revengerat | f1bbcc5c678d174d858ae089f4494e3ea8bcfc418098d61804a15e437f08aff7

Resubmissions

03-07-2024 22:59

240703-2yn7wszhlp 10

03-07-2024 16:13

03-07-2024 16:11

10-05-2024 16:25

24-08-2023 11:16

05-08-2023 22:52

Analysis

max time kernel
1792s
max time network
1801s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03-07-2024 16:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
Size

21KB
MD5

6fe3fb85216045fdf8186429c27458a7
SHA1

ef2c68d0b3edf3def5d90f1525fe87c2142e5710
SHA256

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550
SHA512

d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c
SSDEEP

384:nPD9On5gIdjbvRPJnMacNj6FIlKrZbJsV5reQ+ys:b9On2nV6FIlKr1

Score

10^/10

revengerat xdsddd execution stealer trojan

Malware Config

Extracted

Family

revengerat

Botnet

XDSDDD

84.91.119.105:333

Mutex

RV_MUTEX-wtZlNApdygPh

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

Processes:

resource	yara_rule
C:\Windows\system32\MSSCS.exe	revengerat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe

Drops startup file 2 IoCs

Processes:

MSSCS.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSO.exe	MSSCS.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSO.exe	MSSCS.exe

Executes dropped EXE 1 IoCs

Processes:

MSSCS.exe

pid process

4432 MSSCS.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
4432	MSSCS.exe

Drops file in System32 directory 4 IoCs

Processes:

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exeMSSCS.exe

description	ioc	process
File created	C:\Windows\system32\MSSCS.exe	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
File opened for modification	C:\Windows\system32\MSSCS.exe	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
File opened for modification	C:\Windows\system32\MSSCS.exe	MSSCS.exe
File created	C:\Windows\system32\MSSCS.exe	MSSCS.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

3596 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

3596 powershell.exe
3596 powershell.exe

pid	process
3596	powershell.exe

pid	process
3596	powershell.exe
3596	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exeMSSCS.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4464	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
Token: SeDebugPrivilege	4432	MSSCS.exe
Token: SeDebugPrivilege	3596	powershell.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exeMSSCS.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exe

description	pid	process	target process
PID 4464 wrote to memory of 4432	4464	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe	MSSCS.exe
PID 4464 wrote to memory of 4432	4464	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe	MSSCS.exe
PID 4432 wrote to memory of 3596	4432	MSSCS.exe	powershell.exe
PID 4432 wrote to memory of 3596	4432	MSSCS.exe	powershell.exe
PID 4432 wrote to memory of 3432	4432	MSSCS.exe	vbc.exe
PID 4432 wrote to memory of 3432	4432	MSSCS.exe	vbc.exe
PID 3432 wrote to memory of 4316	3432	vbc.exe	cvtres.exe
PID 3432 wrote to memory of 4316	3432	vbc.exe	cvtres.exe
PID 4432 wrote to memory of 4044	4432	MSSCS.exe	vbc.exe
PID 4432 wrote to memory of 4044	4432	MSSCS.exe	vbc.exe
PID 4044 wrote to memory of 4728	4044	vbc.exe	cvtres.exe
PID 4044 wrote to memory of 4728	4044	vbc.exe	cvtres.exe
PID 4432 wrote to memory of 2384	4432	MSSCS.exe	vbc.exe
PID 4432 wrote to memory of 2384	4432	MSSCS.exe	vbc.exe
PID 2384 wrote to memory of 5092	2384	vbc.exe	cvtres.exe
PID 2384 wrote to memory of 5092	2384	vbc.exe	cvtres.exe
PID 4432 wrote to memory of 1816	4432	MSSCS.exe	vbc.exe
PID 4432 wrote to memory of 1816	4432	MSSCS.exe	vbc.exe
PID 1816 wrote to memory of 3208	1816	vbc.exe	cvtres.exe
PID 1816 wrote to memory of 3208	1816	vbc.exe	cvtres.exe
PID 4432 wrote to memory of 4060	4432	MSSCS.exe	vbc.exe
PID 4432 wrote to memory of 4060	4432	MSSCS.exe	vbc.exe
PID 4060 wrote to memory of 4340	4060	vbc.exe	cvtres.exe
PID 4060 wrote to memory of 4340	4060	vbc.exe	cvtres.exe
PID 4432 wrote to memory of 3800	4432	MSSCS.exe	vbc.exe
PID 4432 wrote to memory of 3800	4432	MSSCS.exe	vbc.exe
PID 3800 wrote to memory of 4680	3800	vbc.exe	cvtres.exe
PID 3800 wrote to memory of 4680	3800	vbc.exe	cvtres.exe
PID 4432 wrote to memory of 4672	4432	MSSCS.exe	vbc.exe
PID 4432 wrote to memory of 4672	4432	MSSCS.exe	vbc.exe
PID 4672 wrote to memory of 324	4672	vbc.exe	cvtres.exe
PID 4672 wrote to memory of 324	4672	vbc.exe	cvtres.exe
PID 4432 wrote to memory of 4312	4432	MSSCS.exe	vbc.exe
PID 4432 wrote to memory of 4312	4432	MSSCS.exe	vbc.exe
PID 4312 wrote to memory of 4596	4312	vbc.exe	cvtres.exe
PID 4312 wrote to memory of 4596	4312	vbc.exe	cvtres.exe
PID 4432 wrote to memory of 732	4432	MSSCS.exe	vbc.exe
PID 4432 wrote to memory of 732	4432	MSSCS.exe	vbc.exe
PID 732 wrote to memory of 3416	732	vbc.exe	cvtres.exe
PID 732 wrote to memory of 3416	732	vbc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
"C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4464

