revengerat | 38bc13ef112b2f17d4d1a80243fac6a521b5d58228984aae0752d79487fa3b66

Resubmissions

14-12-2024 07:51

241214-jqcj1sxnhr 10

11-12-2024 15:39

07-12-2024 20:12

04-12-2024 19:31

04-12-2024 11:47

04-12-2024 11:40

04-12-2024 11:35

Analysis

max time kernel
149s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-12-2024 15:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
Size

21KB
MD5

6fe3fb85216045fdf8186429c27458a7
SHA1

ef2c68d0b3edf3def5d90f1525fe87c2142e5710
SHA256

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550
SHA512

d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c
SSDEEP

384:nPD9On5gIdjbvRPJnMacNj6FIlKrZbJsV5reQ+ys:b9On2nV6FIlKr1

Score

10^/10

revengerat execution stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral22/files/0x0008000000023cfd-13.dat	revengerat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSO.exe	MSSCS.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSO.exe	MSSCS.exe

Executes dropped EXE 1 IoCs

pid	Process
4816	MSSCS.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4520	powershell.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32\MSSCS.exe	MSSCS.exe
File created	C:\Windows\system32\MSSCS.exe	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
File opened for modification	C:\Windows\system32\MSSCS.exe	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
File opened for modification	C:\Windows\system32\MSSCS.exe	MSSCS.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4520	powershell.exe
4520	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1112	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
Token: SeDebugPrivilege	4816	MSSCS.exe
Token: SeDebugPrivilege	4520	powershell.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 1112 wrote to memory of 4816	1112	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe	98
PID 1112 wrote to memory of 4816	1112	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe	98
PID 4816 wrote to memory of 4520	4816	MSSCS.exe	99
PID 4816 wrote to memory of 4520	4816	MSSCS.exe	99
PID 4816 wrote to memory of 3996	4816	MSSCS.exe	101
PID 4816 wrote to memory of 3996	4816	MSSCS.exe	101
PID 3996 wrote to memory of 2808	3996	vbc.exe	103
PID 3996 wrote to memory of 2808	3996	vbc.exe	103
PID 4816 wrote to memory of 1648	4816	MSSCS.exe	104
PID 4816 wrote to memory of 1648	4816	MSSCS.exe	104
PID 1648 wrote to memory of 1968	1648	vbc.exe	106
PID 1648 wrote to memory of 1968	1648	vbc.exe	106
PID 4816 wrote to memory of 1556	4816	MSSCS.exe	107
PID 4816 wrote to memory of 1556	4816	MSSCS.exe	107
PID 1556 wrote to memory of 2224	1556	vbc.exe	109
PID 1556 wrote to memory of 2224	1556	vbc.exe	109
PID 4816 wrote to memory of 3992	4816	MSSCS.exe	110
PID 4816 wrote to memory of 3992	4816	MSSCS.exe	110
PID 3992 wrote to memory of 3316	3992	vbc.exe	112
PID 3992 wrote to memory of 3316	3992	vbc.exe	112
PID 4816 wrote to memory of 4132	4816	MSSCS.exe	113
PID 4816 wrote to memory of 4132	4816	MSSCS.exe	113
PID 4132 wrote to memory of 1236	4132	vbc.exe	115
PID 4132 wrote to memory of 1236	4132	vbc.exe	115
PID 4816 wrote to memory of 2836	4816	MSSCS.exe	116
PID 4816 wrote to memory of 2836	4816	MSSCS.exe	116
PID 2836 wrote to memory of 4944	2836	vbc.exe	119
PID 2836 wrote to memory of 4944	2836	vbc.exe	119
PID 4816 wrote to memory of 4176	4816	MSSCS.exe	120
PID 4816 wrote to memory of 4176	4816	MSSCS.exe	120
PID 4176 wrote to memory of 1128	4176	vbc.exe	122
PID 4176 wrote to memory of 1128	4176	vbc.exe	122
PID 4816 wrote to memory of 2388	4816	MSSCS.exe	123
PID 4816 wrote to memory of 2388	4816	MSSCS.exe	123
PID 2388 wrote to memory of 1896	2388	vbc.exe	125
PID 2388 wrote to memory of 1896	2388	vbc.exe	125
PID 4816 wrote to memory of 2404	4816	MSSCS.exe	126
PID 4816 wrote to memory of 2404	4816	MSSCS.exe	126
PID 2404 wrote to memory of 4868	2404	vbc.exe	128
PID 2404 wrote to memory of 4868	2404	vbc.exe	128
PID 4816 wrote to memory of 1172	4816	MSSCS.exe	129
PID 4816 wrote to memory of 1172	4816	MSSCS.exe	129
PID 1172 wrote to memory of 4792	1172	vbc.exe	131
PID 1172 wrote to memory of 4792	1172	vbc.exe	131

