revengerat | 38bc13ef112b2f17d4d1a80243fac6a521b5d58228984aae0752d79487fa3b66

Resubmissions

01/04/2025, 21:24

250401-z8184awycs 10

Analysis

max time kernel
891s
max time network
902s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
26/02/2025, 05:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
Size

21KB
MD5

6fe3fb85216045fdf8186429c27458a7
SHA1

ef2c68d0b3edf3def5d90f1525fe87c2142e5710
SHA256

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550
SHA512

d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c
SSDEEP

384:nPD9On5gIdjbvRPJnMacNj6FIlKrZbJsV5reQ+ys:b9On2nV6FIlKr1

Score

10^/10

revengerat execution stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral30/files/0x000300000001ea67-13.dat	revengerat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSO.exe	MSSCS.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSO.exe	MSSCS.exe

Executes dropped EXE 1 IoCs

pid	Process
3820	MSSCS.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4772	powershell.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32\MSSCS.exe	MSSCS.exe
File created	C:\Windows\system32\MSSCS.exe	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
File opened for modification	C:\Windows\system32\MSSCS.exe	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
File opened for modification	C:\Windows\system32\MSSCS.exe	MSSCS.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4772	powershell.exe
4772	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3340	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
Token: SeDebugPrivilege	3820	MSSCS.exe
Token: SeDebugPrivilege	4772	powershell.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 3340 wrote to memory of 3820	3340	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe	93
PID 3340 wrote to memory of 3820	3340	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe	93
PID 3820 wrote to memory of 4772	3820	MSSCS.exe	95
PID 3820 wrote to memory of 4772	3820	MSSCS.exe	95
PID 3820 wrote to memory of 316	3820	MSSCS.exe	97
PID 3820 wrote to memory of 316	3820	MSSCS.exe	97
PID 316 wrote to memory of 2264	316	vbc.exe	99
PID 316 wrote to memory of 2264	316	vbc.exe	99
PID 3820 wrote to memory of 5032	3820	MSSCS.exe	100
PID 3820 wrote to memory of 5032	3820	MSSCS.exe	100
PID 5032 wrote to memory of 1692	5032	vbc.exe	102
PID 5032 wrote to memory of 1692	5032	vbc.exe	102
PID 3820 wrote to memory of 4440	3820	MSSCS.exe	103
PID 3820 wrote to memory of 4440	3820	MSSCS.exe	103
PID 4440 wrote to memory of 208	4440	vbc.exe	105
PID 4440 wrote to memory of 208	4440	vbc.exe	105
PID 3820 wrote to memory of 3652	3820	MSSCS.exe	106
PID 3820 wrote to memory of 3652	3820	MSSCS.exe	106
PID 3652 wrote to memory of 3464	3652	vbc.exe	108
PID 3652 wrote to memory of 3464	3652	vbc.exe	108
PID 3820 wrote to memory of 724	3820	MSSCS.exe	109
PID 3820 wrote to memory of 724	3820	MSSCS.exe	109
PID 724 wrote to memory of 3980	724	vbc.exe	111
PID 724 wrote to memory of 3980	724	vbc.exe	111
PID 3820 wrote to memory of 784	3820	MSSCS.exe	112
PID 3820 wrote to memory of 784	3820	MSSCS.exe	112
PID 784 wrote to memory of 392	784	vbc.exe	114
PID 784 wrote to memory of 392	784	vbc.exe	114
PID 3820 wrote to memory of 812	3820	MSSCS.exe	115
PID 3820 wrote to memory of 812	3820	MSSCS.exe	115
PID 812 wrote to memory of 2740	812	vbc.exe	117
PID 812 wrote to memory of 2740	812	vbc.exe	117
PID 3820 wrote to memory of 2480	3820	MSSCS.exe	118
PID 3820 wrote to memory of 2480	3820	MSSCS.exe	118
PID 2480 wrote to memory of 2424	2480	vbc.exe	120
PID 2480 wrote to memory of 2424	2480	vbc.exe	120
PID 3820 wrote to memory of 2880	3820	MSSCS.exe	121
PID 3820 wrote to memory of 2880	3820	MSSCS.exe	121
PID 2880 wrote to memory of 1188	2880	vbc.exe	123
PID 2880 wrote to memory of 1188	2880	vbc.exe	123
PID 3820 wrote to memory of 2612	3820	MSSCS.exe	124
PID 3820 wrote to memory of 2612	3820	MSSCS.exe	124
PID 2612 wrote to memory of 2772	2612	vbc.exe	126
PID 2612 wrote to memory of 2772	2612	vbc.exe	126

