revengerat | 38bc13ef112b2f17d4d1a80243fac6a521b5d58228984aae0752d79487fa3b66

Resubmissions

13-11-2024 23:34

241113-3kmbta1eqc 10

13-11-2024 22:28

11-11-2024 05:34

11-11-2024 03:05

11-11-2024 03:00

08-11-2024 08:59

08-11-2024 08:55

Analysis

max time kernel
149s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-11-2024 08:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
Size

21KB
MD5

6fe3fb85216045fdf8186429c27458a7
SHA1

ef2c68d0b3edf3def5d90f1525fe87c2142e5710
SHA256

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550
SHA512

d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c
SSDEEP

384:nPD9On5gIdjbvRPJnMacNj6FIlKrZbJsV5reQ+ys:b9On2nV6FIlKr1

Score

10^/10

revengerat execution stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

RevengeRat Executable 1 IoCs

stealer

Processes:

resource	yara_rule
C:\Windows\System32\MSSCS.exe	revengerat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe

Drops startup file 2 IoCs

Processes:

MSSCS.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSO.exe	MSSCS.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSO.exe	MSSCS.exe

Executes dropped EXE 1 IoCs

Processes:

MSSCS.exe

pid process

624 MSSCS.exe
Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

4600 powershell.exe

pid	process
624	MSSCS.exe

pid	process
4600	powershell.exe

Drops file in System32 directory 4 IoCs

Processes:

MSSCS.exe905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe

description	ioc	process
File opened for modification	C:\Windows\system32\MSSCS.exe	MSSCS.exe
File created	C:\Windows\system32\MSSCS.exe	MSSCS.exe
File created	C:\Windows\system32\MSSCS.exe	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
File opened for modification	C:\Windows\system32\MSSCS.exe	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

4600 powershell.exe
4600 powershell.exe

pid	process
4600	powershell.exe
4600	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exeMSSCS.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4916	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
Token: SeDebugPrivilege	624	MSSCS.exe
Token: SeDebugPrivilege	4600	powershell.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exeMSSCS.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exe

