revengerat | f1bbcc5c678d174d858ae089f4494e3ea8bcfc418098d61804a15e437f08aff7

Resubmissions

03-07-2024 22:59

240703-2yn7wszhlp 10

03-07-2024 16:13

03-07-2024 16:11

10-05-2024 16:25

24-08-2023 11:16

05-08-2023 22:52

Analysis

max time kernel
149s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03-07-2024 22:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
Size

21KB
MD5

6fe3fb85216045fdf8186429c27458a7
SHA1

ef2c68d0b3edf3def5d90f1525fe87c2142e5710
SHA256

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550
SHA512

d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c
SSDEEP

384:nPD9On5gIdjbvRPJnMacNj6FIlKrZbJsV5reQ+ys:b9On2nV6FIlKr1

Score

10^/10

revengerat execution stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

Processes:

resource	yara_rule
C:\Windows\System32\MSSCS.exe	revengerat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe

Drops startup file 2 IoCs

Processes:

MSSCS.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSO.exe	MSSCS.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSO.exe	MSSCS.exe

Executes dropped EXE 1 IoCs

Processes:

MSSCS.exe

pid process

1772 MSSCS.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
1772	MSSCS.exe

Drops file in System32 directory 4 IoCs

Processes:

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exeMSSCS.exe

description	ioc	process
File created	C:\Windows\system32\MSSCS.exe	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
File opened for modification	C:\Windows\system32\MSSCS.exe	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
File opened for modification	C:\Windows\system32\MSSCS.exe	MSSCS.exe
File created	C:\Windows\system32\MSSCS.exe	MSSCS.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

4292 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

4292 powershell.exe
4292 powershell.exe

pid	process
4292	powershell.exe

pid	process
4292	powershell.exe
4292	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exeMSSCS.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4760	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
Token: SeDebugPrivilege	1772	MSSCS.exe
Token: SeDebugPrivilege	4292	powershell.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exeMSSCS.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exe

description	pid	process	target process
PID 4760 wrote to memory of 1772	4760	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe	MSSCS.exe
PID 4760 wrote to memory of 1772	4760	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe	MSSCS.exe
PID 1772 wrote to memory of 4292	1772	MSSCS.exe	powershell.exe
PID 1772 wrote to memory of 4292	1772	MSSCS.exe	powershell.exe
PID 1772 wrote to memory of 4348	1772	MSSCS.exe	vbc.exe
PID 1772 wrote to memory of 4348	1772	MSSCS.exe	vbc.exe
PID 4348 wrote to memory of 1044	4348	vbc.exe	cvtres.exe
PID 4348 wrote to memory of 1044	4348	vbc.exe	cvtres.exe
PID 1772 wrote to memory of 3924	1772	MSSCS.exe	vbc.exe
PID 1772 wrote to memory of 3924	1772	MSSCS.exe	vbc.exe
PID 3924 wrote to memory of 4936	3924	vbc.exe	cvtres.exe
PID 3924 wrote to memory of 4936	3924	vbc.exe	cvtres.exe
PID 1772 wrote to memory of 1280	1772	MSSCS.exe	vbc.exe
PID 1772 wrote to memory of 1280	1772	MSSCS.exe	vbc.exe
PID 1280 wrote to memory of 3168	1280	vbc.exe	cvtres.exe
PID 1280 wrote to memory of 3168	1280	vbc.exe	cvtres.exe
PID 1772 wrote to memory of 2220	1772	MSSCS.exe	vbc.exe
PID 1772 wrote to memory of 2220	1772	MSSCS.exe	vbc.exe
PID 2220 wrote to memory of 2696	2220	vbc.exe	cvtres.exe
PID 2220 wrote to memory of 2696	2220	vbc.exe	cvtres.exe
PID 1772 wrote to memory of 2624	1772	MSSCS.exe	vbc.exe
PID 1772 wrote to memory of 2624	1772	MSSCS.exe	vbc.exe
PID 2624 wrote to memory of 4872	2624	vbc.exe	cvtres.exe
PID 2624 wrote to memory of 4872	2624	vbc.exe	cvtres.exe
PID 1772 wrote to memory of 1496	1772	MSSCS.exe	vbc.exe
PID 1772 wrote to memory of 1496	1772	MSSCS.exe	vbc.exe
PID 1496 wrote to memory of 5092	1496	vbc.exe	cvtres.exe
PID 1496 wrote to memory of 5092	1496	vbc.exe	cvtres.exe
PID 1772 wrote to memory of 720	1772	MSSCS.exe	vbc.exe
PID 1772 wrote to memory of 720	1772	MSSCS.exe	vbc.exe
PID 720 wrote to memory of 5060	720	vbc.exe	cvtres.exe
PID 720 wrote to memory of 5060	720	vbc.exe	cvtres.exe
PID 1772 wrote to memory of 4876	1772	MSSCS.exe	vbc.exe
PID 1772 wrote to memory of 4876	1772	MSSCS.exe	vbc.exe
PID 4876 wrote to memory of 2284	4876	vbc.exe	cvtres.exe
PID 4876 wrote to memory of 2284	4876	vbc.exe	cvtres.exe
PID 1772 wrote to memory of 1536	1772	MSSCS.exe	vbc.exe
PID 1772 wrote to memory of 1536	1772	MSSCS.exe	vbc.exe
PID 1536 wrote to memory of 4992	1536	vbc.exe	cvtres.exe
PID 1536 wrote to memory of 4992	1536	vbc.exe	cvtres.exe
PID 1772 wrote to memory of 4764	1772	MSSCS.exe	vbc.exe
PID 1772 wrote to memory of 4764	1772	MSSCS.exe	vbc.exe
PID 4764 wrote to memory of 4728	4764	vbc.exe	cvtres.exe
PID 4764 wrote to memory of 4728	4764	vbc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
"C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4760

