revengerat | 38bc13ef112b2f17d4d1a80243fac6a521b5d58228984aae0752d79487fa3b66

Resubmissions

14-12-2024 07:51

241214-jqcj1sxnhr 10

11-12-2024 15:39

241211-s3498stkar 10

07-12-2024 20:12

241207-yy4qsswqej 10

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-12-2024 01:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
Size

21KB
MD5

6fe3fb85216045fdf8186429c27458a7
SHA1

ef2c68d0b3edf3def5d90f1525fe87c2142e5710
SHA256

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550
SHA512

d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c
SSDEEP

384:nPD9On5gIdjbvRPJnMacNj6FIlKrZbJsV5reQ+ys:b9On2nV6FIlKr1

Score

10^/10

revengerat execution stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral15/files/0x000b000000023b98-13.dat	revengerat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSO.exe	MSSCS.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSO.exe	MSSCS.exe

Executes dropped EXE 1 IoCs

pid	Process
4516	MSSCS.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
548	powershell.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32\MSSCS.exe	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
File opened for modification	C:\Windows\system32\MSSCS.exe	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
File opened for modification	C:\Windows\system32\MSSCS.exe	MSSCS.exe
File created	C:\Windows\system32\MSSCS.exe	MSSCS.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
548	powershell.exe
548	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3668	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
Token: SeDebugPrivilege	4516	MSSCS.exe
Token: SeDebugPrivilege	548	powershell.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 3668 wrote to memory of 4516	3668	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe	97
PID 3668 wrote to memory of 4516	3668	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe	97
PID 4516 wrote to memory of 548	4516	MSSCS.exe	98
PID 4516 wrote to memory of 548	4516	MSSCS.exe	98
PID 4516 wrote to memory of 2764	4516	MSSCS.exe	100
PID 4516 wrote to memory of 2764	4516	MSSCS.exe	100
PID 2764 wrote to memory of 636	2764	vbc.exe	102
PID 2764 wrote to memory of 636	2764	vbc.exe	102
PID 4516 wrote to memory of 3060	4516	MSSCS.exe	103
PID 4516 wrote to memory of 3060	4516	MSSCS.exe	103
PID 3060 wrote to memory of 1792	3060	vbc.exe	105
PID 3060 wrote to memory of 1792	3060	vbc.exe	105
PID 4516 wrote to memory of 1772	4516	MSSCS.exe	106
PID 4516 wrote to memory of 1772	4516	MSSCS.exe	106
PID 1772 wrote to memory of 3204	1772	vbc.exe	108
PID 1772 wrote to memory of 3204	1772	vbc.exe	108
PID 4516 wrote to memory of 3328	4516	MSSCS.exe	109
PID 4516 wrote to memory of 3328	4516	MSSCS.exe	109
PID 3328 wrote to memory of 1808	3328	vbc.exe	111
PID 3328 wrote to memory of 1808	3328	vbc.exe	111
PID 4516 wrote to memory of 4572	4516	MSSCS.exe	112
PID 4516 wrote to memory of 4572	4516	MSSCS.exe	112
PID 4572 wrote to memory of 976	4572	vbc.exe	114
PID 4572 wrote to memory of 976	4572	vbc.exe	114
PID 4516 wrote to memory of 4468	4516	MSSCS.exe	115
PID 4516 wrote to memory of 4468	4516	MSSCS.exe	115
PID 4468 wrote to memory of 4576	4468	vbc.exe	117
PID 4468 wrote to memory of 4576	4468	vbc.exe	117
PID 4516 wrote to memory of 2828	4516	MSSCS.exe	118
PID 4516 wrote to memory of 2828	4516	MSSCS.exe	118
PID 2828 wrote to memory of 3604	2828	vbc.exe	120
PID 2828 wrote to memory of 3604	2828	vbc.exe	120
PID 4516 wrote to memory of 228	4516	MSSCS.exe	121
PID 4516 wrote to memory of 228	4516	MSSCS.exe	121
PID 228 wrote to memory of 2676	228	vbc.exe	123
PID 228 wrote to memory of 2676	228	vbc.exe	123
PID 4516 wrote to memory of 4524	4516	MSSCS.exe	124
PID 4516 wrote to memory of 4524	4516	MSSCS.exe	124
PID 4524 wrote to memory of 3992	4524	vbc.exe	126
PID 4524 wrote to memory of 3992	4524	vbc.exe	126
PID 4516 wrote to memory of 2960	4516	MSSCS.exe	127
PID 4516 wrote to memory of 2960	4516	MSSCS.exe	127
PID 2960 wrote to memory of 1492	2960	vbc.exe	129
PID 2960 wrote to memory of 1492	2960	vbc.exe	129