C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
"C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1112
- C:\Windows\system32\MSSCS.exe
  "C:\Windows\system32\MSSCS.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4816
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ExecutionPolicy Bypass -Command [System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms'); [System.Windows.Forms.MessageBox]::Show('Isto abriu lol','Rekt!',0,64)
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4520
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dza3rvkp.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3996
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES91E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9C003A541B6B489786CE50151E78B62C.TMP"
      4⤵
      PID:2808
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\n0mnzkdw.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1648
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA95.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCCD310EC8BF49E0B36EF5B9576FFD7E.TMP"
      4⤵
      PID:1968
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5ebt1w-d.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1556
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB8F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc553AC64B1CDB4BEDA434F5EB62C8FA2A.TMP"
      4⤵
      PID:2224
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rrkhn3av.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3992
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC89.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF83B559F3ED64A728A62F7F8E96A890.TMP"
      4⤵
      PID:3316
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xpqiraxu.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4132
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE2F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBCDF7B1F3AAE487A86717798F3BFBB2.TMP"
      4⤵
      PID:1236
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xfgkns_w.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFE4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD976C05B9B454F38BA1ACC669DD4BE88.TMP"
      4⤵
      PID:4944
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cou4gegk.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4176
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES10EE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc30D412A8B9475B95D80AF7AE6ED15.TMP"
      4⤵
      PID:1128
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\8xltf3ku.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2388
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES11E8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB0FE4F6F4A734681BA7FAD9D55305CBC.TMP"
      4⤵
      PID:1896
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\oigvuvxw.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2404
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1301.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9E63CD1A3B7C43C581E47E5BFDA0DA5A.TMP"
      4⤵
      PID:4868
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\axzcpgeh.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1172
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES143A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc575AC833972D4CE487DA841BC0DA9.TMP"
      4⤵
      PID:4792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5ebt1w-d.0.vb

Filesize
263B

MD5
d1110a95f1e40f726584bd99eca52fe7

SHA1
97fac683e1116ab31a9cc9c3dcfd9fe9e53505c3

SHA256
00f373eb310beace70146b6e0fd188aa2f437efb2e5a2714a11d4d58e27d3142

SHA512
f15b5b310ace82a0106b551d71ad3d48e1c75085aa78b8bb3374a2334ceb073bd4d1bf4cd0b4e39034c39f01b6bcd76e8be30198e4872f5641a7d29b255154b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\5ebt1w-d.cmdline

Filesize
163B

MD5
1eea360e4a6ab3603d9f77c8191a1b92

SHA1
1b16235956c66772d0853e1ea2f8c35f70c97e64

SHA256
b952ee468da713cefb88c0d31b341eb9fa320968fdbc26e1b037741cafcfa01e

SHA512
b1aaafd9b6f75175c412596aa493630f2134c7c9b6356d04bb137d81807e6fab9eca763d303b2bf19d31a8ce4a4863b4cda883407945f37e467374fc66790260

