revengerat | 38bc13ef112b2f17d4d1a80243fac6a521b5d58228984aae0752d79487fa3b66

Resubmissions

26/02/2025, 05:50

250226-gjv2nssrx3 10

26/02/2025, 02:02

25/02/2025, 23:31

25/02/2025, 23:21

25/02/2025, 23:08

25/02/2025, 22:22

Analysis

max time kernel
148s
max time network
155s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
25/02/2025, 22:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
Size

21KB
MD5

6fe3fb85216045fdf8186429c27458a7
SHA1

ef2c68d0b3edf3def5d90f1525fe87c2142e5710
SHA256

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550
SHA512

d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c
SSDEEP

384:nPD9On5gIdjbvRPJnMacNj6FIlKrZbJsV5reQ+ys:b9On2nV6FIlKr1

Score

10^/10

revengerat execution stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral11/files/0x001a00000002ae09-13.dat	revengerat

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSO.exe	MSSCS.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSO.exe	MSSCS.exe

Executes dropped EXE 1 IoCs

pid	Process
2992	MSSCS.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5372	powershell.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32\MSSCS.exe	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
File opened for modification	C:\Windows\system32\MSSCS.exe	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
File opened for modification	C:\Windows\system32\MSSCS.exe	MSSCS.exe
File created	C:\Windows\system32\MSSCS.exe	MSSCS.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5372	powershell.exe
5372	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	6020	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
Token: SeDebugPrivilege	2992	MSSCS.exe
Token: SeDebugPrivilege	5372	powershell.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 6020 wrote to memory of 2992	6020	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe	81
PID 6020 wrote to memory of 2992	6020	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe	81
PID 2992 wrote to memory of 5372	2992	MSSCS.exe	82
PID 2992 wrote to memory of 5372	2992	MSSCS.exe	82
PID 2992 wrote to memory of 2268	2992	MSSCS.exe	84
PID 2992 wrote to memory of 2268	2992	MSSCS.exe	84
PID 2268 wrote to memory of 916	2268	vbc.exe	86
PID 2268 wrote to memory of 916	2268	vbc.exe	86
PID 2992 wrote to memory of 4180	2992	MSSCS.exe	87
PID 2992 wrote to memory of 4180	2992	MSSCS.exe	87
PID 4180 wrote to memory of 3376	4180	vbc.exe	89
PID 4180 wrote to memory of 3376	4180	vbc.exe	89
PID 2992 wrote to memory of 3600	2992	MSSCS.exe	90
PID 2992 wrote to memory of 3600	2992	MSSCS.exe	90
PID 3600 wrote to memory of 600	3600	vbc.exe	92
PID 3600 wrote to memory of 600	3600	vbc.exe	92
PID 2992 wrote to memory of 752	2992	MSSCS.exe	93
PID 2992 wrote to memory of 752	2992	MSSCS.exe	93
PID 752 wrote to memory of 4960	752	vbc.exe	95
PID 752 wrote to memory of 4960	752	vbc.exe	95
PID 2992 wrote to memory of 3040	2992	MSSCS.exe	96
PID 2992 wrote to memory of 3040	2992	MSSCS.exe	96
PID 3040 wrote to memory of 2500	3040	vbc.exe	98
PID 3040 wrote to memory of 2500	3040	vbc.exe	98
PID 2992 wrote to memory of 3652	2992	MSSCS.exe	99
PID 2992 wrote to memory of 3652	2992	MSSCS.exe	99
PID 3652 wrote to memory of 5584	3652	vbc.exe	101
PID 3652 wrote to memory of 5584	3652	vbc.exe	101
PID 2992 wrote to memory of 1596	2992	MSSCS.exe	102
PID 2992 wrote to memory of 1596	2992	MSSCS.exe	102
PID 1596 wrote to memory of 488	1596	vbc.exe	104
PID 1596 wrote to memory of 488	1596	vbc.exe	104
PID 2992 wrote to memory of 4628	2992	MSSCS.exe	105
PID 2992 wrote to memory of 4628	2992	MSSCS.exe	105
PID 4628 wrote to memory of 5528	4628	vbc.exe	107
PID 4628 wrote to memory of 5528	4628	vbc.exe	107
PID 2992 wrote to memory of 4808	2992	MSSCS.exe	108
PID 2992 wrote to memory of 4808	2992	MSSCS.exe	108
PID 4808 wrote to memory of 4264	4808	vbc.exe	110
PID 4808 wrote to memory of 4264	4808	vbc.exe	110
PID 2992 wrote to memory of 2164	2992	MSSCS.exe	111
PID 2992 wrote to memory of 2164	2992	MSSCS.exe	111
PID 2164 wrote to memory of 4280	2164	vbc.exe	113
PID 2164 wrote to memory of 4280	2164	vbc.exe	113
PID 2992 wrote to memory of 5260	2992	MSSCS.exe	114
PID 2992 wrote to memory of 5260	2992	MSSCS.exe	114
PID 5260 wrote to memory of 3868	5260	vbc.exe	116
PID 5260 wrote to memory of 3868	5260	vbc.exe	116

