revengerat | 38bc13ef112b2f17d4d1a80243fac6a521b5d58228984aae0752d79487fa3b66

Resubmissions

13-02-2025 19:41

250213-yd78gssrap 10

11-02-2025 00:12

250211-ahcqdasrbz 10

08-02-2025 06:10

250208-gw53ea1mhp 10

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20250207-en
resource tags

arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
submitted
08-02-2025 06:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
Size

21KB
MD5

6fe3fb85216045fdf8186429c27458a7
SHA1

ef2c68d0b3edf3def5d90f1525fe87c2142e5710
SHA256

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550
SHA512

d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c
SSDEEP

384:nPD9On5gIdjbvRPJnMacNj6FIlKrZbJsV5reQ+ys:b9On2nV6FIlKr1

Score

10^/10

revengerat discovery execution stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral22/files/0x0007000000023e3b-14.dat	revengerat

Downloads MZ/PE file 1 IoCs

flow	pid	Process
25	2308	Process not Found

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\Control Panel\International\Geo\Nation	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSO.exe	MSSCS.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSO.exe	MSSCS.exe

Executes dropped EXE 1 IoCs

pid	Process
3776	MSSCS.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3144	powershell.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MSSCS.exe	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
File opened for modification	C:\Windows\system32\MSSCS.exe	MSSCS.exe
File created	C:\Windows\system32\MSSCS.exe	MSSCS.exe
File created	C:\Windows\system32\MSSCS.exe	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2300	MicrosoftEdgeUpdate.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3144	powershell.exe
3144	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3536	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
Token: SeDebugPrivilege	3776	MSSCS.exe
Token: SeDebugPrivilege	3144	powershell.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 3536 wrote to memory of 3776	3536	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe	87
PID 3536 wrote to memory of 3776	3536	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe	87
PID 3776 wrote to memory of 3144	3776	MSSCS.exe	89
PID 3776 wrote to memory of 3144	3776	MSSCS.exe	89
PID 3776 wrote to memory of 2476	3776	MSSCS.exe	91
PID 3776 wrote to memory of 2476	3776	MSSCS.exe	91
PID 2476 wrote to memory of 3636	2476	vbc.exe	93
PID 2476 wrote to memory of 3636	2476	vbc.exe	93
PID 3776 wrote to memory of 600	3776	MSSCS.exe	94
PID 3776 wrote to memory of 600	3776	MSSCS.exe	94
PID 600 wrote to memory of 3872	600	vbc.exe	96
PID 600 wrote to memory of 3872	600	vbc.exe	96
PID 3776 wrote to memory of 1820	3776	MSSCS.exe	97
PID 3776 wrote to memory of 1820	3776	MSSCS.exe	97
PID 1820 wrote to memory of 4060	1820	vbc.exe	99
PID 1820 wrote to memory of 4060	1820	vbc.exe	99
PID 3776 wrote to memory of 4512	3776	MSSCS.exe	100
PID 3776 wrote to memory of 4512	3776	MSSCS.exe	100
PID 4512 wrote to memory of 2648	4512	vbc.exe	102
PID 4512 wrote to memory of 2648	4512	vbc.exe	102
PID 3776 wrote to memory of 4844	3776	MSSCS.exe	103
PID 3776 wrote to memory of 4844	3776	MSSCS.exe	103
PID 4844 wrote to memory of 2580	4844	vbc.exe	105
PID 4844 wrote to memory of 2580	4844	vbc.exe	105
PID 3776 wrote to memory of 3032	3776	MSSCS.exe	106
PID 3776 wrote to memory of 3032	3776	MSSCS.exe	106
PID 3032 wrote to memory of 4520	3032	vbc.exe	108
PID 3032 wrote to memory of 4520	3032	vbc.exe	108
PID 3776 wrote to memory of 880	3776	MSSCS.exe	109
PID 3776 wrote to memory of 880	3776	MSSCS.exe	109
PID 880 wrote to memory of 872	880	vbc.exe	111
PID 880 wrote to memory of 872	880	vbc.exe	111
PID 3776 wrote to memory of 4956	3776	MSSCS.exe	112
PID 3776 wrote to memory of 4956	3776	MSSCS.exe	112
PID 4956 wrote to memory of 4208	4956	vbc.exe	114
PID 4956 wrote to memory of 4208	4956	vbc.exe	114
PID 3776 wrote to memory of 116	3776	MSSCS.exe	115
PID 3776 wrote to memory of 116	3776	MSSCS.exe	115
PID 116 wrote to memory of 4052	116	vbc.exe	117
PID 116 wrote to memory of 4052	116	vbc.exe	117
PID 3776 wrote to memory of 2244	3776	MSSCS.exe	118
PID 3776 wrote to memory of 2244	3776	MSSCS.exe	118
PID 2244 wrote to memory of 232	2244	vbc.exe	120
PID 2244 wrote to memory of 232	2244	vbc.exe	120