Download Submit
C:\Users\Admin\AppData\Local\Temp\8xltf3ku.0.vb

Filesize
264B

MD5
5ce3977a153152978fa71f8aa96909e9

SHA1
52af143c553c92afc257f0e0d556908eaa8919cb

SHA256
e07a7bd0c2901d3a349ab55e936b34de2d0abb5f2dc555cc128773b8045d3eed

SHA512
eaee02ceade0211be70a4710b28fdf043d5c540928e2095ead924a44c2edfca8fc6499395d1b7f5deee96394fb5309362fb87e45ee195094ec39d5fa11909d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\8xltf3ku.cmdline

Filesize
164B

MD5
81f666e64cadd9f1710e53bf3ab4b7ee

SHA1
e94c9c364c0b59a42252a5f40c2ba412081d8172

SHA256
66ac9006d5486882655747bee0783bc89292ee1fd59c0b85bc4bb043e92515e7

SHA512
bb31973a4bf82ab304dfb233311c28ff7762384ba4f15d5bd0d4e7228aea051b4c78010aafbe7d175e683d508fc266591387b7ed356eec478af8a3d4e98fe977

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES10EE.tmp

Filesize
1KB

MD5
1e5f6c49a44b18a88b50d4b759756ada

SHA1
1c2f157e242a601f31ef672d1cf0ba4940279294

SHA256
c1145920d88d3e3d60f2b9aa77cc320835a75e31bf05e7d19ab40e383533aee9

SHA512
8396675a6a716ff904a5a4be355736584c7e98429ea8ac8148fd1ceafa555885cc4eabf60bcb14d2cd1ee62a5f740389dc1652330a411b16276b35bdaba40b24

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES11E8.tmp

Filesize
1KB

MD5
52cd2842437a600acc389652ed30a46c

SHA1
5afc297853e3deb70030e3f8e4c5b0e0132e53ec

SHA256
078989f46971d2ea88a33022f405cfcebfc812abb183305bcbe15bb61c652fe3

SHA512
f0262370715b4bde6daf66d8db9a7abba8304453b839ddc1c1fb983ba1bdaeb5f5cc25b12c6abdadce9822a58948490ee419cc95ce098c7d9df215ff69ce1568

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1301.tmp

Filesize
1KB

MD5
c0a459b88cb79a85bc314a5f737ca57a

SHA1
7ad69a7574046158ab98a9318b404fc5e2fc889a

SHA256
b2118d6d1466071f083b1727471624feefe9a3c5eb54483158836d9e97bc451b

SHA512
601bee65888143aba1ace12f23b14705b51d8b0e5e82bbb0377d2a3d97cfebdcd22a19cf709fc77e20641a816c7ca26cbb060b0e71b16912fa066008526afcb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES143A.tmp

Filesize
1KB

MD5
6be953f74c564fc346defd20a204b4d0

SHA1
fd69dc0df9608eabaf0374e4f5e4a3c85a7631f1

SHA256
cf7350b8db2b72da655a7f684d84b16c24158b11b385ce4f22b2c7cb8b388c45

SHA512
86bd43062b796ea4740832680f78a28f62cf78ce4f6f2f4d3ace7c484bd80eb530564f261319b3f73c340c7038f49e6afc48a1cb1031de0f0080e706fda1657c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES91E.tmp

Filesize
1KB

MD5
b97162f1798789c51db9096419f575d7

SHA1
089a55547062a7615e61176a4d0663e90478ea9c

SHA256
0142b8419e6af023a0a35f215d527151fb07c3a691b08fcd55126a80654eb499

SHA512
17f620b725c429c7cabf97850b48220c18d4bc217f3950446c6812e64900ffd8731012e43a3c43edd67302c672f65dacabf6dbe47c47b2a811abfb2a5161942d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA95.tmp

Filesize
1KB

MD5
454bc31eaa3a91fc0b4edd8d8a65a035

SHA1
7cb95bc22f5e5ac662d238e4331af86cfdc9870e

SHA256
fc0eb76b57b98d9334f65b70ace4c62cc018ffa5b529ee200e7177ceda32e6ec

SHA512
87a9f53214a728c6f253cd0a6e2ef1dc1617272df3051922d90b37d9377f7fdc08dec4d33860c86ca329e6a7fbb41a1b3e968f9150fe7eaa72a840d63c4360c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB8F.tmp