C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
"C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3668
- C:\Windows\system32\MSSCS.exe
  "C:\Windows\system32\MSSCS.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4516
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ExecutionPolicy Bypass -Command [System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms'); [System.Windows.Forms.MessageBox]::Show('Isto abriu lol','Rekt!',0,64)
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:548
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\e0hkpl5-.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2764
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC0B4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA2499422186A4E1C8A18D12DFDD3DD4.TMP"
      4⤵
      PID:636
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uvelb_ni.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3060
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC160.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc133F28CFC8214DD7BBE792328E371A9.TMP"
      4⤵
      PID:1792
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zqxhg6ca.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1772
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC1FC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5814F2E0998E4E49AD368F36CD9E6077.TMP"
      4⤵
      PID:3204
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\l2sxgpbr.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3328
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC26A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFA3AD5E36DCA45B79BF0D48E65437729.TMP"
      4⤵
      PID:1808
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sfjgchqx.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4572
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC2C7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3209FD53496549C480346F63CE4A4B18.TMP"
      4⤵
      PID:976
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\udsgfhkl.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4468
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC325.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4905EDAA774041529A90BCE86A8A4B5F.TMP"
      4⤵
      PID:4576
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_9v-v0zo.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2828
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC383.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc257E25FED98440BB3945979AC9D4D61.TMP"
      4⤵
      PID:3604
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\teq0c4rq.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:228
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC3E1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc11BE045132F48E28AB0A8945C99E54.TMP"
      4⤵
      PID:2676
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\8ggtvpdc.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4524
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC44E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc56724D17531E44FE8530FC5772524AA5.TMP"
      4⤵
      PID:3992
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yrqhvzt-.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2960
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC4AC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc83F87FCCB66A4927AEC6AAFC4F5A4B40.TMP"
      4⤵
      PID:1492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8ggtvpdc.0.vb

Filesize
270B

MD5
658573fde2bebc77c740da7ddaa4634b

SHA1
073da76c50b4033fcfdfb37ba6176afd77b0ea55

SHA256
c07206283d62100d426ba62a81e97bd433966f8b52b5a8dd1451e29a804a1607

SHA512
f93c7f4378be5eca51161d1541d772a34c07884c9d829608c6fa21563df5691920394afe9da1174ad5c13f773a588b186d1d38a9d375a28562eb58ca4a8b8fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\8ggtvpdc.cmdline

Filesize
170B

MD5
495c6618f547741876add50e5c8a8f4b

SHA1
9b9191f0826773ebff6028da9646f3c9ec5e75f5

SHA256
dcde864a686504ca62333005fd5aa0d048fd729722d21b4f7916dd8370e57327

SHA512
043cd2d756491097ac065bd7534ef993099e1ee1cfa65411e51f259114e0b2bd493d5f0bc15b57379c0ab16a0f8c85515d1e1222333eeeaa94893c73b5f3fd94