C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
"C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3536
- C:\Windows\system32\MSSCS.exe
  "C:\Windows\system32\MSSCS.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3776
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ExecutionPolicy Bypass -Command [System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms'); [System.Windows.Forms.MessageBox]::Show('Isto abriu lol','Rekt!',0,64)
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3144
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lux9zohz.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2476
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDDE8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFB2269FFDF64ECD9B16EC46ABBB3D3A.TMP"
      4⤵
      PID:3636
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gfkvn6qq.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:600
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDEB3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc76F5637CEDAB4BDDB233515B3AAC1C67.TMP"
      4⤵
      PID:3872
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tv4hvwrm.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1820
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDF6E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6D5EFA7561BB486689EB2EB6983040EC.TMP"
      4⤵
      PID:4060
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5vfl9-ca.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4512
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE02A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc80C04E09AC2345B6B9705A51DBC2E1C.TMP"
      4⤵
      PID:2648
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\8m2wtyl3.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4844
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE097.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA40486AFC24840C79F39A86E299BBCBC.TMP"
      4⤵
      PID:2580
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\52sgbwxo.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3032
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE133.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFAE1ED65FC254DF9BCB1C322C771AE9.TMP"
      4⤵
      PID:4520
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fo0ukac5.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:880
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE1B0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc81A391147604C7DA230ADF9768286C3.TMP"
      4⤵
      PID:872
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jb1pfdt1.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4956
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE22D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc79F5FCAAA80F415685B2427F9C9EAADA.TMP"
      4⤵
      PID:4208
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qfuisrk9.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:116
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE29B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFD317117A6240208A7BDAF783D7C57B.TMP"
      4⤵
      PID:4052
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4zoxxith.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2244
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE308.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCFAADAEEA968478791F465AB42E05495.TMP"
      4⤵
      PID:232

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MEZFQTBGREUtQUVEQi00NkU4LUI0MDktMkRGMzA4NDI5NEY3fSIgdXNlcmlkPSJ7NkRDQTg0NUUtMEYzRS00RDVGLTk5MDItNzk4OTRDMzA3MTAzfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7MTA4Qjk0QzktNTVCMy00Rjk5LUJDQTUtRDg4MkIwOEFDRjRDfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDU1NzgiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODAxNjUyMzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0ODI3NjQ4MzQ3Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:2300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4zoxxith.0.vb

Filesize
273B

MD5
3c3d3136aa9f1b87290839a1d26ad07a

SHA1
005a23a138be5d7a98bdd4a6cc7fab8bdca962f4

SHA256
5b745f85a39312bfa585edbd7e3465371578b42fa639eded4cdad8c9f96b87fd

SHA512
fbb085ffcd77ac96c245067fd96a0c20492d55331161f292975b0c11386424a96534a500133217f84d44455e16139d01230455bce5db3d472271620c29381f60

Download Submit
C:\Users\Admin\AppData\Local\Temp\4zoxxith.cmdline

Filesize
173B

MD5
a356581c28a8d33a350193d6104c0f7f

SHA1
6af7ff94980f2bc9314db36be4ee86b43efe7289

SHA256
efc0a97b7cf1b70e417fbab63cbaa1c164a4701392978cbab5cefa971a80df18

SHA512
635db513578211655ba402f3c17a5eb38b68b29eea7cabe487a9c86a8b49bebdcf60c95e4194dd7b6948c82d258741c7b30ace9f491914d7b21e10e0317e450b