C:\Windows\system32\MSSCS.exe
"C:\Windows\system32\MSSCS.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4432

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Bypass -Command [System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms'); [System.Windows.Forms.MessageBox]::Show('Isto abriu lol','Rekt!',0,64)
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3596

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\k5xkdoom.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:3432

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES334B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5A64BA93923747EB9D6C26EC6D89E87.TMP"
4⤵
PID:4316

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\8lklujso.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:4044

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3406.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD259379E34F046D08790861C77AE226.TMP"
4⤵
PID:4728

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tvx75yzz.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:2384

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3483.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc84630C42F41748BFAA9B313D91634CE.TMP"
4⤵
PID:5092

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\oylmi9nh.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:1816

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3500.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc938D5F09D34A108CBFF97680757A30.TMP"
4⤵
PID:3208

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-ttruk3x.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:4060

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES358D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBE98F5267FB94EB1BA6BECE927853F5.TMP"
4⤵
PID:4340

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ko8988w4.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:3800

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES35FA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF9E52EFC60F543028BA9CB42C7DC48C.TMP"
4⤵
PID:4680

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bwtzu-ty.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:4672

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3658.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc972CE5CFD42F435EB295FB8B56597167.TMP"
4⤵
PID:324

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1takn6br.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:4312

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES36B6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc326FA6DCA32B440AA084C72D8B7329EF.TMP"
4⤵
PID:4596

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\d9fm3uua.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:732

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3714.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD17CBB09259C491896F814C85B34EEFA.TMP"
4⤵
PID:3416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4044,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=4172 /prefetch:8
1⤵
PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\-ttruk3x.0.vb
Filesize
274B

MD5
539683c4ca4ee4dc46b412c5651f20f5

SHA1
564f25837ce382f1534b088cf2ca1b8c4b078aed

SHA256
ec2210924d5c1af6377ef4bdf76d6ca773aaa1ae0438b0850f44d8c4e16ef92e

SHA512
df7c1a55e53f9b9bf23d27762d2d1163c78808e9b4d95e98c84c55ca4ecb7009ed58574ae6ddede31459f300483a1dc42987295a04f6c8702f297d3f1942f4ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\-ttruk3x.cmdline
Filesize
174B

MD5
1b8a6aba01415736e1e4e53ee7de3445

SHA1
a8cc09589d7f64954d84cb46f3f4612229e1efd8

SHA256
1b3a7bf9dd37b5659b4ebf16227bcc166dcfbab4def9cc508df20789f23ba5c7

SHA512
032e11b50d74e30107b99edce613e0956eeb65a229efc27edb6a94821e0841c336ba780d5c8082a2611c628984da7d5e6b056580d8931d09f391b76065c72896

Download Submit
C:\Users\Admin\AppData\Local\Temp\1takn6br.0.vb
Filesize
271B

MD5
325f27ef75bebe8b3f80680add1943d3

SHA1
1c48e211258f8887946afb063e9315b7609b4ee3

SHA256
034c75813491d628a1a740b45888fc0c301b915456aaa7ba6433b4f1368cda35

SHA512
e2165b425558872897990953c26e48776f45751a53da035f1ad86ac062ec23a2923b984d84f992de5c0170f6e192feb155ffff25f51bc76ab273b996daacb804