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC0B4.tmp

Filesize
1KB

MD5
c98751238f1f5a3b3f51b66ed14d08d5

SHA1
a99919e5e8263ddfddbf1cdda39c8788807dfbe0

SHA256
b1d98df0ff08b635563e3e55aaa6d2e469030adb796c25b0e629603bd53df137

SHA512
1cb31d9ad79b1c44453c1b12ed42860b1f27969109fdf8a526079f7c5c6485487ff84931e6dec6394c955ac14e84483696abc8e38b96b082b2b6ca3d7e1eaa0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC160.tmp

Filesize
1KB

MD5
a1c41468bcae16c24044bd1994c8b2aa

SHA1
616756ee6b09e3bb737dff92810cadb7fbe8d4d4

SHA256
fb697fb7ea88f9c250ed7078f66998d1f3cbc3b4c1e2287a362704fdfa03c19c

SHA512
2b8919b91009226cefeee7efe10d292c54a3d7e17b039ef652bbe18aae0829cc1796488a0bc8ffd1474e15122be20b0291b83760587678115f0e0d1f91b4a016

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC1FC.tmp

Filesize
1KB

MD5
743aaa276efcf538c01e61a7f8475c95

SHA1
eda429eff6aa8f50f2f81f00af37d2457b80d702

SHA256
5e7a829e5456307faab0ce6391c1cb10fb6c730c6f02d10f837dc0bbc5e6ab1f

SHA512
9874dd02d419fc6f97867e1a8f45faf7b48f59df9b40dcfeac75663bd11865604fee194b22d5433f3f03d151bf1bc2155cb99e6dc572dc30016e5987b04ba685

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC26A.tmp

Filesize
1KB

MD5
97f93d5521fe0038eda158dc8d9b332d

SHA1
d8758d6b7ff020a9a883f6af307ff3268ce5dc53

SHA256
da8b45a3bf27f54e49e958f0bc48d4188edd1cf7512b5aa34c3f01fade25992c

SHA512
050484d222366f4e2cb071ad5054de79aa727bfaf976573121e9adece3cfc20cd7006289a4ec16ebc9c515890bc3aeecee938f6e87af26305b804cc2598faa8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC2C7.tmp

Filesize
1KB

MD5
bf6bf96125adb0c522c60dacf1f68ecf

SHA1
a66142a999e8845a21a78635820ea3e1d29968bd

SHA256
0c0dce5fe5ada3a3a07773d0d94c831644eaf4012b202faf9a027c8c326959a4

SHA512
d24dcd4d1e276920104c95c018b423bf503567e81380704e0ebac3355e9fb71d7e647089a99704557b0266fe888f1aa51cddf71425813f113c968cd0170f5d55

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC325.tmp

Filesize
1KB

MD5
315abe044823e0ffd933ea8c05126d2e

SHA1
04277b19d07f13e96a7fed82e4ed3a5d69ad63fd

SHA256
1786eb510e6e88cd6a60d7f8131af91468793704ae000f9f6f9e02ca12c8340e

SHA512
edbe038a24e2b0f1c3f3d4ce5a59be1ca3739737226865df7f5cbb5e1e4122889e4debe3e7bb27bf90a223624c9e1367662082eeaa52fed1526483c7c574ec7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC383.tmp

Filesize
1KB

MD5
7b03bca451fb176d72b244f4f10a55bf

SHA1
e5cca02289f3b39358b0b52c681992f6cd51744a

SHA256
ca1243c5ff6a2da5d49348b0ce859805088e97c7ca26020b96741c5f7245435d

SHA512
947806247c92820d54a2ccc512abdc1e842363c7814c9a26dfd4aba28862ddd0dae1483c4ca0b09c724998ad4054b282c9522d7ea5117b2172e2790a4505580b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC3E1.tmp

Filesize
1KB

MD5
7f4e767da596bbbc11470e8aa3d8dca9

SHA1
83da7d326789e5a2cb76aa44118d9a4ad21aed6d

SHA256
72ea5e3db173fdf6983a9b265e4dff13d3feb316e25173a906f1a42d4041c5e1

SHA512
996b832edbdae3f4fb0e259f59d1b539380e5ffe29c81410db44fbf29394a46c978efbe213812bc5ff3776aba2ded3f99eca4cfedafb4d59ddc6a188b026c46e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC44E.tmp