Download Submit
C:\Users\Admin\AppData\Local\Temp\52sgbwxo.0.vb

Filesize
271B

MD5
325f27ef75bebe8b3f80680add1943d3

SHA1
1c48e211258f8887946afb063e9315b7609b4ee3

SHA256
034c75813491d628a1a740b45888fc0c301b915456aaa7ba6433b4f1368cda35

SHA512
e2165b425558872897990953c26e48776f45751a53da035f1ad86ac062ec23a2923b984d84f992de5c0170f6e192feb155ffff25f51bc76ab273b996daacb804

Download Submit
C:\Users\Admin\AppData\Local\Temp\52sgbwxo.cmdline

Filesize
171B

MD5
eb830ed1b3f1e57c9c2cd036ccfdd337

SHA1
dc16bc783982044f715087f95fd695d45d938c1b

SHA256
0d95a3376945b2e384f27505a760101768b1d66ce4058cc66211be5d4f71a19b

SHA512
60078fda2b6f7745c054f68421d82d1238095d6980215f82719bb12b4531db70b5fe6adcc522b7448d9f4c6611ead9230a0e177dc2f669cc63e7fe2de287015f

Download Submit
C:\Users\Admin\AppData\Local\Temp\5vfl9-ca.0.vb

Filesize
271B

MD5
ac972015bef75b540eb33503d6e28cc2

SHA1
5c1d09fcf4c719711532dcfd0544dfc6f2b90260

SHA256
fa445cc76cde3461a5f1f1281fefcb0c7db69b2685f8a67a06a0f33a067e74e7

SHA512
36b2e1f7b7a6f2c60788f88d95bfdc53b7d261c203eb637a36fbd07d81bc46edc87e528f1987df73963cb75ca2f19c3a4b3df9ade52d5768ecec23753099cc83

Download Submit
C:\Users\Admin\AppData\Local\Temp\5vfl9-ca.cmdline

Filesize
171B

MD5
d1c9b539740fd2f8493d452bf21331d2

SHA1
66812d3cf860ffc1ef1ec22d0f9471db5d70e581

SHA256
eed5b558aad932c36baf3ff7fa06342394e2d37e858f7466b0fa66c7fffbb208

SHA512
36ba031db0a244798d2aad7f970e6e20a1a7fafca142274f3da763cd30d0822b77d32f4cb7c41602be6af2abbb9ea43c06686f5b67c8494986e25afd2d7a9648

Download Submit
C:\Users\Admin\AppData\Local\Temp\8m2wtyl3.0.vb

Filesize
272B

MD5
2b3aac520562a93ebef6a5905d4765c9

SHA1
10ab45c5d73934b16fac5e30bf22f17d3e0810c8

SHA256
b9f0edf067faaaa7da2d47e3d22b957cd302eb25e01e08ea79c664868f328f89

SHA512
9514934ed12d93ea3ad4e6873cf294bafa114bc7a784a93b14dd2410d07fae3a2c00308035a5c129c57e283de8b94ed36fd9f9de35b08eb79a82a0c732e50446

Download Submit
C:\Users\Admin\AppData\Local\Temp\8m2wtyl3.cmdline

Filesize
172B

MD5
60825b945a69d8bce00854e4bb9210f5

SHA1
27701109bfb3f2406079514a589cee1ce769f378

SHA256
82d8e62cb797bc1d1309fdea35c2be03a8a5ff9f06c9a115367218273d11a62f

SHA512
fe0f9cbff72e49ea8d8cc18649254d494e8cb3f0efe51874a9c8db9aad21d6b9589e6e533e30c45345393e02e24c46737936739cc1fddf7a04a2c79f8e158b55