Filesize
1KB

MD5
aa72e9aa4557824d189fb85e146f5ff9

SHA1
cc40f9ed2ce7456bd694bcc4e191546e66604bb5

SHA256
7b5f0711eacb80bcdbffff4ebbfab929e54c7ca41faea1394f7e80b14e647bf0

SHA512
dbbbe775473b7f9504697c6c8ddf84cd3fa1980eeed2596b6c112f0915aadfc1ccf606f7367579a817eb1e8edb1d4e8b0dc0f364d35d6a910dbf34b825a26d6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC89.tmp

Filesize
1KB

MD5
a63a34ec7552abca3ea9cd7d3bc7ac01

SHA1
4383e6f858e665e7c5a9b9a60e2c595244b8e767

SHA256
94ebcbc8d0fa2f46c8d91ac0cbbf5067c8c0d64a9a62246271838a845ec4ccca

SHA512
5ac4c56c20c9df07f5faeae3a637c8323b4469a62049050c956dd0d23f5fec1d8251fbe85b27a23a4c2605e714e779cddb43d8999c0dffbe0b923924069b3f9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE2F.tmp

Filesize
1KB

MD5
96117d7c5d84748c34431e77eba1b7da

SHA1
708420bdc4ccace6985cfac5772b31f16f416e81

SHA256
1f5f46c2bb66f1bb7c0cf7027324cbe203110b79e291a33ad6e2ff4341983224

SHA512
0e5f045be81a6c2fd1db12dc4df8ef52568cceb103fae31d754b6f2f47342e1bf2665826cbd3be17b342622b8e7d407aa7689959b0e4f049a62808bddfc0b308

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFE4.tmp

Filesize
1KB

MD5
046262ab0aadf41f39b7d28ff509394e

SHA1
1450ca15231fc69cfcf9712f558e5f46c8537a0e

SHA256
c3c2afb0286b0d2a607bf700fa4b135e912138ff6d0fec47238e80406a7b8a52

SHA512
452ee898f8e2bb7471961176e01cc8b47e65bf346c8beee2f8a2e92f3485a215ed4e2bb35566369b91dd33086f039994b3009a5100b55708a459473814cdd422

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ngbgw1ub.5h2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\axzcpgeh.0.vb

Filesize
273B

MD5
3c3d3136aa9f1b87290839a1d26ad07a

SHA1
005a23a138be5d7a98bdd4a6cc7fab8bdca962f4

SHA256
5b745f85a39312bfa585edbd7e3465371578b42fa639eded4cdad8c9f96b87fd

SHA512
fbb085ffcd77ac96c245067fd96a0c20492d55331161f292975b0c11386424a96534a500133217f84d44455e16139d01230455bce5db3d472271620c29381f60

Download Submit
C:\Users\Admin\AppData\Local\Temp\axzcpgeh.cmdline

Filesize
173B

MD5
c8454f3fd907d54744c3d291705d3975

SHA1
bee4f9f95141d0e59ddfc4ddcb566b6d69bbb024

SHA256
3396b28215ad81d4b9c7add9494f5a66508ca7977efe573b9c7dfc9833f74cd4

SHA512
54770b457926391ce8c6cc2b508bf8a9e6fb276b648670d93fe09c90122ca6cd2f98bc937eab303d6030cd9124b6a783ab0fd03cbaa962908ff3d174c74c0c00

Download Submit
C:\Users\Admin\AppData\Local\Temp\cou4gegk.0.vb

Filesize
274B

MD5
539683c4ca4ee4dc46b412c5651f20f5

SHA1
564f25837ce382f1534b088cf2ca1b8c4b078aed

SHA256
ec2210924d5c1af6377ef4bdf76d6ca773aaa1ae0438b0850f44d8c4e16ef92e

SHA512
df7c1a55e53f9b9bf23d27762d2d1163c78808e9b4d95e98c84c55ca4ecb7009ed58574ae6ddede31459f300483a1dc42987295a04f6c8702f297d3f1942f4ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\cou4gegk.cmdline