C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
"C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3340
- C:\Windows\system32\MSSCS.exe
  "C:\Windows\system32\MSSCS.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3820
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ExecutionPolicy Bypass -Command [System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms'); [System.Windows.Forms.MessageBox]::Show('Isto abriu lol','Rekt!',0,64)
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4772
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\d45tblyi.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:316
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD08A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc58289979637402288B1F0CCCE66D1DC.TMP"
      4⤵
      PID:2264
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ihfyhk2t.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5032
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD145.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDF621CAA2B33470FB3B57FC42FCC87D6.TMP"
      4⤵
      PID:1692
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\60hzbpou.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4440
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD1E1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc58D29D55571D4A2193FDA87BF3F0F24E.TMP"
      4⤵
      PID:208
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6m9eucwm.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3652
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD23F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc608CA19C9AB446DD94A6B0DCE0556545.TMP"
      4⤵
      PID:3464
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cqttvssn.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:724
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD28D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc58FBF17C97F1499188AB1EC6B94BDCCF.TMP"
      4⤵
      PID:3980
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3w1cgdwa.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:784
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD2FB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc54A48741B10446D782FF1746181A314.TMP"
      4⤵
      PID:392
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xf27lfmd.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:812
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD349.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9600544A83A44A5E96BAF833C8E7BDCA.TMP"
      4⤵
      PID:2740
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ogl20x_2.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2480
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD3A7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc42D25989140746BE96F1EB916342D6.TMP"
      4⤵
      PID:2424
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xznvdrqp.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2880
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD3F5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA05122444C9F470BAFD144A4D8B21BD.TMP"
      4⤵
      PID:1188
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\d_i_xbn3.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD452.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc192D64FDAAFB4632ABF84EE644C7D75C.TMP"
      4⤵
      PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3w1cgdwa.0.vb

Filesize
271B

MD5
325f27ef75bebe8b3f80680add1943d3

SHA1
1c48e211258f8887946afb063e9315b7609b4ee3

SHA256
034c75813491d628a1a740b45888fc0c301b915456aaa7ba6433b4f1368cda35

SHA512
e2165b425558872897990953c26e48776f45751a53da035f1ad86ac062ec23a2923b984d84f992de5c0170f6e192feb155ffff25f51bc76ab273b996daacb804

Download Submit
C:\Users\Admin\AppData\Local\Temp\3w1cgdwa.cmdline

Filesize
171B

MD5
2e39cccf5e0b1b52deaf1f7483613e96

SHA1
e1d1301d3bb7469c3940bdea0a731a6b810f1c76

SHA256
4af7f9b3fbfa0a456bf4248c385c625d0f8ffc6cbbec7b4fd6d001b70b161599

SHA512
f55b08954d8718fc82d9644e973238f84caf210868c2ead0b360dedb09c8e313337b72161bd6be0c96134f41955a5491e68a780a06a6952f3e50052815e63379

Download Submit
C:\Users\Admin\AppData\Local\Temp\60hzbpou.0.vb

Filesize
263B

MD5
d1110a95f1e40f726584bd99eca52fe7

SHA1
97fac683e1116ab31a9cc9c3dcfd9fe9e53505c3

SHA256
00f373eb310beace70146b6e0fd188aa2f437efb2e5a2714a11d4d58e27d3142

SHA512
f15b5b310ace82a0106b551d71ad3d48e1c75085aa78b8bb3374a2334ceb073bd4d1bf4cd0b4e39034c39f01b6bcd76e8be30198e4872f5641a7d29b255154b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\60hzbpou.cmdline

Filesize
163B

MD5
f8ed2f74ebbe673f856428bb65b53518

SHA1
7daf4bb33263c89d70c13566adb82c88d41966b9

SHA256
fad89a3380fd01aac1280ad5f7f4b8883a3fcc0d310b5cd678de565cda74eafc

SHA512
48ea035b6e2daa2cdd8ad4ec2e2c7280f05c8691b6d05ed1fa3d7bf2a416e21e058a8f5907a6e66f0fea7ba326ed9b76e19659a7672dc2095988141ece6608c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\6m9eucwm.0.vb

Filesize
271B

MD5
ac972015bef75b540eb33503d6e28cc2

SHA1
5c1d09fcf4c719711532dcfd0544dfc6f2b90260

SHA256
fa445cc76cde3461a5f1f1281fefcb0c7db69b2685f8a67a06a0f33a067e74e7

SHA512
36b2e1f7b7a6f2c60788f88d95bfdc53b7d261c203eb637a36fbd07d81bc46edc87e528f1987df73963cb75ca2f19c3a4b3df9ade52d5768ecec23753099cc83

Download Submit
C:\Users\Admin\AppData\Local\Temp\6m9eucwm.cmdline

Filesize
171B

MD5
cac0dbc290b2a09eb26ffb9068ddb271

SHA1
5abf127e9b44c7a7c7ec5aca5f83af1272268106

SHA256
25250080555661feff6c920ed3a13965a22a6c8931634add9d6742fc69f2d9ba

SHA512
44c80bbb8ca7402f270671575d758ff2bf9840216ddeba88d342d4f43d02112e1ba1dd401810b2e891504df40c040bc1a6d506abcfce99235647b55a91476b3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD08A.tmp

