revengerat | d91912b4b945e88e881e54573390e6723cfc41916b6546453b59e60f9beee337

Resubmissions

05-11-2024 03:18

241105-dtxrgatbpg 10

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-11-2024 03:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
Size

21KB
MD5

6fe3fb85216045fdf8186429c27458a7
SHA1

ef2c68d0b3edf3def5d90f1525fe87c2142e5710
SHA256

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550
SHA512

d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c
SSDEEP

384:nPD9On5gIdjbvRPJnMacNj6FIlKrZbJsV5reQ+ys:b9On2nV6FIlKr1

Score

10^/10

revengerat execution stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

RevengeRat Executable 1 IoCs

stealer

Processes:

resource	yara_rule
C:\Windows\System32\MSSCS.exe	revengerat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe

Drops startup file 2 IoCs

Processes:

MSSCS.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSO.exe	MSSCS.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSO.exe	MSSCS.exe

Executes dropped EXE 1 IoCs

Processes:

MSSCS.exe

pid process

4156 MSSCS.exe
Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

3940 powershell.exe

pid	process
4156	MSSCS.exe

pid	process
3940	powershell.exe

Drops file in System32 directory 4 IoCs

Processes:

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exeMSSCS.exe

description	ioc	process
File opened for modification	C:\Windows\system32\MSSCS.exe	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
File opened for modification	C:\Windows\system32\MSSCS.exe	MSSCS.exe
File created	C:\Windows\system32\MSSCS.exe	MSSCS.exe
File created	C:\Windows\system32\MSSCS.exe	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

3940 powershell.exe
3940 powershell.exe

pid	process
3940	powershell.exe
3940	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exeMSSCS.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	804	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
Token: SeDebugPrivilege	4156	MSSCS.exe
Token: SeDebugPrivilege	3940	powershell.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exeMSSCS.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exe