description	pid	process	target process
PID 4916 wrote to memory of 624	4916	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe	MSSCS.exe
PID 4916 wrote to memory of 624	4916	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe	MSSCS.exe
PID 624 wrote to memory of 4600	624	MSSCS.exe	powershell.exe
PID 624 wrote to memory of 4600	624	MSSCS.exe	powershell.exe
PID 624 wrote to memory of 4336	624	MSSCS.exe	vbc.exe
PID 624 wrote to memory of 4336	624	MSSCS.exe	vbc.exe
PID 4336 wrote to memory of 4956	4336	vbc.exe	cvtres.exe
PID 4336 wrote to memory of 4956	4336	vbc.exe	cvtres.exe
PID 624 wrote to memory of 5096	624	MSSCS.exe	vbc.exe
PID 624 wrote to memory of 5096	624	MSSCS.exe	vbc.exe
PID 5096 wrote to memory of 2968	5096	vbc.exe	cvtres.exe
PID 5096 wrote to memory of 2968	5096	vbc.exe	cvtres.exe
PID 624 wrote to memory of 2560	624	MSSCS.exe	vbc.exe
PID 624 wrote to memory of 2560	624	MSSCS.exe	vbc.exe
PID 2560 wrote to memory of 2340	2560	vbc.exe	cvtres.exe
PID 2560 wrote to memory of 2340	2560	vbc.exe	cvtres.exe
PID 624 wrote to memory of 1288	624	MSSCS.exe	vbc.exe
PID 624 wrote to memory of 1288	624	MSSCS.exe	vbc.exe
PID 1288 wrote to memory of 4972	1288	vbc.exe	cvtres.exe
PID 1288 wrote to memory of 4972	1288	vbc.exe	cvtres.exe
PID 624 wrote to memory of 3116	624	MSSCS.exe	vbc.exe
PID 624 wrote to memory of 3116	624	MSSCS.exe	vbc.exe
PID 3116 wrote to memory of 2652	3116	vbc.exe	cvtres.exe
PID 3116 wrote to memory of 2652	3116	vbc.exe	cvtres.exe
PID 624 wrote to memory of 4288	624	MSSCS.exe	vbc.exe
PID 624 wrote to memory of 4288	624	MSSCS.exe	vbc.exe
PID 4288 wrote to memory of 2284	4288	vbc.exe	cvtres.exe
PID 4288 wrote to memory of 2284	4288	vbc.exe	cvtres.exe
PID 624 wrote to memory of 732	624	MSSCS.exe	vbc.exe
PID 624 wrote to memory of 732	624	MSSCS.exe	vbc.exe
PID 732 wrote to memory of 2120	732	vbc.exe	cvtres.exe
PID 732 wrote to memory of 2120	732	vbc.exe	cvtres.exe
PID 624 wrote to memory of 3772	624	MSSCS.exe	vbc.exe
PID 624 wrote to memory of 3772	624	MSSCS.exe	vbc.exe
PID 3772 wrote to memory of 1188	3772	vbc.exe	cvtres.exe
PID 3772 wrote to memory of 1188	3772	vbc.exe	cvtres.exe
PID 624 wrote to memory of 468	624	MSSCS.exe	vbc.exe
PID 624 wrote to memory of 468	624	MSSCS.exe	vbc.exe
PID 468 wrote to memory of 400	468	vbc.exe	cvtres.exe
PID 468 wrote to memory of 400	468	vbc.exe	cvtres.exe
PID 624 wrote to memory of 3380	624	MSSCS.exe	vbc.exe
PID 624 wrote to memory of 3380	624	MSSCS.exe	vbc.exe
PID 3380 wrote to memory of 2336	3380	vbc.exe	cvtres.exe
PID 3380 wrote to memory of 2336	3380	vbc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
"C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4916
- C:\Windows\system32\MSSCS.exe
  "C:\Windows\system32\MSSCS.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:624
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ExecutionPolicy Bypass -Command [System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms'); [System.Windows.Forms.MessageBox]::Show('Isto abriu lol','Rekt!',0,64)
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4600
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\h1qazxax.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4336
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFE60.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6F3F8332750445EFB05193EEEF3B573.TMP"
      4⤵
      PID:4956
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cwdh5mvb.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5096
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFF1C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc87CB1E10D53A4C6D8BF3A035D76C3C89.TMP"
      4⤵
      PID:2968
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bn8zavzs.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2560
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFFD7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4B4E8D527DEA4D1EA66A1FA81E332B49.TMP"
      4⤵
      PID:2340
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4a_vtb4p.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1288
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES35.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB8F20ECE90C74B5B92B39B184FF7EAB.TMP"
      4⤵
      PID:4972
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vxydew5z.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3116
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES93.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5E46346DC9A94AFFA47B9A938572CC0.TMP"
      4⤵
      PID:2652
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yfq28wc5.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4288
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES100.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC501F742BE1943788114914670859881.TMP"
      4⤵
      PID:2284
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pqhzuwxm.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:732
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES15E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc18CD02EBDA5B45EE94FA1C5F10CC19EA.TMP"
      4⤵
      PID:2120
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rvqgy8o8.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3772
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1BB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3F867D5785D44BECB597BB844BB15C63.TMP"
      4⤵
      PID:1188
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qp6-gvfw.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:468
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES219.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4F6160BCE7DF497C9C3683B2373F2050.TMP"
      4⤵
      PID:400
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\faapjnm8.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3380
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES277.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc14F1F169D6A748C5867DCF84D679F9D9.TMP"
      4⤵
      PID:2336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4a_vtb4p.0.vb

Filesize
271B

MD5
ac972015bef75b540eb33503d6e28cc2

SHA1
5c1d09fcf4c719711532dcfd0544dfc6f2b90260

SHA256
fa445cc76cde3461a5f1f1281fefcb0c7db69b2685f8a67a06a0f33a067e74e7

SHA512
36b2e1f7b7a6f2c60788f88d95bfdc53b7d261c203eb637a36fbd07d81bc46edc87e528f1987df73963cb75ca2f19c3a4b3df9ade52d5768ecec23753099cc83

