSDEEP

384:nPD9On5gIdjbvRPJnMacNj6FIlKrZbJsV5reQ+ys:b9On2nV6FIlKr1

Score

10^/10

revengerat execution stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

Processes:

resource	yara_rule
C:\Windows\System32\MSSCS.exe	revengerat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe

Drops startup file 2 IoCs

Processes:

MSSCS.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSO.exe	MSSCS.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSO.exe	MSSCS.exe

Executes dropped EXE 1 IoCs

Processes:

MSSCS.exe

pid process

2044 MSSCS.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
2044	MSSCS.exe

Drops file in System32 directory 4 IoCs

Processes:

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exeMSSCS.exe

description	ioc	process
File created	C:\Windows\system32\MSSCS.exe	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
File opened for modification	C:\Windows\system32\MSSCS.exe	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
File opened for modification	C:\Windows\system32\MSSCS.exe	MSSCS.exe
File created	C:\Windows\system32\MSSCS.exe	MSSCS.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

4156 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

4156 powershell.exe
4156 powershell.exe

pid	process
4156	powershell.exe

pid	process
4156	powershell.exe
4156	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exeMSSCS.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3288	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
Token: SeDebugPrivilege	2044	MSSCS.exe
Token: SeDebugPrivilege	4156	powershell.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exeMSSCS.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exe