C:\Windows\system32\MSSCS.exe
"C:\Windows\system32\MSSCS.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1772

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Bypass -Command [System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms'); [System.Windows.Forms.MessageBox]::Show('Isto abriu lol','Rekt!',0,64)
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4292

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ikmljig3.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:4348

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES93A0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE4EE38D98D9341C38820596EC394181.TMP"
4⤵
PID:1044

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\optpecbq.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:3924

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES943C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc523EE7183EAA40159563E1D712A21CB.TMP"
4⤵
PID:4936

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ezcudepy.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:1280

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES94E8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc64DD6469DF5643B6A2B686D69C28E974.TMP"
4⤵
PID:3168

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0z4fpyc_.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:2220

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9575.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD2665B51DBB64225B22F77D6A8C720.TMP"
4⤵
PID:2696

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ma43vz2-.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:2624

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES95E2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBC27CC5E294D4AC89314CA38ABCD9094.TMP"
4⤵
PID:4872

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uqwjxgtc.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:1496

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES965F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7A38F842834D464BA0737CE96611F870.TMP"
4⤵
PID:5092

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\p7t39h53.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:720

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES96DC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6B5A58E7B18D43569FAF47CCFCDA1F86.TMP"
4⤵
PID:5060

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\toi76dvt.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:4876

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES973A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBB39E8F1DCAB40BE9A58A6ECA6F2CA82.TMP"
4⤵
PID:2284

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1n0a0jj0.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:1536

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9798.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCC1CFCBC24674A7181E7E744D5B11AA9.TMP"
4⤵
PID:4992

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lttcjrme.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:4764

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES97F5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE9A495CCD5F34B34AA3FCCBE11B01682.TMP"
4⤵
PID:4728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0z4fpyc_.0.vb
Filesize
271B

MD5
ac972015bef75b540eb33503d6e28cc2

SHA1
5c1d09fcf4c719711532dcfd0544dfc6f2b90260

SHA256
fa445cc76cde3461a5f1f1281fefcb0c7db69b2685f8a67a06a0f33a067e74e7

SHA512
36b2e1f7b7a6f2c60788f88d95bfdc53b7d261c203eb637a36fbd07d81bc46edc87e528f1987df73963cb75ca2f19c3a4b3df9ade52d5768ecec23753099cc83

