revengerat | f1bbcc5c678d174d858ae089f4494e3ea8bcfc418098d61804a15e437f08aff7

Resubmissions

03-07-2024 22:59

240703-2yn7wszhlp 10

03-07-2024 16:13

03-07-2024 16:11

10-05-2024 16:25

24-08-2023 11:16

05-08-2023 22:52

Analysis

max time kernel
146s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
03-07-2024 16:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
Size

21KB
MD5

6fe3fb85216045fdf8186429c27458a7
SHA1

ef2c68d0b3edf3def5d90f1525fe87c2142e5710
SHA256

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550
SHA512

d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c
SSDEEP

384:nPD9On5gIdjbvRPJnMacNj6FIlKrZbJsV5reQ+ys:b9On2nV6FIlKr1

Score

10^/10

revengerat execution stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

Processes:

resource	yara_rule
C:\Windows\System32\MSSCS.exe	revengerat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe

Drops startup file 2 IoCs

Processes:

MSSCS.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSO.exe	MSSCS.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSO.exe	MSSCS.exe

Executes dropped EXE 1 IoCs

Processes:

MSSCS.exe

pid process

4300 MSSCS.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
4300	MSSCS.exe

Drops file in System32 directory 4 IoCs

Processes:

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exeMSSCS.exe

description	ioc	process
File created	C:\Windows\system32\MSSCS.exe	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
File opened for modification	C:\Windows\system32\MSSCS.exe	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
File opened for modification	C:\Windows\system32\MSSCS.exe	MSSCS.exe
File created	C:\Windows\system32\MSSCS.exe	MSSCS.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

4916 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid process

4916 powershell.exe
4916 powershell.exe
4916 powershell.exe

pid	process
4916	powershell.exe

pid	process
4916	powershell.exe
4916	powershell.exe
4916	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exeMSSCS.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4276	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
Token: SeDebugPrivilege	4300	MSSCS.exe
Token: SeDebugPrivilege	4916	powershell.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exeMSSCS.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exe

description	pid	process	target process
PID 4276 wrote to memory of 4300	4276	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe	MSSCS.exe
PID 4276 wrote to memory of 4300	4276	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe	MSSCS.exe
PID 4300 wrote to memory of 4916	4300	MSSCS.exe	powershell.exe
PID 4300 wrote to memory of 4916	4300	MSSCS.exe	powershell.exe
PID 4300 wrote to memory of 2204	4300	MSSCS.exe	vbc.exe
PID 4300 wrote to memory of 2204	4300	MSSCS.exe	vbc.exe
PID 2204 wrote to memory of 1036	2204	vbc.exe	cvtres.exe
PID 2204 wrote to memory of 1036	2204	vbc.exe	cvtres.exe
PID 4300 wrote to memory of 3548	4300	MSSCS.exe	vbc.exe
PID 4300 wrote to memory of 3548	4300	MSSCS.exe	vbc.exe
PID 3548 wrote to memory of 3648	3548	vbc.exe	cvtres.exe
PID 3548 wrote to memory of 3648	3548	vbc.exe	cvtres.exe
PID 4300 wrote to memory of 3952	4300	MSSCS.exe	vbc.exe
PID 4300 wrote to memory of 3952	4300	MSSCS.exe	vbc.exe
PID 3952 wrote to memory of 3188	3952	vbc.exe	cvtres.exe
PID 3952 wrote to memory of 3188	3952	vbc.exe	cvtres.exe
PID 4300 wrote to memory of 1556	4300	MSSCS.exe	vbc.exe
PID 4300 wrote to memory of 1556	4300	MSSCS.exe	vbc.exe
PID 1556 wrote to memory of 3552	1556	vbc.exe	cvtres.exe
PID 1556 wrote to memory of 3552	1556	vbc.exe	cvtres.exe
PID 4300 wrote to memory of 812	4300	MSSCS.exe	vbc.exe
PID 4300 wrote to memory of 812	4300	MSSCS.exe	vbc.exe
PID 812 wrote to memory of 4324	812	vbc.exe	cvtres.exe
PID 812 wrote to memory of 4324	812	vbc.exe	cvtres.exe
PID 4300 wrote to memory of 1408	4300	MSSCS.exe	vbc.exe
PID 4300 wrote to memory of 1408	4300	MSSCS.exe	vbc.exe
PID 1408 wrote to memory of 2240	1408	vbc.exe	cvtres.exe
PID 1408 wrote to memory of 2240	1408	vbc.exe	cvtres.exe
PID 4300 wrote to memory of 3244	4300	MSSCS.exe	vbc.exe
PID 4300 wrote to memory of 3244	4300	MSSCS.exe	vbc.exe
PID 3244 wrote to memory of 4500	3244	vbc.exe	cvtres.exe
PID 3244 wrote to memory of 4500	3244	vbc.exe	cvtres.exe
PID 4300 wrote to memory of 416	4300	MSSCS.exe	vbc.exe
PID 4300 wrote to memory of 416	4300	MSSCS.exe	vbc.exe
PID 416 wrote to memory of 2800	416	vbc.exe	cvtres.exe
PID 416 wrote to memory of 2800	416	vbc.exe	cvtres.exe
PID 4300 wrote to memory of 880	4300	MSSCS.exe	vbc.exe
PID 4300 wrote to memory of 880	4300	MSSCS.exe	vbc.exe
PID 880 wrote to memory of 4552	880	vbc.exe	cvtres.exe
PID 880 wrote to memory of 4552	880	vbc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
"C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4276

