revengerat | 38bc13ef112b2f17d4d1a80243fac6a521b5d58228984aae0752d79487fa3b66

Resubmissions

13-11-2024 23:34

241113-3kmbta1eqc 10

13-11-2024 22:28

11-11-2024 05:34

11-11-2024 03:05

11-11-2024 03:00

08-11-2024 08:59

08-11-2024 08:55

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2024 03:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
Size

21KB
MD5

6fe3fb85216045fdf8186429c27458a7
SHA1

ef2c68d0b3edf3def5d90f1525fe87c2142e5710
SHA256

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550
SHA512

d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c
SSDEEP

384:nPD9On5gIdjbvRPJnMacNj6FIlKrZbJsV5reQ+ys:b9On2nV6FIlKr1

Score

10^/10

revengerat execution stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

RevengeRat Executable 1 IoCs

stealer

Processes:

resource	yara_rule
C:\Windows\System32\MSSCS.exe	revengerat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe

Drops startup file 2 IoCs

Processes:

MSSCS.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSO.exe	MSSCS.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSO.exe	MSSCS.exe

Executes dropped EXE 1 IoCs

Processes:

MSSCS.exe

pid process

4356 MSSCS.exe
Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

3752 powershell.exe

pid	process
4356	MSSCS.exe

pid	process
3752	powershell.exe

Drops file in System32 directory 4 IoCs

Processes:

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exeMSSCS.exe

description	ioc	process
File created	C:\Windows\system32\MSSCS.exe	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
File opened for modification	C:\Windows\system32\MSSCS.exe	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
File opened for modification	C:\Windows\system32\MSSCS.exe	MSSCS.exe
File created	C:\Windows\system32\MSSCS.exe	MSSCS.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

3752 powershell.exe
3752 powershell.exe

pid	process
3752	powershell.exe
3752	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exeMSSCS.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4736	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
Token: SeDebugPrivilege	4356	MSSCS.exe
Token: SeDebugPrivilege	3752	powershell.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exeMSSCS.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exe