Download Submit
C:\Users\Admin\AppData\Local\Temp\0z4fpyc_.cmdline
Filesize
171B

MD5
73b3ea4e88a2515b1d4f5aa5d7097427

SHA1
73f1206a5046c0bcda68990b858851e448d143e3

SHA256
a2ccc6d4bc721c453995476b19b97d28d1061b41b199e9b5ddadeefd8467863d

SHA512
157c0484c9bc4d182ad32b0a06bab5ada7639296b8896bc77f2afd629a681d237fa1b0f2e8ad4db3e1dba8f0f7556004c6bece46671c53389dfec6111377d47a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1n0a0jj0.0.vb
Filesize
270B

MD5
658573fde2bebc77c740da7ddaa4634b

SHA1
073da76c50b4033fcfdfb37ba6176afd77b0ea55

SHA256
c07206283d62100d426ba62a81e97bd433966f8b52b5a8dd1451e29a804a1607

SHA512
f93c7f4378be5eca51161d1541d772a34c07884c9d829608c6fa21563df5691920394afe9da1174ad5c13f773a588b186d1d38a9d375a28562eb58ca4a8b8fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\1n0a0jj0.cmdline
Filesize
170B

MD5
9476139e30d6c8064c35540fc91955ed

SHA1
737d182c78ef298dcd154f5bded5e706223effd6

SHA256
dce73fce4a4b105ea7c0b15cf2687d0a1102949c654354f57aa7d0128aa94f0c

SHA512
a0523bad4ef801c4b5592a8b2bd2bfcd0307b032796e6a03f255c5ab2d9a312958e6d33067416f972ecde0ec6ed9f806b9ee653dafd2c4c641c73e3fe9cd88b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES93A0.tmp
Filesize
1KB

MD5
858e740d2623a4d9e4a0de256e1707a5

SHA1
8b9da3ab59bcad2d68b2d9047ffb655c256cc949

SHA256
cca1b61702a8d7951491406084a222e7728590122b34afeacfa01ace70b39cbc

SHA512
e96907110477abffc9e006538751c597873586e9a109e2acc63190380241c5af6ad278fb13141a05ee54e264c4d4af706bcf8afb67294f97b4c2ff4a9db7ab57

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES943C.tmp
Filesize
1KB

MD5
cc96b0149852fe8784f0d3736b7c91e5

SHA1
069fe03530d3ab4bd0672c411448db63a97c228d

SHA256
d428c8da9b7ccc8bf519989c212e681e3ca2645bf44ebc8febf41662ac297430

SHA512
57f8c2f407063c924759998a3a7850b0724e7ff364f948dcc7dc0071c138b6c0f1d2957612c55679fd4133be92146207f784f65bbe5278a82871d2d24bcc9e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES94E8.tmp
Filesize
1KB

MD5
a239224ee0dee9cb3ff57be670fb42e9

SHA1
07456a1516dfb46f4333827a60e4d3a941505149

SHA256
e2797372b52beb6089a1d656dd78bbd7664eac59dd1d9a1237afd8cd32f0e22f

SHA512
b05540e0c6a0ec1fb4e15069271929cf9343c17a17f0daaa713749c0a5d835f993472cdd095b54261cec3f26aae9e81389de525a9b6b55162cec9af94ccfbba0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9575.tmp
Filesize
1KB

MD5
8a61e6b33825c5bb88c592e27224f9fd

SHA1
1e4354f8ca3edcdc91fca3dec96f98869c41b355

SHA256
5b3cb60b3a2a1bed5f4ce8567b4872c903318e48bd2696eff5a4d670b8370919

SHA512
26a7c4482f081f5e66c2478c761af8c1d3826595b18a058609539dace601dcd7f31d51674fdc2560c26845abbc73f1d7a2fbf2bc6a57fac355632423998a5936