C:\Windows\system32\MSSCS.exe
"C:\Windows\system32\MSSCS.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4300

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Bypass -Command [System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms'); [System.Windows.Forms.MessageBox]::Show('Isto abriu lol','Rekt!',0,64)
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4916

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\8y1ecrii.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:2204

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5D49.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6823B285CD424835AFE96D28FAA6D2A5.TMP"
4⤵
PID:1036

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bn9ibdxz.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:3548

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5E53.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc44C53DAE655E4F4DA91F263DE9C767E6.TMP"
4⤵
PID:3648

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gn0tappf.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:3952

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5F1E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEFE4A3A4FD884311B07E2316259F87C2.TMP"
4⤵
PID:3188

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\aprju97-.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:1556

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5FBA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF4DF86E6921D4A4FB1BC34ECC7B7C0B3.TMP"
4⤵
PID:3552

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\q0vrjw9q.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:812

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6075.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDC01CF043B9640D2B5A05D5EA2F9FED6.TMP"
4⤵
PID:4324

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\c7o14yac.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:1408

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6112.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc266987929DAA435485F6C2BAFEF712C3.TMP"
4⤵
PID:2240

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mjho2z2c.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:3244

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES61AE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc81CB498A2904AE6BE82DBEEC488AF62.TMP"
4⤵
PID:4500

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ervpyjkl.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:416

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES621B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2A763DE26F8843E2A5DE7D45D1E708C.TMP"
4⤵
PID:2800

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1bcttwb6.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:880

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES62B8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5D7E0D3B17044B26B2CE14742F34FB34.TMP"
4⤵
PID:4552

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

T1064

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1bcttwb6.0.vb
Filesize
273B

MD5
3c3d3136aa9f1b87290839a1d26ad07a

SHA1
005a23a138be5d7a98bdd4a6cc7fab8bdca962f4

SHA256
5b745f85a39312bfa585edbd7e3465371578b42fa639eded4cdad8c9f96b87fd

SHA512
fbb085ffcd77ac96c245067fd96a0c20492d55331161f292975b0c11386424a96534a500133217f84d44455e16139d01230455bce5db3d472271620c29381f60

Download Submit
C:\Users\Admin\AppData\Local\Temp\1bcttwb6.cmdline
Filesize
173B

MD5
777dc09f9225e7938d7c29e8f11f57e8

SHA1
380c4111354dd27074f465b4103c8db392b6bfe0

SHA256
9ec46b002768cd822be9d27b2a95eec73bf484521a38b2c71d4dabf75f42f341

SHA512
e12c007dcdd9069ea8787b9b0adf5a492c9491afb09ce10935dc4abbbf677d3d3afba56e2a9f88c9aa2763e8dda5353618acec0cad0d80f7b7d8835a99fbd2a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\8y1ecrii.0.vb
Filesize
256B

MD5
076803692ac8c38d8ee02672a9d49778

SHA1
45d2287f33f3358661c3d6a884d2a526fc6a0a46

SHA256
5b3ab23bcadaeb54a41bdb1636bcaf7772af028d375f42baeb967de6579ef2a3

SHA512
cc9126384a287ccb99d10d5c2d3034cdbc8a45e94f1cec48dd95f2aa08ebbe3053ffd6d6effa31f2d84164edbb6136398cd02c08b05f027a6a777dffd1daea5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\8y1ecrii.cmdline
Filesize
156B