Filesize
1KB

MD5
b41332f430fd5f4fa88675431bf7d905

SHA1
5eb9e21784c0081bf091b4b4c648c18ca333ef36

SHA256
10639f4b258734b1c0f3bdda8bdbff8a576ecd8b64fbca10cfd21dcb34f4feaf

SHA512
41bb35feafd271d7c9c04a56428145b56d5af2e03796aef5532fbb5e61f0d94d1c55d76377a3c9adfc4cbef59364324d5ee9e044cedb315f7d1b0cc40ffd134e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC4AC.tmp

Filesize
1KB

MD5
f158ffc3b88162ea1116966d0ac4b21b

SHA1
fcc8c1e29d03c5d09865cd90c14d4a6985605cf0

SHA256
e956a63eca942c596fddc4f71a787aabb85654026bf613f697dc6e5f092eb94e

SHA512
bde1ed7dfb27720a42dddb1bcaa60366ba49eb06adb7b5e75e01392e6d4a742157526dfe0d3f30a4354308208019d433dcd85b4f8ac9c186668e0717cf163dc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_9v-v0zo.0.vb

Filesize
274B

MD5
539683c4ca4ee4dc46b412c5651f20f5

SHA1
564f25837ce382f1534b088cf2ca1b8c4b078aed

SHA256
ec2210924d5c1af6377ef4bdf76d6ca773aaa1ae0438b0850f44d8c4e16ef92e

SHA512
df7c1a55e53f9b9bf23d27762d2d1163c78808e9b4d95e98c84c55ca4ecb7009ed58574ae6ddede31459f300483a1dc42987295a04f6c8702f297d3f1942f4ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\_9v-v0zo.cmdline

Filesize
174B

MD5
979d59b5928e5f6650162db59c0671fc

SHA1
602007f4e2b31755b201e625273bb452ec7b9cc9

SHA256
a2d405b7f7ad6269628c90e9be22519fea68452cd4f96512a4c543b6557d0f64

SHA512
5dcae968ba6276a33405a6f82ff28b3a34c073b0577c2005e803bf00f29a9ddf427ed256dffa0bb2e062b577cdad79541b6d16b48832a51ab9bb4c3ebab1206d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_y5ccsi4x.nqr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\e0hkpl5-.0.vb

Filesize
256B

MD5
076803692ac8c38d8ee02672a9d49778

SHA1
45d2287f33f3358661c3d6a884d2a526fc6a0a46

SHA256
5b3ab23bcadaeb54a41bdb1636bcaf7772af028d375f42baeb967de6579ef2a3

SHA512
cc9126384a287ccb99d10d5c2d3034cdbc8a45e94f1cec48dd95f2aa08ebbe3053ffd6d6effa31f2d84164edbb6136398cd02c08b05f027a6a777dffd1daea5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\e0hkpl5-.cmdline

Filesize
156B

MD5
eba8e49f9ff059f9247fcecbafa69190

SHA1
a5177f0c30d74b0197b559f01961b588c7cec230

SHA256
4f044f98884984038132b3af95848f1f5e2cb66557e2aefb79c192db4bbae76b

SHA512
508ec3813e85d68b90abedb266410e6379451e36ae83e543de2984aefd52f01b3aa6d2f46ec5cc9a7f7662218104ea06dbb05ebb97aece7120630edb462f729e

Download Submit
C:\Users\Admin\AppData\Local\Temp\l2sxgpbr.0.vb

Filesize
271B

MD5
ac972015bef75b540eb33503d6e28cc2

SHA1
5c1d09fcf4c719711532dcfd0544dfc6f2b90260

SHA256
fa445cc76cde3461a5f1f1281fefcb0c7db69b2685f8a67a06a0f33a067e74e7

SHA512
36b2e1f7b7a6f2c60788f88d95bfdc53b7d261c203eb637a36fbd07d81bc46edc87e528f1987df73963cb75ca2f19c3a4b3df9ade52d5768ecec23753099cc83