Download Submit
C:\Users\Admin\AppData\Local\Temp\1takn6br.cmdline
Filesize
171B

MD5
bef58250c4b86ce776d78480c823ce12

SHA1
710f4d157999ba4e5fd4f0a79fbed2cc789cf70a

SHA256
be9bdf91b113708fb9b11efbe37e9ba7f563fedb6176c3f32d4fea1e16befa8f

SHA512
d286bd6baca0e0e51ebb634690e1a2d9b8478c69a1f8c6f15db68e826198f3c4a0fe9f9ce2f27cca860e479a45422cad75b7b7ca3dbf4035dff2ebe39619c75e

Download Submit
C:\Users\Admin\AppData\Local\Temp\8lklujso.0.vb
Filesize
262B

MD5
88cc385da858aaa7057b54eaeb0df718

SHA1
b108224d4686b5ca3faaeb1c728dfba8740a6eca

SHA256
08a30db98d970e3b6819d5ecff6eab2211ce93f4cd000c09db96ffb294d05020

SHA512
4787835240c3e2364172ac2e7649ec8fecb907c7006c38734e59aa65509f360b4596d5db8de20e0c7388a022e1c2f4f9ba75acabba798bea1d40f688539b7df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\8lklujso.cmdline
Filesize
162B

MD5
cf4836b84623ad7a483969c58ef1d221

SHA1
9ceec051217ba0a4f45b0aa7a943e252c545b861

SHA256
659c9b55541ed2c32f0654bfa699448329653d82a47a44eefa5e4455fe2f1200

SHA512
06d0d2f0ae9cd0d143f4445db3e38ab15d4340476937e6e276e56cf76392ec245ef8238a250b880af04e3f8504488f525406f2d5d0e44cb11a4dfa73ae625383

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES334B.tmp
Filesize
1KB

MD5
684d7553ff5046276474b945a34fc97c

SHA1
ab23e744677ec0427663429562373ccc8de70868

SHA256
08a47ebe49ed89ff85a572506f5493443e6ffc3017e6caf1c438210bc2bc4cc7

SHA512
0e8926815af2c7b23a3a6345e8a69c86c0c1bd211c46791f4510aa145f2f7ad38b0806994ab9a26dbdc7da83725d0e0adfa9b023ed0e1000f80754dbf63b24be

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3406.tmp
Filesize
1KB

MD5
bbc294dfe0a2498119e20c359e115aea

SHA1
01e44af4ef3ba041dfe3830537d26086c5ea378c

SHA256
f68de39998d98de5f69ce12793d1735465e198a4ad9815e40bbe0024e1b2bcf0

SHA512
fd5e9bd929c495e93cbf1de04660b0c9be11cdb0c6f28a0ca861fc42366f598b508e4b15c1b73399f40dd4e054c8534e59f56623e71d7d61bcf8ae5d564df7a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3483.tmp
Filesize
1KB

MD5
05f3111bbff5526557417585d3ca5eb4

SHA1
cf7a867117ae16fcbb1101215eeccabf0b08884a

SHA256
9746e1bbcc0633b102bea04651c50011fd677fc49d47b106bc4a2f03320b9752

SHA512
96ec4110fcd2fe32cb75e1b50e38fad0f3644bff069a68c82ec02647e47a6c13e5c282c83d0a188d8c283f1eeb5207d2c32a2f4f5978b41abffb1ebe7dec347c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3500.tmp
Filesize
1KB

MD5
d502c6879071466af5f428a9bb6793cc

SHA1
ad0f4525cc7b9cdda60db2cd4317ca97fb88b2dd

SHA256
0801f3f2bfee950490e02b7187db847cd63f6aab93008d3b459ebb27e144f942

SHA512
785ee400473acf94216f12259dff3261fc70254b1a82a3621e1dceebb2cf3c38e781f8d9f3441b00bd340d2f00556a569394a683c3d5c3aa45e84d1d111bfac6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES358D.tmp
Filesize
1KB

MD5
805e06693d4cd8ea91a2d54d2425687e

SHA1
11abc26babb37a00565ae619ef27a170f6db98f6

SHA256
c7950bf3e22a8ee5c6ef8457148f1d8a5260420c907ceece0bda08743bb218f1

SHA512
0be7bec6a50eded85706b58cddf442c8b9cef717d86a1ca2215058f314d2308790f1e22db3fee6e041a0c4e7a27753f7082a0ac0ff5d074aa8846d24d5e94e95