Download Submit
C:\Users\Admin\AppData\Local\Temp\4a_vtb4p.cmdline

Filesize
171B

MD5
f4a6fbf3e52d1aa33cdcbc5ece62ca3b

SHA1
a06c0c3b933f2ff6f967539a029d607e5eec4a43

SHA256
64b5473489048f66ed6c969166a951888dfdb87d0c2ed092f8c1b6a51d7fb5e2

SHA512
c818dc572ddfbd692174ff83564543099d16cf0bfd151f8a72296254b0769f61ff5c3a84fee90eca0c5be5565921ed1bf8ebf68eccf711b62caaf9016b4e734f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES100.tmp

Filesize
1KB

MD5
f4c33aab23414a0e2899e85a40fb5319

SHA1
90928a6fe81b9c64dc667941460e4214e6e26cb6

SHA256
2e1bfaeb0f88914e6f13706fbb5d5eded67f62079207ac023fc32bec666c8a67

SHA512
0370e4f8d2f7f1e1d1c4d8da07131b8538cd022874b6bb225a656ff51b110db2eafb2b9c233f5ae0c9e99714d971a3ef255e1d071dda24de52f7c86b0787778e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES15E.tmp

Filesize
1KB

MD5
0f62c03c9b4243eb92dc2a63d1f954c0

SHA1
1af689724fee41b06b4e2a675cf54a121a877e74

SHA256
4ec44953b7712a75b74511f387959b0ff2142073b370b7a1de647f1d22866f4a

SHA512
f42e85a19a82a97fd90b04f86cf93eaa7337512c0a97408d013648235247d730b78ae81d1e2948a6eef3965739ea996b5a0dac77f43a1255df08b44d44e3bec7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1BB.tmp

Filesize
1KB

MD5
dc908937a2f601412ba3d4a38df0727b

SHA1
8e37c335d0b87b126de08a18afe4331468ffd587

SHA256
c6ccd806a835e5511d99a380d4ba9d37379ac22c5a31db65c2aa2491d092c927

SHA512
8a867a133844c303750e9ad2c4c43b608c08440d9c003ed149d08865021789c88c29d3b827f399c8d54471e1459045be8253a46191da5087a8236a65d7588883

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES219.tmp

Filesize
1KB

MD5
0c5fc7c4fa19f7746f249b99f2bb72d6

SHA1
08d18a705c419108accd64038e1ed8632c2813cf

SHA256
b09aca57f1edc882d54707143b72df6dd9f49e3391b60254ebaf6914ad78b5d9

SHA512
69bb0c6967e1e8b07f459a1bba8ce56d6ee26d77e97e85b353a9429ec93025df71c3f82ae74e06cc5d270d3404b1465efc7b2df3c75a3ea361bb048789a259ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES277.tmp

Filesize
1KB

MD5
4087266f28cc28ff655c13be702a178e

SHA1
36e143a06af1a8511cf05c2720badfb065fd34b0

SHA256
6dca7bb89529264f0f0b4268cb8aab2e067b233910321ecbfb68c5b3aa029d27

SHA512
cfa5519bd20975aec4b450f6662f2f21f96fab2fbab081b3a4142238e86f456ccfb76d96811b2f09e386345c5e14f6b914bbfde2c947bcff906c5ea63bb47465

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES35.tmp

Filesize
1KB

MD5
d8e9ac384ca035b4a54d4d3a43702dcc

SHA1
7ba161c2bf32f835ba40571bd12751c16591baa7

SHA256
74aec61ca41ce632e367bde3b0b45dc66a466f48707a88bc9298c99f5d8add42

SHA512
56df1e287e1eb6a47d38794d4956dd176f70abea27380318ef765cdf072b8dd7aa875502793ce12f3f804091bb3c6043503ca83071c5a159d7c985bcd2e6fac1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES93.tmp