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESDDE8.tmp

Filesize
1KB

MD5
c119826b7f4e0864631836e0b18ba920

SHA1
ade8127f8dbf0e301531f0a708d9fe24371b9dda

SHA256
33408fa46484245814f479c2a7056a8f7b5af68ece0536638107bc8c158fa300

SHA512
567c0bc66ac1364c8559feaf9d0ed8b0d1120ce3e62d1c24b54944cb9a4471fdd670bfdbdd0c54ab6f4a32b7e8466318e7514dcdbef58d5bfdf45f9c42d13427

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESDEB3.tmp

Filesize
1KB

MD5
27df25e92d4d8a7a8081bbdade7e237e

SHA1
2295ff4a125a4a3c2a3c82a0286215b534006f03

SHA256
33a8f46fbcfcbd89e305313278feb4582b1e6d4165bcb1d699d39b108464afbf

SHA512
6d676542e58addf94b25abf63e6296cb05628269f29481f825da16a1bc99a8ac5691c73b290889460e6ac2f242a6a33e87a622028f916c0569ffddbc6e3e9359

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESDF6E.tmp

Filesize
1KB

MD5
80af9b5bbe7824a0f9295cb1e528e243

SHA1
74fba25198058670c9fca8cc4c9d6c863c2863f6

SHA256
f17b4133f6a23c0bfe1e9e5aa8c75e2d22b486bcd3aa5c19a4f13cbc65121717

SHA512
ee7077e3739978afd172d45522aed9496e6836e778d80fb229892a8d0a6ade77b382e5201a2ab7a1bae6b5487ecda275a64788411b76de390df8bd75330fba4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE02A.tmp

Filesize
1KB

MD5
cf9a7e5dfbef6fc5bc1d6328b684386a

SHA1
2e9710cb924ff5e7baa4eabdf54badcdcd230219

SHA256
1bc21c488b4e001624afea2bb4246704101009ba0c13e886b0dffd2f11edaf16

SHA512
e9deb50336c69f669c0a1241c302bb7e6ff42acacd8c2992e3e8cb1eac0362434161829133acf513eaf11f1d372b723935f4d44d35e97119d4ac0b7eb088b405

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE097.tmp

Filesize
1KB

MD5
495b168de833960e96043e26647e5d0d

SHA1
aaf78be00a3e367edb279c2f33274b9bc98754cb

SHA256
09eadf8db9414182d42044585b2ecf172e02c41a20e27d773582d3d8de0bc3f2

SHA512
c4d93b09161fd3a0965e85aa7874a9ad126d1b25ec94f3a902ea19ffbcadfed66d43ed303f73c6cdae1d725b80ec61b5b4d1bb73ecdbef931d339b202c0ca329

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE133.tmp

Filesize
1KB

MD5
66a87c58315abc16a9406bc3a8b0a39f

SHA1
533490b5217117367ddddfff03797050e75dc0ce

SHA256
37c1346360919b4731c7bed311028b12f5c80d7a9865f018070a7b7b9e732509

SHA512
1aab72d818f2d1b6adc70c250935d66b0d2a2d8d9f6824ce95d99bab24007b0b6f27fe84d2fac00f95506b2e32f48af9966142150100796d199e9764128f3099

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE1B0.tmp

Filesize
1KB

MD5
7ff10df62bc2adab01bc2c70f499515c

SHA1
39a67d300f762738ee0334814707cc787eea5dcc

SHA256
79a41aebe9bcf97171d3afd2f7d349211bdb3adc498e4a491bc54cd0dbe9f3e5

SHA512
35c251f7e02bc93ba7e5fcafd85eb40f10fbd09000960d14816e9bca75990af14040bb25e768e25b3ba5f6a926c3cad012ba7a1d1b5dc846ca4bf192c0091507

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE22D.tmp

Filesize
1KB

MD5
0a0ea6f33b2410db9fcd56ee8d8473cb

SHA1
d0c1282f0f5452beeb9e4c845e9c1aa742a70c00

SHA256
0e0e4348b86a163068d74a83bc636836b5f348a40ac5bb1be5a37467394c903e

SHA512
f60eff35d5e541157fee503310bf5ac1b179d87de762734fa8efb9bfb7f8c8d0fed06dbad573242b90bec4a99a2118dadf4db12a824dfd9c3bc9c18d9ec94487