description	pid	process	target process
PID 3288 wrote to memory of 2044	3288	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe	MSSCS.exe
PID 3288 wrote to memory of 2044	3288	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe	MSSCS.exe
PID 2044 wrote to memory of 4156	2044	MSSCS.exe	powershell.exe
PID 2044 wrote to memory of 4156	2044	MSSCS.exe	powershell.exe
PID 2044 wrote to memory of 2188	2044	MSSCS.exe	vbc.exe
PID 2044 wrote to memory of 2188	2044	MSSCS.exe	vbc.exe
PID 2188 wrote to memory of 5080	2188	vbc.exe	cvtres.exe
PID 2188 wrote to memory of 5080	2188	vbc.exe	cvtres.exe
PID 2044 wrote to memory of 1888	2044	MSSCS.exe	vbc.exe
PID 2044 wrote to memory of 1888	2044	MSSCS.exe	vbc.exe
PID 1888 wrote to memory of 388	1888	vbc.exe	cvtres.exe
PID 1888 wrote to memory of 388	1888	vbc.exe	cvtres.exe
PID 2044 wrote to memory of 1456	2044	MSSCS.exe	vbc.exe
PID 2044 wrote to memory of 1456	2044	MSSCS.exe	vbc.exe
PID 1456 wrote to memory of 2376	1456	vbc.exe	cvtres.exe
PID 1456 wrote to memory of 2376	1456	vbc.exe	cvtres.exe
PID 2044 wrote to memory of 4676	2044	MSSCS.exe	vbc.exe
PID 2044 wrote to memory of 4676	2044	MSSCS.exe	vbc.exe
PID 4676 wrote to memory of 1308	4676	vbc.exe	cvtres.exe
PID 4676 wrote to memory of 1308	4676	vbc.exe	cvtres.exe
PID 2044 wrote to memory of 4848	2044	MSSCS.exe	vbc.exe
PID 2044 wrote to memory of 4848	2044	MSSCS.exe	vbc.exe
PID 4848 wrote to memory of 1892	4848	vbc.exe	cvtres.exe
PID 4848 wrote to memory of 1892	4848	vbc.exe	cvtres.exe
PID 2044 wrote to memory of 856	2044	MSSCS.exe	vbc.exe
PID 2044 wrote to memory of 856	2044	MSSCS.exe	vbc.exe
PID 856 wrote to memory of 3756	856	vbc.exe	cvtres.exe
PID 856 wrote to memory of 3756	856	vbc.exe	cvtres.exe
PID 2044 wrote to memory of 2064	2044	MSSCS.exe	vbc.exe
PID 2044 wrote to memory of 2064	2044	MSSCS.exe	vbc.exe
PID 2064 wrote to memory of 2500	2064	vbc.exe	cvtres.exe
PID 2064 wrote to memory of 2500	2064	vbc.exe	cvtres.exe
PID 2044 wrote to memory of 2840	2044	MSSCS.exe	vbc.exe
PID 2044 wrote to memory of 2840	2044	MSSCS.exe	vbc.exe
PID 2840 wrote to memory of 1928	2840	vbc.exe	cvtres.exe
PID 2840 wrote to memory of 1928	2840	vbc.exe	cvtres.exe
PID 2044 wrote to memory of 4304	2044	MSSCS.exe	vbc.exe
PID 2044 wrote to memory of 4304	2044	MSSCS.exe	vbc.exe
PID 4304 wrote to memory of 3984	4304	vbc.exe	cvtres.exe
PID 4304 wrote to memory of 3984	4304	vbc.exe	cvtres.exe
PID 2044 wrote to memory of 3288	2044	MSSCS.exe	vbc.exe
PID 2044 wrote to memory of 3288	2044	MSSCS.exe	vbc.exe
PID 3288 wrote to memory of 3408	3288	vbc.exe	cvtres.exe
PID 3288 wrote to memory of 3408	3288	vbc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
"C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3288
- C:\Windows\system32\MSSCS.exe
  "C:\Windows\system32\MSSCS.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ExecutionPolicy Bypass -Command [System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms'); [System.Windows.Forms.MessageBox]::Show('Isto abriu lol','Rekt!',0,64)
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4156
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kc9loviz.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2188
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA62E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4F8D9F8052F748339810C896FE2EA0A4.TMP"
      4⤵
      PID:5080
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kpwu186b.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1888
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA6AB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc21E92AB4FF094559B8A3A8B948D21018.TMP"
      4⤵
      PID:388
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qiho36fm.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1456
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA709.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDF5F07E484834AA4AE8D2E713D1B6CAF.TMP"
      4⤵
      PID:2376
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\myn-j_fh.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4676
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA757.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB0C36136B8E5486AB75AABCC2677128D.TMP"
      4⤵
      PID:1308
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0sph0rtw.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4848
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA7A5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc57AC6DB445A144C0B1D2ABF0404788A0.TMP"
      4⤵
      PID:1892
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ra1zf_tq.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:856
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA803.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9CE3E6493A00491C91642EB5CF21EEF.TMP"
      4⤵
      PID:3756
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vvdrvima.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2064
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA851.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc75C71D47303D4B4B8ED99237B49C9E1.TMP"
      4⤵
      PID:2500
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zktlb3at.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA8AF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9A9F15CF1DC14CDA84A12A79BF34553.TMP"
      4⤵
      PID:1928
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lzvbkmzr.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4304
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA8FD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8E08E184C4714FC2926BD4779617775F.TMP"
      4⤵
      PID:3984
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\x0_5a-0z.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3288
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA95A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2101352C4AE945D9ADD1A518A2E01F37.TMP"
      4⤵
      PID:3408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0sph0rtw.0.vb

Filesize
272B

MD5
2b3aac520562a93ebef6a5905d4765c9

SHA1
10ab45c5d73934b16fac5e30bf22f17d3e0810c8

SHA256
b9f0edf067faaaa7da2d47e3d22b957cd302eb25e01e08ea79c664868f328f89

SHA512
9514934ed12d93ea3ad4e6873cf294bafa114bc7a784a93b14dd2410d07fae3a2c00308035a5c129c57e283de8b94ed36fd9f9de35b08eb79a82a0c732e50446

Download Submit
C:\Users\Admin\AppData\Local\Temp\0sph0rtw.cmdline

Filesize
172B

MD5
e541aef2016bfaff3c73d579ff5e2662

SHA1
cb611384a7fb75211235efd80321a70ead0785d6

SHA256
0df4b83f7e834fe11cb3e2a92dada7e51eca6093b7cb3942445d77aa76c12102

SHA512
89edf92b6b9f20317b35bf15832906a0eab41c47f8091efe731dccf31641715960a80c6ffd6aec01eff242dc83bb254d67e0814fac43d35ecb3ea72f784b13f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA62E.tmp