Filesize
1KB

MD5
d584a14be453cbb8c25d376b654d8b0b

SHA1
37580f33eda742598e62c95aeb57e746209b21e5

SHA256
3605b7202b543a69cadaf0e6eae2b821daaa65c72f5aa817b4a68cebba5398e8

SHA512
9c6aa862c8416c7a51fcd86cb6955d5c14c1ba40896165dd1bc93080f63e714b20bfd06f4f4986975f5b3f7cc2d7711580158aad9cab1d39717a4fcd1b881ca8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFE60.tmp

Filesize
1KB

MD5
d20b923208ca23835a81761933524fb4

SHA1
88c602a48261614c14ea58ec23b54be1324222c4

SHA256
ba955c000b79e1821680ea925b3f50119ba9b70345105b19ebce67bd8a710446

SHA512
5d5b847956e798dd0c59aa9b3c1da47c89863a17b4d7f80cad6aac303f28e021b0234bd29b325b3b6aff5d80bf6e61ba09c52ec0db975129ee5436c752611220

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFF1C.tmp

Filesize
1KB

MD5
7b4642e94cb887fc017908115a657753

SHA1
7eb09d95db7b624d1c04d056538509ab87d5ae06

SHA256
d10af03d1bbb2e202bb569f78d748f25eda5d2a2a7de4925b35c75c8e18a4516

SHA512
c421e5cc78356348146c2c3975eab215c50d6ed77cc72995cdf40c518da24a210d0533f96a734c4aad99f722886a3cb2174597ef701b9f0ab1b78f963121ac85

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFFD7.tmp

Filesize
1KB

MD5
a564f4ebdbf6d817f01c37123cdccdaa

SHA1
f0d33e9aa8b7180a8a9edf429b93bfd330c5f079

SHA256
922f35922ff733238123c0a1a1b521d17c92dcdc7024b585ca4a36511b2d5624

SHA512
57e3465482d5af24176fcc575ca2449659ed4f4901097cfe1739e881d7bda742708d0822c2cf317fb954709b1d571a3612459fe43f8d846d946e99df51d49666

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_exf33eja.uzf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bn8zavzs.0.vb

Filesize
263B

MD5
d1110a95f1e40f726584bd99eca52fe7

SHA1
97fac683e1116ab31a9cc9c3dcfd9fe9e53505c3

SHA256
00f373eb310beace70146b6e0fd188aa2f437efb2e5a2714a11d4d58e27d3142

SHA512
f15b5b310ace82a0106b551d71ad3d48e1c75085aa78b8bb3374a2334ceb073bd4d1bf4cd0b4e39034c39f01b6bcd76e8be30198e4872f5641a7d29b255154b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\bn8zavzs.cmdline

Filesize
163B

MD5
aa03988a4f8286e5de1c275c7923bd32

SHA1
1c03d43e5c3ab0a4519cfbd9b6e95d31a5728a2b

SHA256
4ba670b24231add265f706bf6df0e45751cf2e2ddfabfacceab281fbc8add90b

SHA512
1fef419a2ea93f5a8fb0b5e55ae98227c14451a3a01f61338baa194532257b2a4b90afba433f788b97f6d66d2e1e2bca78e3b7f6761512902ccb304b9a84d75e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwdh5mvb.0.vb

Filesize
262B

MD5
88cc385da858aaa7057b54eaeb0df718

SHA1
b108224d4686b5ca3faaeb1c728dfba8740a6eca

SHA256
08a30db98d970e3b6819d5ecff6eab2211ce93f4cd000c09db96ffb294d05020

SHA512
4787835240c3e2364172ac2e7649ec8fecb907c7006c38734e59aa65509f360b4596d5db8de20e0c7388a022e1c2f4f9ba75acabba798bea1d40f688539b7df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwdh5mvb.cmdline

Filesize
162B

MD5
bfcab43bc18d366e2edde71c6074bafe

SHA1
0a924411059cd9d5e3dd3bc4a7662c82e87841b3

SHA256
000168374cdb1b746be2af3f992258421a08c69b998f4089a70bf1029fe5c00d

SHA512
2f82794fde6aaabfb88a4c4ea53c41321ed1925dc552035709627ab4e126e8aaa497b4429fa6d4bb885bb48d67b06c778a98fee3643dd3cc0e961589d2fc1f04