C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
"C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:6020
- C:\Windows\system32\MSSCS.exe
  "C:\Windows\system32\MSSCS.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ExecutionPolicy Bypass -Command [System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms'); [System.Windows.Forms.MessageBox]::Show('Isto abriu lol','Rekt!',0,64)
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5372
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1krlkld1.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2268
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF289.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB7662201D7384118AB7DA7C41D9EC228.TMP"
      4⤵
      PID:916
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gutpt_8m.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4180
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF325.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc54BCD81FC81742239DB23ECE67F7034.TMP"
      4⤵
      PID:3376
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kcz8yvim.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3600
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF3B2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBAE4BFD6277C40709CD94C7AB58B67.TMP"
      4⤵
      PID:600
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ews9m6vh.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:752
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF43E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE2924E6511B14FFE8A6DFBC6F186873.TMP"
      4⤵
      PID:4960
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gyqioxmn.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3040
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF4EA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDB2637188CEF45979D5CB4F9D1642E45.TMP"
      4⤵
      PID:2500
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_cigtn79.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3652
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF5A6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD51A9EC1F14B4025A2E18895DB2BB415.TMP"
      4⤵
      PID:5584
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ydvsbvoi.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1596
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF642.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc143E8D587597405AA854F64E425D8FB.TMP"
      4⤵
      PID:488
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gliqddpw.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4628
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF71D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc316BB9557DE40D5A2D8C6AC17CD2177.TMP"
      4⤵
      PID:5528
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xnvyenq9.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4808
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF77A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1E3C2879F8A94CB3BBD1713C79631CC.TMP"
      4⤵
      PID:4264
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_x--nb7k.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2164
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF7D8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc30FB1143CBD4B44852952B315ACFF7A.TMP"
      4⤵
      PID:4280
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cuskl4ht.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5260
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF846.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3E94F6F5C7E04D748F45EBCB7D2D8E66.TMP"
      4⤵
      PID:3868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1krlkld1.0.vb

Filesize
256B

MD5
076803692ac8c38d8ee02672a9d49778

SHA1
45d2287f33f3358661c3d6a884d2a526fc6a0a46

SHA256
5b3ab23bcadaeb54a41bdb1636bcaf7772af028d375f42baeb967de6579ef2a3

SHA512
cc9126384a287ccb99d10d5c2d3034cdbc8a45e94f1cec48dd95f2aa08ebbe3053ffd6d6effa31f2d84164edbb6136398cd02c08b05f027a6a777dffd1daea5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1krlkld1.cmdline

Filesize
156B

MD5
ce4aade9528643ee7940bd51b63ec2d2

SHA1
1087c175081d689bd2ada2f6fa7ce04412f87c56

SHA256
7793e3c609f1bf493d5a58f792a64fe0938781794c5085d0b40c38fb43ee686d

SHA512
c0033f8f144576e96c1b85a2c27a98427da415a24d4bf97eeaa1d6e1d603794a59a901cb924a321e6ac029d867169035d9b04c5f960c1d0925cd05b4537a22f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF289.tmp

Filesize
1KB

MD5
a79d014c6bc3348702b81a9897e4f7a9

SHA1
cacab39a1dbbdd3c83fd92160358d5b970be742d

SHA256
cce53c59f3e6dff6afefab76af21aec298cca5d2cd066632ee225fc4cf51268b

SHA512
44e6fec6c96ebe749c425d1836a54672a0bddcc8a95edc676b81054f506d9451001b8a2c445f442d487f97a61f5ba845477bc392cae7c7ae200a6ba7272e3d45