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES95E2.tmp
Filesize
1KB

MD5
1a8716dd676118ead0bcb0cc16b25c61

SHA1
3eef60c5ba8b4969ce1ede0ddb940be97e0e2d94

SHA256
dab68bcd0693977a3ca4e1915dc4e25eee0d435b8c66404bd215785642fe9314

SHA512
59193781a68d2527de48bbbcd1526055b84dc7876026c0aa7b8ad754eaf38e49ede3f207c5bb439e707257d73244d5a6aff0b6352bfca68375719efa042935a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES965F.tmp
Filesize
1KB

MD5
e007237a069c62933880928ffbdc8f51

SHA1
6ce5a382507636d204ccb592fe1ea6b7184ba4ee

SHA256
3cde9674a301bc4ef9591452b46dcd4f7c208476d69433da286e84dc3d98f6eb

SHA512
ec66e329b06e54c48a7e2402d4da0315d5e35dadd4cceaea816d970812dc8cb326835c569bea6fb109ff1d3a1b640133d1a55ddf166ebbfda72de68893a9d6f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES96DC.tmp
Filesize
1KB

MD5
807ba4ed8cd8c5fd66b7a75d069b10cf

SHA1
695c42cdac9b7237bd3e4e1c2db899967ec6e7ba

SHA256
61bfacab08c8644b17466c14e524bdb957f81c13d36be91bc90041d294b97b41

SHA512
81a2d623472dc76e886215ef88b2937d09e742707eff3a491340d1399c53aea8414cc86d003c82bb7ef299a4df83833ad1b5fa1d5a09601850f5c7d9d6e03649

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES973A.tmp
Filesize
1KB

MD5
d53e6dde200b33002a585e9841e41d00

SHA1
973d89e4fd096e94c656d1d9e054fe03efdf1613

SHA256
467f917ad4cb7387923826ec51b62a455ac9ddd25da7f8303fa29583f8c41e53

SHA512
281f1ab6c571c0c8210d9093b2fcb22e5d543f1822bc37040f8907a73126502e82bf9635521ac10b9c34dae507f72385ec10fce15f9750692cfaa903b402a929

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9798.tmp
Filesize
1KB

MD5
080af47f62d4a25ec3f151e3813e17ab

SHA1
804095859177fa5476af7166f0ebe37ccaf7374a

SHA256
14912a54cccde8c13e2851727ea305b43616f2e0275f623cc9fc67a000f9b133

SHA512
d830c70d76da797a939132ffd379ff41fb704e43937a555137bc7b2efe04e8064d1d84a27778eda093b1de676b16529e2890ed8352aac8c40fc0247559cb75ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES97F5.tmp
Filesize
1KB

MD5
23af0992f832861d2cdfcb394dabd63e

SHA1
9b32c1f0cf4701f836fa9d1f803b6a88e02abbc8

SHA256
88e8ecd4ad95f517a112c3a92ee88226c9626d087c3e7e6dcefff90f0621f36f

SHA512
4e282d40ca32502b0f34afa4292549a291cb813041279a530e0ca49ad476fdd2faa3e2dc583857776f48614e7a0e81e1c63d79594df5c012d5bdd5d5efed1934

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0uhwe5ev.he5.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ezcudepy.0.vb
Filesize
263B

MD5
d1110a95f1e40f726584bd99eca52fe7

SHA1
97fac683e1116ab31a9cc9c3dcfd9fe9e53505c3

SHA256
00f373eb310beace70146b6e0fd188aa2f437efb2e5a2714a11d4d58e27d3142

SHA512
f15b5b310ace82a0106b551d71ad3d48e1c75085aa78b8bb3374a2334ceb073bd4d1bf4cd0b4e39034c39f01b6bcd76e8be30198e4872f5641a7d29b255154b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ezcudepy.cmdline
Filesize
163B

MD5
8f378dc4de51290a1567cb10a262f163

SHA1
dd422d171a99e1611a7c3a0818121bd4f3c9ea47

SHA256
e747a845a9d9bdbb387300c53718f359e39ab974e1bfadba65f98e279e971e6b

SHA512
de250274fc65e30fddb10f7da55830788b7adcd6aa6c056eb4dd4d3b7e27cdefc003b93b78711019ff196c523127335972e0111f0a1d68a21faf8b06f5fb5607