description	pid	process	target process
PID 804 wrote to memory of 4156	804	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe	MSSCS.exe
PID 804 wrote to memory of 4156	804	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe	MSSCS.exe
PID 4156 wrote to memory of 3940	4156	MSSCS.exe	powershell.exe
PID 4156 wrote to memory of 3940	4156	MSSCS.exe	powershell.exe
PID 4156 wrote to memory of 2968	4156	MSSCS.exe	vbc.exe
PID 4156 wrote to memory of 2968	4156	MSSCS.exe	vbc.exe
PID 2968 wrote to memory of 3276	2968	vbc.exe	cvtres.exe
PID 2968 wrote to memory of 3276	2968	vbc.exe	cvtres.exe
PID 4156 wrote to memory of 2456	4156	MSSCS.exe	vbc.exe
PID 4156 wrote to memory of 2456	4156	MSSCS.exe	vbc.exe
PID 2456 wrote to memory of 1568	2456	vbc.exe	cvtres.exe
PID 2456 wrote to memory of 1568	2456	vbc.exe	cvtres.exe
PID 4156 wrote to memory of 5068	4156	MSSCS.exe	vbc.exe
PID 4156 wrote to memory of 5068	4156	MSSCS.exe	vbc.exe
PID 5068 wrote to memory of 3576	5068	vbc.exe	cvtres.exe
PID 5068 wrote to memory of 3576	5068	vbc.exe	cvtres.exe
PID 4156 wrote to memory of 2616	4156	MSSCS.exe	vbc.exe
PID 4156 wrote to memory of 2616	4156	MSSCS.exe	vbc.exe
PID 2616 wrote to memory of 4932	2616	vbc.exe	cvtres.exe
PID 2616 wrote to memory of 4932	2616	vbc.exe	cvtres.exe
PID 4156 wrote to memory of 4464	4156	MSSCS.exe	vbc.exe
PID 4156 wrote to memory of 4464	4156	MSSCS.exe	vbc.exe
PID 4464 wrote to memory of 4128	4464	vbc.exe	cvtres.exe
PID 4464 wrote to memory of 4128	4464	vbc.exe	cvtres.exe
PID 4156 wrote to memory of 4124	4156	MSSCS.exe	vbc.exe
PID 4156 wrote to memory of 4124	4156	MSSCS.exe	vbc.exe
PID 4124 wrote to memory of 5004	4124	vbc.exe	cvtres.exe
PID 4124 wrote to memory of 5004	4124	vbc.exe	cvtres.exe
PID 4156 wrote to memory of 3140	4156	MSSCS.exe	vbc.exe
PID 4156 wrote to memory of 3140	4156	MSSCS.exe	vbc.exe
PID 3140 wrote to memory of 1820	3140	vbc.exe	cvtres.exe
PID 3140 wrote to memory of 1820	3140	vbc.exe	cvtres.exe
PID 4156 wrote to memory of 3728	4156	MSSCS.exe	vbc.exe
PID 4156 wrote to memory of 3728	4156	MSSCS.exe	vbc.exe
PID 3728 wrote to memory of 1124	3728	vbc.exe	cvtres.exe
PID 3728 wrote to memory of 1124	3728	vbc.exe	cvtres.exe
PID 4156 wrote to memory of 4284	4156	MSSCS.exe	vbc.exe
PID 4156 wrote to memory of 4284	4156	MSSCS.exe	vbc.exe
PID 4284 wrote to memory of 2288	4284	vbc.exe	cvtres.exe
PID 4284 wrote to memory of 2288	4284	vbc.exe	cvtres.exe
PID 4156 wrote to memory of 3936	4156	MSSCS.exe	vbc.exe
PID 4156 wrote to memory of 3936	4156	MSSCS.exe	vbc.exe
PID 3936 wrote to memory of 400	3936	vbc.exe	cvtres.exe
PID 3936 wrote to memory of 400	3936	vbc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
"C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:804
- C:\Windows\system32\MSSCS.exe
  "C:\Windows\system32\MSSCS.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4156
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ExecutionPolicy Bypass -Command [System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms'); [System.Windows.Forms.MessageBox]::Show('Isto abriu lol','Rekt!',0,64)
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3940
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pv_w1uj1.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2968
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBB9A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8071517C4D6D42668F5D47227A7DC84.TMP"
      4⤵
      PID:3276
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5n-38ur6.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2456
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBC85.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc291ECF849304BE99B22B0936171810.TMP"
      4⤵
      PID:1568
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nqbz4fjh.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5068
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBD11.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF5CA70CDF35B40918BB9772BF064CA2B.TMP"
      4⤵
      PID:3576
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jepeuleq.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBD6F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc33777EAC96A24E42891ACC4F1CA67D71.TMP"
      4⤵
      PID:4932
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\d_ommovp.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4464
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBDEC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6A17967B63684F1DB6F361ABD3A1BC94.TMP"
      4⤵
      PID:4128
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\76igypon.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4124
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBE79.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE6E6D15C3C514EE88D32EFB74B93D5F.TMP"
      4⤵
      PID:5004
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1qlkhndi.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3140
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBEE6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2C0BE3C0296C419B98711DA3CD9ADE2.TMP"
      4⤵
      PID:1820
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4hdmsuje.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3728
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBF53.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc341F0DE096E546E8911A47F069BA1155.TMP"
      4⤵
      PID:1124
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bnbcxlsu.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4284
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBFC1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4974501916D74165AB8490C55A41AB29.TMP"
      4⤵
      PID:2288
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ka1qfczk.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3936
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC03E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBB640DDCB3D3468E885AF6B9C38FEEB5.TMP"
      4⤵
      PID:400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1qlkhndi.0.vb

Filesize
264B

MD5
5ce3977a153152978fa71f8aa96909e9

SHA1
52af143c553c92afc257f0e0d556908eaa8919cb

SHA256
e07a7bd0c2901d3a349ab55e936b34de2d0abb5f2dc555cc128773b8045d3eed

SHA512
eaee02ceade0211be70a4710b28fdf043d5c540928e2095ead924a44c2edfca8fc6499395d1b7f5deee96394fb5309362fb87e45ee195094ec39d5fa11909d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\1qlkhndi.cmdline