Download Submit
C:\Users\Admin\AppData\Local\Temp\l2sxgpbr.cmdline

Filesize
171B

MD5
48e7a8f60b8e0e20b805611d3d42c415

SHA1
b438762ee36b9b1aa36a600654b95b1e8a1ccf69

SHA256
298db8bc2343704dfec3febebb29e8358010a69005c6dd60009ca24859faefd7

SHA512
6dd6e43ea9c73b29a1ec7c239584d5433cb122ed2ba325b62661897e97aad44b3a9b7258830e236a28d592a9769335e4b311cf2f0620035a66963384f50be13a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sfjgchqx.0.vb

Filesize
272B

MD5
2b3aac520562a93ebef6a5905d4765c9

SHA1
10ab45c5d73934b16fac5e30bf22f17d3e0810c8

SHA256
b9f0edf067faaaa7da2d47e3d22b957cd302eb25e01e08ea79c664868f328f89

SHA512
9514934ed12d93ea3ad4e6873cf294bafa114bc7a784a93b14dd2410d07fae3a2c00308035a5c129c57e283de8b94ed36fd9f9de35b08eb79a82a0c732e50446

Download Submit
C:\Users\Admin\AppData\Local\Temp\sfjgchqx.cmdline

Filesize
172B

MD5
8cbb112c50b7feb7eda9e1607d3aff40

SHA1
6536bda193cf79396714adc0f6f2a126356e0f04

SHA256
d4353a71bebe9cb6aa7609c77bd01e55f8009f2d264e935d7e577ad72df14b8f

SHA512
c31182f945a3493045920d85e9bceb09af3fd8b7015a28da3f7be36686070044c6c8b3763f4aaa3f86c41ae5b30aa14352c934292025601d65ed6873c79de8ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\teq0c4rq.0.vb

Filesize
264B

MD5
5ce3977a153152978fa71f8aa96909e9

SHA1
52af143c553c92afc257f0e0d556908eaa8919cb

SHA256
e07a7bd0c2901d3a349ab55e936b34de2d0abb5f2dc555cc128773b8045d3eed

SHA512
eaee02ceade0211be70a4710b28fdf043d5c540928e2095ead924a44c2edfca8fc6499395d1b7f5deee96394fb5309362fb87e45ee195094ec39d5fa11909d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\teq0c4rq.cmdline

Filesize
164B

MD5
af792a8c173ff3ef6f0713a138ff2130

SHA1
ea6593f7596cfe21489a112a6c4a479d1162347e

SHA256
68ea74c1667d1ea1f1645834e4e74974c51413c46e0b46c8b2c873f672f4b33b

SHA512
563c3743e3a058aa028705898984c89f2edb9d173aee15ed61e9b17198f19f0d4ccec805db1fd7e1ee25c61cc09d85efe04cdc411998129f4cf1f83a650858aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\udsgfhkl.0.vb

Filesize
271B

MD5
325f27ef75bebe8b3f80680add1943d3

SHA1
1c48e211258f8887946afb063e9315b7609b4ee3

SHA256
034c75813491d628a1a740b45888fc0c301b915456aaa7ba6433b4f1368cda35

SHA512
e2165b425558872897990953c26e48776f45751a53da035f1ad86ac062ec23a2923b984d84f992de5c0170f6e192feb155ffff25f51bc76ab273b996daacb804

Download Submit
C:\Users\Admin\AppData\Local\Temp\udsgfhkl.cmdline

Filesize
171B

MD5
4f1b94521c060103ad2087137b81bbdb

SHA1
9bc20a95a10810f773992c2a55b3d39fb475a815

SHA256
e1f80342f7d6d02b613f54667ce88308f82f29361ec9706174c355d58a583c59

SHA512
ff86005edd14e5c8c5002e817559c5cb5cad19ecd3afd29e2dabf3ddde9b8c5c3523824bf523b030096a8c343517ea22ac855646cd74c815e6c99452d3678c42