description	pid	process	target process
PID 4736 wrote to memory of 4356	4736	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe	MSSCS.exe
PID 4736 wrote to memory of 4356	4736	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe	MSSCS.exe
PID 4356 wrote to memory of 3752	4356	MSSCS.exe	powershell.exe
PID 4356 wrote to memory of 3752	4356	MSSCS.exe	powershell.exe
PID 4356 wrote to memory of 3584	4356	MSSCS.exe	vbc.exe
PID 4356 wrote to memory of 3584	4356	MSSCS.exe	vbc.exe
PID 3584 wrote to memory of 4512	3584	vbc.exe	cvtres.exe
PID 3584 wrote to memory of 4512	3584	vbc.exe	cvtres.exe
PID 4356 wrote to memory of 4028	4356	MSSCS.exe	vbc.exe
PID 4356 wrote to memory of 4028	4356	MSSCS.exe	vbc.exe
PID 4028 wrote to memory of 1572	4028	vbc.exe	cvtres.exe
PID 4028 wrote to memory of 1572	4028	vbc.exe	cvtres.exe
PID 4356 wrote to memory of 3188	4356	MSSCS.exe	vbc.exe
PID 4356 wrote to memory of 3188	4356	MSSCS.exe	vbc.exe
PID 3188 wrote to memory of 708	3188	vbc.exe	cvtres.exe
PID 3188 wrote to memory of 708	3188	vbc.exe	cvtres.exe
PID 4356 wrote to memory of 4628	4356	MSSCS.exe	vbc.exe
PID 4356 wrote to memory of 4628	4356	MSSCS.exe	vbc.exe
PID 4628 wrote to memory of 4324	4628	vbc.exe	cvtres.exe
PID 4628 wrote to memory of 4324	4628	vbc.exe	cvtres.exe
PID 4356 wrote to memory of 1732	4356	MSSCS.exe	vbc.exe
PID 4356 wrote to memory of 1732	4356	MSSCS.exe	vbc.exe
PID 1732 wrote to memory of 1696	1732	vbc.exe	cvtres.exe
PID 1732 wrote to memory of 1696	1732	vbc.exe	cvtres.exe
PID 4356 wrote to memory of 4864	4356	MSSCS.exe	vbc.exe
PID 4356 wrote to memory of 4864	4356	MSSCS.exe	vbc.exe
PID 4864 wrote to memory of 3432	4864	vbc.exe	cvtres.exe
PID 4864 wrote to memory of 3432	4864	vbc.exe	cvtres.exe
PID 4356 wrote to memory of 2708	4356	MSSCS.exe	vbc.exe
PID 4356 wrote to memory of 2708	4356	MSSCS.exe	vbc.exe
PID 2708 wrote to memory of 5008	2708	vbc.exe	cvtres.exe
PID 2708 wrote to memory of 5008	2708	vbc.exe	cvtres.exe
PID 4356 wrote to memory of 4412	4356	MSSCS.exe	vbc.exe
PID 4356 wrote to memory of 4412	4356	MSSCS.exe	vbc.exe
PID 4412 wrote to memory of 880	4412	vbc.exe	cvtres.exe
PID 4412 wrote to memory of 880	4412	vbc.exe	cvtres.exe
PID 4356 wrote to memory of 4736	4356	MSSCS.exe	vbc.exe
PID 4356 wrote to memory of 4736	4356	MSSCS.exe	vbc.exe
PID 4736 wrote to memory of 696	4736	vbc.exe	cvtres.exe
PID 4736 wrote to memory of 696	4736	vbc.exe	cvtres.exe
PID 4356 wrote to memory of 2672	4356	MSSCS.exe	vbc.exe
PID 4356 wrote to memory of 2672	4356	MSSCS.exe	vbc.exe
PID 2672 wrote to memory of 2588	2672	vbc.exe	cvtres.exe
PID 2672 wrote to memory of 2588	2672	vbc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
"C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4736
- C:\Windows\system32\MSSCS.exe
  "C:\Windows\system32\MSSCS.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4356
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ExecutionPolicy Bypass -Command [System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms'); [System.Windows.Forms.MessageBox]::Show('Isto abriu lol','Rekt!',0,64)
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3752
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ctr0izbo.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3584
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD3F5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6B5714351AF47189ED47B5BFC378279.TMP"
      4⤵
      PID:4512
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lv02nxvt.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4028
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD4DF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9E0A7188194E4D0BAACF96EC24D42A.TMP"
      4⤵
      PID:1572
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xvxoupty.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3188
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD53D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD6BB01839A0F459E989AA2FDC088D332.TMP"
      4⤵
      PID:708
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\odw4acvh.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4628
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD59B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFEEA68FE1D01403BA873C58037B01CCB.TMP"
      4⤵
      PID:4324
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uxk3wg8u.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1732
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD5E9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8F49356EFFFD4F0EA2AFCC4BD6869C45.TMP"
      4⤵
      PID:1696
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\phqr0spe.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4864
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD656.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB3204E1F71194A0D9E294F81DD9C4BC7.TMP"
      4⤵
      PID:3432
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uuilwujw.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD6B4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc180702E9A8704A93A299B76698C16228.TMP"
      4⤵
      PID:5008
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\49iz8cip.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4412
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD702.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBD1CEE7D9BFE44BCB026BD82BEB5F.TMP"
      4⤵
      PID:880
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dutaretq.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4736
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD76F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4AE616BF743649ED86589D887F25B8C1.TMP"
      4⤵
      PID:696
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wj9bz7wi.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD7BD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc16F3C9A429C646AE953615F9BF81BB7.TMP"
      4⤵
      PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\49iz8cip.0.vb

Filesize
270B

MD5
658573fde2bebc77c740da7ddaa4634b

SHA1
073da76c50b4033fcfdfb37ba6176afd77b0ea55

SHA256
c07206283d62100d426ba62a81e97bd433966f8b52b5a8dd1451e29a804a1607

SHA512
f93c7f4378be5eca51161d1541d772a34c07884c9d829608c6fa21563df5691920394afe9da1174ad5c13f773a588b186d1d38a9d375a28562eb58ca4a8b8fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\49iz8cip.cmdline

