revengerat | 38bc13ef112b2f17d4d1a80243fac6a521b5d58228984aae0752d79487fa3b66

Resubmissions

26/02/2025, 05:50

250226-gjv2nssrx3 10

26/02/2025, 02:02

25/02/2025, 23:31

25/02/2025, 23:21

25/02/2025, 23:08

25/02/2025, 22:22

Analysis

max time kernel
143s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
25/02/2025, 23:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
Size

21KB
MD5

6fe3fb85216045fdf8186429c27458a7
SHA1

ef2c68d0b3edf3def5d90f1525fe87c2142e5710
SHA256

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550
SHA512

d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c
SSDEEP

384:nPD9On5gIdjbvRPJnMacNj6FIlKrZbJsV5reQ+ys:b9On2nV6FIlKr1

Score

10^/10

revengerat execution stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral30/files/0x000400000001e733-13.dat	revengerat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSO.exe	MSSCS.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSO.exe	MSSCS.exe

Executes dropped EXE 1 IoCs

pid	Process
208	MSSCS.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4728	powershell.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32\MSSCS.exe	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
File opened for modification	C:\Windows\system32\MSSCS.exe	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
File opened for modification	C:\Windows\system32\MSSCS.exe	MSSCS.exe
File created	C:\Windows\system32\MSSCS.exe	MSSCS.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4728	powershell.exe
4728	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	220	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
Token: SeDebugPrivilege	208	MSSCS.exe
Token: SeDebugPrivilege	4728	powershell.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 220 wrote to memory of 208	220	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe	106
PID 220 wrote to memory of 208	220	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe	106
PID 208 wrote to memory of 4728	208	MSSCS.exe	108
PID 208 wrote to memory of 4728	208	MSSCS.exe	108
PID 208 wrote to memory of 3108	208	MSSCS.exe	110
PID 208 wrote to memory of 3108	208	MSSCS.exe	110
PID 3108 wrote to memory of 2024	3108	vbc.exe	112
PID 3108 wrote to memory of 2024	3108	vbc.exe	112
PID 208 wrote to memory of 3584	208	MSSCS.exe	113
PID 208 wrote to memory of 3584	208	MSSCS.exe	113
PID 3584 wrote to memory of 4596	3584	vbc.exe	115
PID 3584 wrote to memory of 4596	3584	vbc.exe	115
PID 208 wrote to memory of 4964	208	MSSCS.exe	116
PID 208 wrote to memory of 4964	208	MSSCS.exe	116
PID 4964 wrote to memory of 652	4964	vbc.exe	118
PID 4964 wrote to memory of 652	4964	vbc.exe	118
PID 208 wrote to memory of 2676	208	MSSCS.exe	119
PID 208 wrote to memory of 2676	208	MSSCS.exe	119
PID 2676 wrote to memory of 1784	2676	vbc.exe	121
PID 2676 wrote to memory of 1784	2676	vbc.exe	121
PID 208 wrote to memory of 220	208	MSSCS.exe	122
PID 208 wrote to memory of 220	208	MSSCS.exe	122
PID 220 wrote to memory of 2364	220	vbc.exe	124
PID 220 wrote to memory of 2364	220	vbc.exe	124
PID 208 wrote to memory of 2924	208	MSSCS.exe	125
PID 208 wrote to memory of 2924	208	MSSCS.exe	125
PID 2924 wrote to memory of 4232	2924	vbc.exe	127
PID 2924 wrote to memory of 4232	2924	vbc.exe	127
PID 208 wrote to memory of 1576	208	MSSCS.exe	128
PID 208 wrote to memory of 1576	208	MSSCS.exe	128
PID 1576 wrote to memory of 4840	1576	vbc.exe	130
PID 1576 wrote to memory of 4840	1576	vbc.exe	130
PID 208 wrote to memory of 1076	208	MSSCS.exe	131
PID 208 wrote to memory of 1076	208	MSSCS.exe	131
PID 1076 wrote to memory of 3804	1076	vbc.exe	133
PID 1076 wrote to memory of 3804	1076	vbc.exe	133
PID 208 wrote to memory of 1144	208	MSSCS.exe	134
PID 208 wrote to memory of 1144	208	MSSCS.exe	134
PID 1144 wrote to memory of 2608	1144	vbc.exe	136
PID 1144 wrote to memory of 2608	1144	vbc.exe	136
PID 208 wrote to memory of 2684	208	MSSCS.exe	137
PID 208 wrote to memory of 2684	208	MSSCS.exe	137
PID 2684 wrote to memory of 4220	2684	vbc.exe	139
PID 2684 wrote to memory of 4220	2684	vbc.exe	139