Download Submit
C:\Users\Admin\AppData\Local\Temp\faapjnm8.0.vb

Filesize
273B

MD5
3c3d3136aa9f1b87290839a1d26ad07a

SHA1
005a23a138be5d7a98bdd4a6cc7fab8bdca962f4

SHA256
5b745f85a39312bfa585edbd7e3465371578b42fa639eded4cdad8c9f96b87fd

SHA512
fbb085ffcd77ac96c245067fd96a0c20492d55331161f292975b0c11386424a96534a500133217f84d44455e16139d01230455bce5db3d472271620c29381f60

Download Submit
C:\Users\Admin\AppData\Local\Temp\faapjnm8.cmdline

Filesize
173B

MD5
bc2b67e00cda9e42bd0eaf71175f80f5

SHA1
a7cf266e7212aa3bbc942f0676d4693ae037996c

SHA256
7cbdcfa97bcd77e0d85a44cb96c92cf4234b028be346382165849e2b5ba0d8c2

SHA512
e2e4d73b54791d93478a73c8321eb8ffe6594a692d0c40de615e0c87d1505c9527176c7273f28829d78abf3b5b155e2a7ece623844e59e54d12eeab883ba7647

Download Submit
C:\Users\Admin\AppData\Local\Temp\h1qazxax.0.vb

Filesize
256B

MD5
076803692ac8c38d8ee02672a9d49778

SHA1
45d2287f33f3358661c3d6a884d2a526fc6a0a46

SHA256
5b3ab23bcadaeb54a41bdb1636bcaf7772af028d375f42baeb967de6579ef2a3

SHA512
cc9126384a287ccb99d10d5c2d3034cdbc8a45e94f1cec48dd95f2aa08ebbe3053ffd6d6effa31f2d84164edbb6136398cd02c08b05f027a6a777dffd1daea5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\h1qazxax.cmdline

Filesize
156B

MD5
220c424850e2d91279f569c65964c4e1

SHA1
4d180e3063a35822ac6b1748c18a58caac80728c

SHA256
d027b63e71db87133bb032b9b0a62e3022f082b3b1b8bfc691947ea7622a19c1

SHA512
5b8d847ea5b720d925d0ecbee53f863fb225d63e5e3e758f018200c502ffb4bb24cc2e94371377cde44824fafceb60494a1893084a3f17f857833e2b1da4b739

Download Submit
C:\Users\Admin\AppData\Local\Temp\pqhzuwxm.0.vb

Filesize
274B

MD5
539683c4ca4ee4dc46b412c5651f20f5

SHA1
564f25837ce382f1534b088cf2ca1b8c4b078aed

SHA256
ec2210924d5c1af6377ef4bdf76d6ca773aaa1ae0438b0850f44d8c4e16ef92e

SHA512
df7c1a55e53f9b9bf23d27762d2d1163c78808e9b4d95e98c84c55ca4ecb7009ed58574ae6ddede31459f300483a1dc42987295a04f6c8702f297d3f1942f4ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\pqhzuwxm.cmdline

Filesize
174B

MD5
3ac9adafbe7dc97ae1a355d71576a299

SHA1
ed5e6afb988dd787b08c80eea96c2e3ed362c8f1

SHA256
1c879d6fca30c6e9719fcc39fc0da66715acd0979853441f4cac20a1af003a1f

SHA512
e6f05b3af92c0ed40e7ecbab807dccb2f468ae5831306a522331c27f72bee2c147d92ef51d3c35f4dd79ac26d270cad07ea148d117454046b44ce5ad90ee6964

Download Submit
C:\Users\Admin\AppData\Local\Temp\qp6-gvfw.0.vb

Filesize
270B

MD5
658573fde2bebc77c740da7ddaa4634b

SHA1
073da76c50b4033fcfdfb37ba6176afd77b0ea55

SHA256
c07206283d62100d426ba62a81e97bd433966f8b52b5a8dd1451e29a804a1607

SHA512
f93c7f4378be5eca51161d1541d772a34c07884c9d829608c6fa21563df5691920394afe9da1174ad5c13f773a588b186d1d38a9d375a28562eb58ca4a8b8fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\qp6-gvfw.cmdline