Filesize
170B

MD5
40f11db8c623f7837d8e153d32a269c8

SHA1
2d8de452eed9f02d3128209d8411ea7ef6d4f56e

SHA256
f32ecc506f79ae0ea24c78dc549e90f05bedde1f59885a9211601e668fdea6a4

SHA512
3d72301957c87ed8b14321217e0b96bc7b0f1fabd2ba506ed80cedd9b683536451f04cdce95fe46eb956393e3fc3b8198613e88b1be79da950b854bcb42bd677

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD3F5.tmp

Filesize
1KB

MD5
91131fc6e21c697a873ec517ab72bbff

SHA1
9394def637a8e25e0badc845ad49ec54788d806c

SHA256
2cb205043686a6489be6162ad6f1b9147d6dfa09992f93cbf9f5c39b5ee239c7

SHA512
2f147c8fefd86f2f8a89d6e1db61f78357dece4290f5335a0a3e08fb7ddda81b38fd9f5c35da062a4ca976da54ee50580e0eaab0700717f11bc10d1e5d481214

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD4DF.tmp

Filesize
1KB

MD5
e7ba507a8dcbaa12a3f2da1cef042377

SHA1
5b8337896a95527ba56254ea51ddba3cd780a69e

SHA256
611049d12882a89ee865b958ac2c377a4a47e42c522674e993c7b923ebf1fdd4

SHA512
38b467e69d9c37fa7cb0ea19383c31b80310973afb2b3bb8af21da5e8870dbbdf0385fdf333a3fb932401310ebbe3b7afe4ef0c70fe7013874eaf809995da5d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD53D.tmp

Filesize
1KB

MD5
9bae33cc34c8429ae5e865d498639c87

SHA1
894db88d1384941146e04af31d09e50e7e9d1ec2

SHA256
8191bdd12f6d77635b538a9f99c69dbd2866965210b6edadb99ab18fbd2cada4

SHA512
9a817f0549839c34fed74dc12f16b537b06206bfe5fa9fcd42a2dcfd356211525e7b6a5f6b81b3ca434d80dfd9165bdb211ca9c0bc56d847dfcdb317a5aabf72

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD59B.tmp

Filesize
1KB

MD5
98b4bfb33b2ad4a3a47b4f0c8007ab98

SHA1
bb3d930d7f5059f5d698db76060eccfcc48999cc

SHA256
f3a76aae92aef8fb8352a19872f591ee257cc28f1186024f0560d5e9a6c2df4e

SHA512
1874ea969fc19614ca7b3ea998932e3afc0f48258b761d57a73c02e0b7a3e6a4fcf32e8468da848512505d9a0860179f5705d4c9020216e64ec1794a69383618

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD5E9.tmp

Filesize
1KB

MD5
3790144c1af0312379b52e6e7cb1651e

SHA1
2b96b532e8450897e5e1fe5048d110134484b758

SHA256
bac354d4d77072fae49eaeb64375070219576483a4958eb4c7b34e58e266c78b

SHA512
78d93b969db200966df3570a471298308e773c13d17ba87155f0763631ca0fa18d1a9bb70dc9fab7079b38725161075ec09ff5a072893e18aaeec4e38b923491

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD656.tmp

Filesize
1KB

MD5
784c370208aa280b483e934b4380bf28

SHA1
f4b1a23fc6f0e85adf02c64b6e6f59f38f356fbf

SHA256
9c8cdbeb1a469eec273c4c17637c58d089d3bb3e22bf53dd1f2fb4a51a157716

SHA512
09e6ee2fb30e8766dd08f5bb6733fcbf84eaa7b0ab3e96c935dfe58492258cd80baa1572d3b7012c82e6e76808e847a228106ce913d22a82d716f300eacdb6fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD6B4.tmp

Filesize
1KB

MD5
f343e9affb61e5d67f275bcc7b9aa551

SHA1
3861f195db3c07ff5637c71ef6aa756d2d242bdd

SHA256
1c8ad5ddfd37b4268c6e33d562b99f4c4f15a0f927303a3faaa50806a78b02ef

SHA512
b15f2979a91251e388b2f61fb6c08621cdf17cadf42e3b35619e5120dd5e44d04f0c0770436074a0308d56c623f5a8e0e3ea885f5e499e6c8f479975e30a2c60