C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
"C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:220
- C:\Windows\system32\MSSCS.exe
  "C:\Windows\system32\MSSCS.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:208
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ExecutionPolicy Bypass -Command [System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms'); [System.Windows.Forms.MessageBox]::Show('Isto abriu lol','Rekt!',0,64)
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4728
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mhkosphh.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3108
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1880.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3CECCE7AA35D43BF87A6A6FAEBF5B6F2.TMP"
      4⤵
      PID:2024
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\peq2km5e.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3584
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1999.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5A748977C265400E8A36548D2D34A87E.TMP"
      4⤵
      PID:4596
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0z-biirp.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4964
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1A83.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7AD5BABB7FDC457D9E77B7E8D28B2D9.TMP"
      4⤵
      PID:652
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tgfzxind.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1B6E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc153B586BC54B49E58BD7281484C7C285.TMP"
      4⤵
      PID:1784
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lsfs_3bw.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:220
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1BFA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBBCA0FDCBFE482098F883E37092C33C.TMP"
      4⤵
      PID:2364
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sfeszuof.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2924
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1C96.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4E369D2E970B42269B227B12CE67B44C.TMP"
      4⤵
      PID:4232
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vt75p5cw.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1576
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1D04.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDFFFEDFF648C4CFC9A5852E14BA7CA9.TMP"
      4⤵
      PID:4840
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\8pkhrbj8.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1076
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1D71.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFBF451C3B21C4C0581253AC398983598.TMP"
      4⤵
      PID:3804
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zym53z-k.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1144
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1DDF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB28C0700FC4046C787DF4ACEA3E39E5.TMP"
      4⤵
      PID:2608
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qxle-fss.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2684
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1E3C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF2DFC3F9A16B4BC093E476C84DC732.TMP"
      4⤵
      PID:4220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0z-biirp.0.vb

Filesize
263B

MD5
d1110a95f1e40f726584bd99eca52fe7

SHA1
97fac683e1116ab31a9cc9c3dcfd9fe9e53505c3

SHA256
00f373eb310beace70146b6e0fd188aa2f437efb2e5a2714a11d4d58e27d3142

SHA512
f15b5b310ace82a0106b551d71ad3d48e1c75085aa78b8bb3374a2334ceb073bd4d1bf4cd0b4e39034c39f01b6bcd76e8be30198e4872f5641a7d29b255154b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\0z-biirp.cmdline

Filesize
163B

MD5
1c2a999f0988ef84a1c0ca06ef1cf12f

SHA1
a6cdecb9676bdcfe300bd09807fb375175789d7f

SHA256
c43e8577ac74bb9d0d00c7d53eb4b5bf3e54c00aa8c5f0481c5f9304c990f8b5

SHA512
cd459c219af236223ae9b5039146ab4cb4d2f98bab59bd957a608dd0590125da6be857852fa3381dc9ebd7733bcd67c0a2bd3c7baf74e85e037ef9453e581f48

