revengerat | 38bc13ef112b2f17d4d1a80243fac6a521b5d58228984aae0752d79487fa3b66

Resubmissions

01/03/2025, 18:58

250301-xmhhrayp15 10

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
20/02/2025, 10:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
Size

21KB
MD5

6fe3fb85216045fdf8186429c27458a7
SHA1

ef2c68d0b3edf3def5d90f1525fe87c2142e5710
SHA256

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550
SHA512

d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c
SSDEEP

384:nPD9On5gIdjbvRPJnMacNj6FIlKrZbJsV5reQ+ys:b9On2nV6FIlKr1

Score

10^/10

revengerat execution stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral30/files/0x0008000000023d41-13.dat	revengerat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSO.exe	MSSCS.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSO.exe	MSSCS.exe

Executes dropped EXE 1 IoCs

pid	Process
428	MSSCS.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3588	powershell.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32\MSSCS.exe	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
File opened for modification	C:\Windows\system32\MSSCS.exe	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
File opened for modification	C:\Windows\system32\MSSCS.exe	MSSCS.exe
File created	C:\Windows\system32\MSSCS.exe	MSSCS.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3588	powershell.exe
3588	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3596	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
Token: SeDebugPrivilege	428	MSSCS.exe
Token: SeDebugPrivilege	3588	powershell.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 3596 wrote to memory of 428	3596	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe	87
PID 3596 wrote to memory of 428	3596	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe	87
PID 428 wrote to memory of 3588	428	MSSCS.exe	88
PID 428 wrote to memory of 3588	428	MSSCS.exe	88
PID 428 wrote to memory of 1632	428	MSSCS.exe	90
PID 428 wrote to memory of 1632	428	MSSCS.exe	90
PID 1632 wrote to memory of 4796	1632	vbc.exe	92
PID 1632 wrote to memory of 4796	1632	vbc.exe	92
PID 428 wrote to memory of 3432	428	MSSCS.exe	93
PID 428 wrote to memory of 3432	428	MSSCS.exe	93
PID 3432 wrote to memory of 1168	3432	vbc.exe	95
PID 3432 wrote to memory of 1168	3432	vbc.exe	95
PID 428 wrote to memory of 4636	428	MSSCS.exe	96
PID 428 wrote to memory of 4636	428	MSSCS.exe	96
PID 4636 wrote to memory of 1800	4636	vbc.exe	98
PID 4636 wrote to memory of 1800	4636	vbc.exe	98
PID 428 wrote to memory of 3084	428	MSSCS.exe	99
PID 428 wrote to memory of 3084	428	MSSCS.exe	99
PID 3084 wrote to memory of 3216	3084	vbc.exe	101
PID 3084 wrote to memory of 3216	3084	vbc.exe	101
PID 428 wrote to memory of 4520	428	MSSCS.exe	102
PID 428 wrote to memory of 4520	428	MSSCS.exe	102
PID 4520 wrote to memory of 2100	4520	vbc.exe	104
PID 4520 wrote to memory of 2100	4520	vbc.exe	104
PID 428 wrote to memory of 2408	428	MSSCS.exe	105
PID 428 wrote to memory of 2408	428	MSSCS.exe	105
PID 2408 wrote to memory of 2800	2408	vbc.exe	107
PID 2408 wrote to memory of 2800	2408	vbc.exe	107
PID 428 wrote to memory of 2204	428	MSSCS.exe	108
PID 428 wrote to memory of 2204	428	MSSCS.exe	108
PID 2204 wrote to memory of 3484	2204	vbc.exe	110
PID 2204 wrote to memory of 3484	2204	vbc.exe	110
PID 428 wrote to memory of 4912	428	MSSCS.exe	111
PID 428 wrote to memory of 4912	428	MSSCS.exe	111
PID 4912 wrote to memory of 312	4912	vbc.exe	113
PID 4912 wrote to memory of 312	4912	vbc.exe	113
PID 428 wrote to memory of 2160	428	MSSCS.exe	114
PID 428 wrote to memory of 2160	428	MSSCS.exe	114
PID 2160 wrote to memory of 4816	2160	vbc.exe	116
PID 2160 wrote to memory of 4816	2160	vbc.exe	116
PID 428 wrote to memory of 3000	428	MSSCS.exe	117
PID 428 wrote to memory of 3000	428	MSSCS.exe	117
PID 3000 wrote to memory of 3964	3000	vbc.exe	119
PID 3000 wrote to memory of 3964	3000	vbc.exe	119