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF325.tmp

Filesize
1KB

MD5
7c0ea62dbf2176852c6a4efe062a7325

SHA1
0119730482bbc064205250f456161f02fd215ffa

SHA256
9c632d6ba3a167e7d022abeafc50b1d63002ab35a3c9fd7b24ecb40f7594b8dc

SHA512
5e22cb758f14ffcf411b0589e5fb4c64c27b68708901330e47aecdad7d8f66200dc4b3e5244a01c1a812539439f4d5031fc79e574d40b17c43b7527cac52dc33

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF3B2.tmp

Filesize
1KB

MD5
4b31aa890788c461bfddf3c8ee1b472a

SHA1
5cf4ed4b4dac4ae1508da38807a0ffbfdcf16e28

SHA256
38487049bb23592c6f93c49693b544c56babf484d20067b51ac7bdd1bdb63005

SHA512
fd7d9daec813fdf8431fcc53df1e4cfaaf1d6f92e1eb95bf49a8f6387e8c4d92d872f0f4f3a7691c9fb1cb55c26d9fc70e5f7ce8286894f4d70cb4a39d29221c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF43E.tmp

Filesize
1KB

MD5
2eebf04ba682459a755326ae7bb130a4

SHA1
71942ea80bc51044458eaa59bf1a92458d74eb88

SHA256
8e98397341102289ad3167a6f127bef5a0e23437962af2bfe436192f056c5e28

SHA512
3d2d22156dcefd562cc08db343165b9f40820e77b6a90f182fec18576f6cd8097eb13adb7f7bffe74035c41413920e2807d9bf425ed8e9e1bc415dfcfa4577de

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF4EA.tmp

Filesize
1KB

MD5
34af32c7b99035bf58f5695276ea237a

SHA1
4dbea88646c670e469ba4034c17a01fc8dac1093

SHA256
ce890fa12b6493aa31175362dc3522084b45faa047d14cc8c0721affbf7d8241

SHA512
37944baa9f7627b39fd130fe561245d8660daff1f9b1d29b0d602aa16ee4b74c61b833fd2d6929cbb064985620260fea58c8635ce8b26a628d9da73c142d2c4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF5A6.tmp

Filesize
1KB

MD5
ea18576a104e62a5e21c779833a33785

SHA1
e94ae1e2554af2ab58fbd93dbd126594ad6df6e4

SHA256
0f21d5519d4f418ce58c6b99b38023a911e8106ab1f7c04f74a640530ca88641

SHA512
8fc11a15df339e1f6715ec94ec13504d8594031849a86aab082f7266c7160ecd6aa5be1f75f1f5743251c50e33f9869d30b3a8c477b900b61ff63ea76776a5eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF642.tmp

Filesize
1KB

MD5
e861cefda4d2d4d31266492b14ea86dd

SHA1
ce16b4df529b5caf1dd5e9e9bf319dee2ef73ec0

SHA256
783aa815e76212e0838eadcec2fe1817801cb05c98a070f1bef4b314a44de874

SHA512
3cc644b09db61bde303d969d3baa6fb0eaff9a1b190e589bcf9be04408715174b818a062ab19db42984605e0ce0e625a4905a2ff610d414866c05a9c33e407d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF71D.tmp

Filesize
1KB

MD5
f1833c06bfe6f6b099437ac9a8737f39

SHA1
365a46ff6a47202de3dbf4d0b6fb39f7c5428204

SHA256
30cf981a53a959bbad30132321144073cb3a813dba3b732ef089af776d53af9b

SHA512
74f1742cc982cdff80386d836cc036ee56ce67666fb8ce497489df6e943d02f4a192afb9b91e7c63a519dee03aaf5e1119063fd4b9b3fd046a04a9e4557791a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF77A.tmp

Filesize
1KB

MD5
77c193cc0cb6d48dfb26a9112eb36528

SHA1
89dbc4d5594eabf70e5d1c6919f3d5e8f0393729

SHA256
31beff4a09afbeacaf113f68f9ac13e226d9a301351c53125105b245b1b1ffd1

SHA512
93753ce966931831bf0111d6a2c4e32a8d191d77f0f3fae9573552b0bc07749bbd5c4e275b9bfd194db8aeaedbc14ae2db4fff1a204adee9d4be17b513b61091