Filesize
174B

MD5
674ba4ed69d690db20d5109b8c419acf

SHA1
e0cae419742ecb957769a33c59510b28c47cc3e0

SHA256
cee085b8f02228434e39f654fe2ae7bccfa330abef3abc5195b439fc5bf21f31

SHA512
73d6905ce4898121affe1ccaec3e716597e5e38bad12657ef6571aad055e909a46c7d92a4cceec78744759f1cb116f424937d7bd7bd7aa07adf0b8cb09f20878

Download Submit
C:\Users\Admin\AppData\Local\Temp\dza3rvkp.0.vb

Filesize
256B

MD5
076803692ac8c38d8ee02672a9d49778

SHA1
45d2287f33f3358661c3d6a884d2a526fc6a0a46

SHA256
5b3ab23bcadaeb54a41bdb1636bcaf7772af028d375f42baeb967de6579ef2a3

SHA512
cc9126384a287ccb99d10d5c2d3034cdbc8a45e94f1cec48dd95f2aa08ebbe3053ffd6d6effa31f2d84164edbb6136398cd02c08b05f027a6a777dffd1daea5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\dza3rvkp.cmdline

Filesize
156B

MD5
cfdaf5daaf67d494579bebe75a7b1c9f

SHA1
e8d06a557590970d8672c45b5f35010476b25d92

SHA256
116dc0d90c46f4c06a0b028e899996cc24acd7c43572c3b8a16cc7a8311c6de6

SHA512
80dafdfa99cc947d446d3368e4f81c8b074cddaa669a091c143108a1b7be51c7652816e5bc037b332666cd0ba32fcc824ebf7fe516a74c6e1936105d674a2503

Download Submit
C:\Users\Admin\AppData\Local\Temp\n0mnzkdw.0.vb

Filesize
262B

MD5
88cc385da858aaa7057b54eaeb0df718

SHA1
b108224d4686b5ca3faaeb1c728dfba8740a6eca

SHA256
08a30db98d970e3b6819d5ecff6eab2211ce93f4cd000c09db96ffb294d05020

SHA512
4787835240c3e2364172ac2e7649ec8fecb907c7006c38734e59aa65509f360b4596d5db8de20e0c7388a022e1c2f4f9ba75acabba798bea1d40f688539b7df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\n0mnzkdw.cmdline

Filesize
162B

MD5
941196dd40a235efca28bd7249db175a

SHA1
00b4cb7ca9aedddbbcf6a1a808421532abc82684

SHA256
f8663697f932291f6ab031794c287772ce3a438092e1a3399123f58145da3a4f

SHA512
59107961d3084294d5e69e6cea9c8a704c934d3ee393c467db5d066f64b908c71f63d2ce335c286ba0fb9852bed4db8c7bc6002d5e71c01f95682651db1a1006

Download Submit
C:\Users\Admin\AppData\Local\Temp\oigvuvxw.0.vb

Filesize
270B

MD5
658573fde2bebc77c740da7ddaa4634b

SHA1
073da76c50b4033fcfdfb37ba6176afd77b0ea55

SHA256
c07206283d62100d426ba62a81e97bd433966f8b52b5a8dd1451e29a804a1607

SHA512
f93c7f4378be5eca51161d1541d772a34c07884c9d829608c6fa21563df5691920394afe9da1174ad5c13f773a588b186d1d38a9d375a28562eb58ca4a8b8fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\oigvuvxw.cmdline

Filesize
170B

MD5
56259d23a7d00e7e145dc98e72fdbda5

SHA1
46c7ed67886ad9fe520d50f5d77f588462e706f2

SHA256
ce20ec92501ff7c672dbe2b4381e017355625c6eaa16448e1df388f718c25e2d

SHA512
c6071c74c8b1b27ccf3e3770bc8cd13c2ea33b456f5ff4016fd99655d71a537387cbc19bf15d93f69d32aeb3c6ce920647f8589fd675862d477b5e176a469a11