C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
"C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3596
- C:\Windows\system32\MSSCS.exe
  "C:\Windows\system32\MSSCS.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:428
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ExecutionPolicy Bypass -Command [System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms'); [System.Windows.Forms.MessageBox]::Show('Isto abriu lol','Rekt!',0,64)
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3588
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\8y5agswo.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1632
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1071.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc54F70CEBE3BF4533972F32FF67B5320.TMP"
      4⤵
      PID:4796
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9czzhvrc.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3432
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES110D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFB2FC12DAA164A3CAAE91807061C2D5.TMP"
      4⤵
      PID:1168
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rydr-gnt.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4636
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES11B9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD0D0A6EA19A549618B9A162A1F799D41.TMP"
      4⤵
      PID:1800
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fe0yaync.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3084
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1246.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc40B5C1C12A8442A6A627811F64285F31.TMP"
      4⤵
      PID:3216
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lwlucapj.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4520
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES12A4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCA5A4A9EE1834944A041A1EC15BC8759.TMP"
      4⤵
      PID:2100
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zlv3jdnq.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2408
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1321.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc76BA9E35EDF845A19214F23F649F14F9.TMP"
      4⤵
      PID:2800
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\koqfm7ag.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2204
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES137E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc305C546BF9046189197EA2F965FFCE4.TMP"
      4⤵
      PID:3484
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vtv1zwfr.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4912
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES13DC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB1AECBF99C214CE4A471DDE64AD4D860.TMP"
      4⤵
      PID:312
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9tneu3nb.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2160
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1449.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6309E8E13E53413DA08699F711339A12.TMP"
      4⤵
      PID:4816
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vyqtjfpy.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3000
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1498.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA5EC7AC6C57A4481928E882ECDB5D8C3.TMP"
      4⤵
      PID:3964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8y5agswo.0.vb

Filesize
256B

MD5
076803692ac8c38d8ee02672a9d49778

SHA1
45d2287f33f3358661c3d6a884d2a526fc6a0a46

SHA256
5b3ab23bcadaeb54a41bdb1636bcaf7772af028d375f42baeb967de6579ef2a3

SHA512
cc9126384a287ccb99d10d5c2d3034cdbc8a45e94f1cec48dd95f2aa08ebbe3053ffd6d6effa31f2d84164edbb6136398cd02c08b05f027a6a777dffd1daea5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\8y5agswo.cmdline

Filesize
156B

MD5
b90d4e42c816bc6f7205505c30e03ffb

SHA1
f46b55a4373b6dd9d7b7a4fc21d8b982859e86c9

SHA256
956c9b355c93876391106fda6dbd10f5e8166f26d90438ece130f9d27db757c9

SHA512
9985b3e8816efae1aa4f738bbc28ba836ce8084cb51ca19235ba1a26f50178812c413872fd07def70c9ddd1e3069545e6ffba0f51e89f989e598ec43dbcc6f03

Download Submit
C:\Users\Admin\AppData\Local\Temp\9czzhvrc.0.vb

Filesize
262B

MD5
88cc385da858aaa7057b54eaeb0df718

SHA1
b108224d4686b5ca3faaeb1c728dfba8740a6eca

SHA256
08a30db98d970e3b6819d5ecff6eab2211ce93f4cd000c09db96ffb294d05020

SHA512
4787835240c3e2364172ac2e7649ec8fecb907c7006c38734e59aa65509f360b4596d5db8de20e0c7388a022e1c2f4f9ba75acabba798bea1d40f688539b7df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\9czzhvrc.cmdline