Filesize
164B

MD5
bba1f7a96d424d20f290fedb788f3521

SHA1
3b842f716dc7ef960ee9c8bd2c6c3c1b9b6ea676

SHA256
6e08e2b89f5d7fd9eac5ae386a918b017f0e85ce4661d5b6dda668551dd3c0a2

SHA512
3dae342015c321de1bfaa31db01b5d97b3ba9d8ed3b945bd0fba3786c4ec5ed171f00cec095fd7d5328f8dbe6c4591059e0edfedd6fcaf16c960df955184674d

Download Submit
C:\Users\Admin\AppData\Local\Temp\4hdmsuje.0.vb

Filesize
270B

MD5
658573fde2bebc77c740da7ddaa4634b

SHA1
073da76c50b4033fcfdfb37ba6176afd77b0ea55

SHA256
c07206283d62100d426ba62a81e97bd433966f8b52b5a8dd1451e29a804a1607

SHA512
f93c7f4378be5eca51161d1541d772a34c07884c9d829608c6fa21563df5691920394afe9da1174ad5c13f773a588b186d1d38a9d375a28562eb58ca4a8b8fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\4hdmsuje.cmdline

Filesize
170B

MD5
bf09670aa38675e05fa7d72feb8d42c8

SHA1
db7fcf45d6241c7dbedec424b93e610553507aa9

SHA256
8b53b4eca329c8b7a541638ae58e73dd9dc86a23e29433a1a1bb4b17b4c9ee86

SHA512
bfa05bf17442a1c613fc1c133781345843d89fffe171f7a8bdf71208d6451dc05324d7fce917aa24936df22d17dfb1aeaec0159d116472253addb8e8a84799e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\5n-38ur6.0.vb

Filesize
262B

MD5
88cc385da858aaa7057b54eaeb0df718

SHA1
b108224d4686b5ca3faaeb1c728dfba8740a6eca

SHA256
08a30db98d970e3b6819d5ecff6eab2211ce93f4cd000c09db96ffb294d05020

SHA512
4787835240c3e2364172ac2e7649ec8fecb907c7006c38734e59aa65509f360b4596d5db8de20e0c7388a022e1c2f4f9ba75acabba798bea1d40f688539b7df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\5n-38ur6.cmdline

Filesize
162B

MD5
eefdaa72259ae96cde96b929f844cfe1

SHA1
63e1ab7594d7d1e6f0d7944e9c41833a71823d70

SHA256
c473e7d732c489ddb07f508bf78c106d5f6853d712690eb9deb5d944753cb500

SHA512
61f34e724a7bb713f0870fc84c2e0463a7e8cc862b1fa5222e198fe1474f3b5a9e414b0b709ec686c0361dab609fdfd035a3e19fe203125b1aae6f31852897eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\76igypon.0.vb

Filesize
274B

MD5
539683c4ca4ee4dc46b412c5651f20f5

SHA1
564f25837ce382f1534b088cf2ca1b8c4b078aed

SHA256
ec2210924d5c1af6377ef4bdf76d6ca773aaa1ae0438b0850f44d8c4e16ef92e

SHA512
df7c1a55e53f9b9bf23d27762d2d1163c78808e9b4d95e98c84c55ca4ecb7009ed58574ae6ddede31459f300483a1dc42987295a04f6c8702f297d3f1942f4ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\76igypon.cmdline

Filesize
174B

MD5
d7b2933210f3a59d1a53c814932730b1

SHA1
cad4a09d5421fb0e55d1207f8f112024e6c3e790

SHA256
c600268f17698525aa1ec3e4d6b3227bd8cf8ae213853727ff85a3b319d60a5b

SHA512
4f260de4518d12bae2af29fc4998c45c0868b3ce60ddcf6db8b694df4f3432378d04c2e3df55a874d4b2c0ce2937bf16bb4fa35cda24bf4c730ba00491bda7fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBB9A.tmp