Filesize
170B

MD5
9a970fb7c8df275cf41505c4112db11f

SHA1
e335c0375607dc981cd4b97c013e475fcddfc094

SHA256
03109b2208459cb8b723171643bc5d72bd8cd9268d2bcb95de215fac7ff3ff88

SHA512
02d183f3adbbd280d0bba7d8f428997432eff942b1d937cec96a8c8c56ebedd5761a4e5e0ff4169b8085e842dd2201ee83885156056c62bb22eaea8630a32483

Download Submit
C:\Users\Admin\AppData\Local\Temp\rvqgy8o8.0.vb

Filesize
264B

MD5
5ce3977a153152978fa71f8aa96909e9

SHA1
52af143c553c92afc257f0e0d556908eaa8919cb

SHA256
e07a7bd0c2901d3a349ab55e936b34de2d0abb5f2dc555cc128773b8045d3eed

SHA512
eaee02ceade0211be70a4710b28fdf043d5c540928e2095ead924a44c2edfca8fc6499395d1b7f5deee96394fb5309362fb87e45ee195094ec39d5fa11909d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\rvqgy8o8.cmdline

Filesize
164B

MD5
0cf812d56f0bde15e400b2737d402c42

SHA1
fea8b1e2bce31c055152f6cd0250e33ec9b93bb3

SHA256
d075673cbfb92625e257a9a2cb8bf4d8a973c63d34902b68959be580dc0f5d0b

SHA512
d555e85b5d04d1c7cfb17e25fb93df250cb600e8f25196b0a27493ded5c13d781fa98ad6f929b1fe4d75063aaab3a24e9876d926ffb5d4fc9778837c7e92f6c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc14F1F169D6A748C5867DCF84D679F9D9.TMP

Filesize
684B

MD5
7a707b422baa7ca0bc8883cbe68961e7

SHA1
addf3158670a318c3e8e6fdd6d560244b9e8860e

SHA256
453ad1da51152e3512760bbd206304bf48f9c880f63b6a0726009e2d1371c71c

SHA512
81147c1c4c5859249f4e25d754103f3843416e3d0610ac81ee2ef5e5f50622ea37f0c68eeb7fa404f8a1779dc52af02d2142874e39c212c66fa458e0d62926a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc18CD02EBDA5B45EE94FA1C5F10CC19EA.TMP

Filesize
684B

MD5
8135713eeb0cf1521c80ad8f3e7aad22

SHA1
1628969dc6256816b2ab9b1c0163fcff0971c154

SHA256
e14dd88df69dc98be5bedcbc8c43d1e7260b4492899fec24d964000a3b096c7a

SHA512
a0b7210095767b437a668a6b0bcedf42268e80b9184b9910ed67d665fba9f714d06c06bff7b3da63846791d606807d13311946505776a1b891b39058cfb41bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4B4E8D527DEA4D1EA66A1FA81E332B49.TMP

Filesize
676B

MD5
85c61c03055878407f9433e0cc278eb7

SHA1
15a60f1519aefb81cb63c5993400dd7d31b1202f

SHA256
f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b

SHA512
7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6F3F8332750445EFB05193EEEF3B573.TMP

Filesize
644B

MD5
dac60af34e6b37e2ce48ac2551aee4e7

SHA1
968c21d77c1f80b3e962d928c35893dbc8f12c09

SHA256
2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6

SHA512
1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc87CB1E10D53A4C6D8BF3A035D76C3C89.TMP

Filesize
668B

MD5
3906bddee0286f09007add3cffcaa5d5

SHA1
0e7ec4da19db060ab3c90b19070d39699561aae2

SHA256
0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00

SHA512
0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vxydew5z.0.vb

Filesize
272B

MD5
2b3aac520562a93ebef6a5905d4765c9

SHA1
10ab45c5d73934b16fac5e30bf22f17d3e0810c8

SHA256
b9f0edf067faaaa7da2d47e3d22b957cd302eb25e01e08ea79c664868f328f89

SHA512
9514934ed12d93ea3ad4e6873cf294bafa114bc7a784a93b14dd2410d07fae3a2c00308035a5c129c57e283de8b94ed36fd9f9de35b08eb79a82a0c732e50446