Download Submit
C:\Users\Admin\AppData\Local\Temp\uvelb_ni.0.vb

Filesize
262B

MD5
88cc385da858aaa7057b54eaeb0df718

SHA1
b108224d4686b5ca3faaeb1c728dfba8740a6eca

SHA256
08a30db98d970e3b6819d5ecff6eab2211ce93f4cd000c09db96ffb294d05020

SHA512
4787835240c3e2364172ac2e7649ec8fecb907c7006c38734e59aa65509f360b4596d5db8de20e0c7388a022e1c2f4f9ba75acabba798bea1d40f688539b7df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\uvelb_ni.cmdline

Filesize
162B

MD5
5b25fc4b14b91d37d2a6b0ee149780fb

SHA1
17ce745ce247e2380ab39b560bd510568a121fcf

SHA256
61fe8e55f2610617e0db898aea0894abd88595624244c9402002458806ceadae

SHA512
709b1ce41be7e70595527e1465f551f2bca0a0a4a674eb908f3900427d46c10bd11d3931e7415ce2cad5bdfdcb2b2cb7cd9f1a8a2fb479935cb355acd6ab4464

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc133F28CFC8214DD7BBE792328E371A9.TMP

Filesize
668B

MD5
3906bddee0286f09007add3cffcaa5d5

SHA1
0e7ec4da19db060ab3c90b19070d39699561aae2

SHA256
0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00

SHA512
0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc257E25FED98440BB3945979AC9D4D61.TMP

Filesize
684B

MD5
8135713eeb0cf1521c80ad8f3e7aad22

SHA1
1628969dc6256816b2ab9b1c0163fcff0971c154

SHA256
e14dd88df69dc98be5bedcbc8c43d1e7260b4492899fec24d964000a3b096c7a

SHA512
a0b7210095767b437a668a6b0bcedf42268e80b9184b9910ed67d665fba9f714d06c06bff7b3da63846791d606807d13311946505776a1b891b39058cfb41bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5814F2E0998E4E49AD368F36CD9E6077.TMP

Filesize
676B

MD5
85c61c03055878407f9433e0cc278eb7

SHA1
15a60f1519aefb81cb63c5993400dd7d31b1202f

SHA256
f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b

SHA512
7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc83F87FCCB66A4927AEC6AAFC4F5A4B40.TMP

Filesize
684B

MD5
7a707b422baa7ca0bc8883cbe68961e7

SHA1
addf3158670a318c3e8e6fdd6d560244b9e8860e

SHA256
453ad1da51152e3512760bbd206304bf48f9c880f63b6a0726009e2d1371c71c

SHA512
81147c1c4c5859249f4e25d754103f3843416e3d0610ac81ee2ef5e5f50622ea37f0c68eeb7fa404f8a1779dc52af02d2142874e39c212c66fa458e0d62926a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA2499422186A4E1C8A18D12DFDD3DD4.TMP

Filesize
644B

MD5
dac60af34e6b37e2ce48ac2551aee4e7

SHA1
968c21d77c1f80b3e962d928c35893dbc8f12c09

SHA256
2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6

SHA512
1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

Download Submit
C:\Users\Admin\AppData\Local\Temp\yrqhvzt-.0.vb

Filesize
273B

MD5
3c3d3136aa9f1b87290839a1d26ad07a

SHA1
005a23a138be5d7a98bdd4a6cc7fab8bdca962f4

SHA256
5b745f85a39312bfa585edbd7e3465371578b42fa639eded4cdad8c9f96b87fd

SHA512
fbb085ffcd77ac96c245067fd96a0c20492d55331161f292975b0c11386424a96534a500133217f84d44455e16139d01230455bce5db3d472271620c29381f60