Download Submit
C:\Users\Admin\AppData\Local\Temp\8pkhrbj8.0.vb

Filesize
264B

MD5
5ce3977a153152978fa71f8aa96909e9

SHA1
52af143c553c92afc257f0e0d556908eaa8919cb

SHA256
e07a7bd0c2901d3a349ab55e936b34de2d0abb5f2dc555cc128773b8045d3eed

SHA512
eaee02ceade0211be70a4710b28fdf043d5c540928e2095ead924a44c2edfca8fc6499395d1b7f5deee96394fb5309362fb87e45ee195094ec39d5fa11909d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\8pkhrbj8.cmdline

Filesize
164B

MD5
d8b1cb8242970645fe053b10a3875082

SHA1
7b0ac60f6452d0ebb3ae8d7756217f16323a02ac

SHA256
b70abf26bf468fb98a48c717c16d86fca4f21f61a247c3f1d9daa6b85d0df684

SHA512
2e200532f21152eb1a35dba40839f55de67c0ce49120e6e2d209e166ee34c740c92f5ecf0f6dc16e514766719ab40b5d541f247ae16377c86da6ed37eaabb5d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1880.tmp

Filesize
1KB

MD5
ce3af33e77bdf602097cdbd8b9c1913d

SHA1
dede6f9341ebf2a35c4f3db5c3e7fec1624e36a0

SHA256
d7adcd2ba7b1de59e6b76151c3c1f50babf604f870f15ded12331fa74d28aba5

SHA512
430ee840e37b9ea4464bf6ff95aa2a3c02944cb8c8a95888b8276a6fca37f3ecb07c828ebb6974606e7b6cf949a5c3e928ddfb76ff527fc2a003f4e367626b1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1999.tmp

Filesize
1KB

MD5
afba2b1bfcb04f575de4f9309b08c5b1

SHA1
68802519e6d2756e594c3ae2ff336e2c7694fbe4

SHA256
a9be2d8442942ced097e3e5adcc2e06e9d2edf0c9f42b6d9875e5bb08420da0f

SHA512
a72ff72dfe1d9f7dfe9e0652b01366c9cc1e18931567606a112108ef8f7c81e5d6273ce267ad62bbd52352d98940b62d06378d3469fbe1b0c07ccc7582b67abf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1A83.tmp

Filesize
1KB

MD5
5bcd2d0b292997d6fd171b2ee840ddaf

SHA1
8fd5266385e1fdfb3ae6ca0e9ebbdb4e455781c6

SHA256
ea62c7ccf7cd3ea165fd2ccbd3921fe25023d14813e34d21dac2caa9af9b47cf

SHA512
f9ef13f85fa2d5f7ff6e4d7145e2ab2ced5e5a64f541b8f0c555c16402c40f5712066b9f0da31f67036c679ff9dc8fea4a3cf7c0a98e3fadd5f63438b90abc6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1B6E.tmp

Filesize
1KB

MD5
e025978f94b676eebba882844f1f99f6

SHA1
21228633c7f73731522f05c951d49d9b972f1f01

SHA256
ae62cb339dc8738ea6963e79757c55363e8ed6a9c330c8e8935fcb5149543e58

SHA512
8f6e6e4b249a698eb7824dca9e129c42d392f07387218f20e4726109ffc9ac5db27fbc6fc587e4fdf8dd7e22d29f772a159ab30af9575275e6dcd87f84ac9bfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1BFA.tmp

Filesize
1KB

MD5
a8138ca9117e8707016bfd1432419e28

SHA1
8c88632b86c65d1530f4eca647769b3fe09c68d3

SHA256
8409b509c24cd903d218b6b64d8524ba437bf10282e0892b226ceec34ac46765

SHA512
01babd672df802172efa25d1b80a5a99d2f2d846081313c571f99e23a6d80272aa19ed42dbb473a2ac078f6afe47c76861e13f756dec53a68c584dda8db1c418