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD702.tmp

Filesize
1KB

MD5
320ec09e7f0df1e6d17c9f02f79672d9

SHA1
a842388121513e307d05312384160b311589461c

SHA256
32feab23dac93a81d12c5e27cf08b832d105724d11e6f4010c12de57db2aaf00

SHA512
95de8b81a15fb6df073856bb40f0a5b9dc6de6c9014e40a5f3c9071c5d91d8bf02910fcd5fa0133290a353af79413c5c8e773a0610c075b54d1e1b2c488bace1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD76F.tmp

Filesize
1KB

MD5
ebb91cf83ee27cc08efb3ac831755653

SHA1
4709465cd7e4538bb5ba763d267bc58a1b5983d1

SHA256
db22771de5a55121731af26908903e5008e28aaeb9174c63c72183f063fbdcc1

SHA512
198aea366fbe5425d0fc4aa2d08eb29b130dd9eb4dc8337922670d1ff23bab8c6d8d5d307fb7d86f26f690776357612f4a6cb75270740dbd9dd090ca558ef94c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD7BD.tmp

Filesize
1KB

MD5
d18ba0dc6208c1b293e815131d688dcd

SHA1
cde03d1f8695f3e8c9a928ba9f80d7631fb1dadf

SHA256
bf55153caae9f5d2bde918ed153be9be22b79d8b115897414a4333e4452292ab

SHA512
72f603e6c4ea3fe19bcb7a5b47fd81bf7a5c169216dec528fd1bd510c27b4e9c92359d478d334ee7715a49cf07119d59cdd7b004e2cbe9410fc76c5c8b8fbd84

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oiydexm3.lnq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ctr0izbo.0.vb

Filesize
256B

MD5
076803692ac8c38d8ee02672a9d49778

SHA1
45d2287f33f3358661c3d6a884d2a526fc6a0a46

SHA256
5b3ab23bcadaeb54a41bdb1636bcaf7772af028d375f42baeb967de6579ef2a3

SHA512
cc9126384a287ccb99d10d5c2d3034cdbc8a45e94f1cec48dd95f2aa08ebbe3053ffd6d6effa31f2d84164edbb6136398cd02c08b05f027a6a777dffd1daea5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ctr0izbo.cmdline

Filesize
156B

MD5
811e45fc135301592c099fb12cc9bb54

SHA1
c1fb72a8f78101972884d2416ee804412ad63bb8

SHA256
4dfd73fb812be97010683a2f640842b9035ebee65fdca7b8eddb02b2f5bc5006

SHA512
f7e6aa196bdeba7a5b5462b01af3e3c773eae414e92c5bf02d892f6f62d448e2f7fa3c397ee7b085b232ade243a83e03e82b991e02f2f841df2aaa716f5b1fca

Download Submit
C:\Users\Admin\AppData\Local\Temp\dutaretq.0.vb

Filesize
271B

MD5
325f27ef75bebe8b3f80680add1943d3

SHA1
1c48e211258f8887946afb063e9315b7609b4ee3

SHA256
034c75813491d628a1a740b45888fc0c301b915456aaa7ba6433b4f1368cda35

SHA512
e2165b425558872897990953c26e48776f45751a53da035f1ad86ac062ec23a2923b984d84f992de5c0170f6e192feb155ffff25f51bc76ab273b996daacb804

Download Submit
C:\Users\Admin\AppData\Local\Temp\dutaretq.cmdline

Filesize
171B

MD5
2ca1890918cb0a5b48cd64c938ed3b1f

SHA1
f02d97352c3e6ceb84e073dc189fa52387363627

SHA256
8faf96258422a816115b6552e1e5a58f2c13498d74d2e7f7f84550584454d799

SHA512
56e269beef828404c77741dd631d6b0b7b102a04d1cfa3407ed34a3b8a058397d09398c50f6e79fd4c856753a4d717525df05fdd1362cbd035e7d5bc4ee95ff3