MD5
86d9a40d1dcc38118d977734ea9c4ba5

SHA1
c6e8ec7ccd80eeb74c088069ce0fffe191ab5115

SHA256
3cae875bce27fa0cf5b1fe76e1dcae4a05ffdfe00395c4ff533053b9daf19c11

SHA512
5a58f368e2472a6f98c59647e02362a53b6201d7ae61a560a8ef329cab4641b9ec76b91d6b446db0b59454b42f44250648b9253952525bf4f4ff652eb73a313b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5D49.tmp
Filesize
1KB

MD5
9e0ec40a2f86e40e935c17e50c8de248

SHA1
210f4f7da1ff995465a61f7ad3fbf368fd0272f9

SHA256
8a25b338bbbc915990167802927537c5444181073780ecc35d7670eb644fc839

SHA512
76c42a634761e79868fa7889f92a65e83c86992e30f787a4b3cf8943d18b74610c9c4d5f28313f0e9509dc8071bb52cecf95b2ce65a95fb7b57df9bcf9fc8e27

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5E53.tmp
Filesize
1KB

MD5
3ced98aa2b1f1869c0a1b036c0fe3665

SHA1
1d808f967888580907f1c921c9d0bf22ac1fd718

SHA256
bf90d1b0b0db1d7fe9a3d34d93d6e85c80d914817386c010194d73780c3d7a68

SHA512
de4824027d3e8bf9f788b11cfeafc93f3f80273dab7c615bb8abfee708d15e061319eafc682f3145a21dee8a0eb46db6d638b1875a149f5a3f791fe833002d30

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5F1E.tmp
Filesize
1KB

MD5
8b49338a3e0265fdcb9367e563256e40

SHA1
1617bc9487314b8e9473792b42ea0af044ca4eb5

SHA256
0cb1a53380655bac428163956cf23f18ba918287e2d365693ddaf5834eb6bc24

SHA512
ca637089031a7f3d58b78a2a890acfcc53c26c30796d35080f8132c3e0012a141d0649966a07bc38746ddecdff3bd0dbbd21092007c2e52315d99c5238da93e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5FBA.tmp
Filesize
1KB

MD5
2ef6ff3d9074f097b78754d8d7f7bd07

SHA1
47daf5e519040f72ced3deaf32f9e28423d958c8

SHA256
b298e692916c5266d677f2911a2e36027899aeb43284a3675b4017468e3f8a5e

SHA512
9a0744302f2912d84fbb49306476c041b9cc76cac3de8f12af78a6eedf276467f46656765c5c38dc5b00a1e0e0502aae7fb297d2d8cd328a955496a02cc65a9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6075.tmp
Filesize
1KB

MD5
f06880f7f6bd0f7111bb86851f10d782

SHA1
7f2023045fa92664884061acdc1c8b9e45a3978a

SHA256
acd75ea8540359ba38c54f172461de7c85f04b382ecef298f157a3a9527ae472

SHA512
54b4f3b37ff0d485c90699f7b3069c93abaca8a369b61b5d8bd7db648b26bb1838f034797191e521cabf852b5c7bf3068d4b053e4b85db6b1b680248181cc339

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6112.tmp
Filesize
1KB

MD5
8d5286bd3775dc4cb44c6b022354008c

SHA1
f98261b8d8b3df38e7a08e6966e2bbcb11276e45

SHA256
cb4896f5c1fd7044b166b2323366049ca1ae8cbfd4bdb064d0d235e495b2eb17

SHA512
d5481bdf6ed528d441bced182ae429b65f7a848ac45b8f9dd812c09cd21dad7d13ca5a5177ff9eeb94151a625d90f22c06ec4a03d634593cedce9dc7ebe2a428

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES61AE.tmp
Filesize
1KB

MD5
007b1c9724e959f9fb3c001f185f8d49

SHA1
471878ec7e2da928c3252a9f1de6f9ed9eb8dc0b

SHA256
ee0a4e97126cf7def04d1305667076b0f14c25e6e6d22bc663d5c5f862c4a90b

SHA512
491e8ad9135220abef0f9ce11920de9a7af085cfa8693429826097ca1f8fd0f88a2a5a039698fc045fbc0383b6e79e310661eae06dfdd3ba15820760d274240f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES621B.tmp
Filesize
1KB