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1C96.tmp

Filesize
1KB

MD5
788fdb23045acd6c144675d0c6030506

SHA1
7be3a702c500b8e79feb69090bc52bd9483b2e77

SHA256
a5a2c7fd8662b86c9e1af7c24c37d35561a2b6694a06005cf890b9ce7fdcf1f2

SHA512
894cbfcfdf4329522b95ac59ab98d92473329726b41585d154fcc58871807c21d45bcdb241e805505eacd240adf770aefaa29829ce08bab9ebd469bd2a28b77b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1D04.tmp

Filesize
1KB

MD5
932747b1059dd26ddc099aefaeb93d9c

SHA1
d439c9628f37578fdfeb1dde4db93e6b6d517f76

SHA256
8a91b181bde26efd301e6005d48b2f11f0c7e31480f6167b570e8d79e48a6cb7

SHA512
7646a00058a06e9b07ee62e8bce2538fb913436889a632a5100a496ff4e99318a2da88b04c6d4057422d5cfee9a8b13cb66b5222fe4f44678894e85cef98edae

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1D71.tmp

Filesize
1KB

MD5
cbac9e0929dfc548bd7131e4f23b4250

SHA1
28811ca0ff72003c5e811e1899e224b40ac29bc6

SHA256
3b41f24f369c4e854dfa477127fbe5845a225bcabe1451f7de71729f67a7626e

SHA512
937512cab0408695f4260c6ab1bcc585a6c00b187fe8fab28190fb674097a4d47be92b5344f37865df4243d17e956cdacb03984a2a4c44a78bab9f328fc2ba8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1DDF.tmp

Filesize
1KB

MD5
c05f1a3694be964bf912223457f3c3e1

SHA1
b833b259fc8efd0a68428e12252c06da7a31bd04

SHA256
2343622fd901e32c51e131ce9ccbd05d4a1d7894aee0b1aec69963d481468abf

SHA512
733c197fa4c98a527c3c0e1971ee7b6cccb6f7cd6127f99501ac77c9e02e2eb411947f64cab9711f0e7fea77d775114724badbffde9e4d96f02a24205ccccc12

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1E3C.tmp

Filesize
1KB

MD5
c21b43647a6607076bb7fef06674ab7a

SHA1
b089aa38ac95fc48cfa0daec2e812df348c07f6f

SHA256
e20d8259782af5bd1638dc028db99aed3d9516c0b36fe7099e4d7eecf3cb3095

SHA512
eef939741c059dc8f8de1cce4425c70446696f8467dbcab6b014fb7325f3454cc3eac7c827465edc6c03325f6045b3ea490dceb1907b1b5974fcfa4ccc497668

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oq0cbkkr.e3w.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\lsfs_3bw.0.vb

Filesize
272B

MD5
2b3aac520562a93ebef6a5905d4765c9

SHA1
10ab45c5d73934b16fac5e30bf22f17d3e0810c8

SHA256
b9f0edf067faaaa7da2d47e3d22b957cd302eb25e01e08ea79c664868f328f89

SHA512
9514934ed12d93ea3ad4e6873cf294bafa114bc7a784a93b14dd2410d07fae3a2c00308035a5c129c57e283de8b94ed36fd9f9de35b08eb79a82a0c732e50446

Download Submit
C:\Users\Admin\AppData\Local\Temp\lsfs_3bw.cmdline

Filesize
172B

MD5
2b8b42387c02ba64803fcb34d29f95c2

SHA1
e57a49c6fff1f1d4290d94f5efb7dcf1cb9a2977

SHA256
776ccc7600bfa185ec665e3d5d7c3daa089a4596787ecb5f75943a953ce22ebf

SHA512
a862616fa6b4a07d501ea78c2bee504c730f8c94188e3924ff543eb0ff08ae2274f79da6212e37337fbb7e8bc3e2f08a84bee61af6c25dd50ad30382847b8bf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\mhkosphh.0.vb