Download Submit
C:\Users\Admin\AppData\Local\Temp\lv02nxvt.0.vb

Filesize
262B

MD5
88cc385da858aaa7057b54eaeb0df718

SHA1
b108224d4686b5ca3faaeb1c728dfba8740a6eca

SHA256
08a30db98d970e3b6819d5ecff6eab2211ce93f4cd000c09db96ffb294d05020

SHA512
4787835240c3e2364172ac2e7649ec8fecb907c7006c38734e59aa65509f360b4596d5db8de20e0c7388a022e1c2f4f9ba75acabba798bea1d40f688539b7df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\lv02nxvt.cmdline

Filesize
162B

MD5
70c092d68a4d6545d05b6e334b635fe8

SHA1
026fb4ba48d97786c515579b2ebc5c5c0260917c

SHA256
279af0e62bef7d324bc9c52d93803ea2ef8bc5fbcc8239943a14e37a15293717

SHA512
4196bda9076e2d137eb039a934828a12fd217533994b9794425f8d8910afa73c9ffadbdcc60abc82b3bc19fbc6a090f553cc0ae97805b65ab02841e897c8819e

Download Submit
C:\Users\Admin\AppData\Local\Temp\odw4acvh.0.vb

Filesize
271B

MD5
ac972015bef75b540eb33503d6e28cc2

SHA1
5c1d09fcf4c719711532dcfd0544dfc6f2b90260

SHA256
fa445cc76cde3461a5f1f1281fefcb0c7db69b2685f8a67a06a0f33a067e74e7

SHA512
36b2e1f7b7a6f2c60788f88d95bfdc53b7d261c203eb637a36fbd07d81bc46edc87e528f1987df73963cb75ca2f19c3a4b3df9ade52d5768ecec23753099cc83

Download Submit
C:\Users\Admin\AppData\Local\Temp\odw4acvh.cmdline

Filesize
171B

MD5
30e9a1c87435bdd36295ba7f12af9140

SHA1
91d6d6edbc497ad5ebe7cc16cc496c38f1e051d1

SHA256
0af6f12eab96687e2f8e953e96022cb4bca8d6169757ee3210c9bbeae9fa4640

SHA512
435f047a5642ca534c772b67e577cbef80533d2f1432188df68ffa659a6b4633984a7a8ae2d286e4f103f68ace7958a158dcf10e6c4efeca96b751eac27cc8d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\phqr0spe.0.vb

Filesize
274B

MD5
539683c4ca4ee4dc46b412c5651f20f5

SHA1
564f25837ce382f1534b088cf2ca1b8c4b078aed

SHA256
ec2210924d5c1af6377ef4bdf76d6ca773aaa1ae0438b0850f44d8c4e16ef92e

SHA512
df7c1a55e53f9b9bf23d27762d2d1163c78808e9b4d95e98c84c55ca4ecb7009ed58574ae6ddede31459f300483a1dc42987295a04f6c8702f297d3f1942f4ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\phqr0spe.cmdline

Filesize
174B

MD5
24347b00e874f3987fc9025a4f6f05f7

SHA1
8e3251160436b2ef59a32172252158415261cf11

SHA256
1323d3caa6a2ec03050452a4108091ca84d0dea783599a14697450073fe26ade

SHA512
4a8b47916f768a97f66cf40990dc5a8aaf712ef5b0458de8ac6a3d38f84084fddf4272a436eea6eb056c36d341fb7524a8ae9c4a7512be254ff9aabe5d41a0ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\uuilwujw.0.vb

Filesize
264B

MD5
5ce3977a153152978fa71f8aa96909e9

SHA1
52af143c553c92afc257f0e0d556908eaa8919cb

SHA256
e07a7bd0c2901d3a349ab55e936b34de2d0abb5f2dc555cc128773b8045d3eed

SHA512
eaee02ceade0211be70a4710b28fdf043d5c540928e2095ead924a44c2edfca8fc6499395d1b7f5deee96394fb5309362fb87e45ee195094ec39d5fa11909d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\uuilwujw.cmdline