Filesize
1KB

MD5
af92fcad3a6da9460fb0216501449e99

SHA1
5cb811b88291c0805bc79c270bc62bfeda751d78

SHA256
bd1af33f257f8779d9c33f5f39545b7925a86026f62d8bff1174b014383a9ca6

SHA512
814092b2c763e3250ebab11e11e2f814e8e9316316ee08c897caa15b83d054495c14cb82bfb3d7c94df24094282969cc4c7b473087c09051dcb77ce11339025d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBC85.tmp

Filesize
1KB

MD5
5b6da02b73dfb32b23103081733fb5b5

SHA1
edb6384a7f4a12173cb7fa931710fa774f77c022

SHA256
4c2456a9e47e8c75ff4941b59939ae3f95a00412061f7f843aef8794f68d60eb

SHA512
b92d207bc44e9297e1a5a38e7712c615e76388a025d11e6d2c7e77eacb66d767ed5cbfd3f3ae91bac0f472102b66a9b8adba1e088e3d3dc7d55b1f8fb9b2582a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBD11.tmp

Filesize
1KB

MD5
2eca326012772c301774cfc1d7009756

SHA1
2f8ed54f958bd71e7f1f395a41a73070100db1e1

SHA256
bb704ca016a252ce7c02723e458ee518d2799d88968212a775a2ee01043f66bf

SHA512
44c868fc69e12c00f129991a0861ec93063f66565f95082378a52c3f6467cf7571e5cc85b6923a9363fcc33c7aa69a384cde52c77b42523b540bcee8e5c7d9ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBD6F.tmp

Filesize
1KB

MD5
90587d7a35f460cb285a166bf281bcc2

SHA1
e1a302379509f93e5dd4012cd3109171b4629f32

SHA256
2f93d6d87120875f000606a9d951cfdb49ed2dd6b54bc034aa1d2210473b61ec

SHA512
22d751bca5dc71a500f534a332322c677d131e8afaff4faaeaf2881a57073ad4208919216dd910e43cb0e93cbd1f028d59a60af8855df7d5a820ecdfbb6f7fb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBDEC.tmp

Filesize
1KB

MD5
534dce6b2959e61c425e54ffd69879b5

SHA1
89638cb919896aca00c2a4d9d4ec60fec531c40b

SHA256
41340ef6e77b16dbf0d4c41eeafc3175e7db473f916bcd07ce18525e071d75f3

SHA512
fc9c6182d34bf077368eaab1051254884f46d30a7ac7141233f4e46b88ac205b6bbde8b336d2f1fed35c21f118073e48d6d8c7a1029dae5d4af851cde82bd030

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBE79.tmp

Filesize
1KB

MD5
101c6daccc10e41d2a0ff91daaa7f043

SHA1
de17da252ae68ecbb40699add5b75687263fb527

SHA256
a44664ce523048d633978960bf4fd4c5738980f308a85eac92b0c3b4a8c61a9d

SHA512
eb7bec2caca291cff4c1b1c9cef9d208ef14dbab425d23ced871ba623aebe5f1f8a642eea7a90049a1e183839c980686ff5e77f9b267510aa3879f6e2c9397cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBEE6.tmp

Filesize
1KB

MD5
57e0f083c258a5da4485a40491343fe8

SHA1
ce4a0cfb616ea8360fed91dd9f12483a707b94f5

SHA256
8c5f91c35abcfcee96726a32da944e645464394debf7ff9c511f0993290c12b9

SHA512
885d3c92a4cd971985a546c3f100c8dba00370d91c39246d64cd7575815f8580ef3dafd5cb2d0980a840304db9fa336748da754bf4f142c8833089226bb96055

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBF53.tmp

Filesize
1KB

MD5
a82fd1757ee8c34705dd8d6fdfb332a5

SHA1
d1bdd428e7228fd14e4fb0ed2f45ed0da9122fc7

SHA256
faf41e2e7e30a3aee6e8b0803f71146ec7f0f7187098d0e3a933f3c96f133579

SHA512
1caf92443a2d30a5f7ea52ec57b24b059ca1d324a95023e7e9252b85770dc8be3f1486ed254d21a8e916308eb7ff6334ce549d4cdf8e8c995622dd0d9254f53f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBFC1.tmp