Download Submit
C:\Users\Admin\AppData\Local\Temp\ikmljig3.0.vb
Filesize
256B

MD5
076803692ac8c38d8ee02672a9d49778

SHA1
45d2287f33f3358661c3d6a884d2a526fc6a0a46

SHA256
5b3ab23bcadaeb54a41bdb1636bcaf7772af028d375f42baeb967de6579ef2a3

SHA512
cc9126384a287ccb99d10d5c2d3034cdbc8a45e94f1cec48dd95f2aa08ebbe3053ffd6d6effa31f2d84164edbb6136398cd02c08b05f027a6a777dffd1daea5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ikmljig3.cmdline
Filesize
156B

MD5
babfeda96caa8e1b87508fd7608f76e2

SHA1
26880d64aac43f5899cca1cc8c180276f88af8d0

SHA256
23e3919893e02f501b745883fe5d72a0dbe61d36962c25d45926209f795cee75

SHA512
ca69c7850cc8df044aa40c71ec42240c7d57a99ed0b64be12b1c8debd462668dfea317e3d05212dd8ceaf632c4c2aaee7abee9de73de642d9b39a03e83da73c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\lttcjrme.0.vb
Filesize
273B

MD5
3c3d3136aa9f1b87290839a1d26ad07a

SHA1
005a23a138be5d7a98bdd4a6cc7fab8bdca962f4

SHA256
5b745f85a39312bfa585edbd7e3465371578b42fa639eded4cdad8c9f96b87fd

SHA512
fbb085ffcd77ac96c245067fd96a0c20492d55331161f292975b0c11386424a96534a500133217f84d44455e16139d01230455bce5db3d472271620c29381f60

Download Submit
C:\Users\Admin\AppData\Local\Temp\lttcjrme.cmdline
Filesize
173B

MD5
6a28771dc73a80d71b0c36e6b536fa8b

SHA1
4dbc4a9300ee33ecf47b9e1d1c33ee4142e03df9

SHA256
806865a35f66217b63bf4d6fbff4d0b4ed5463d0767813a05da2128f294d132b

SHA512
c06b55c2a0a14432e11005102fffe719c7a9ec8d76764f0a077377a788bbc5a403591736a9afb0c5fd78651cccfa787ab4a9192f61f8e103efc03b7f29c33fd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ma43vz2-.0.vb
Filesize
272B

MD5
2b3aac520562a93ebef6a5905d4765c9

SHA1
10ab45c5d73934b16fac5e30bf22f17d3e0810c8

SHA256
b9f0edf067faaaa7da2d47e3d22b957cd302eb25e01e08ea79c664868f328f89

SHA512
9514934ed12d93ea3ad4e6873cf294bafa114bc7a784a93b14dd2410d07fae3a2c00308035a5c129c57e283de8b94ed36fd9f9de35b08eb79a82a0c732e50446

Download Submit
C:\Users\Admin\AppData\Local\Temp\ma43vz2-.cmdline
Filesize
172B

MD5
52dcb0363d90ad74e7962cac0aadc644

SHA1
a96809945e51f942eeafb4a6a8a4d0b2ef204cf3

SHA256
4c9f1e95f4c9541e65c9803541d6708f5c3d596d68a0646af25e73f71224b4b2

SHA512
f3a365c47b09ccf6479c9927239a71ce95611d48ed286402287edcf7d29052e78ecbfc58d1b936a47bec55c62d24de3c97c1dd2d7ff91998f1d3a83c220f9610

Download Submit
C:\Users\Admin\AppData\Local\Temp\optpecbq.0.vb
Filesize
262B

MD5
88cc385da858aaa7057b54eaeb0df718

SHA1
b108224d4686b5ca3faaeb1c728dfba8740a6eca

SHA256
08a30db98d970e3b6819d5ecff6eab2211ce93f4cd000c09db96ffb294d05020

SHA512
4787835240c3e2364172ac2e7649ec8fecb907c7006c38734e59aa65509f360b4596d5db8de20e0c7388a022e1c2f4f9ba75acabba798bea1d40f688539b7df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\optpecbq.cmdline
Filesize
162B