Filesize
164B

MD5
fb541bfc5d13dc25fd3520bdb07aef98

SHA1
8fe95729b08f05b06fbc6ea7d48448380d09d369

SHA256
10113661a6382275a96109e6e672aef8c8561d411ca95106a99c2ae26edf4908

SHA512
2eea86e78ea288628e274aa65b93e814b16634a1279a7194a17e1e815741ec7fd9976d3111c27dcf8c7cff7fcc28d2083a74fb1f7cbd9785b44504b546998cbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\uxk3wg8u.0.vb

Filesize
272B

MD5
2b3aac520562a93ebef6a5905d4765c9

SHA1
10ab45c5d73934b16fac5e30bf22f17d3e0810c8

SHA256
b9f0edf067faaaa7da2d47e3d22b957cd302eb25e01e08ea79c664868f328f89

SHA512
9514934ed12d93ea3ad4e6873cf294bafa114bc7a784a93b14dd2410d07fae3a2c00308035a5c129c57e283de8b94ed36fd9f9de35b08eb79a82a0c732e50446

Download Submit
C:\Users\Admin\AppData\Local\Temp\uxk3wg8u.cmdline

Filesize
172B

MD5
cb4cf0bc95b97b255b7a7e117f9672ba

SHA1
1dabbb2329ba866506e380772e9771114f159ff1

SHA256
ef67e63eb12d616d3184b5d6913f60530d0182416498ded9e5fc3021d191de22

SHA512
495b833bed72301efd339c47dcf10e5c8050c15b9b074e9684c951a70d36a22161f06c29c0ab28a7e8f374c88d4761d35098a9118213f588e672ced0ea9c2597

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc16F3C9A429C646AE953615F9BF81BB7.TMP

Filesize
684B

MD5
7a707b422baa7ca0bc8883cbe68961e7

SHA1
addf3158670a318c3e8e6fdd6d560244b9e8860e

SHA256
453ad1da51152e3512760bbd206304bf48f9c880f63b6a0726009e2d1371c71c

SHA512
81147c1c4c5859249f4e25d754103f3843416e3d0610ac81ee2ef5e5f50622ea37f0c68eeb7fa404f8a1779dc52af02d2142874e39c212c66fa458e0d62926a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6B5714351AF47189ED47B5BFC378279.TMP

Filesize
644B

MD5
dac60af34e6b37e2ce48ac2551aee4e7

SHA1
968c21d77c1f80b3e962d928c35893dbc8f12c09

SHA256
2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6

SHA512
1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc9E0A7188194E4D0BAACF96EC24D42A.TMP

Filesize
668B

MD5
3906bddee0286f09007add3cffcaa5d5

SHA1
0e7ec4da19db060ab3c90b19070d39699561aae2

SHA256
0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00

SHA512
0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB3204E1F71194A0D9E294F81DD9C4BC7.TMP

Filesize
684B

MD5
8135713eeb0cf1521c80ad8f3e7aad22

SHA1
1628969dc6256816b2ab9b1c0163fcff0971c154

SHA256
e14dd88df69dc98be5bedcbc8c43d1e7260b4492899fec24d964000a3b096c7a

SHA512
a0b7210095767b437a668a6b0bcedf42268e80b9184b9910ed67d665fba9f714d06c06bff7b3da63846791d606807d13311946505776a1b891b39058cfb41bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD6BB01839A0F459E989AA2FDC088D332.TMP

Filesize
676B

MD5
85c61c03055878407f9433e0cc278eb7

SHA1
15a60f1519aefb81cb63c5993400dd7d31b1202f

SHA256
f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b

SHA512
7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

Download Submit
C:\Users\Admin\AppData\Local\Temp\wj9bz7wi.0.vb

Filesize
273B

MD5
3c3d3136aa9f1b87290839a1d26ad07a

SHA1
005a23a138be5d7a98bdd4a6cc7fab8bdca962f4

SHA256
5b745f85a39312bfa585edbd7e3465371578b42fa639eded4cdad8c9f96b87fd

SHA512
fbb085ffcd77ac96c245067fd96a0c20492d55331161f292975b0c11386424a96534a500133217f84d44455e16139d01230455bce5db3d472271620c29381f60