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES35FA.tmp
Filesize
1KB

MD5
17740e3b2068e321721ef14a7af79054

SHA1
ce8255d6ae6cb7166b898236b8e72193a12f7ecd

SHA256
6823402f3cead19341000e4c2b833c6d219e154c12e4527e936fa0effd0e8219

SHA512
5b714e85f88ec85ad4d1412b713620e5e61453dbffb72949d582736d51d7b5f2f8e3e6d9f2134cdfe16d429191567daed3ab9230dc98b892a20cbfcf818423cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3658.tmp
Filesize
1KB

MD5
f1323542c4ca316d8328aac960f634ca

SHA1
6d3d85f745703ff3baeb7c301e813edec08e09f9

SHA256
dd7b71d12599596226361c5b4356bccd68a3b700d72465ed9f23cf07e339ae6c

SHA512
3ce351c7f4e0253cf0677011592c099d2c25b9dc335179a11afa3351b44541270161c795790fdaec0462d7a6a7eaa232b30987527c403098a9e694ee1fa55984

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES36B6.tmp
Filesize
1KB

MD5
5e842661443c595e45f68957b01c769b

SHA1
87509ce574d093930309344e0f53e0fece242059

SHA256
d6b9073b0172fc81010f55f368a3f88f94f1020480c62bd83c1d4a328e1ce86b

SHA512
db06e113953c0df4cf5f245d3799d2110ca69f40f02ddda76822ed6fd449db74611c07c875bdc9730675117ca5e03403e60a0a90181a1d38577590eeb88bc007

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3714.tmp
Filesize
1KB

MD5
1d86b119c02f1af8477bad0bd0b80aee

SHA1
037c0c1949f51d47e7faf99858d3239081af5268

SHA256
096dea785ece180e7050f4e89af5270f31231273a4d1050e97d47ed1f8ec44e1

SHA512
970eb1bfef24f40c56fd00c8adf08118c64e5cf42160133fd316e8507fbe5828ec01820c1b18c227ac1547dd9951933f3151c6e7f67efb1d5cc2db9fe5274a9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3dcv5r5x.x3o.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bwtzu-ty.0.vb
Filesize
270B

MD5
658573fde2bebc77c740da7ddaa4634b

SHA1
073da76c50b4033fcfdfb37ba6176afd77b0ea55

SHA256
c07206283d62100d426ba62a81e97bd433966f8b52b5a8dd1451e29a804a1607

SHA512
f93c7f4378be5eca51161d1541d772a34c07884c9d829608c6fa21563df5691920394afe9da1174ad5c13f773a588b186d1d38a9d375a28562eb58ca4a8b8fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\bwtzu-ty.cmdline
Filesize
170B

MD5
8c2ef37721093cd1f47006e8e8ea64a1

SHA1
4913f7be775f851450e0025c302eb34fa774b0c2

SHA256
cd632ebfeeb1421f474e3b10661ccacefc22127c9c013e2a168f18753a175b12

SHA512
910c03ccb815629a9db60a1cd15604aab0862b99142d15ca9b30abd92beba47def37b73e33d6fcff7a12c0f45d102ef0995ee56bb9dcc80ecf528f15e4380d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\d9fm3uua.0.vb
Filesize
273B

MD5
3c3d3136aa9f1b87290839a1d26ad07a

SHA1
005a23a138be5d7a98bdd4a6cc7fab8bdca962f4

SHA256
5b745f85a39312bfa585edbd7e3465371578b42fa639eded4cdad8c9f96b87fd

SHA512
fbb085ffcd77ac96c245067fd96a0c20492d55331161f292975b0c11386424a96534a500133217f84d44455e16139d01230455bce5db3d472271620c29381f60

Download Submit
C:\Users\Admin\AppData\Local\Temp\d9fm3uua.cmdline
Filesize
173B

MD5
3080da2c530379e4e57a9de3b850973e

SHA1
288d2b183cef90de396599f017d718b3e8070239

SHA256
1c6df8bb5f15d868961d5da3f6148d7877aacdffd900dbb33f33758caf1070f3

SHA512
b883778d7a5fe96589e11ba59f215fef32ef46545f807f156030b2f215eac733a361e95429e2e047033b35bdb781b890d6eb2230f6d5d3d9147345ad41a47854