Filesize
162B

MD5
46d71861effb790b923047af91979179

SHA1
1d6b5ebbed49271340ffc5a8e5db4166cfae70fa

SHA256
cdfdd283076df00140959656052395f5e654c5582a3bebc2fb8668feea328db5

SHA512
b085cd1943de7ed9d6c23ff8c2c462f72724f64bcebe0a5ded581559fe8412987021f4b8b8d9bebe089daf1a65810c19db1ca90e0a658cabeb197d436b03c349

Download Submit
C:\Users\Admin\AppData\Local\Temp\9tneu3nb.0.vb

Filesize
270B

MD5
658573fde2bebc77c740da7ddaa4634b

SHA1
073da76c50b4033fcfdfb37ba6176afd77b0ea55

SHA256
c07206283d62100d426ba62a81e97bd433966f8b52b5a8dd1451e29a804a1607

SHA512
f93c7f4378be5eca51161d1541d772a34c07884c9d829608c6fa21563df5691920394afe9da1174ad5c13f773a588b186d1d38a9d375a28562eb58ca4a8b8fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\9tneu3nb.cmdline

Filesize
170B

MD5
40712f1cd2c1ae4742ad57bf406d89ae

SHA1
0b8e131e3ce8127ee50b201414afaf8b39e8ee0f

SHA256
87635c248d6cb8251b6cb5a834b2e859d91a1ebec674e227390489b971a6f915

SHA512
8072f02f6b9ac92ff4546156f7db8b1981ad6c79d071c14b47493d31a61c84740a931bfb1eb1cde2f99a7b6a22c6c01f14dda97cf8568f8145f10bd29479459b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1071.tmp

Filesize
1KB

MD5
9205622bdfbb0e6e921c4a989e0077c9

SHA1
87264c54fe81abd39ab2bbe65f06593b6ca9e13d

SHA256
5df342fb3eb172fea81d343b9a5ae71c503c395fa523d4685e80c4c5e7e79205

SHA512
665d51a525c5d627fb925c6c31f2be47c1858ab8aaf6c6f17ebeebc7d7fb62442f5321cdd91d64dcfb894e7d95bf12a1c87a21e24746077cafedfd064ed5a6a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES110D.tmp

Filesize
1KB

MD5
324131fcead4c630325f3c2a40e964ca

SHA1
ccbad84ab6ca753c3e65b26039750b4c5d5bc5a0

SHA256
2c9e0e861c00f280bb3c0edeae83b1b66f147253ad42e91c13e47da8979703b0

SHA512
6e5d7bfbe308472e44429227fb40aeb34f26e290a4ce22704202b682817d9ca87e74a2736b90fdce0cbd45a5890f2d375acaead976c212e34d412843bdca1f99

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES11B9.tmp

Filesize
1KB

MD5
e578af5484ad42e7385f4f8f88320372

SHA1
e1b03f0d60fcd7eaf1672015addd27a12393c99a

SHA256
c3941be15327fc040c24ec76aa402ddb316221f22466651c34a73b6d98dbf1c7

SHA512
b4850cf18c021e945c8ede72fee2b1cfb48ca68aa44ad8f8429e2be3b691fe86e5d51c31213f3b45bbaefa241f53f35c8b6dfdf5a17f765441b65488963d6f2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1246.tmp

Filesize
1KB

MD5
1a2e8d2edf0619076f73468dc69d5ec0

SHA1
36edcaef556ea17eade83d4d47a826eb35f98904

SHA256
caee95eede8d4d20ef48d5d9066f914eb3cb0f35a3b5bf8f51718f3c68f32b77

SHA512
9928cf532c72ef735a9b325f4e5b91bea5fd5cbd5f5a0574b86bce8a0bb69a31035fc39faff3e58d5ac940715935df944fa932f53b81dfc0e524d980e4ae6320