MD5
deab377667202ae9797bd1dd46460925

SHA1
9606bf09378c8c28c98b8fc549281a4907281acf

SHA256
e1755212e60cd94a7d74255bf7bbcee2042617c04ae50d8e471c77f9f911ee9c

SHA512
5e43def91a62c7143095bf1f948b0604e864ba3dd04f0324154d3c65691c6b871fb876e6a42dfc400ca3bb7c38ae9047dc79b3a33e441c7b85b323ebb9c2cd1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\p7t39h53.0.vb
Filesize
274B

MD5
539683c4ca4ee4dc46b412c5651f20f5

SHA1
564f25837ce382f1534b088cf2ca1b8c4b078aed

SHA256
ec2210924d5c1af6377ef4bdf76d6ca773aaa1ae0438b0850f44d8c4e16ef92e

SHA512
df7c1a55e53f9b9bf23d27762d2d1163c78808e9b4d95e98c84c55ca4ecb7009ed58574ae6ddede31459f300483a1dc42987295a04f6c8702f297d3f1942f4ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\p7t39h53.cmdline
Filesize
174B

MD5
1dd0f2e074bb2957ae08f1613be6384e

SHA1
d66ca0a013d1e0c6c46d0edfd42e2460432cf2dc

SHA256
4faeb8879167bbf7461044c009c9feb70340ec50f687be084b7c68c2cb58b305

SHA512
651ad94d702108c4ddbf301b477a7b1195b5212922063fd94d06bf12507cbde377b7c22f88817ac69e022b105c360925d54f5153546e850a056c9560702452b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\toi76dvt.0.vb
Filesize
264B

MD5
5ce3977a153152978fa71f8aa96909e9

SHA1
52af143c553c92afc257f0e0d556908eaa8919cb

SHA256
e07a7bd0c2901d3a349ab55e936b34de2d0abb5f2dc555cc128773b8045d3eed

SHA512
eaee02ceade0211be70a4710b28fdf043d5c540928e2095ead924a44c2edfca8fc6499395d1b7f5deee96394fb5309362fb87e45ee195094ec39d5fa11909d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\toi76dvt.cmdline
Filesize
164B

MD5
752dfafb46dcdf9e31f910d2b3fff276

SHA1
4537b5c32ec2ff2b640df2b719deb6ebb68771ee

SHA256
cc9bae1216e87a14073dbd81d1d1db0a8ddd4faaf44213fcc0547a547a4bef40

SHA512
f47f94da83b25c3339f6db49536dfdeaf9dab0d6e08de34c9a8bdf1063076200dcb21f8d250aa6bd36500667f365dc7d07bf40ac826382ee6c099cf2019e33f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\uqwjxgtc.0.vb
Filesize
271B

MD5
325f27ef75bebe8b3f80680add1943d3

SHA1
1c48e211258f8887946afb063e9315b7609b4ee3

SHA256
034c75813491d628a1a740b45888fc0c301b915456aaa7ba6433b4f1368cda35

SHA512
e2165b425558872897990953c26e48776f45751a53da035f1ad86ac062ec23a2923b984d84f992de5c0170f6e192feb155ffff25f51bc76ab273b996daacb804

Download Submit
C:\Users\Admin\AppData\Local\Temp\uqwjxgtc.cmdline
Filesize
171B

MD5
66dda5289f3e25ac933439f48daf276d

SHA1
6bff2466bd3816232c2470db5f6c632fd0fa0ce7

SHA256
6b2a244bb0a8c25c50713b0980eb31fcadd1060d92f2f6c9cd2c076e8e01e522

SHA512
0438af902b421706ca5eb751b2ce272427229364e460758a0e62051143ddc7d7018be186d0002ec20908aa87000961246758adba810da8438bb56d18cfee6b78