Filesize
1KB

MD5
e445543e6ac22cbe7ebb98e5f6c573cc

SHA1
2b1fb8b00d2c4ab2e6fc1c03a91bef8ddb87238f

SHA256
57969cff0417bd24169b44a11f790e5f961151a8603a391adbab50a44e7861e8

SHA512
156da0c0bfe6221469dd0b869fa5571fa328ca899f520b33cffdd1fb4c3022a0fde2cc866f9dab12d84bf608c44208cd273eb454519e27bbbb8da6109ed47e82

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC03E.tmp

Filesize
1KB

MD5
c6dc5df04d331673fd896be05e59eb82

SHA1
0c3055127b91b595be9f6e3167017ae5e34e1141

SHA256
3f93e623c6d8cd46d957bd654976057e6ba836f197048e719bcea214efec03a0

SHA512
d2f8f3ff0a70c825a3069d64a3972a857a81996976d936711660dfa3f40add0efcf99f2b79e7e16ab36d1d6b36cc0b8f76cbcaa1c663bfc85f6e830f6f470429

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zqucteuf.5hi.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bnbcxlsu.0.vb

Filesize
271B

MD5
325f27ef75bebe8b3f80680add1943d3

SHA1
1c48e211258f8887946afb063e9315b7609b4ee3

SHA256
034c75813491d628a1a740b45888fc0c301b915456aaa7ba6433b4f1368cda35

SHA512
e2165b425558872897990953c26e48776f45751a53da035f1ad86ac062ec23a2923b984d84f992de5c0170f6e192feb155ffff25f51bc76ab273b996daacb804

Download Submit
C:\Users\Admin\AppData\Local\Temp\bnbcxlsu.cmdline

Filesize
171B

MD5
f03c1fb52675f57e267d26e70aa21b12

SHA1
1a929496afad54babeada45727a71f5dd85c5ea5

SHA256
6fd7c59d204890c387cf4f629ae2d4a19322f768e67132bca70a1167431458c1

SHA512
293966e83a823d3680f7ff972e9f9cd0b9dc145506fcc53c4b2c5a831c755bd286fa3e0732cf0a9052c5b3b9cd59fb3ae2352ed5f0c044e942f34ec5525e53c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\d_ommovp.0.vb

Filesize
272B

MD5
2b3aac520562a93ebef6a5905d4765c9

SHA1
10ab45c5d73934b16fac5e30bf22f17d3e0810c8

SHA256
b9f0edf067faaaa7da2d47e3d22b957cd302eb25e01e08ea79c664868f328f89

SHA512
9514934ed12d93ea3ad4e6873cf294bafa114bc7a784a93b14dd2410d07fae3a2c00308035a5c129c57e283de8b94ed36fd9f9de35b08eb79a82a0c732e50446

Download Submit
C:\Users\Admin\AppData\Local\Temp\d_ommovp.cmdline

Filesize
172B

MD5
470cddc4bba23c3516314a3cf82be2ad

SHA1
bf0438470ab8d87aa4d14d1eb238a657a8a8457e

SHA256
a62630f1fafabb26e35cffd3daad31da2bee7d24758382b499cf5c9a21bcd03a

SHA512
80acc410da0cc9c36ff5b337f00924ec4693b5e98eab102b45965b65e03ff3a498837aec1fe93d434252b12118fd7472a790e09f1b5a10bcd0735bd14995c2be

Download Submit
C:\Users\Admin\AppData\Local\Temp\jepeuleq.0.vb

Filesize
271B

MD5
ac972015bef75b540eb33503d6e28cc2

SHA1
5c1d09fcf4c719711532dcfd0544dfc6f2b90260

SHA256
fa445cc76cde3461a5f1f1281fefcb0c7db69b2685f8a67a06a0f33a067e74e7

SHA512
36b2e1f7b7a6f2c60788f88d95bfdc53b7d261c203eb637a36fbd07d81bc46edc87e528f1987df73963cb75ca2f19c3a4b3df9ade52d5768ecec23753099cc83