Filesize
1KB

MD5
5a137534a8c59f51b8a8c78f6c9c07db

SHA1
e43336296d1d1048ab4672d7e0097aabaab53a1d

SHA256
6b34a179b8e0666c174b0425bfee80b902b0fe4740dbed3ff1387a5decb5b604

SHA512
1202f8fa172e07a3934a0c43a805f7928d4f9405be91b5082ef5b796eefbd8553e3d47575377eb213b5ffcbb93d53ca3e0c47d28d9656e7c45d53c2ce8e190d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA6AB.tmp

Filesize
1KB

MD5
79e07716a6e12b9f57b101a323277e87

SHA1
0df9f371f6924e45a7ff4a14e3b45ca8d3d39122

SHA256
d03eeeccc2957b330719a3987b379d3d93d06246cf156eda58ea6d12a951fe2c

SHA512
ff62a1e485a79b78b45fdf3c1b29c7726b96c0f51232afe8acf49b80a3ab7bc178f3a16bb1ab7b4b05a339b93de49cc40334f7137cf7543ec528b2ad44bbfcd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA709.tmp

Filesize
1KB

MD5
fcdcfa00000732534bf8e453456d71fc

SHA1
4c0db2d3f2fc7a07212c1336aea4652ae50d3c34

SHA256
5d2a6094501b19d41009c6a70d5c84e66dcedacb03db8b88729fd495791e2669

SHA512
b3c3f163efea3e172dc5fe9fd9de9d26485cc324267cbf1f303a3bdf19809c662bf408b60ec4b70a488f1495a4a9c50648c384e7053854e757760ff26f040d7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA757.tmp

Filesize
1KB

MD5
e8b4c558016187dd6cb8bc5986d5e329

SHA1
fb383688fb525aec77afecf1b2471b3c71df5bbd

SHA256
e9c0e653b7bd63ba0dedeb7d451e142977faa65fbad688b6ebc72a1b83931179

SHA512
923e207e599be1edccbe68d4f80fca647c13cec3faccfac3b173adbd4e3a47d5476d4b8581df22231dbe07e21e84993a47b2c0c7a02e1c8ad94ac73aadc841d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA7A5.tmp

Filesize
1KB

MD5
ef4c212025e7e1fbbf376d27e282983a

SHA1
7620ebb92aff63e938a2985db220b1b9d4a550d4

SHA256
9dcb31e4eefae2cb174e8c77e45f82db1d6dd4074f727dd4e57fe4cb036990d0

SHA512
0a348e5f85a3917efaea4646d866c844bda6f5da3388c777c01c657160de9dc675a4ff51f54f7078bbd8828df24836fb17e264d596aab7edf1a617f24202a76e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA803.tmp

Filesize
1KB

MD5
c2ecfa2af98abaa6642aecb9798cf7aa

SHA1
baf95f9d9fe49a25d6cec14fbc5c9a534b694cae

SHA256
2657f733d9e25a94ccfe2cf5b34469bbeb703648b4a00498784fe0c7a731fead

SHA512
4fe77df89d5daa3a3b295e5ccdbb593f81dd8bde8cae0c1c7af2b11698c917cd63ba9c43a375e58c18458303b03af2c24e12be0e8f46cd3da0c689ed4b6e043e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA851.tmp

Filesize
1KB

MD5
bc94580604e4cb8e71a5f6c2d9347f10

SHA1
ec6f2526ee96332704ac932a19377cee10e63961

SHA256
9d1b1cfc19848aea91507c6b77ad7c67a33a8609c781118a71ca6d61a90e2b25

SHA512
ea3ff82abf76fda2730488f842050540a19874a7a39551f10a6b858898538d3558fe767e1694117d7132f5e6649e9ab4cb395499edc43e1ac6eeeca2b0ba961e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA8AF.tmp