Filesize
256B

MD5
076803692ac8c38d8ee02672a9d49778

SHA1
45d2287f33f3358661c3d6a884d2a526fc6a0a46

SHA256
5b3ab23bcadaeb54a41bdb1636bcaf7772af028d375f42baeb967de6579ef2a3

SHA512
cc9126384a287ccb99d10d5c2d3034cdbc8a45e94f1cec48dd95f2aa08ebbe3053ffd6d6effa31f2d84164edbb6136398cd02c08b05f027a6a777dffd1daea5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\mhkosphh.cmdline

Filesize
156B

MD5
ddd80b36c600a26db2ef9ca86d7b2fbc

SHA1
0b1a737c2f8add2ab4883f9fcc439975e7fe330f

SHA256
53b45e3e1f22fcbf2711f92760c0974db9a3d28024fbf74f92a3606330718016

SHA512
c2429509f13e83c2612f63392f0100e6de9d77444698e379550342daebbb82c3ce78c2f23bdb968363e9722b08e87684120c839fe350a4983bc4e7f19d416102

Download Submit
C:\Users\Admin\AppData\Local\Temp\peq2km5e.0.vb

Filesize
262B

MD5
88cc385da858aaa7057b54eaeb0df718

SHA1
b108224d4686b5ca3faaeb1c728dfba8740a6eca

SHA256
08a30db98d970e3b6819d5ecff6eab2211ce93f4cd000c09db96ffb294d05020

SHA512
4787835240c3e2364172ac2e7649ec8fecb907c7006c38734e59aa65509f360b4596d5db8de20e0c7388a022e1c2f4f9ba75acabba798bea1d40f688539b7df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\peq2km5e.cmdline

Filesize
162B

MD5
360189f46bdb7ee3bc5a2bcc25bb244c

SHA1
588cdee0edc786650fb9046d38185ee141c49366

SHA256
cb182d527d6cf34223c5dbf8963657accf1495191704a55f3d38e39b05785268

SHA512
2f07e70f3a675225d0c2f924a9e05ee3f7e6e807790de0761851916879f05af2f4fd68c8e482938c2e1eaa9f4c746c167c45250863197c3506267df6539391de

Download Submit
C:\Users\Admin\AppData\Local\Temp\qxle-fss.0.vb

Filesize
273B

MD5
3c3d3136aa9f1b87290839a1d26ad07a

SHA1
005a23a138be5d7a98bdd4a6cc7fab8bdca962f4

SHA256
5b745f85a39312bfa585edbd7e3465371578b42fa639eded4cdad8c9f96b87fd

SHA512
fbb085ffcd77ac96c245067fd96a0c20492d55331161f292975b0c11386424a96534a500133217f84d44455e16139d01230455bce5db3d472271620c29381f60

Download Submit
C:\Users\Admin\AppData\Local\Temp\qxle-fss.cmdline

Filesize
173B

MD5
e06ce72977ec50b578957b1321958b0b

SHA1
48ea9e99a52c27e2f764b073c52f1b2e12542ea3

SHA256
46505fe9edd6d1546a4b88cd4fd60f334fa6174fab151c55e4881c5e30364ff6

SHA512
fa77a8fac05ff408b3ac8acd08ad4c7eead953c5182d1d958c4689cdfe307e311d9d1b37d358a96e0f2fdf07114d16988f66cbc5717df8bae8eacfe9d838f639

Download Submit
C:\Users\Admin\AppData\Local\Temp\sfeszuof.0.vb

Filesize
271B

MD5
325f27ef75bebe8b3f80680add1943d3

SHA1
1c48e211258f8887946afb063e9315b7609b4ee3

SHA256
034c75813491d628a1a740b45888fc0c301b915456aaa7ba6433b4f1368cda35

SHA512
e2165b425558872897990953c26e48776f45751a53da035f1ad86ac062ec23a2923b984d84f992de5c0170f6e192feb155ffff25f51bc76ab273b996daacb804