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF7D8.tmp

Filesize
1KB

MD5
764ac0b2a0c043aa251b2d6cf020f3d1

SHA1
d4aac9fd12c01a93154ab9f0909a36caaa5174d1

SHA256
7cc2655a5ae27bf8684ba5a65f385f9eab2873e44581bdec3dec29c17a4ddd41

SHA512
79f4a2eeacfdce5a9579f7dcd9af0b6d47e321d890f9e86607df91bf008787358a22d48baab0339b22adbf802e46e97d62512ccf3183cf5fcc03500a4dd8becd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF846.tmp

Filesize
1KB

MD5
dbcbcd4dcf8e89ec97c58dfcca8a2148

SHA1
250dc4db949340ce4d18cedb96943b4b85757661

SHA256
cb30bf0cbe16fd246c029df9b3f84e0087c340af4e2d212a3dfcc811b5c7c6b1

SHA512
e80eb1d80debbe85667dcc3b2bb8846d760ed4e84940efbff66a8d6f830f63a66cb46f47bce372d49dec33233c2709668d5765c487cd95749c9b9ebdd09176df

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p5aqzpkh.ijr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\_cigtn79.0.vb

Filesize
271B

MD5
325f27ef75bebe8b3f80680add1943d3

SHA1
1c48e211258f8887946afb063e9315b7609b4ee3

SHA256
034c75813491d628a1a740b45888fc0c301b915456aaa7ba6433b4f1368cda35

SHA512
e2165b425558872897990953c26e48776f45751a53da035f1ad86ac062ec23a2923b984d84f992de5c0170f6e192feb155ffff25f51bc76ab273b996daacb804

Download Submit
C:\Users\Admin\AppData\Local\Temp\_cigtn79.cmdline

Filesize
171B

MD5
8e72c0a51a343dd771ac4015de535f35

SHA1
8261691cc9b7f17f78222ace8f73e42e318e24dd

SHA256
8cb6d7c3c29d4e96af9a56c582c6a41c482ec10a20a0735400fd4c9bbb19add0

SHA512
251fa03f9dee3588661adaaf8e31b9b4ab15ba69558c1f9cb45e324be9d0fa88fa3d5ab2bbd541fbf19ddf7c308e411a313614fe0413ac296f201b2c4d0859c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_x--nb7k.cmdline

Filesize
171B

MD5
ba8059c92cf60597f65df1ad927dd519

SHA1
7d39e25b3617689dc7b4aa8034c0866faebb5f5b

SHA256
eb66d696219ba0c1acf4bfa75eb871a17e6190bd6433a77673db53dad37dc4f7

SHA512
2be92785a5a919cd3c7f030ada570c132c8bb885e6aeb82c5047c73aa7316c05d5058cfc4104c783f7426e603f98a663d276c404edcf56ff4e3a7cdcbc23c094

Download Submit
C:\Users\Admin\AppData\Local\Temp\cuskl4ht.0.vb

Filesize
273B

MD5
3c3d3136aa9f1b87290839a1d26ad07a

SHA1
005a23a138be5d7a98bdd4a6cc7fab8bdca962f4

SHA256
5b745f85a39312bfa585edbd7e3465371578b42fa639eded4cdad8c9f96b87fd

SHA512
fbb085ffcd77ac96c245067fd96a0c20492d55331161f292975b0c11386424a96534a500133217f84d44455e16139d01230455bce5db3d472271620c29381f60

Download Submit
C:\Users\Admin\AppData\Local\Temp\cuskl4ht.cmdline

Filesize
173B

MD5
8a58ff438d3e32f4d028eb433d9148e2

SHA1
c63ced3181b6294d9ff7fdb5f45dfe33532c3d91

SHA256
de801ca96af3ae0dad8995a660b9d021a5b1eefef67463a2b4a3107d6345706a

SHA512
2fd55ef88f1318d1755614a7d13b0b62c260450d0b5d9a5525004eef7bf053281abf6df50f82d4ccb8c1863ca8079f8ca9c8c8e7e5fd2151acca7995d8bc1feb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ews9m6vh.0.vb