Filesize
1KB

MD5
b9905cd71ca72758dd73f65b3c96ba7e

SHA1
a829275f8e8e3c9ee9264a4bf375e697025078ca

SHA256
568dcba7a8e1ba220a26a6eb0852164218cf2d511c5970cbdd9ff840ca0da29b

SHA512
636ce611254410b94dcedf124f6bec5c89dd6db99a9232a736d021b184591ab1d7ae8a63085d13cc0f921c2542d5a65b803e638e306d608810bcab9374d967b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA8FD.tmp

Filesize
1KB

MD5
9fc97162e85935d2b351991933e3d42e

SHA1
0377059c9ec9a1e8da41902fa2295fad9527ac09

SHA256
9b69c5f9d264a9dd1efc6014d0f20c49beeac56390cdf78a917c12e02f797326

SHA512
de30da029aa95a00c0cf6079543beb9658e5812dd40934a79b9eb153305e9258ccc9bed63120ca8811c385ae486691de58af4cff76bd638428993e8581375ad1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA95A.tmp

Filesize
1KB

MD5
49de93ce94974d7d27fa15d59388b1ab

SHA1
dea55ad80823c3f71a3672d9681ad2db5813d5b2

SHA256
b9ac93e5b2b8b55c375dcd6d6e4723a9d3d2d2bc60d438c8866ddb012e666eb2

SHA512
94fca30a4f6fef5e399e12d39d50c9a41eea2172a257a49c986a03ba62d8d96850c442f9dce9a3776205fbebc0bff53c3ae0319acc8619e20cd544fef51b7822

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lt42wl1v.elm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\kc9loviz.0.vb

Filesize
256B

MD5
076803692ac8c38d8ee02672a9d49778

SHA1
45d2287f33f3358661c3d6a884d2a526fc6a0a46

SHA256
5b3ab23bcadaeb54a41bdb1636bcaf7772af028d375f42baeb967de6579ef2a3

SHA512
cc9126384a287ccb99d10d5c2d3034cdbc8a45e94f1cec48dd95f2aa08ebbe3053ffd6d6effa31f2d84164edbb6136398cd02c08b05f027a6a777dffd1daea5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\kc9loviz.cmdline

Filesize
156B

MD5
db1c718530d06c855ef4a30f4052ac0b

SHA1
b7dd2a220398ce3482208ac7dcf5cf0668c74444

SHA256
016ae23c89a80c09449a390eb76fb1054118b926c08996a3643f020cd6a056e4

SHA512
d8cc5fcea5247c1ad52730fc26bc79d34c4d1eca9278655af96d494a5e11aa74fe101a93c45cfb0c782d0f44e7ed2cedd9d4e807f0bae8d3b82ff7497a23a58e

Download Submit
C:\Users\Admin\AppData\Local\Temp\kpwu186b.0.vb

Filesize
262B

MD5
88cc385da858aaa7057b54eaeb0df718

SHA1
b108224d4686b5ca3faaeb1c728dfba8740a6eca

SHA256
08a30db98d970e3b6819d5ecff6eab2211ce93f4cd000c09db96ffb294d05020

SHA512
4787835240c3e2364172ac2e7649ec8fecb907c7006c38734e59aa65509f360b4596d5db8de20e0c7388a022e1c2f4f9ba75acabba798bea1d40f688539b7df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\kpwu186b.cmdline

Filesize
162B

MD5
50dc7e73b439370855b6aa411889d950

SHA1
c0bf2d0eca800a82a9d1f1de955dd2e2429bfd6e

SHA256
6dd140150a231b363510ebdec6bd0355ec06c8367faf0906e024f4d945e2d06e

SHA512
977115b72cf64c8376a69ba5e1a09fe94a33276e03c17ea463b0aa9e173ede7095cb8fa40357af68183f80cce4aed3ec0712da393c917d256e0298de8bd6012d