Download Submit
C:\Users\Admin\AppData\Local\Temp\jepeuleq.cmdline

Filesize
171B

MD5
445ebae720b5261e639f7cb6829a8e9b

SHA1
8e98eecb37efb20b216ae2cb426a98cb61785168

SHA256
fe8d46fd6df8883e270d5a5ba5293007b027b26fd2edecee96b77c898dcee8d2

SHA512
9062f0c4d915f1525bd05ea5b8eb782c6c4dd94e2e78230b1a3fe77c5c96d9ae7a5138e4f750a320f40c4e5609aa9a92101e053ca769b10e3d85d85399952ad8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ka1qfczk.0.vb

Filesize
273B

MD5
3c3d3136aa9f1b87290839a1d26ad07a

SHA1
005a23a138be5d7a98bdd4a6cc7fab8bdca962f4

SHA256
5b745f85a39312bfa585edbd7e3465371578b42fa639eded4cdad8c9f96b87fd

SHA512
fbb085ffcd77ac96c245067fd96a0c20492d55331161f292975b0c11386424a96534a500133217f84d44455e16139d01230455bce5db3d472271620c29381f60

Download Submit
C:\Users\Admin\AppData\Local\Temp\ka1qfczk.cmdline

Filesize
173B

MD5
685eb69ff0e1ac7a6372b3a8d870c8bb

SHA1
bbc18e950986bd3ea055556c479c3902d214dbf2

SHA256
5d53da97b95a5b2cf44a2f5c03bde36f7ea110cc95058a923fb5448a7410bd4c

SHA512
c5eacc485a941439a7dcd0c75897b632ce840255ad6c0cf4e51102007973f103c2e1b9547c44d1d1ccc60e93ac27f172ca008b561f2139bd80910bce4428f25f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nqbz4fjh.0.vb

Filesize
263B

MD5
d1110a95f1e40f726584bd99eca52fe7

SHA1
97fac683e1116ab31a9cc9c3dcfd9fe9e53505c3

SHA256
00f373eb310beace70146b6e0fd188aa2f437efb2e5a2714a11d4d58e27d3142

SHA512
f15b5b310ace82a0106b551d71ad3d48e1c75085aa78b8bb3374a2334ceb073bd4d1bf4cd0b4e39034c39f01b6bcd76e8be30198e4872f5641a7d29b255154b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nqbz4fjh.cmdline

Filesize
163B

MD5
23af01d7193272dbcf7ea63ee4db1609

SHA1
e2b74af5d2af9b2a7b2c456b23722294a4badbb3

SHA256
2d1799eaf0b1e5f91bae720d7087de0d88ae46c1a8340b17472f6131ba58b1d3

SHA512
8dc1a85c89a18d1362eb68fc10af29af45b85598ebe315b8f9e60a5d5d7085554cc9982ae72ba5a5965153f4209cd7ac91d85da7155617620b36acb857690d79

Download Submit
C:\Users\Admin\AppData\Local\Temp\pv_w1uj1.0.vb

Filesize
256B

MD5
076803692ac8c38d8ee02672a9d49778

SHA1
45d2287f33f3358661c3d6a884d2a526fc6a0a46

SHA256
5b3ab23bcadaeb54a41bdb1636bcaf7772af028d375f42baeb967de6579ef2a3

SHA512
cc9126384a287ccb99d10d5c2d3034cdbc8a45e94f1cec48dd95f2aa08ebbe3053ffd6d6effa31f2d84164edbb6136398cd02c08b05f027a6a777dffd1daea5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\pv_w1uj1.cmdline

Filesize
156B

MD5
4c0020164761145bcc3bacdd3beeb8c2

SHA1
76a6e3dac467708f510e6dc07adc51b5d90659f7

SHA256
4be5b7f4ad6bc134b30a1a8db437279e1daca9f7b62bab0003a178181597a87a

SHA512
3137b51e6947653df7fdb1023ee7ae808c67aa839986943c7a795ecde7e20390b2f718d05561d1adabca3322f1757a2d62b0651a3f4b956b8d81a650a31b0d35

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc291ECF849304BE99B22B0936171810.TMP