Download Submit
C:\Users\Admin\AppData\Local\Temp\wj9bz7wi.cmdline

Filesize
173B

MD5
07fe8f2218221d057afa9afbcf858eea

SHA1
2ee2e58fc9a1f7c66a2e4724839cf3f59505a3d1

SHA256
12d00e1ebbc71eb3466fccd966c8da392a5f83a54474503bdbeb36a84c86e21f

SHA512
25f2b0461c24ee5c1c6d95a2e4a59919f89919ab8e9a5ee3fe0db03312d7bc68e3c0590597cc0bee5cb94e0dfadf6aa8a64d95d1474c58a60b72da825b25599c

Download Submit
C:\Users\Admin\AppData\Local\Temp\xvxoupty.0.vb

Filesize
263B

MD5
d1110a95f1e40f726584bd99eca52fe7

SHA1
97fac683e1116ab31a9cc9c3dcfd9fe9e53505c3

SHA256
00f373eb310beace70146b6e0fd188aa2f437efb2e5a2714a11d4d58e27d3142

SHA512
f15b5b310ace82a0106b551d71ad3d48e1c75085aa78b8bb3374a2334ceb073bd4d1bf4cd0b4e39034c39f01b6bcd76e8be30198e4872f5641a7d29b255154b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\xvxoupty.cmdline

Filesize
163B

MD5
eec22aa2e610c403be1f53af83af985a

SHA1
8bf742ef3f32ba823d15366441394b6229d442bf

SHA256
b6f2ac5655a653ecf500e15ce83a486584bf6f653e524fa67ea9fd1f2c9629c3

SHA512
33b2ae81f719ad0536be89dd4caefd3448424b8d989d62cc3f6523602bc753c3de65bc9dcd251220f044431451c63ee7584eded850e8d77564870946c092d9f9

Download Submit
C:\Windows\System32\MSSCS.exe

Filesize
21KB

MD5
6fe3fb85216045fdf8186429c27458a7

SHA1
ef2c68d0b3edf3def5d90f1525fe87c2142e5710

SHA256
905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550

SHA512
d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c

Download Submit
memory/3752-40-0x000001A0E4A50000-0x000001A0E4A72000-memory.dmp

Filesize
136KB

Download
memory/4356-17-0x00007FF819C50000-0x00007FF81A5F1000-memory.dmp

Filesize
9.6MB

Download
memory/4356-22-0x00007FF819C50000-0x00007FF81A5F1000-memory.dmp

Filesize
9.6MB

Download
memory/4356-20-0x00007FF819C50000-0x00007FF81A5F1000-memory.dmp

Filesize
9.6MB

Download
memory/4356-18-0x00007FF819C50000-0x00007FF81A5F1000-memory.dmp

Filesize
9.6MB

Download
memory/4736-21-0x00007FF819C50000-0x00007FF81A5F1000-memory.dmp

Filesize
9.6MB

Download
memory/4736-0-0x00007FF819F05000-0x00007FF819F06000-memory.dmp

Filesize
4KB

Download
memory/4736-8-0x00007FF819C50000-0x00007FF81A5F1000-memory.dmp

Filesize
9.6MB

Download
memory/4736-7-0x00007FF819F05000-0x00007FF819F06000-memory.dmp

Filesize
4KB

Download
memory/4736-6-0x000000001CF10000-0x000000001CFAC000-memory.dmp

Filesize
624KB

Download
memory/4736-5-0x000000001C620000-0x000000001C682000-memory.dmp

Filesize
392KB

Download
memory/4736-4-0x000000001BAE0000-0x000000001BB86000-memory.dmp

Filesize
664KB

Download
memory/4736-3-0x00007FF819C50000-0x00007FF81A5F1000-memory.dmp

Filesize
9.6MB

Download
memory/4736-1-0x00007FF819C50000-0x00007FF81A5F1000-memory.dmp

Filesize
9.6MB

Download
memory/4736-2-0x000000001C090000-0x000000001C55E000-memory.dmp

Filesize
4.8MB

Download