Download Submit
C:\Users\Admin\AppData\Local\Temp\vxydew5z.cmdline

Filesize
172B

MD5
9145153af5aded00565748ee9eee5104

SHA1
c90d2fd9bfd1db8f286e6ebfc62363174a1ef084

SHA256
54b1dff3705d0488282da9aaa34aa6e6ec65eac45b1b7c5e1d43749aaf6cdac4

SHA512
704190ebb9ce443d654ff01fa455d86407685a61782b39dfcdad43dd46743f8ad03b5cca302f7edb39c4566e397132de09bb3d98d4d5118dde9937511b6df0fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\yfq28wc5.0.vb

Filesize
271B

MD5
325f27ef75bebe8b3f80680add1943d3

SHA1
1c48e211258f8887946afb063e9315b7609b4ee3

SHA256
034c75813491d628a1a740b45888fc0c301b915456aaa7ba6433b4f1368cda35

SHA512
e2165b425558872897990953c26e48776f45751a53da035f1ad86ac062ec23a2923b984d84f992de5c0170f6e192feb155ffff25f51bc76ab273b996daacb804

Download Submit
C:\Users\Admin\AppData\Local\Temp\yfq28wc5.cmdline

Filesize
171B

MD5
3d8937551296e0a87ae31b2b76844e3f

SHA1
864c1aaa347dc6d7512ebf6dd89812f7d9327cbb

SHA256
d24f6086e6431cb4a460b12908a24fa10808e733d7e4280539827bed40aedd82

SHA512
3ed0506409eea6b91a0ef429f1020c7e142e4428bb439c0f4fbe5feedf4974f6217dadf13147c53ed618f6d8e0ed8631ea708aac2ba2bd1d6df33a5c985f8642

Download Submit
C:\Windows\System32\MSSCS.exe

Filesize
21KB

MD5
6fe3fb85216045fdf8186429c27458a7

SHA1
ef2c68d0b3edf3def5d90f1525fe87c2142e5710

SHA256
905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550

SHA512
d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c

Download Submit
memory/624-17-0x00007FFBABBB0000-0x00007FFBAC551000-memory.dmp

Filesize
9.6MB

Download
memory/624-20-0x00007FFBABBB0000-0x00007FFBAC551000-memory.dmp

Filesize
9.6MB

Download
memory/624-21-0x00007FFBABBB0000-0x00007FFBAC551000-memory.dmp

Filesize
9.6MB

Download
memory/624-22-0x00007FFBABBB0000-0x00007FFBAC551000-memory.dmp

Filesize
9.6MB

Download
memory/4600-39-0x0000028CBC520000-0x0000028CBC542000-memory.dmp

Filesize
136KB

Download
memory/4916-8-0x00007FFBABBB0000-0x00007FFBAC551000-memory.dmp

Filesize
9.6MB

Download
memory/4916-6-0x000000001CAD0000-0x000000001CB6C000-memory.dmp

Filesize
624KB

Download
memory/4916-5-0x00007FFBABBB0000-0x00007FFBAC551000-memory.dmp

Filesize
9.6MB

Download
memory/4916-7-0x00007FFBABE65000-0x00007FFBABE66000-memory.dmp

Filesize
4KB

Download
memory/4916-0-0x00007FFBABE65000-0x00007FFBABE66000-memory.dmp

Filesize
4KB

Download
memory/4916-4-0x000000001C3E0000-0x000000001C442000-memory.dmp

Filesize
392KB

Download
memory/4916-3-0x000000001C260000-0x000000001C306000-memory.dmp

Filesize
664KB

Download
memory/4916-1-0x00007FFBABBB0000-0x00007FFBAC551000-memory.dmp

Filesize
9.6MB

Download
memory/4916-19-0x00007FFBABBB0000-0x00007FFBAC551000-memory.dmp

Filesize
9.6MB

Download
memory/4916-2-0x000000001BD90000-0x000000001C25E000-memory.dmp

Filesize
4.8MB

Download