Download Submit
C:\Users\Admin\AppData\Local\Temp\sfeszuof.cmdline

Filesize
171B

MD5
263aa85ac7553192e1d5888ab561752d

SHA1
fd25bdf946484ed968cee09d1a4c8e4062465394

SHA256
730f524ea2bc7ebd8e04be6f7abc5c8df4217724854b4bab3c9c0f8f5498806b

SHA512
71a4941f8bc15febc8529b4573240f3ae221443e1c5609eb368d339de6a1a8cc151f2f355328f833a35385f80badc2e7d8f01a3232136c22a6d711c65c99bb88

Download Submit
C:\Users\Admin\AppData\Local\Temp\tgfzxind.0.vb

Filesize
271B

MD5
ac972015bef75b540eb33503d6e28cc2

SHA1
5c1d09fcf4c719711532dcfd0544dfc6f2b90260

SHA256
fa445cc76cde3461a5f1f1281fefcb0c7db69b2685f8a67a06a0f33a067e74e7

SHA512
36b2e1f7b7a6f2c60788f88d95bfdc53b7d261c203eb637a36fbd07d81bc46edc87e528f1987df73963cb75ca2f19c3a4b3df9ade52d5768ecec23753099cc83

Download Submit
C:\Users\Admin\AppData\Local\Temp\tgfzxind.cmdline

Filesize
171B

MD5
d713c34031199ac8b4511ada7fe4a367

SHA1
efc6d80ce51b6aab3793fc91566ea4bda8865628

SHA256
82d82dda0c1ebf0909ef0b125b39e66e0614c82c815da01e04961a1de3697cc2

SHA512
49bde9b2c98f729f35c17cdd5cc7f8ef08c3377d2f1b9e8c5c73a44378c7b113656643e5f6f32912335377f2ff3c6a3f038177c4f1ee39d61f7f0a4a30bb1dd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc3CECCE7AA35D43BF87A6A6FAEBF5B6F2.TMP

Filesize
644B

MD5
dac60af34e6b37e2ce48ac2551aee4e7

SHA1
968c21d77c1f80b3e962d928c35893dbc8f12c09

SHA256
2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6

SHA512
1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5A748977C265400E8A36548D2D34A87E.TMP

Filesize
668B

MD5
3906bddee0286f09007add3cffcaa5d5

SHA1
0e7ec4da19db060ab3c90b19070d39699561aae2

SHA256
0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00

SHA512
0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7AD5BABB7FDC457D9E77B7E8D28B2D9.TMP

Filesize
676B

MD5
85c61c03055878407f9433e0cc278eb7

SHA1
15a60f1519aefb81cb63c5993400dd7d31b1202f

SHA256
f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b

SHA512
7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcDFFFEDFF648C4CFC9A5852E14BA7CA9.TMP

Filesize
684B

MD5
8135713eeb0cf1521c80ad8f3e7aad22

SHA1
1628969dc6256816b2ab9b1c0163fcff0971c154

SHA256
e14dd88df69dc98be5bedcbc8c43d1e7260b4492899fec24d964000a3b096c7a

SHA512
a0b7210095767b437a668a6b0bcedf42268e80b9184b9910ed67d665fba9f714d06c06bff7b3da63846791d606807d13311946505776a1b891b39058cfb41bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF2DFC3F9A16B4BC093E476C84DC732.TMP

Filesize
684B

MD5
7a707b422baa7ca0bc8883cbe68961e7

SHA1
addf3158670a318c3e8e6fdd6d560244b9e8860e

SHA256
453ad1da51152e3512760bbd206304bf48f9c880f63b6a0726009e2d1371c71c

SHA512
81147c1c4c5859249f4e25d754103f3843416e3d0610ac81ee2ef5e5f50622ea37f0c68eeb7fa404f8a1779dc52af02d2142874e39c212c66fa458e0d62926a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vt75p5cw.0.vb

Filesize
274B

MD5
539683c4ca4ee4dc46b412c5651f20f5

SHA1
564f25837ce382f1534b088cf2ca1b8c4b078aed

SHA256
ec2210924d5c1af6377ef4bdf76d6ca773aaa1ae0438b0850f44d8c4e16ef92e

SHA512
df7c1a55e53f9b9bf23d27762d2d1163c78808e9b4d95e98c84c55ca4ecb7009ed58574ae6ddede31459f300483a1dc42987295a04f6c8702f297d3f1942f4ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\vt75p5cw.cmdline