Download Submit
C:\Users\Admin\AppData\Local\Temp\lzvbkmzr.0.vb

Filesize
270B

MD5
658573fde2bebc77c740da7ddaa4634b

SHA1
073da76c50b4033fcfdfb37ba6176afd77b0ea55

SHA256
c07206283d62100d426ba62a81e97bd433966f8b52b5a8dd1451e29a804a1607

SHA512
f93c7f4378be5eca51161d1541d772a34c07884c9d829608c6fa21563df5691920394afe9da1174ad5c13f773a588b186d1d38a9d375a28562eb58ca4a8b8fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\lzvbkmzr.cmdline

Filesize
170B

MD5
161c2ecdcd9323ec1bdcd196b4d0e583

SHA1
0972d051c04bffa760265371cee55a83166e02de

SHA256
841cdd54a4b9a8c5940fec0cbacaad3a25d1d9cad9dfbc25784d852b2f0192d3

SHA512
fedf285e9c376c145bcab30c6845b61b9e2548f91af7944b2924463711d2380c77fcdbc7a6490bd4661f3f013667828c6bf1e8fc94f485e7653a6c4059f410c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\myn-j_fh.0.vb

Filesize
271B

MD5
ac972015bef75b540eb33503d6e28cc2

SHA1
5c1d09fcf4c719711532dcfd0544dfc6f2b90260

SHA256
fa445cc76cde3461a5f1f1281fefcb0c7db69b2685f8a67a06a0f33a067e74e7

SHA512
36b2e1f7b7a6f2c60788f88d95bfdc53b7d261c203eb637a36fbd07d81bc46edc87e528f1987df73963cb75ca2f19c3a4b3df9ade52d5768ecec23753099cc83

Download Submit
C:\Users\Admin\AppData\Local\Temp\myn-j_fh.cmdline

Filesize
171B

MD5
4307ab5846c98c8ffa571b446f1a55b2

SHA1
4267d04cb5da638b40b558fb9269b5d403d169bc

SHA256
d6bb4c11fd5dda636a581a838e17194d21523a9a954d4ed63246d936b78c9d11

SHA512
828b92329b4a4009854378cee8d96680dedd0a5e5e23a11ead17f389a53ef9a77b5831a93c12f2d1a63127f98e622fb0df4c82cf2a9f55d4e1cce2879b5b1d4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\qiho36fm.0.vb

Filesize
263B

MD5
d1110a95f1e40f726584bd99eca52fe7

SHA1
97fac683e1116ab31a9cc9c3dcfd9fe9e53505c3

SHA256
00f373eb310beace70146b6e0fd188aa2f437efb2e5a2714a11d4d58e27d3142

SHA512
f15b5b310ace82a0106b551d71ad3d48e1c75085aa78b8bb3374a2334ceb073bd4d1bf4cd0b4e39034c39f01b6bcd76e8be30198e4872f5641a7d29b255154b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\qiho36fm.cmdline

Filesize
163B

MD5
d8ba3a32a604e5a0dc084ffc8835cd96

SHA1
fc16f636ca095f1f023140f19d97dc797827ddda

SHA256
d86eb03b6a8ca08164b858ec4fb870479a51344a33902725604677224ad9ecc9

SHA512
c85346e44595ec7355b1b220617ce394ad029c7fb1f468e2a10f04a6cd84b3ba4804d1c6eb033aa60cdf31fab8ad2738e619361324ca8aae6a6a190c60cf955f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ra1zf_tq.0.vb

Filesize
271B

MD5
325f27ef75bebe8b3f80680add1943d3

SHA1
1c48e211258f8887946afb063e9315b7609b4ee3

SHA256
034c75813491d628a1a740b45888fc0c301b915456aaa7ba6433b4f1368cda35

SHA512
e2165b425558872897990953c26e48776f45751a53da035f1ad86ac062ec23a2923b984d84f992de5c0170f6e192feb155ffff25f51bc76ab273b996daacb804