Filesize
271B

MD5
ac972015bef75b540eb33503d6e28cc2

SHA1
5c1d09fcf4c719711532dcfd0544dfc6f2b90260

SHA256
fa445cc76cde3461a5f1f1281fefcb0c7db69b2685f8a67a06a0f33a067e74e7

SHA512
36b2e1f7b7a6f2c60788f88d95bfdc53b7d261c203eb637a36fbd07d81bc46edc87e528f1987df73963cb75ca2f19c3a4b3df9ade52d5768ecec23753099cc83

Download Submit
C:\Users\Admin\AppData\Local\Temp\ews9m6vh.cmdline

Filesize
171B

MD5
afd2984a78d1e7b05136027948a2d74c

SHA1
1cdf1bc33d881f677a1b11b950eaa5c73d3b3388

SHA256
8373bd7a1a0458058d864044041345e3a2e3c0e14b7ec643146729418b6aafe6

SHA512
1725206e3a9561709ae97ea7915e52b54b07b88b712fbdab1c6c740262bb290965edfb0f39457df5994bf420224fb2bd083fbfdf66c915be62b072dac1d22a61

Download Submit
C:\Users\Admin\AppData\Local\Temp\gliqddpw.0.vb

Filesize
264B

MD5
5ce3977a153152978fa71f8aa96909e9

SHA1
52af143c553c92afc257f0e0d556908eaa8919cb

SHA256
e07a7bd0c2901d3a349ab55e936b34de2d0abb5f2dc555cc128773b8045d3eed

SHA512
eaee02ceade0211be70a4710b28fdf043d5c540928e2095ead924a44c2edfca8fc6499395d1b7f5deee96394fb5309362fb87e45ee195094ec39d5fa11909d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\gliqddpw.cmdline

Filesize
164B

MD5
a72d7a2fe002a8fcdc1206e1d2d44829

SHA1
1d166e0107b0b4d668604da1fdbe6f84f3c6b13f

SHA256
fd603b124ab736f04d9af952c824d9f8f95e2ea56768181eaea4ace56bbb4253

SHA512
44a4388e5daeee7bffd2fb4ae58211ba31374d4d5a629b613199f1592b72b5bbf661833216b6a58ce7ce0243b230f1f0749f4adce5cac1dcd40ad7e40a0bf56f

Download Submit
C:\Users\Admin\AppData\Local\Temp\gutpt_8m.0.vb

Filesize
262B

MD5
88cc385da858aaa7057b54eaeb0df718

SHA1
b108224d4686b5ca3faaeb1c728dfba8740a6eca

SHA256
08a30db98d970e3b6819d5ecff6eab2211ce93f4cd000c09db96ffb294d05020

SHA512
4787835240c3e2364172ac2e7649ec8fecb907c7006c38734e59aa65509f360b4596d5db8de20e0c7388a022e1c2f4f9ba75acabba798bea1d40f688539b7df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\gutpt_8m.cmdline

Filesize
162B

MD5
8259637c454a3cf04b40495cce5eb041

SHA1
4126058464f32791e2c37bfdd76a20d4e6fd9be7

SHA256
c56a2a91a240ce6f2e59452bdc07183e0979b03937a74e0183ffc5e0b7966a93

SHA512
46152272eb3e69f2f5171dbfc0fa4e6c2c5d81846c60a0f69e5b16456184374c13ee8e1e6db426958c76b260f2885e1b5a8484ca33bbc7ba740f36f533bd9a49

Download Submit
C:\Users\Admin\AppData\Local\Temp\gyqioxmn.0.vb

Filesize
272B

MD5
2b3aac520562a93ebef6a5905d4765c9

SHA1
10ab45c5d73934b16fac5e30bf22f17d3e0810c8

SHA256
b9f0edf067faaaa7da2d47e3d22b957cd302eb25e01e08ea79c664868f328f89

SHA512
9514934ed12d93ea3ad4e6873cf294bafa114bc7a784a93b14dd2410d07fae3a2c00308035a5c129c57e283de8b94ed36fd9f9de35b08eb79a82a0c732e50446

Download Submit
C:\Users\Admin\AppData\Local\Temp\gyqioxmn.cmdline

Filesize
172B

MD5
df2e3eb1fe07b509fa4138edc17265ad

SHA1
99ce14073d7b46952065ef9e65e49d3c77129c55

SHA256
88a795b0d684b5eaacb8756f958d02035bfc59dcc39a8120adb8d9cbcc8234a0

SHA512
b1b80bc2f559561594dc64f2d50ddb085a3151552a01c668fe101dd5f0b8a92162fc3af0b92a23915bc6ae74f560b28d78c3bdb964973cc9252940f9b7146ad1