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES12A4.tmp

Filesize
1KB

MD5
148e6973ce666fefae28520204c08f80

SHA1
707ebc6076d9839a16517711fe4b7e9a8209d2d6

SHA256
357fd2e0e4538973c737a7cd48cd4338021d2cacbbb4b47de1d2a0aac95ca314

SHA512
099ed303ed0ee9430f0cbf1d5c32715485e832b645877978f2e52705b9a1cb7b9a653696e577288a037f12d9334954f69b50e045a646f0f62849e04838600cde

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1321.tmp

Filesize
1KB

MD5
3d3b6b8a647191c54d8c701e70d71d14

SHA1
0e888880de8d85ad105019e4dd0ce07f465a25ab

SHA256
f1ed0fe35fb8f3bb68d6b065d2aea6baa62a2aa7e606a7466aae6427a330c36f

SHA512
70954d907794c164e5547f4a7552d4cff6964578e832e7a12a11796c1e99b2552bec2312a72bf20c8782fcc680905cf1c486b06e5c55038ac7a82765a3973e9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES137E.tmp

Filesize
1KB

MD5
8211b9f932dface36c02725b83e9173c

SHA1
afed9146a90394343dd209287e69b21c980f133e

SHA256
f7eac3f7100c4f7af6c6f3ded4f41e761eb61e4f92546b9b0980162b1c4942aa

SHA512
393e3fceec1cc45d7018c077cbdab83b7013e37dd8af6b82ed4995b27377c4a93ac80e0185733fc90e6a5f74d9c8e0c06b584ab63d7728602d5e5a6801278542

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES13DC.tmp

Filesize
1KB

MD5
6c845b75999cd448968d40eea0128fe0

SHA1
ac9e375d6946130798247127b698a84c865c25da

SHA256
cc4cdeaf094e1d5e3b014bde2aec4b621b993d1d75899d8f650062584a0321b1

SHA512
7dd4ab88252a53687f0bd609b00be9290b595044767b59e1ca6f116a850bf9ff6807bbea407300b57e50477e6a97c118fafab97b8626e15730199f30e91cf5e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1449.tmp

Filesize
1KB

MD5
ec8003e7235d4e69eabcc841c302bb8b

SHA1
7f788ec2b10d32da72159e22b73989151d9c534f

SHA256
0dfc20a037f8e67919c6f76d351662da21d816d7d9bf8546b07b9d6138988055

SHA512
fa2e0ff006a6bbecbcc5769d96095d9005981aa1487daf671fe6eb38d159c45ac13d36df9ae10e6651b12c1ed1d9d9b56b97a4a186f2cee3d56f0cca7d1ded07

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1498.tmp

Filesize
1KB

MD5
bf566c564414a0e4cc197c6a70becfc9

SHA1
5935c4b9b00913635ea6a3106c665710b49d11b9

SHA256
cbc0dea6e4333ef28fc911551be77d93fa5619c99bc18b926a6aeb9e60ff7c5c

SHA512
611429aab7e4ac1c45925986b335d38bf298ba7a89a8cbf68cc712ad3b0ff9ec1b5de8a1fa5c2fdfda3e84e83a907cf5aa31606faf3d964c0efd70e5dc3fe5a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_j5o2il3g.4ul.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\fe0yaync.0.vb

Filesize
271B

MD5
ac972015bef75b540eb33503d6e28cc2

SHA1
5c1d09fcf4c719711532dcfd0544dfc6f2b90260

SHA256
fa445cc76cde3461a5f1f1281fefcb0c7db69b2685f8a67a06a0f33a067e74e7

SHA512
36b2e1f7b7a6f2c60788f88d95bfdc53b7d261c203eb637a36fbd07d81bc46edc87e528f1987df73963cb75ca2f19c3a4b3df9ade52d5768ecec23753099cc83