Download Submit
C:\Users\Admin\AppData\Local\Temp\yrqhvzt-.cmdline

Filesize
173B

MD5
0f23dc123860f368503746843d843d86

SHA1
1fdd8c09e511aa3231dd1bf956188fa569741b65

SHA256
9699a6e4007219872ca0f10a3efa0ea146dabf9873a80f0777fdbbefe2ab0156

SHA512
3fbeda4b3349ab64888187ebf80b2703bfd87248b03ad7169d2cda09e194ab03943600096d3a60ed859d3e19c82b7546325d8c3c8306f894fccd0bd837c2273b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zqxhg6ca.0.vb

Filesize
263B

MD5
d1110a95f1e40f726584bd99eca52fe7

SHA1
97fac683e1116ab31a9cc9c3dcfd9fe9e53505c3

SHA256
00f373eb310beace70146b6e0fd188aa2f437efb2e5a2714a11d4d58e27d3142

SHA512
f15b5b310ace82a0106b551d71ad3d48e1c75085aa78b8bb3374a2334ceb073bd4d1bf4cd0b4e39034c39f01b6bcd76e8be30198e4872f5641a7d29b255154b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\zqxhg6ca.cmdline

Filesize
163B

MD5
f414b733d86a74ab75b450a8dc185167

SHA1
be05a99d7d340e3ad2df970332f0c18ef2744b61

SHA256
663f9bbdfb62e03b9a5652a64460a276ce5c47543af89b343ce12690f55c4482

SHA512
b972a49cc1f62e353a58ec5e33b4180309053e24ec7a9b5e9001a313654d721cdf810eb5e36fca8b7d007bf5f5beb212315ca98157a328603d0cbde9e680b5f9

Download Submit
C:\Windows\System32\MSSCS.exe

Filesize
21KB

MD5
6fe3fb85216045fdf8186429c27458a7

SHA1
ef2c68d0b3edf3def5d90f1525fe87c2142e5710

SHA256
905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550

SHA512
d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c

Download Submit
memory/548-36-0x000001D0AC130000-0x000001D0AC152000-memory.dmp

Filesize
136KB

Download
memory/3668-5-0x000000001BE90000-0x000000001BEF2000-memory.dmp

Filesize
392KB

Download
memory/3668-4-0x000000001B2D0000-0x000000001B376000-memory.dmp

Filesize
664KB

Download
memory/3668-20-0x00007FFD507A0000-0x00007FFD51141000-memory.dmp

Filesize
9.6MB

Download
memory/3668-2-0x000000001B900000-0x000000001BDCE000-memory.dmp

Filesize
4.8MB

Download
memory/3668-1-0x00007FFD507A0000-0x00007FFD51141000-memory.dmp

Filesize
9.6MB

Download
memory/3668-3-0x00007FFD507A0000-0x00007FFD51141000-memory.dmp

Filesize
9.6MB

Download
memory/3668-8-0x00007FFD507A0000-0x00007FFD51141000-memory.dmp

Filesize
9.6MB

Download
memory/3668-7-0x00007FFD50A55000-0x00007FFD50A56000-memory.dmp

Filesize
4KB

Download
memory/3668-6-0x000000001C720000-0x000000001C7BC000-memory.dmp

Filesize
624KB

Download
memory/3668-0-0x00007FFD50A55000-0x00007FFD50A56000-memory.dmp

Filesize
4KB

Download
memory/4516-21-0x00007FFD507A0000-0x00007FFD51141000-memory.dmp

Filesize
9.6MB

Download
memory/4516-22-0x00007FFD507A0000-0x00007FFD51141000-memory.dmp

Filesize
9.6MB

Download
memory/4516-17-0x00007FFD507A0000-0x00007FFD51141000-memory.dmp

Filesize
9.6MB

Download
memory/4516-19-0x00007FFD507A0000-0x00007FFD51141000-memory.dmp

Filesize
9.6MB

Download