Download Submit
C:\Users\Admin\AppData\Local\Temp\kcz8yvim.0.vb

Filesize
263B

MD5
d1110a95f1e40f726584bd99eca52fe7

SHA1
97fac683e1116ab31a9cc9c3dcfd9fe9e53505c3

SHA256
00f373eb310beace70146b6e0fd188aa2f437efb2e5a2714a11d4d58e27d3142

SHA512
f15b5b310ace82a0106b551d71ad3d48e1c75085aa78b8bb3374a2334ceb073bd4d1bf4cd0b4e39034c39f01b6bcd76e8be30198e4872f5641a7d29b255154b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\kcz8yvim.cmdline

Filesize
163B

MD5
074ea97490fe2879001aaeebee426c36

SHA1
a725346901ae14a3cecd420abdba8fd531513584

SHA256
177cb9d2871d7f87f7ba5e49fa7f78552667a589a19269d38ed4d807d7672ba5

SHA512
51d6c8dd5c84c4da2b8b3cc87babe2d71420baebb85fe9ebf493c5a8c8c48a94838e85e0ea1eacc86b8ffe1573ebcc516ead8d26540a42829638e07dd8c3c526

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc143E8D587597405AA854F64E425D8FB.TMP

Filesize
684B

MD5
8135713eeb0cf1521c80ad8f3e7aad22

SHA1
1628969dc6256816b2ab9b1c0163fcff0971c154

SHA256
e14dd88df69dc98be5bedcbc8c43d1e7260b4492899fec24d964000a3b096c7a

SHA512
a0b7210095767b437a668a6b0bcedf42268e80b9184b9910ed67d665fba9f714d06c06bff7b3da63846791d606807d13311946505776a1b891b39058cfb41bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc3E94F6F5C7E04D748F45EBCB7D2D8E66.TMP

Filesize
684B

MD5
7a707b422baa7ca0bc8883cbe68961e7

SHA1
addf3158670a318c3e8e6fdd6d560244b9e8860e

SHA256
453ad1da51152e3512760bbd206304bf48f9c880f63b6a0726009e2d1371c71c

SHA512
81147c1c4c5859249f4e25d754103f3843416e3d0610ac81ee2ef5e5f50622ea37f0c68eeb7fa404f8a1779dc52af02d2142874e39c212c66fa458e0d62926a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc54BCD81FC81742239DB23ECE67F7034.TMP

Filesize
668B

MD5
3906bddee0286f09007add3cffcaa5d5

SHA1
0e7ec4da19db060ab3c90b19070d39699561aae2

SHA256
0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00

SHA512
0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB7662201D7384118AB7DA7C41D9EC228.TMP

Filesize
644B

MD5
dac60af34e6b37e2ce48ac2551aee4e7

SHA1
968c21d77c1f80b3e962d928c35893dbc8f12c09

SHA256
2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6

SHA512
1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcBAE4BFD6277C40709CD94C7AB58B67.TMP

Filesize
676B

MD5
85c61c03055878407f9433e0cc278eb7

SHA1
15a60f1519aefb81cb63c5993400dd7d31b1202f

SHA256
f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b

SHA512
7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

Download Submit
C:\Users\Admin\AppData\Local\Temp\xnvyenq9.0.vb

Filesize
270B

MD5
658573fde2bebc77c740da7ddaa4634b

SHA1
073da76c50b4033fcfdfb37ba6176afd77b0ea55

SHA256
c07206283d62100d426ba62a81e97bd433966f8b52b5a8dd1451e29a804a1607

SHA512
f93c7f4378be5eca51161d1541d772a34c07884c9d829608c6fa21563df5691920394afe9da1174ad5c13f773a588b186d1d38a9d375a28562eb58ca4a8b8fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\xnvyenq9.cmdline

Filesize
170B

MD5
a366180e652b0557035ce06171b0f09e

SHA1
99ef353dd5b2b16e5a6ece3c52cd9a24e1685702

SHA256
54dbdffb2cf67ed800411ff2972284145a336a2c761e0945af1f060c9e9fc1fc

SHA512
066282e417f48094ae7380412179f1b0dc1598d7a2076df15c65cce0d16e0c4566f2b848443b3cf9f612759d83248e9cad03a096c518dd58f08a32377c28fb12