Download Submit
C:\Users\Admin\AppData\Local\Temp\fe0yaync.cmdline

Filesize
171B

MD5
b6a0382938a3a6ad1680f6a7f94514c8

SHA1
94c961b250a91bffb290f706413ae97a1c6d901b

SHA256
894be386fd67d77ef0b2efb979993913f2da60d094e9c4a5de62865c785bb2db

SHA512
6ccea38ce4ec2172e4edc62a56392b1f40fa533fca1c89986440b316bc19f727e02b8e8bde578f003f1ac0229a6d8fe2d305c9d654c0aa7b0a02789ed1502ee0

Download Submit
C:\Users\Admin\AppData\Local\Temp\koqfm7ag.0.vb

Filesize
274B

MD5
539683c4ca4ee4dc46b412c5651f20f5

SHA1
564f25837ce382f1534b088cf2ca1b8c4b078aed

SHA256
ec2210924d5c1af6377ef4bdf76d6ca773aaa1ae0438b0850f44d8c4e16ef92e

SHA512
df7c1a55e53f9b9bf23d27762d2d1163c78808e9b4d95e98c84c55ca4ecb7009ed58574ae6ddede31459f300483a1dc42987295a04f6c8702f297d3f1942f4ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\koqfm7ag.cmdline

Filesize
174B

MD5
c2bb2b8b728c5421dd4021a5c0fad031

SHA1
73c877df33f96fad6f25379d268b1c9d76ba6b52

SHA256
30fa16b00b68cf048451c85ab8411b0da9563d5c955237c37f7cda16bdfbbfb7

SHA512
fcbeadeb07b9ad4c03445ca57973c4c3b4c17a1828876ad6a46994291e5ea41ae8caf22b418b4e5eff11ee1eeed265905fffb34d5c02f01d92534445cafb6b68

Download Submit
C:\Users\Admin\AppData\Local\Temp\lwlucapj.0.vb

Filesize
272B

MD5
2b3aac520562a93ebef6a5905d4765c9

SHA1
10ab45c5d73934b16fac5e30bf22f17d3e0810c8

SHA256
b9f0edf067faaaa7da2d47e3d22b957cd302eb25e01e08ea79c664868f328f89

SHA512
9514934ed12d93ea3ad4e6873cf294bafa114bc7a784a93b14dd2410d07fae3a2c00308035a5c129c57e283de8b94ed36fd9f9de35b08eb79a82a0c732e50446

Download Submit
C:\Users\Admin\AppData\Local\Temp\lwlucapj.cmdline

Filesize
172B

MD5
0536dbaa86999099692264330855bb83

SHA1
c6000f5dbfb18e60201a1cbdea1cab6b2d45bbf1

SHA256
bb2568fa989377fc5a037ff964d82531c4067b089b1c40359ff04718f5579f29

SHA512
d5c8f2ad8e484b7a118d7260daf54e5f44b07343e2fc8bb87fd8cf6e2e2af4f49a8ed37604eea13859784b7a9ea92cc42f8c962f1b2f9bee5d1bf02be9056c59

Download Submit
C:\Users\Admin\AppData\Local\Temp\rydr-gnt.0.vb

Filesize
263B

MD5
d1110a95f1e40f726584bd99eca52fe7

SHA1
97fac683e1116ab31a9cc9c3dcfd9fe9e53505c3

SHA256
00f373eb310beace70146b6e0fd188aa2f437efb2e5a2714a11d4d58e27d3142

SHA512
f15b5b310ace82a0106b551d71ad3d48e1c75085aa78b8bb3374a2334ceb073bd4d1bf4cd0b4e39034c39f01b6bcd76e8be30198e4872f5641a7d29b255154b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\rydr-gnt.cmdline