MD5
ceb62d30c8be6c8795ffa9431dafe193

SHA1
917ccdc18eaa47507ee380ab2c25c689f2d76178

SHA256
6e23b603b6ef2898b2b08badb00efbbb67631de2e82880160990ca091ea35b7e

SHA512
73df3ac2ede57059a8bdde0aa6fe55f8e4cc246c1f9a2b72e8b0748fc28355889321ec594ba23c669dbef64d76877da1db96a0fd00e18b2bc035a1b0c476fb2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES62B8.tmp
Filesize
1KB

MD5
4d8eab7919389575988f35901ba1b2aa

SHA1
31a5732c6666bca0e2f9620e4e595480e845d5db

SHA256
8ce90bfb498dc542eaab2459eb60776fafe93e23b0e897f069d1eccb2fae970d

SHA512
2617326885a504d9e980e8fd9ebe4807d76edd2a55e8a46167b59440cac3cbf38f1acc5a93792dc99a0a4fcfcd484c00742df96e344f2180a43c6fce1c736b72

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eq5umwna.oen.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\aprju97-.0.vb
Filesize
272B

MD5
2b3aac520562a93ebef6a5905d4765c9

SHA1
10ab45c5d73934b16fac5e30bf22f17d3e0810c8

SHA256
b9f0edf067faaaa7da2d47e3d22b957cd302eb25e01e08ea79c664868f328f89

SHA512
9514934ed12d93ea3ad4e6873cf294bafa114bc7a784a93b14dd2410d07fae3a2c00308035a5c129c57e283de8b94ed36fd9f9de35b08eb79a82a0c732e50446

Download Submit
C:\Users\Admin\AppData\Local\Temp\aprju97-.cmdline
Filesize
172B

MD5
101c30b47c6c2c8f33cf0ee586e27b48

SHA1
38cd906afb31542c7896320b4e4aba5b3c3c40b6

SHA256
cdfda2e55344f7c3da01a902dcd9a2cb2aa4384052d1b94cd076a4fa5654372b

SHA512
3a2a4d40e60b2671cb78941f5a0a1aa85be872235f9d520f3658d5a880de5515aa17bf1c522be541a05d9b793327aacab2538429b760fa9f8a1eb1d844a0b4a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\bn9ibdxz.0.vb
Filesize
262B

MD5
88cc385da858aaa7057b54eaeb0df718

SHA1
b108224d4686b5ca3faaeb1c728dfba8740a6eca

SHA256
08a30db98d970e3b6819d5ecff6eab2211ce93f4cd000c09db96ffb294d05020

SHA512
4787835240c3e2364172ac2e7649ec8fecb907c7006c38734e59aa65509f360b4596d5db8de20e0c7388a022e1c2f4f9ba75acabba798bea1d40f688539b7df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\bn9ibdxz.cmdline
Filesize
162B

MD5
6a0eaa725e00dc8b05e8d0766688a3fc

SHA1
9e6bda7b7310ee5f34a49f870d19ffd27f2f0f64

SHA256
d1bedf0cdedc58211762076bfd28d12d7bfff90a21f8f2215971254abdd4739f

SHA512
725a62b07d571880bb4c0f9c3787ec5fe1de6926932e7496a993636a1618c3e9285e8e911d05a19090bf8f9df90d195cf840446042e9d58cf6e4fd68f1e393ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\c7o14yac.0.vb
Filesize
264B

MD5
5ce3977a153152978fa71f8aa96909e9

SHA1
52af143c553c92afc257f0e0d556908eaa8919cb

SHA256
e07a7bd0c2901d3a349ab55e936b34de2d0abb5f2dc555cc128773b8045d3eed

SHA512
eaee02ceade0211be70a4710b28fdf043d5c540928e2095ead924a44c2edfca8fc6499395d1b7f5deee96394fb5309362fb87e45ee195094ec39d5fa11909d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\c7o14yac.cmdline
Filesize
164B

MD5
d420e206053d3876fac4ad2766be4dce

SHA1
6ed1a4f2a916aacee70efcde6f569abf219d336f

SHA256
4d99bcf0cf7d4399e798fbd9c57af8f1166ece0cc5ed0efcc4012ece60147665

SHA512
2ba8e6bba181f4fa2d52c98f39c7b38e670aa5f0e79a22081888f0affd5830b1445bc0ee45cdb170834aa1821c5f9e4c3b1e718dca16d3190fb3ccfbf1a4f129