Download Submit
C:\Users\Admin\AppData\Local\Temp\ra1zf_tq.cmdline

Filesize
171B

MD5
3b4c3ba356aa4fe0f04954adda5124c1

SHA1
153d7bcc242bfdb8ed882386483fa0d705109116

SHA256
ce88abc61f0f71267dcf321311b556ba322715e753863193fa074acc0adaf7e0

SHA512
abd5593718f9a689bf4f5af596dfd9c930cc40747538bb2be8d02a73b920f719c6612ce7f423ac0518420be28a12d227a5995ea83077a272ed445a0d31fea33f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2101352C4AE945D9ADD1A518A2E01F37.TMP

Filesize
684B

MD5
7a707b422baa7ca0bc8883cbe68961e7

SHA1
addf3158670a318c3e8e6fdd6d560244b9e8860e

SHA256
453ad1da51152e3512760bbd206304bf48f9c880f63b6a0726009e2d1371c71c

SHA512
81147c1c4c5859249f4e25d754103f3843416e3d0610ac81ee2ef5e5f50622ea37f0c68eeb7fa404f8a1779dc52af02d2142874e39c212c66fa458e0d62926a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc75C71D47303D4B4B8ED99237B49C9E1.TMP

Filesize
684B

MD5
8135713eeb0cf1521c80ad8f3e7aad22

SHA1
1628969dc6256816b2ab9b1c0163fcff0971c154

SHA256
e14dd88df69dc98be5bedcbc8c43d1e7260b4492899fec24d964000a3b096c7a

SHA512
a0b7210095767b437a668a6b0bcedf42268e80b9184b9910ed67d665fba9f714d06c06bff7b3da63846791d606807d13311946505776a1b891b39058cfb41bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc9A9F15CF1DC14CDA84A12A79BF34553.TMP

Filesize
644B

MD5
dac60af34e6b37e2ce48ac2551aee4e7

SHA1
968c21d77c1f80b3e962d928c35893dbc8f12c09

SHA256
2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6

SHA512
1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc9CE3E6493A00491C91642EB5CF21EEF.TMP

Filesize
676B

MD5
85c61c03055878407f9433e0cc278eb7

SHA1
15a60f1519aefb81cb63c5993400dd7d31b1202f

SHA256
f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b

SHA512
7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB0C36136B8E5486AB75AABCC2677128D.TMP

Filesize
668B

MD5
3906bddee0286f09007add3cffcaa5d5

SHA1
0e7ec4da19db060ab3c90b19070d39699561aae2

SHA256
0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00

SHA512
0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vvdrvima.0.vb

Filesize
274B

MD5
539683c4ca4ee4dc46b412c5651f20f5

SHA1
564f25837ce382f1534b088cf2ca1b8c4b078aed

SHA256
ec2210924d5c1af6377ef4bdf76d6ca773aaa1ae0438b0850f44d8c4e16ef92e

SHA512
df7c1a55e53f9b9bf23d27762d2d1163c78808e9b4d95e98c84c55ca4ecb7009ed58574ae6ddede31459f300483a1dc42987295a04f6c8702f297d3f1942f4ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\vvdrvima.cmdline

Filesize
174B

MD5
56c9053ad1da6330e4ca3be1300a4b1c

SHA1
fb9fa65b00f7e55d05c5796352fbe328ad8a1709

SHA256
d551fa1aa251847d88a79957b2719fd0928d8c62a192b5b52ab031304d9b24a3

SHA512
70ece564112bef74663c48079c2214ee88763239f82e9d33ce4ab0459ee5c2c8617ca45866d6879c4894b97d833a953ac191a492bc0dd5ba5fa9652a64362a95