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE29B.tmp

Filesize
1KB

MD5
c160f98c81bc44ab96724235dcdc8452

SHA1
f6bdb5ac5c5c8137f5c30e3865e21011ba54e2e4

SHA256
892b06e145ab130895e54c6bb8468076a5bbb6e88740732c4093a4d0ca4ba460

SHA512
a5152479424dce922ced096a822dbf9cce83ed791a74dc642294064253cac9384effce1429d973ae354a9dbafc71302aa326215aebcfe644f88ebf33a6a9681c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE308.tmp

Filesize
1KB

MD5
88d7115b3460cf8189457e5e9c2a7889

SHA1
9038b644b6859866b7cee562cd822793992f8edd

SHA256
3ea86b0d0dc18cb93d78b16d68c3b757161f1d2ea602100db5f4955300551a3c

SHA512
c140eb1d4b597abf69477f0b3c2809a322229745c150da1f0b9c14bf0b8e6166470fb59e725bd61ae9f990f530fc1934c2a147cf391e58735ece9d99b14fb3ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_os51yhkh.evz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\fo0ukac5.0.vb

Filesize
274B

MD5
539683c4ca4ee4dc46b412c5651f20f5

SHA1
564f25837ce382f1534b088cf2ca1b8c4b078aed

SHA256
ec2210924d5c1af6377ef4bdf76d6ca773aaa1ae0438b0850f44d8c4e16ef92e

SHA512
df7c1a55e53f9b9bf23d27762d2d1163c78808e9b4d95e98c84c55ca4ecb7009ed58574ae6ddede31459f300483a1dc42987295a04f6c8702f297d3f1942f4ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\fo0ukac5.cmdline

Filesize
174B

MD5
3b454ccba551dbc301f6a44d875ecac4

SHA1
25c6a1d552e76e77be5b8f7b8ee61df031ca6982

SHA256
8b29fd9e9984cd487656cc2b267260394c9002be83fe78742a39a6b97495188b

SHA512
febc3f91a95f4df5ae38f3c8f76a716109475f82571912bcdd6980ca719ab3441f29059397b64ba1b0b50971618620a199a29c9eef52fa76bd66e19a44b55706

Download Submit
C:\Users\Admin\AppData\Local\Temp\gfkvn6qq.0.vb

Filesize
262B

MD5
88cc385da858aaa7057b54eaeb0df718

SHA1
b108224d4686b5ca3faaeb1c728dfba8740a6eca

SHA256
08a30db98d970e3b6819d5ecff6eab2211ce93f4cd000c09db96ffb294d05020

SHA512
4787835240c3e2364172ac2e7649ec8fecb907c7006c38734e59aa65509f360b4596d5db8de20e0c7388a022e1c2f4f9ba75acabba798bea1d40f688539b7df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\gfkvn6qq.cmdline

Filesize
162B

MD5
2deecc96a9f9e3a682da0afae088d31a

SHA1
f23034d7af2c4d5107bd8069fd534283bea8d96c

SHA256
ea1979e781dcaab02ef3e1690eae24c04b6e2a2adf60dd95237276f700004843

SHA512
f39907c229094b03ceea5bebed00877ac3700f0e648059e397f317c8a014e9a801148fb06c5b6d7bc1bf05c39fdb875b3946e3e35c6cab003985256ef4afa06f

Download Submit
C:\Users\Admin\AppData\Local\Temp\jb1pfdt1.0.vb

Filesize
264B

MD5
5ce3977a153152978fa71f8aa96909e9

SHA1
52af143c553c92afc257f0e0d556908eaa8919cb

SHA256
e07a7bd0c2901d3a349ab55e936b34de2d0abb5f2dc555cc128773b8045d3eed

SHA512
eaee02ceade0211be70a4710b28fdf043d5c540928e2095ead924a44c2edfca8fc6499395d1b7f5deee96394fb5309362fb87e45ee195094ec39d5fa11909d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\jb1pfdt1.cmdline