Filesize
174B

MD5
0d298b6650daa84e824b11820b44f637

SHA1
91e1544affc487aa080a1cc3787ef22355d2a699

SHA256
8879b81e637eb6468d54f829a1ba79d3dda0c25d3783d9aaca8620a535d37ea5

SHA512
28db1eb0b215315510785e0cef379a3e48fa3d7de8d659e35072b301a9907a10423fa6ea9a0d1254721fe4784d03babe57eeb580dc6c38d5821c0db427b193a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\zym53z-k.0.vb

Filesize
270B

MD5
658573fde2bebc77c740da7ddaa4634b

SHA1
073da76c50b4033fcfdfb37ba6176afd77b0ea55

SHA256
c07206283d62100d426ba62a81e97bd433966f8b52b5a8dd1451e29a804a1607

SHA512
f93c7f4378be5eca51161d1541d772a34c07884c9d829608c6fa21563df5691920394afe9da1174ad5c13f773a588b186d1d38a9d375a28562eb58ca4a8b8fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\zym53z-k.cmdline

Filesize
170B

MD5
6333b6ed3be9da6561516ffefdfa6acc

SHA1
8cdf66c85824cb1af454fb8df75a8bd29889d049

SHA256
42e3054c5e5b36733a4bd0f09609737bf7aff972f34cd94dd4892a616d993e23

SHA512
7045a3baa03f6dd78f1552d62e5f8c37524c2eeedabf9ac6d3f7858ae43c410be7b0e01c0d9643131aaf4c1d36e138f3323698597bfd5c69e25378604bd9e07d

Download Submit
C:\Windows\System32\MSSCS.exe

Filesize
21KB

MD5
6fe3fb85216045fdf8186429c27458a7

SHA1
ef2c68d0b3edf3def5d90f1525fe87c2142e5710

SHA256
905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550

SHA512
d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c

Download Submit
memory/208-21-0x00007FFC43BF0000-0x00007FFC44591000-memory.dmp

Filesize
9.6MB

Download
memory/208-19-0x00007FFC43BF0000-0x00007FFC44591000-memory.dmp

Filesize
9.6MB

Download
memory/208-18-0x00007FFC43BF0000-0x00007FFC44591000-memory.dmp

Filesize
9.6MB

Download
memory/220-7-0x00007FFC43EA5000-0x00007FFC43EA6000-memory.dmp

Filesize
4KB

Download
memory/220-0-0x00007FFC43EA5000-0x00007FFC43EA6000-memory.dmp

Filesize
4KB

Download
memory/220-6-0x000000001C630000-0x000000001C6CC000-memory.dmp

Filesize
624KB

Download
memory/220-5-0x00007FFC43BF0000-0x00007FFC44591000-memory.dmp

Filesize
9.6MB

Download
memory/220-8-0x00007FFC43BF0000-0x00007FFC44591000-memory.dmp

Filesize
9.6MB

Download
memory/220-20-0x00007FFC43BF0000-0x00007FFC44591000-memory.dmp

Filesize
9.6MB

Download
memory/220-4-0x000000001BDB0000-0x000000001BE12000-memory.dmp

Filesize
392KB

Download
memory/220-3-0x000000001BC00000-0x000000001BCA6000-memory.dmp

Filesize
664KB

Download
memory/220-2-0x00007FFC43BF0000-0x00007FFC44591000-memory.dmp

Filesize
9.6MB

Download
memory/220-1-0x000000001B680000-0x000000001BB4E000-memory.dmp

Filesize
4.8MB

Download
memory/4728-36-0x00000228E6CC0000-0x00000228E6CE2000-memory.dmp

Filesize
136KB

Download