Download Submit
C:\Users\Admin\AppData\Local\Temp\rrkhn3av.0.vb

Filesize
271B

MD5
ac972015bef75b540eb33503d6e28cc2

SHA1
5c1d09fcf4c719711532dcfd0544dfc6f2b90260

SHA256
fa445cc76cde3461a5f1f1281fefcb0c7db69b2685f8a67a06a0f33a067e74e7

SHA512
36b2e1f7b7a6f2c60788f88d95bfdc53b7d261c203eb637a36fbd07d81bc46edc87e528f1987df73963cb75ca2f19c3a4b3df9ade52d5768ecec23753099cc83

Download Submit
C:\Users\Admin\AppData\Local\Temp\rrkhn3av.cmdline

Filesize
171B

MD5
776f4eeaf82106fd0dfe4ec238fa92a6

SHA1
0afa4b720edf01d7272587aebf4be8dd27cf2e04

SHA256
347ff3b22ab7aeb47feb66620ae71cc91e952c1c5b0aa5c4ceb8368566acf6d4

SHA512
59cf5cd843fa6df43739c215d5c356d45c1ce00121773e4d703acef3bf5ab1219200928cf138cf5c4ca0651bf746825bca44ef21914a73f672842fca571d5735

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc30D412A8B9475B95D80AF7AE6ED15.TMP

Filesize
684B

MD5
8135713eeb0cf1521c80ad8f3e7aad22

SHA1
1628969dc6256816b2ab9b1c0163fcff0971c154

SHA256
e14dd88df69dc98be5bedcbc8c43d1e7260b4492899fec24d964000a3b096c7a

SHA512
a0b7210095767b437a668a6b0bcedf42268e80b9184b9910ed67d665fba9f714d06c06bff7b3da63846791d606807d13311946505776a1b891b39058cfb41bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc553AC64B1CDB4BEDA434F5EB62C8FA2A.TMP

Filesize
676B

MD5
85c61c03055878407f9433e0cc278eb7

SHA1
15a60f1519aefb81cb63c5993400dd7d31b1202f

SHA256
f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b

SHA512
7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc575AC833972D4CE487DA841BC0DA9.TMP

Filesize
684B

MD5
7a707b422baa7ca0bc8883cbe68961e7

SHA1
addf3158670a318c3e8e6fdd6d560244b9e8860e

SHA256
453ad1da51152e3512760bbd206304bf48f9c880f63b6a0726009e2d1371c71c

SHA512
81147c1c4c5859249f4e25d754103f3843416e3d0610ac81ee2ef5e5f50622ea37f0c68eeb7fa404f8a1779dc52af02d2142874e39c212c66fa458e0d62926a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc9C003A541B6B489786CE50151E78B62C.TMP

Filesize
644B

MD5
dac60af34e6b37e2ce48ac2551aee4e7

SHA1
968c21d77c1f80b3e962d928c35893dbc8f12c09

SHA256
2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6

SHA512
1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcCCD310EC8BF49E0B36EF5B9576FFD7E.TMP

Filesize
668B

MD5
3906bddee0286f09007add3cffcaa5d5

SHA1
0e7ec4da19db060ab3c90b19070d39699561aae2

SHA256
0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00

SHA512
0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\xfgkns_w.0.vb

Filesize
271B

MD5
325f27ef75bebe8b3f80680add1943d3

SHA1
1c48e211258f8887946afb063e9315b7609b4ee3

SHA256
034c75813491d628a1a740b45888fc0c301b915456aaa7ba6433b4f1368cda35

SHA512
e2165b425558872897990953c26e48776f45751a53da035f1ad86ac062ec23a2923b984d84f992de5c0170f6e192feb155ffff25f51bc76ab273b996daacb804