Filesize
164B

MD5
d112157f9b3781f540105f9e474fc0c3

SHA1
265befdd0bff9228dab358903f5cf3816f1a8e19

SHA256
710d175343156e4bb22979822b249f9bf146865e79365c0e564d51f861d5ece8

SHA512
366105c4f77c1768060fc6ae55e6f802c4cc16ac1d95da88c0f03c51a518380e402d25f90e3593e9a1893c7b845678465d7e78c9f4c6e86cb42eca7d03f8c0cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\lux9zohz.0.vb

Filesize
256B

MD5
076803692ac8c38d8ee02672a9d49778

SHA1
45d2287f33f3358661c3d6a884d2a526fc6a0a46

SHA256
5b3ab23bcadaeb54a41bdb1636bcaf7772af028d375f42baeb967de6579ef2a3

SHA512
cc9126384a287ccb99d10d5c2d3034cdbc8a45e94f1cec48dd95f2aa08ebbe3053ffd6d6effa31f2d84164edbb6136398cd02c08b05f027a6a777dffd1daea5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\lux9zohz.cmdline

Filesize
156B

MD5
501887c96958aeea066ef230966c2829

SHA1
1a9c9aa4ed22332ab9e6546b6b7651f429f43465

SHA256
ceb36f3035c2fa92ae297c1fd707a3dfd0d92e9d4f67f1d366e7e52cdd7300ee

SHA512
5097986e881e58b98cab39977f999267c686b76480a56c28a0b5ebe753b9403bcf874cad2f68d1e3831ac9ab81ec0588f851ee1fe8d5d48e4e70fecc068bdf41

Download Submit
C:\Users\Admin\AppData\Local\Temp\qfuisrk9.0.vb

Filesize
270B

MD5
658573fde2bebc77c740da7ddaa4634b

SHA1
073da76c50b4033fcfdfb37ba6176afd77b0ea55

SHA256
c07206283d62100d426ba62a81e97bd433966f8b52b5a8dd1451e29a804a1607

SHA512
f93c7f4378be5eca51161d1541d772a34c07884c9d829608c6fa21563df5691920394afe9da1174ad5c13f773a588b186d1d38a9d375a28562eb58ca4a8b8fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\qfuisrk9.cmdline

Filesize
170B

MD5
64e9bcbd6b7489a70e7ec11a062133bb

SHA1
5e77c8a89aedc79f5b848e61e1e4d8acac2d5261

SHA256
3c70ef19f43e34c6307af8705f13450db4c2a62d7f0e72580cb170c765fde5c5

SHA512
42a11cb0a51676e17fbfe72c839fb039d8c481098dbefb6c266625bcb65dd98d2765e0a9e6df7c101b337f0fa2fdbbd857456caa52dfcac2b00699fc008eca66

Download Submit
C:\Users\Admin\AppData\Local\Temp\tv4hvwrm.0.vb

Filesize
263B

MD5
d1110a95f1e40f726584bd99eca52fe7

SHA1
97fac683e1116ab31a9cc9c3dcfd9fe9e53505c3

SHA256
00f373eb310beace70146b6e0fd188aa2f437efb2e5a2714a11d4d58e27d3142

SHA512
f15b5b310ace82a0106b551d71ad3d48e1c75085aa78b8bb3374a2334ceb073bd4d1bf4cd0b4e39034c39f01b6bcd76e8be30198e4872f5641a7d29b255154b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tv4hvwrm.cmdline

Filesize
163B

MD5
157067fa84510f00a925b3fe585111c1

SHA1
26a20e270dff94329f0ca30d30d8a99571dda2d4

SHA256
7c3deb7cd0f3c3b21a84bf08e989a1e179e027b928b15b60b0fb7c8f8413bc7f

SHA512
303b3a001e387c9b141d3e9f4535778f137d4d96bbe1a8820a67e8b64fb77b1f200510a85438510f1a4e5ea6527527d5d38b04484196acda324bfa87fe2b5c11

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6D5EFA7561BB486689EB2EB6983040EC.TMP