Filesize
163B

MD5
96296a06d10ffdf81f30a632f6bed676

SHA1
5f9ff695411f38a0fe1ad774b2abf0ccb5df953f

SHA256
44a4faa1b2fd51a816493f57487538881dd5b0705fcddc7f48dd0dc58e36045f

SHA512
98775319f9e60af026e6c65cea2eef5415d46d315df2f86ec098c013db0f67af63a545ba0174a38a71f21bcca38146834bc3c886b031bb84308074c2fbf6f5eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc305C546BF9046189197EA2F965FFCE4.TMP

Filesize
684B

MD5
8135713eeb0cf1521c80ad8f3e7aad22

SHA1
1628969dc6256816b2ab9b1c0163fcff0971c154

SHA256
e14dd88df69dc98be5bedcbc8c43d1e7260b4492899fec24d964000a3b096c7a

SHA512
a0b7210095767b437a668a6b0bcedf42268e80b9184b9910ed67d665fba9f714d06c06bff7b3da63846791d606807d13311946505776a1b891b39058cfb41bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc54F70CEBE3BF4533972F32FF67B5320.TMP

Filesize
644B

MD5
dac60af34e6b37e2ce48ac2551aee4e7

SHA1
968c21d77c1f80b3e962d928c35893dbc8f12c09

SHA256
2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6

SHA512
1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA5EC7AC6C57A4481928E882ECDB5D8C3.TMP

Filesize
684B

MD5
7a707b422baa7ca0bc8883cbe68961e7

SHA1
addf3158670a318c3e8e6fdd6d560244b9e8860e

SHA256
453ad1da51152e3512760bbd206304bf48f9c880f63b6a0726009e2d1371c71c

SHA512
81147c1c4c5859249f4e25d754103f3843416e3d0610ac81ee2ef5e5f50622ea37f0c68eeb7fa404f8a1779dc52af02d2142874e39c212c66fa458e0d62926a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD0D0A6EA19A549618B9A162A1F799D41.TMP

Filesize
676B

MD5
85c61c03055878407f9433e0cc278eb7

SHA1
15a60f1519aefb81cb63c5993400dd7d31b1202f

SHA256
f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b

SHA512
7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFB2FC12DAA164A3CAAE91807061C2D5.TMP

Filesize
668B

MD5
3906bddee0286f09007add3cffcaa5d5

SHA1
0e7ec4da19db060ab3c90b19070d39699561aae2

SHA256
0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00

SHA512
0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vtv1zwfr.0.vb

Filesize
264B

MD5
5ce3977a153152978fa71f8aa96909e9

SHA1
52af143c553c92afc257f0e0d556908eaa8919cb

SHA256
e07a7bd0c2901d3a349ab55e936b34de2d0abb5f2dc555cc128773b8045d3eed

SHA512
eaee02ceade0211be70a4710b28fdf043d5c540928e2095ead924a44c2edfca8fc6499395d1b7f5deee96394fb5309362fb87e45ee195094ec39d5fa11909d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\vtv1zwfr.cmdline

Filesize
164B

MD5
0c47e93c8821c35228f61d0857f0c086

SHA1
8b1524e34dde7317448050ac55abca7c7334313f

SHA256
0c4b86ec3e6dcd81ae047dda97b0872e1be016edfc958a54ef291935721e426c

SHA512
00e3bc728f64843b02a10acbd3016d0126d5deb2d9eac329974f79e844d221e2b6c0e921ffb7cf33bc7b25becaa1b76ea244919cb672493a042452c9ae3c837e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vyqtjfpy.0.vb

Filesize
273B

MD5
3c3d3136aa9f1b87290839a1d26ad07a

SHA1
005a23a138be5d7a98bdd4a6cc7fab8bdca962f4

SHA256
5b745f85a39312bfa585edbd7e3465371578b42fa639eded4cdad8c9f96b87fd

SHA512
fbb085ffcd77ac96c245067fd96a0c20492d55331161f292975b0c11386424a96534a500133217f84d44455e16139d01230455bce5db3d472271620c29381f60