Filesize
668B

MD5
3906bddee0286f09007add3cffcaa5d5

SHA1
0e7ec4da19db060ab3c90b19070d39699561aae2

SHA256
0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00

SHA512
0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8071517C4D6D42668F5D47227A7DC84.TMP

Filesize
644B

MD5
dac60af34e6b37e2ce48ac2551aee4e7

SHA1
968c21d77c1f80b3e962d928c35893dbc8f12c09

SHA256
2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6

SHA512
1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcBB640DDCB3D3468E885AF6B9C38FEEB5.TMP

Filesize
684B

MD5
7a707b422baa7ca0bc8883cbe68961e7

SHA1
addf3158670a318c3e8e6fdd6d560244b9e8860e

SHA256
453ad1da51152e3512760bbd206304bf48f9c880f63b6a0726009e2d1371c71c

SHA512
81147c1c4c5859249f4e25d754103f3843416e3d0610ac81ee2ef5e5f50622ea37f0c68eeb7fa404f8a1779dc52af02d2142874e39c212c66fa458e0d62926a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE6E6D15C3C514EE88D32EFB74B93D5F.TMP

Filesize
684B

MD5
8135713eeb0cf1521c80ad8f3e7aad22

SHA1
1628969dc6256816b2ab9b1c0163fcff0971c154

SHA256
e14dd88df69dc98be5bedcbc8c43d1e7260b4492899fec24d964000a3b096c7a

SHA512
a0b7210095767b437a668a6b0bcedf42268e80b9184b9910ed67d665fba9f714d06c06bff7b3da63846791d606807d13311946505776a1b891b39058cfb41bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF5CA70CDF35B40918BB9772BF064CA2B.TMP

Filesize
676B

MD5
85c61c03055878407f9433e0cc278eb7

SHA1
15a60f1519aefb81cb63c5993400dd7d31b1202f

SHA256
f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b

SHA512
7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

Download Submit
C:\Windows\System32\MSSCS.exe

Filesize
21KB

MD5
6fe3fb85216045fdf8186429c27458a7

SHA1
ef2c68d0b3edf3def5d90f1525fe87c2142e5710

SHA256
905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550

SHA512
d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c

Download Submit
memory/804-7-0x00007FFD8E885000-0x00007FFD8E886000-memory.dmp

Filesize
4KB

Download
memory/804-4-0x000000001BD60000-0x000000001BE06000-memory.dmp

Filesize
664KB

Download
memory/804-1-0x00007FFD8E5D0000-0x00007FFD8EF71000-memory.dmp

Filesize
9.6MB

Download
memory/804-0-0x00007FFD8E885000-0x00007FFD8E886000-memory.dmp

Filesize
4KB

Download
memory/804-2-0x00007FFD8E5D0000-0x00007FFD8EF71000-memory.dmp

Filesize
9.6MB

Download
memory/804-3-0x000000001C3B0000-0x000000001C87E000-memory.dmp

Filesize
4.8MB

Download
memory/804-8-0x00007FFD8E5D0000-0x00007FFD8EF71000-memory.dmp

Filesize
9.6MB

Download
memory/804-21-0x00007FFD8E5D0000-0x00007FFD8EF71000-memory.dmp

Filesize
9.6MB

Download
memory/804-6-0x000000001D140000-0x000000001D1DC000-memory.dmp

Filesize
624KB

Download
memory/804-5-0x000000001C880000-0x000000001C8E2000-memory.dmp

Filesize
392KB

Download
memory/3940-31-0x00000235EDB20000-0x00000235EDB42000-memory.dmp

Filesize
136KB

Download
memory/4156-22-0x00007FFD8E5D0000-0x00007FFD8EF71000-memory.dmp

Filesize
9.6MB

Download
memory/4156-17-0x00007FFD8E5D0000-0x00007FFD8EF71000-memory.dmp

Filesize
9.6MB

Download
memory/4156-18-0x00007FFD8E5D0000-0x00007FFD8EF71000-memory.dmp

Filesize
9.6MB

Download
memory/4156-19-0x00007FFD8E5D0000-0x00007FFD8EF71000-memory.dmp

Filesize
9.6MB

Download