Download Submit
C:\Users\Admin\AppData\Local\Temp\ydvsbvoi.0.vb

Filesize
274B

MD5
539683c4ca4ee4dc46b412c5651f20f5

SHA1
564f25837ce382f1534b088cf2ca1b8c4b078aed

SHA256
ec2210924d5c1af6377ef4bdf76d6ca773aaa1ae0438b0850f44d8c4e16ef92e

SHA512
df7c1a55e53f9b9bf23d27762d2d1163c78808e9b4d95e98c84c55ca4ecb7009ed58574ae6ddede31459f300483a1dc42987295a04f6c8702f297d3f1942f4ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\ydvsbvoi.cmdline

Filesize
174B

MD5
54628bb76d207b603f4df5f8dd84f927

SHA1
fa72e8491b4c09d6252fbfd675db2a28c7360691

SHA256
e2e95b336dd69ce94b3ef9142c805bd34ab01f6bf402e2a6e1f1a0ddac2f3d01

SHA512
3b9eda059d632a40befc08c614a65fb338deb73d3e17cc24d489f2fee1c0f664241c8a02c4b1056ead00041430922fe2066f9fd0d79101dac654d1abea79d6f4

Download Submit
C:\Users\Admin\AppData\Roaming\Random\Default\Microsoft Edge.exe

Filesize
6KB

MD5
c2a615ebfe268666551ed9bd4a20c894

SHA1
cb1ceba0b4dc2c9b1f6e5b9c6b68cbd88e3f7289

SHA256
0158958d7ef6a692a368d072efc26dabf81cefbead53b48b15c2ab37bf7ee54c

SHA512
eb46ffe8b411e0f55485fd9e607ad5d0d1d93eb4c4768bd22afe86626170215414ebb3691855f53c08b12832722be15cf1594fd94fe4fc7e74c3e846ca76ad76

Download Submit
C:\Windows\System32\MSSCS.exe

Filesize
21KB

MD5
6fe3fb85216045fdf8186429c27458a7

SHA1
ef2c68d0b3edf3def5d90f1525fe87c2142e5710

SHA256
905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550

SHA512
d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c

Download Submit
memory/2992-22-0x00007FFE73230000-0x00007FFE73BD1000-memory.dmp

Filesize
9.6MB

Download
memory/2992-19-0x00007FFE73230000-0x00007FFE73BD1000-memory.dmp

Filesize
9.6MB

Download
memory/2992-18-0x00007FFE73230000-0x00007FFE73BD1000-memory.dmp

Filesize
9.6MB

Download
memory/2992-17-0x00007FFE73230000-0x00007FFE73BD1000-memory.dmp

Filesize
9.6MB

Download
memory/5372-35-0x00000285744E0000-0x0000028574502000-memory.dmp

Filesize
136KB

Download
memory/6020-8-0x00007FFE73230000-0x00007FFE73BD1000-memory.dmp

Filesize
9.6MB

Download
memory/6020-21-0x00007FFE73230000-0x00007FFE73BD1000-memory.dmp

Filesize
9.6MB

Download
memory/6020-7-0x00007FFE734E5000-0x00007FFE734E6000-memory.dmp

Filesize
4KB

Download
memory/6020-6-0x000000001CB00000-0x000000001CB9C000-memory.dmp

Filesize
624KB

Download
memory/6020-0-0x00007FFE734E5000-0x00007FFE734E6000-memory.dmp

Filesize
4KB

Download
memory/6020-5-0x000000001C600000-0x000000001C662000-memory.dmp

Filesize
392KB

Download
memory/6020-4-0x00007FFE73230000-0x00007FFE73BD1000-memory.dmp

Filesize
9.6MB

Download
memory/6020-3-0x000000001BA80000-0x000000001BB26000-memory.dmp

Filesize
664KB

Download
memory/6020-2-0x000000001C070000-0x000000001C53E000-memory.dmp

Filesize
4.8MB

Download
memory/6020-1-0x00007FFE73230000-0x00007FFE73BD1000-memory.dmp

Filesize
9.6MB

Download