Download Submit
C:\Users\Admin\AppData\Local\Temp\vyqtjfpy.cmdline

Filesize
173B

MD5
5c108ae6ae964580b0896609f5e6a3ba

SHA1
4e633c45349cc3a9655ec3be13bf748bc94ebb7f

SHA256
490a136dad1f897e78a410c35f542894970f687377217c0726e134a4e2fb3278

SHA512
1d22c3c0291a7ac0c65836c6cbedf42e817ef52c0bf35d84ab116e92d46b04877e8bf9fa9b0d329b3d2018cf5d4f586e703f0419982a087a2f3e59adca335236

Download Submit
C:\Users\Admin\AppData\Local\Temp\zlv3jdnq.0.vb

Filesize
271B

MD5
325f27ef75bebe8b3f80680add1943d3

SHA1
1c48e211258f8887946afb063e9315b7609b4ee3

SHA256
034c75813491d628a1a740b45888fc0c301b915456aaa7ba6433b4f1368cda35

SHA512
e2165b425558872897990953c26e48776f45751a53da035f1ad86ac062ec23a2923b984d84f992de5c0170f6e192feb155ffff25f51bc76ab273b996daacb804

Download Submit
C:\Users\Admin\AppData\Local\Temp\zlv3jdnq.cmdline

Filesize
171B

MD5
324a69c9ce2bed792077eaac118201b3

SHA1
d04d140b04eaca196d771bf67b50b7168e66afcb

SHA256
276dbf6c4673ff625a02279df3262133306889ded15bedc7b394304c31573ba6

SHA512
a4dc5127cf49506bb16cb050002dab5f81406c64427bbea6f3998f8916c6933f6f4d4ddcd18ad93713e7fc6a4f874313cf11cf8532cd114d0e61ae4e249343e9

Download Submit
C:\Windows\System32\MSSCS.exe

Filesize
21KB

MD5
6fe3fb85216045fdf8186429c27458a7

SHA1
ef2c68d0b3edf3def5d90f1525fe87c2142e5710

SHA256
905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550

SHA512
d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c

Download Submit
memory/428-19-0x00007FFFC60C0000-0x00007FFFC6A61000-memory.dmp

Filesize
9.6MB

Download
memory/428-18-0x00007FFFC60C0000-0x00007FFFC6A61000-memory.dmp

Filesize
9.6MB

Download
memory/428-21-0x00007FFFC60C0000-0x00007FFFC6A61000-memory.dmp

Filesize
9.6MB

Download
memory/3588-29-0x000001DE3EE40000-0x000001DE3EE62000-memory.dmp

Filesize
136KB

Download
memory/3596-5-0x000000001BE80000-0x000000001BEE2000-memory.dmp

Filesize
392KB

Download
memory/3596-20-0x00007FFFC60C0000-0x00007FFFC6A61000-memory.dmp

Filesize
9.6MB

Download
memory/3596-8-0x00007FFFC60C0000-0x00007FFFC6A61000-memory.dmp

Filesize
9.6MB

Download
memory/3596-4-0x000000001BD10000-0x000000001BDB6000-memory.dmp

Filesize
664KB

Download
memory/3596-3-0x000000001B790000-0x000000001BC5E000-memory.dmp

Filesize
4.8MB

Download
memory/3596-2-0x00007FFFC60C0000-0x00007FFFC6A61000-memory.dmp

Filesize
9.6MB

Download
memory/3596-6-0x000000001C6F0000-0x000000001C78C000-memory.dmp

Filesize
624KB

Download
memory/3596-7-0x00007FFFC6375000-0x00007FFFC6376000-memory.dmp

Filesize
4KB

Download
memory/3596-0-0x00007FFFC6375000-0x00007FFFC6376000-memory.dmp

Filesize
4KB

Download
memory/3596-1-0x00007FFFC60C0000-0x00007FFFC6A61000-memory.dmp

Filesize
9.6MB

Download