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc523EE7183EAA40159563E1D712A21CB.TMP
Filesize
668B

MD5
3906bddee0286f09007add3cffcaa5d5

SHA1
0e7ec4da19db060ab3c90b19070d39699561aae2

SHA256
0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00

SHA512
0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc64DD6469DF5643B6A2B686D69C28E974.TMP
Filesize
676B

MD5
85c61c03055878407f9433e0cc278eb7

SHA1
15a60f1519aefb81cb63c5993400dd7d31b1202f

SHA256
f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b

SHA512
7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6B5A58E7B18D43569FAF47CCFCDA1F86.TMP
Filesize
684B

MD5
8135713eeb0cf1521c80ad8f3e7aad22

SHA1
1628969dc6256816b2ab9b1c0163fcff0971c154

SHA256
e14dd88df69dc98be5bedcbc8c43d1e7260b4492899fec24d964000a3b096c7a

SHA512
a0b7210095767b437a668a6b0bcedf42268e80b9184b9910ed67d665fba9f714d06c06bff7b3da63846791d606807d13311946505776a1b891b39058cfb41bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE4EE38D98D9341C38820596EC394181.TMP
Filesize
644B

MD5
dac60af34e6b37e2ce48ac2551aee4e7

SHA1
968c21d77c1f80b3e962d928c35893dbc8f12c09

SHA256
2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6

SHA512
1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE9A495CCD5F34B34AA3FCCBE11B01682.TMP
Filesize
684B

MD5
7a707b422baa7ca0bc8883cbe68961e7

SHA1
addf3158670a318c3e8e6fdd6d560244b9e8860e

SHA256
453ad1da51152e3512760bbd206304bf48f9c880f63b6a0726009e2d1371c71c

SHA512
81147c1c4c5859249f4e25d754103f3843416e3d0610ac81ee2ef5e5f50622ea37f0c68eeb7fa404f8a1779dc52af02d2142874e39c212c66fa458e0d62926a9

Download Submit
C:\Windows\System32\MSSCS.exe
Filesize
21KB

MD5
6fe3fb85216045fdf8186429c27458a7

SHA1
ef2c68d0b3edf3def5d90f1525fe87c2142e5710

SHA256
905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550

SHA512
d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c

Download Submit
memory/1772-19-0x00007FFE771C0000-0x00007FFE77B61000-memory.dmp

Filesize
9.6MB

Download
memory/1772-21-0x00007FFE771C0000-0x00007FFE77B61000-memory.dmp

Filesize
9.6MB

Download
memory/1772-18-0x00007FFE771C0000-0x00007FFE77B61000-memory.dmp

Filesize
9.6MB

Download
memory/4292-36-0x00000226F79F0000-0x00000226F7A12000-memory.dmp

Filesize
136KB

Download
memory/4760-6-0x000000001CA00000-0x000000001CA9C000-memory.dmp

Filesize
624KB

Download
memory/4760-20-0x00007FFE771C0000-0x00007FFE77B61000-memory.dmp

Filesize
9.6MB

Download
memory/4760-7-0x00007FFE771C0000-0x00007FFE77B61000-memory.dmp

Filesize
9.6MB

Download
memory/4760-0-0x00007FFE77475000-0x00007FFE77476000-memory.dmp

Filesize
4KB

Download
memory/4760-4-0x000000001C090000-0x000000001C0F2000-memory.dmp

Filesize
392KB

Download
memory/4760-5-0x00007FFE771C0000-0x00007FFE77B61000-memory.dmp

Filesize
9.6MB

Download
memory/4760-3-0x000000001BF70000-0x000000001C016000-memory.dmp

Filesize
664KB

Download
memory/4760-2-0x000000001B9F0000-0x000000001BEBE000-memory.dmp

Filesize
4.8MB

Download
memory/4760-8-0x00007FFE77475000-0x00007FFE77476000-memory.dmp

Filesize
4KB

Download
memory/4760-1-0x00007FFE771C0000-0x00007FFE77B61000-memory.dmp

Filesize
9.6MB

Download