Download Submit
C:\Users\Admin\AppData\Local\Temp\ervpyjkl.0.vb
Filesize
271B

MD5
325f27ef75bebe8b3f80680add1943d3

SHA1
1c48e211258f8887946afb063e9315b7609b4ee3

SHA256
034c75813491d628a1a740b45888fc0c301b915456aaa7ba6433b4f1368cda35

SHA512
e2165b425558872897990953c26e48776f45751a53da035f1ad86ac062ec23a2923b984d84f992de5c0170f6e192feb155ffff25f51bc76ab273b996daacb804

Download Submit
C:\Users\Admin\AppData\Local\Temp\ervpyjkl.cmdline
Filesize
171B

MD5
688fbcd229a9b92a97cbaec79adab28f

SHA1
7d36d7ace1828dc7d7bc4673a05d0c88c783a9bf

SHA256
4d744f3ba9b63c9c16888d7e74bfd4727e124fa94448b44144fc3fc0d2e3675a

SHA512
4052a282d26df2a4d63b1fe3ee88df8051ef9a59303290bccc9e0c48a396b90e8f8e2df1d15d48f3736e801892d7ad2a53857ee11798d5a6833419e50279dfa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\gn0tappf.0.vb
Filesize
271B

MD5
ac972015bef75b540eb33503d6e28cc2

SHA1
5c1d09fcf4c719711532dcfd0544dfc6f2b90260

SHA256
fa445cc76cde3461a5f1f1281fefcb0c7db69b2685f8a67a06a0f33a067e74e7

SHA512
36b2e1f7b7a6f2c60788f88d95bfdc53b7d261c203eb637a36fbd07d81bc46edc87e528f1987df73963cb75ca2f19c3a4b3df9ade52d5768ecec23753099cc83

Download Submit
C:\Users\Admin\AppData\Local\Temp\gn0tappf.cmdline
Filesize
171B

MD5
53f88a938927831dd44e9708ec222322

SHA1
ebae164681848308d2eaa9a528a3fbcaad52f6db

SHA256
47a7ac481978a3ade845c4e3686bdf5f208836db74c578e42e65dbbca4d038a7

SHA512
915225da8878bb9033bfd27fb9141cdd97b4a44922a695b0bdd0f1bdcf9e9059a6e9a8178380e02d1e98d9f7dfa0d65a9a6407ae9aea9754509d53d7b6e4d00b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mjho2z2c.0.vb
Filesize
270B

MD5
658573fde2bebc77c740da7ddaa4634b

SHA1
073da76c50b4033fcfdfb37ba6176afd77b0ea55

SHA256
c07206283d62100d426ba62a81e97bd433966f8b52b5a8dd1451e29a804a1607

SHA512
f93c7f4378be5eca51161d1541d772a34c07884c9d829608c6fa21563df5691920394afe9da1174ad5c13f773a588b186d1d38a9d375a28562eb58ca4a8b8fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\mjho2z2c.cmdline
Filesize
170B

MD5
8f3bf313031e0fa059b7b302b25283b6

SHA1
912a896faf899b7f2af875ec6e6931303005e940

SHA256
d208241434c1f886d88383fe88cb7da8aeb443a6e249c7431b8bfbc707ccf1ce

SHA512
8fc2e3b122b6f14c1e52e9b4602d310d09f14b11fbd166f7505d5501fc3f686c05852ca15227003be390b85f0c0d5ed7c75cbace193dd42d9d7b9eb08903e79e

Download Submit
C:\Users\Admin\AppData\Local\Temp\q0vrjw9q.0.vb
Filesize
274B

MD5
539683c4ca4ee4dc46b412c5651f20f5

SHA1
564f25837ce382f1534b088cf2ca1b8c4b078aed

SHA256
ec2210924d5c1af6377ef4bdf76d6ca773aaa1ae0438b0850f44d8c4e16ef92e

SHA512
df7c1a55e53f9b9bf23d27762d2d1163c78808e9b4d95e98c84c55ca4ecb7009ed58574ae6ddede31459f300483a1dc42987295a04f6c8702f297d3f1942f4ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\q0vrjw9q.cmdline
Filesize
174B