Download Submit
C:\Users\Admin\AppData\Local\Temp\x0_5a-0z.0.vb

Filesize
273B

MD5
3c3d3136aa9f1b87290839a1d26ad07a

SHA1
005a23a138be5d7a98bdd4a6cc7fab8bdca962f4

SHA256
5b745f85a39312bfa585edbd7e3465371578b42fa639eded4cdad8c9f96b87fd

SHA512
fbb085ffcd77ac96c245067fd96a0c20492d55331161f292975b0c11386424a96534a500133217f84d44455e16139d01230455bce5db3d472271620c29381f60

Download Submit
C:\Users\Admin\AppData\Local\Temp\x0_5a-0z.cmdline

Filesize
173B

MD5
f001393a3d63b1b949321fc6bf46dbb5

SHA1
66d559ca78faf8b8a9eb5b8ce064dbbe431b90b2

SHA256
702f70ff50eede870c4d9ad81ac84f5dc056f5ed26396767e069f7579cc851dc

SHA512
6c24600121e31ec8c18f4f302238c1fe9328f9c6d82add0c3223cd222c323b8efa4090e687d055602020c6466e502ff6e780440e0a3a1855eda496e3d93e52e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\zktlb3at.0.vb

Filesize
264B

MD5
5ce3977a153152978fa71f8aa96909e9

SHA1
52af143c553c92afc257f0e0d556908eaa8919cb

SHA256
e07a7bd0c2901d3a349ab55e936b34de2d0abb5f2dc555cc128773b8045d3eed

SHA512
eaee02ceade0211be70a4710b28fdf043d5c540928e2095ead924a44c2edfca8fc6499395d1b7f5deee96394fb5309362fb87e45ee195094ec39d5fa11909d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\zktlb3at.cmdline

Filesize
164B

MD5
2da7307e359ac01fc18205dd2e85bce7

SHA1
1c79462628d20288a6d798ab5a1006bfb4cd1a34

SHA256
26af27437d2dec84710a90b5f34840575ef27272df543f5706935ddd8f088411

SHA512
ab325863c16cc40157faaed58b288dce779b73b3ad8a551fa30c6817261773a2c0383d2a472828828b625fe2d6f1113bad6908924d5a65eaab4d78e8f17650e6

Download Submit
C:\Windows\System32\MSSCS.exe

Filesize
21KB

MD5
6fe3fb85216045fdf8186429c27458a7

SHA1
ef2c68d0b3edf3def5d90f1525fe87c2142e5710

SHA256
905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550

SHA512
d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c

Download Submit
memory/2044-20-0x00007FF9F66D0000-0x00007FF9F7071000-memory.dmp

Filesize
9.6MB

Download
memory/2044-18-0x00007FF9F66D0000-0x00007FF9F7071000-memory.dmp

Filesize
9.6MB

Download
memory/3288-0-0x00007FF9F6985000-0x00007FF9F6986000-memory.dmp

Filesize
4KB

Download
memory/3288-19-0x00007FF9F66D0000-0x00007FF9F7071000-memory.dmp

Filesize
9.6MB

Download
memory/3288-8-0x00007FF9F66D0000-0x00007FF9F7071000-memory.dmp

Filesize
9.6MB

Download
memory/3288-7-0x00007FF9F6985000-0x00007FF9F6986000-memory.dmp

Filesize
4KB

Download
memory/3288-6-0x000000001C770000-0x000000001C80C000-memory.dmp

Filesize
624KB

Download
memory/3288-5-0x000000001BE50000-0x000000001BEB2000-memory.dmp

Filesize
392KB

Download
memory/3288-4-0x00007FF9F66D0000-0x00007FF9F7071000-memory.dmp

Filesize
9.6MB

Download
memory/3288-3-0x000000001B310000-0x000000001B3B6000-memory.dmp

Filesize
664KB

Download
memory/3288-2-0x000000001B910000-0x000000001BDDE000-memory.dmp

Filesize
4.8MB

Download
memory/3288-1-0x00007FF9F66D0000-0x00007FF9F7071000-memory.dmp

Filesize
9.6MB

Download
memory/4156-38-0x0000020362EF0000-0x0000020362F12000-memory.dmp

Filesize
136KB

Download