Filesize
676B

MD5
85c61c03055878407f9433e0cc278eb7

SHA1
15a60f1519aefb81cb63c5993400dd7d31b1202f

SHA256
f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b

SHA512
7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc76F5637CEDAB4BDDB233515B3AAC1C67.TMP

Filesize
668B

MD5
3906bddee0286f09007add3cffcaa5d5

SHA1
0e7ec4da19db060ab3c90b19070d39699561aae2

SHA256
0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00

SHA512
0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc81A391147604C7DA230ADF9768286C3.TMP

Filesize
684B

MD5
8135713eeb0cf1521c80ad8f3e7aad22

SHA1
1628969dc6256816b2ab9b1c0163fcff0971c154

SHA256
e14dd88df69dc98be5bedcbc8c43d1e7260b4492899fec24d964000a3b096c7a

SHA512
a0b7210095767b437a668a6b0bcedf42268e80b9184b9910ed67d665fba9f714d06c06bff7b3da63846791d606807d13311946505776a1b891b39058cfb41bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcCFAADAEEA968478791F465AB42E05495.TMP

Filesize
684B

MD5
7a707b422baa7ca0bc8883cbe68961e7

SHA1
addf3158670a318c3e8e6fdd6d560244b9e8860e

SHA256
453ad1da51152e3512760bbd206304bf48f9c880f63b6a0726009e2d1371c71c

SHA512
81147c1c4c5859249f4e25d754103f3843416e3d0610ac81ee2ef5e5f50622ea37f0c68eeb7fa404f8a1779dc52af02d2142874e39c212c66fa458e0d62926a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFB2269FFDF64ECD9B16EC46ABBB3D3A.TMP

Filesize
644B

MD5
dac60af34e6b37e2ce48ac2551aee4e7

SHA1
968c21d77c1f80b3e962d928c35893dbc8f12c09

SHA256
2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6

SHA512
1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

Download Submit
C:\Windows\System32\MSSCS.exe

Filesize
21KB

MD5
6fe3fb85216045fdf8186429c27458a7

SHA1
ef2c68d0b3edf3def5d90f1525fe87c2142e5710

SHA256
905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550

SHA512
d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c

Download Submit
memory/3144-38-0x000001C95F080000-0x000001C95F0A2000-memory.dmp

Filesize
136KB

Download
memory/3536-21-0x00007FFD8C0C0000-0x00007FFD8CA61000-memory.dmp

Filesize
9.6MB

Download
memory/3536-1-0x00007FFD8C0C0000-0x00007FFD8CA61000-memory.dmp

Filesize
9.6MB

Download
memory/3536-3-0x000000001BAF0000-0x000000001BB96000-memory.dmp

Filesize
664KB

Download
memory/3536-2-0x000000001C080000-0x000000001C54E000-memory.dmp

Filesize
4.8MB

Download
memory/3536-0-0x00007FFD8C375000-0x00007FFD8C376000-memory.dmp

Filesize
4KB

Download
memory/3536-8-0x00007FFD8C0C0000-0x00007FFD8CA61000-memory.dmp

Filesize
9.6MB

Download
memory/3536-7-0x00007FFD8C375000-0x00007FFD8C376000-memory.dmp

Filesize
4KB

Download
memory/3536-6-0x000000001CEB0000-0x000000001CF4C000-memory.dmp

Filesize
624KB

Download
memory/3536-5-0x00007FFD8C0C0000-0x00007FFD8CA61000-memory.dmp

Filesize
9.6MB

Download
memory/3536-4-0x000000001C610000-0x000000001C672000-memory.dmp

Filesize
392KB

Download
memory/3776-23-0x00007FFD8C0C0000-0x00007FFD8CA61000-memory.dmp

Filesize
9.6MB

Download
memory/3776-19-0x00007FFD8C0C0000-0x00007FFD8CA61000-memory.dmp

Filesize
9.6MB

Download
memory/3776-20-0x00007FFD8C0C0000-0x00007FFD8CA61000-memory.dmp

Filesize
9.6MB

Download
memory/3776-22-0x00007FFD8C0C0000-0x00007FFD8CA61000-memory.dmp

Filesize
9.6MB

Download