MD5
9ea9ce1fe900cbcbfddc099a87b10add

SHA1
57ddaecb7ce590300cbfef6023c7d1edfe42f81a

SHA256
edbd538a1a222fd7b528e6290bc6e659656d982becd5c9916c253434180e7ce6

SHA512
5aff0b0e925c11ad00b877bbc1d96db99a8e2400c47ecf398575694f88a341f54ededbe151041279af4939a2efab61c444ab94220d387958903f0cd40efe2ef5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc44C53DAE655E4F4DA91F263DE9C767E6.TMP
Filesize
668B

MD5
3906bddee0286f09007add3cffcaa5d5

SHA1
0e7ec4da19db060ab3c90b19070d39699561aae2

SHA256
0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00

SHA512
0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5D7E0D3B17044B26B2CE14742F34FB34.TMP
Filesize
684B

MD5
7a707b422baa7ca0bc8883cbe68961e7

SHA1
addf3158670a318c3e8e6fdd6d560244b9e8860e

SHA256
453ad1da51152e3512760bbd206304bf48f9c880f63b6a0726009e2d1371c71c

SHA512
81147c1c4c5859249f4e25d754103f3843416e3d0610ac81ee2ef5e5f50622ea37f0c68eeb7fa404f8a1779dc52af02d2142874e39c212c66fa458e0d62926a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6823B285CD424835AFE96D28FAA6D2A5.TMP
Filesize
644B

MD5
dac60af34e6b37e2ce48ac2551aee4e7

SHA1
968c21d77c1f80b3e962d928c35893dbc8f12c09

SHA256
2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6

SHA512
1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcDC01CF043B9640D2B5A05D5EA2F9FED6.TMP
Filesize
684B

MD5
8135713eeb0cf1521c80ad8f3e7aad22

SHA1
1628969dc6256816b2ab9b1c0163fcff0971c154

SHA256
e14dd88df69dc98be5bedcbc8c43d1e7260b4492899fec24d964000a3b096c7a

SHA512
a0b7210095767b437a668a6b0bcedf42268e80b9184b9910ed67d665fba9f714d06c06bff7b3da63846791d606807d13311946505776a1b891b39058cfb41bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF4DF86E6921D4A4FB1BC34ECC7B7C0B3.TMP
Filesize
676B

MD5
85c61c03055878407f9433e0cc278eb7

SHA1
15a60f1519aefb81cb63c5993400dd7d31b1202f

SHA256
f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b

SHA512
7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

Download Submit
C:\Windows\System32\MSSCS.exe
Filesize
21KB

MD5
6fe3fb85216045fdf8186429c27458a7

SHA1
ef2c68d0b3edf3def5d90f1525fe87c2142e5710

SHA256
905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550

SHA512
d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c

Download Submit
memory/4276-9-0x00007FFFFE8C0000-0x00007FFFFF261000-memory.dmp

Filesize
9.6MB

Download
memory/4276-6-0x00007FFFFE8C0000-0x00007FFFFF261000-memory.dmp

Filesize
9.6MB

Download
memory/4276-0-0x00007FFFFEB75000-0x00007FFFFEB76000-memory.dmp

Filesize
4KB

Download
memory/4276-8-0x00007FFFFE8C0000-0x00007FFFFF261000-memory.dmp

Filesize
9.6MB

Download
memory/4276-20-0x00007FFFFE8C0000-0x00007FFFFF261000-memory.dmp

Filesize
9.6MB

Download
memory/4276-1-0x000000001BEC0000-0x000000001C38E000-memory.dmp

Filesize
4.8MB

Download
memory/4276-7-0x00007FFFFEB75000-0x00007FFFFEB76000-memory.dmp

Filesize
4KB

Download
memory/4276-2-0x000000001B910000-0x000000001B9B6000-memory.dmp

Filesize
664KB

Download
memory/4276-5-0x000000001CD20000-0x000000001CDBC000-memory.dmp

Filesize
624KB

Download
memory/4276-4-0x000000001C4A0000-0x000000001C502000-memory.dmp

Filesize
392KB

Download
memory/4276-3-0x00007FFFFE8C0000-0x00007FFFFF261000-memory.dmp

Filesize
9.6MB

Download
memory/4300-18-0x00007FFFFE8C0000-0x00007FFFFF261000-memory.dmp

Filesize
9.6MB

Download
memory/4300-21-0x00007FFFFE8C0000-0x00007FFFFF261000-memory.dmp

Filesize
9.6MB

Download
memory/4916-30-0x00000247CF380000-0x00000247CF3A2000-memory.dmp

Filesize
136KB

Download