Download Submit
C:\Users\Admin\AppData\Local\Temp\xfgkns_w.cmdline

Filesize
171B

MD5
2c0871dfff0a7a4b4e33998cdbd9dca7

SHA1
6e23645ded8302ad26023a96cd97fe1ac0f03556

SHA256
16249cbba3990041e24a317e240ea1b7195ea4d76ff1030f090a72bb65946c3f

SHA512
cd277ceb20f2b54737f85194447f455cc7a28c59252c4e03caa081461d6d0af09acac3c5d9e3c302e885d418242c7ef4b63132fcfec19f1e4462bab9d8251b4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\xpqiraxu.0.vb

Filesize
272B

MD5
2b3aac520562a93ebef6a5905d4765c9

SHA1
10ab45c5d73934b16fac5e30bf22f17d3e0810c8

SHA256
b9f0edf067faaaa7da2d47e3d22b957cd302eb25e01e08ea79c664868f328f89

SHA512
9514934ed12d93ea3ad4e6873cf294bafa114bc7a784a93b14dd2410d07fae3a2c00308035a5c129c57e283de8b94ed36fd9f9de35b08eb79a82a0c732e50446

Download Submit
C:\Users\Admin\AppData\Local\Temp\xpqiraxu.cmdline

Filesize
172B

MD5
c4c4b7cdbdd165efbd0e7f6fae48894b

SHA1
a2b2c1f3c9b73bbf55df329a80dc93770925a3f0

SHA256
01fb646d23d47a507a32e38d69f4a6a504e29a8da82d6be1b0a4bb4de2a26fd1

SHA512
586eeef9ff2fbdee31746f39fb67071283649d48c8724c49e907638591b641a9de42e07290a8dd02d77b3890b110e04347f1be21027612cfc9512547390a92b3

Download Submit
C:\Windows\System32\MSSCS.exe

Filesize
21KB

MD5
6fe3fb85216045fdf8186429c27458a7

SHA1
ef2c68d0b3edf3def5d90f1525fe87c2142e5710

SHA256
905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550

SHA512
d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c

Download Submit
memory/1112-7-0x00007FF940765000-0x00007FF940766000-memory.dmp

Filesize
4KB

Download
memory/1112-5-0x000000001C000000-0x000000001C062000-memory.dmp

Filesize
392KB

Download
memory/1112-1-0x00007FF9404B0000-0x00007FF940E51000-memory.dmp

Filesize
9.6MB

Download
memory/1112-2-0x000000001BA10000-0x000000001BEDE000-memory.dmp

Filesize
4.8MB

Download
memory/1112-8-0x00007FF9404B0000-0x00007FF940E51000-memory.dmp

Filesize
9.6MB

Download
memory/1112-4-0x000000001BEE0000-0x000000001BF86000-memory.dmp

Filesize
664KB

Download
memory/1112-6-0x000000001C870000-0x000000001C90C000-memory.dmp

Filesize
624KB

Download
memory/1112-0-0x00007FF940765000-0x00007FF940766000-memory.dmp

Filesize
4KB

Download
memory/1112-21-0x00007FF9404B0000-0x00007FF940E51000-memory.dmp

Filesize
9.6MB

Download
memory/1112-3-0x00007FF9404B0000-0x00007FF940E51000-memory.dmp

Filesize
9.6MB

Download
memory/4520-37-0x000001DF25580000-0x000001DF255A2000-memory.dmp

Filesize
136KB

Download
memory/4816-22-0x00007FF9404B0000-0x00007FF940E51000-memory.dmp

Filesize
9.6MB

Download
memory/4816-19-0x00007FF9404B0000-0x00007FF940E51000-memory.dmp

Filesize
9.6MB

Download
memory/4816-20-0x00007FF9404B0000-0x00007FF940E51000-memory.dmp

Filesize
9.6MB

Download
memory/4816-17-0x00007FF9404B0000-0x00007FF940E51000-memory.dmp

Filesize
9.6MB

Download