Download Submit
C:\Users\Admin\AppData\Local\Temp\k5xkdoom.0.vb
Filesize
256B

MD5
076803692ac8c38d8ee02672a9d49778

SHA1
45d2287f33f3358661c3d6a884d2a526fc6a0a46

SHA256
5b3ab23bcadaeb54a41bdb1636bcaf7772af028d375f42baeb967de6579ef2a3

SHA512
cc9126384a287ccb99d10d5c2d3034cdbc8a45e94f1cec48dd95f2aa08ebbe3053ffd6d6effa31f2d84164edbb6136398cd02c08b05f027a6a777dffd1daea5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\k5xkdoom.cmdline
Filesize
156B

MD5
d71d84889907a97c991cd0bf5e29dc39

SHA1
2d52c4b06a36ed0383982c80fdf7df9636067a92

SHA256
8cc857e86d5483a2382c9961f77680e44d4be9547358d65d6c131ed7816c0bf5

SHA512
992fec2fbe0e9fa484b9032cd2b01edaf02faa4081f903777a8fb69d45d8d350fd1f1afebf6c2b89858ef7471a5c3bd23ee805debbee103d4eae132c85035c85

Download Submit
C:\Users\Admin\AppData\Local\Temp\ko8988w4.0.vb
Filesize
264B

MD5
5ce3977a153152978fa71f8aa96909e9

SHA1
52af143c553c92afc257f0e0d556908eaa8919cb

SHA256
e07a7bd0c2901d3a349ab55e936b34de2d0abb5f2dc555cc128773b8045d3eed

SHA512
eaee02ceade0211be70a4710b28fdf043d5c540928e2095ead924a44c2edfca8fc6499395d1b7f5deee96394fb5309362fb87e45ee195094ec39d5fa11909d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\ko8988w4.cmdline
Filesize
164B

MD5
5860c9972dc17a5f0bb274a9e40a4511

SHA1
6279639981d049ad655b72be1b8656f0c17be62d

SHA256
ccc2fde2465f5506a80fafbcb5bcd3049812b562ba7defda5dc0e14c8b7aa6a3

SHA512
e6bea0eb8729cd3dc8aaa730d2a6677171fe9b59c14b3856b4a91183087e92457cde42620ac50fcb55cd87b2eeb6149220d8b76d977465bc269c3656ac1530cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\oylmi9nh.0.vb
Filesize
272B

MD5
2b3aac520562a93ebef6a5905d4765c9

SHA1
10ab45c5d73934b16fac5e30bf22f17d3e0810c8

SHA256
b9f0edf067faaaa7da2d47e3d22b957cd302eb25e01e08ea79c664868f328f89

SHA512
9514934ed12d93ea3ad4e6873cf294bafa114bc7a784a93b14dd2410d07fae3a2c00308035a5c129c57e283de8b94ed36fd9f9de35b08eb79a82a0c732e50446

Download Submit
C:\Users\Admin\AppData\Local\Temp\oylmi9nh.cmdline
Filesize
172B

MD5
1d9e275d95358ae431237eda122676ea

SHA1
a9bb68691202b60f33578773e8d09d40bb0bbea3

SHA256
e99e5258df40494ecbd44ab7f46c7ee7112be00af062980803514c064355c692

SHA512
9236c9341c5a6ff4ef99e88113b90be65842c06aedbd1852696c31bb87c320d1e899a0c2158ecc9666a941c5e2e3af56d779e2e96d52cb13dff81ebfaf3a4edf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tvx75yzz.0.vb
Filesize
271B

MD5
ac972015bef75b540eb33503d6e28cc2

SHA1
5c1d09fcf4c719711532dcfd0544dfc6f2b90260

SHA256
fa445cc76cde3461a5f1f1281fefcb0c7db69b2685f8a67a06a0f33a067e74e7

SHA512
36b2e1f7b7a6f2c60788f88d95bfdc53b7d261c203eb637a36fbd07d81bc46edc87e528f1987df73963cb75ca2f19c3a4b3df9ade52d5768ecec23753099cc83

Download Submit
C:\Users\Admin\AppData\Local\Temp\tvx75yzz.cmdline
Filesize
171B

MD5
c31edeabab4f3473d6083c744f13074e

SHA1
9486bd860b0e64baf7c704d6a279f396244ee5db

SHA256
9fe448b78be2fe7b681942b96935239964ed5a08fc29d7617315c11a05409308

SHA512
e06f4aab88049b89a65e494ac35258f57c932c04a9f8898e4d9e9e5f5b075787ee96ef19edf15fc87ecb6a54cf3ab325d5a3d4e30c2002a6e82a16f00931befe

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5A64BA93923747EB9D6C26EC6D89E87.TMP
Filesize
644B

MD5
dac60af34e6b37e2ce48ac2551aee4e7

SHA1
968c21d77c1f80b3e962d928c35893dbc8f12c09

SHA256
2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6

SHA512
1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc938D5F09D34A108CBFF97680757A30.TMP
Filesize
676B

MD5
85c61c03055878407f9433e0cc278eb7

SHA1
15a60f1519aefb81cb63c5993400dd7d31b1202f

SHA256
f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b

SHA512
7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcBE98F5267FB94EB1BA6BECE927853F5.TMP
Filesize
684B

MD5
8135713eeb0cf1521c80ad8f3e7aad22

SHA1
1628969dc6256816b2ab9b1c0163fcff0971c154

SHA256
e14dd88df69dc98be5bedcbc8c43d1e7260b4492899fec24d964000a3b096c7a

SHA512
a0b7210095767b437a668a6b0bcedf42268e80b9184b9910ed67d665fba9f714d06c06bff7b3da63846791d606807d13311946505776a1b891b39058cfb41bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD17CBB09259C491896F814C85B34EEFA.TMP
Filesize
684B

MD5
7a707b422baa7ca0bc8883cbe68961e7

SHA1
addf3158670a318c3e8e6fdd6d560244b9e8860e

SHA256
453ad1da51152e3512760bbd206304bf48f9c880f63b6a0726009e2d1371c71c

SHA512
81147c1c4c5859249f4e25d754103f3843416e3d0610ac81ee2ef5e5f50622ea37f0c68eeb7fa404f8a1779dc52af02d2142874e39c212c66fa458e0d62926a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD259379E34F046D08790861C77AE226.TMP
Filesize
668B

MD5
3906bddee0286f09007add3cffcaa5d5

SHA1
0e7ec4da19db060ab3c90b19070d39699561aae2

SHA256
0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00

SHA512
0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

Download Submit
C:\Windows\system32\MSSCS.exe
Filesize
21KB

MD5
6fe3fb85216045fdf8186429c27458a7

SHA1
ef2c68d0b3edf3def5d90f1525fe87c2142e5710

SHA256
905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550

SHA512
d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c

Download Submit
memory/3596-41-0x0000019A7FE80000-0x0000019A7FEA2000-memory.dmp

Filesize
136KB

Download
memory/4432-20-0x00007FFCC30D0000-0x00007FFCC3A71000-memory.dmp

Filesize
9.6MB

Download
memory/4432-21-0x00007FFCC30D0000-0x00007FFCC3A71000-memory.dmp

Filesize
9.6MB

Download
memory/4432-23-0x00007FFCC30D0000-0x00007FFCC3A71000-memory.dmp

Filesize
9.6MB

Download
memory/4432-19-0x00007FFCC30D0000-0x00007FFCC3A71000-memory.dmp

Filesize
9.6MB

Download
memory/4464-7-0x00007FFCC30D0000-0x00007FFCC3A71000-memory.dmp

Filesize
9.6MB

Download
memory/4464-9-0x00007FFCC30D0000-0x00007FFCC3A71000-memory.dmp

Filesize
9.6MB

Download
memory/4464-8-0x00007FFCC3385000-0x00007FFCC3386000-memory.dmp

Filesize
4KB

Download
memory/4464-22-0x00007FFCC30D0000-0x00007FFCC3A71000-memory.dmp

Filesize
9.6MB

Download
memory/4464-6-0x00007FFCC30D0000-0x00007FFCC3A71000-memory.dmp

Filesize
9.6MB

Download
memory/4464-5-0x000000001C800000-0x000000001C89C000-memory.dmp

Filesize
624KB

Download
memory/4464-4-0x000000001C090000-0x000000001C0F2000-memory.dmp

Filesize
392KB

Download
memory/4464-3-0x000000001BF70000-0x000000001C016000-memory.dmp

Filesize
664KB

Download
memory/4464-2-0x000000001B9F0000-0x000000001BEBE000-memory.dmp

Filesize
4.8MB

Download
memory/4464-0-0x00007FFCC3385000-0x00007FFCC3386000-memory.dmp

Filesize
4KB

Download
memory/4464-1-0x00007FFCC30D0000-0x00007FFCC3A71000-memory.dmp

Filesize
9.6MB

Download