Filesize
1KB

MD5
dbc223acbbbb31a3e14c391d7e607c51

SHA1
732af6ec5671e3535c5e27629b73b5e3daf2f6bc

SHA256
bd67a9576e02535b277ce4a61f1f8d8c5ad4dbf0178fce0b1c08869237cb92b3

SHA512
d61678c8d0dcb0db07bbd2bdf476b594c7f87bc1c7602fe69e929441f98a800378289dad32847cc3ce23f667e2bea67373892aee0ed55fb49321fd2894bee61f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD145.tmp

Filesize
1KB

MD5
121692569b66a9f77e11e93d16c7b819

SHA1
51d5946b70f5ebfc01a32a24e08197ce65b4e40b

SHA256
218f1db9e609fa59d0da77b60d6504b0cbffa371d6ade24a589448d6838aa885

SHA512
36343e782ac71bd8a54f14e3a800652ac48da6eb305650cb6346508fe7888a56e365ac177b2bd2d2b668046c0cfda3017e18eb7a7b4ffba6f15d67c8e1560c98

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD1E1.tmp

Filesize
1KB

MD5
de6dcee4af4dbabc8e2f8be5e47eb24f

SHA1
997d1a1874f6ada006f60a272dbb3dc0379d686d

SHA256
4025cc7fe1b9d8b039546bf972d79bc370e01e980862b491c9e68a6e4d2efc77

SHA512
7414e5deb74b36df9e180aae85d962503318eafacd9c7931df9a76ead7f7d53198c1a5c650aec445473b024f6e663c3a45c981555760690d6ef25e01f8f773db

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD23F.tmp

Filesize
1KB

MD5
73aabb0065a879595e7621fff481e2ab

SHA1
f2610011357368afd87a30f3b754e8fedf9d0ac4

SHA256
5900d122b28b0d6ddcb56314afa15ce02c98a3651fd141bc646fa7124954f157

SHA512
217c1ee97d0495248144a0947b2bcb5e97777a8e617714979970e28d400f59806a38f49962c5214c7a8a2142e0b4592934a9c791ef1f5c8948ac59814929111b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD28D.tmp

Filesize
1KB

MD5
2beecd730b319d1f9255c3a057df00ca

SHA1
76a7953494edbb8d0a87018907ff881107c67464

SHA256
1840fa87a93f0dfdad14bf2640e52a9520d9987eb6d2d2cfba8213803d7d71ac

SHA512
5904c80bf7076ffc75e3fc9dad343dbc84a6e00a451a35c9f56909951a3a351e4033faf1202d05db43cb56395235743385d782802c29d3f60a9d4ec61085ea89

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD2FB.tmp

Filesize
1KB

MD5
fece1b1e5d87bc7f675ea9b6f056f7ec

SHA1
fcd8a2031cbca8850386dfa238cc11fdf9fc4003

SHA256
063de8a9f096dff69500df1d0e8b694192b5591c02a4374f1fc8aa3d0c9887e1

SHA512
ea1d81b44c7a0f559f184e6ca87462d9cdacded8693c4096040b1475ce73852631355f749fedd1efa0e601757e8f8c93937bcc1a62703f71de7efc1564259ae6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD349.tmp

Filesize
1KB

MD5
8e46ddb9074c255605d743b3450ccccf

SHA1
d1b6f80957f985a410ae29eb74942316e0999991

SHA256
cecf0cf0e63c03a9f1f7b96cc12f153e918c2f9ae845b42daf1eb8ee15974d4e

SHA512
3bd099e5c41b94c27fb443fa6680779f475cd1ff6d7cd2582168a58f89fcc16cbe9a315ea1793980074a4550537a8eb332fa5af05121906336171e8be7c63d7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD3A7.tmp

Filesize
1KB

MD5
3f2b567c94d0de28c9d7b674782e9153

SHA1
18a5e22626aa38af05d8bd729a31020b7a2e5cbe

SHA256
0b67af46c8a5396a579cc8a5b9ad851969ce3f19b58eccfdacf4beccdcc46e6a

SHA512
ef4c4a3ba91621fa32fcfd61796efbbe0c95b1fac93ba7828d2107ffd4591d18ca1b3d8762acc3a769aa7a377508cdfe28a4d16580ebd0bd274a7fe493ac9b0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD3F5.tmp

Filesize
1KB

MD5
0a6f59e04de6bde0e7926e0ebcf213be

SHA1
650b76019ced87a1ec396c03762758ed0a60ff9f

SHA256
596986c4e74116aea75985caed90404f2991ad47dbddf28be1e4ac2e0f2e1548

SHA512
3830e26420d526a640b8d64fc491d5ba537ce8f9ccbf32bf768b2d884d78a29846d245ba991a2c95ecf3c4e7eae860798b531ebdd5899f5640a971273ab9ed19

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD452.tmp

Filesize
1KB

MD5
f5e0c9780e65668fd217a2525deb7c12

SHA1
24dedbe15943a1691533e31dab22b251829f3b49

SHA256
1fedf97f029c272de9864f0ee651346ba5e5fd7ff44d816c25d3b0e444edde46

SHA512
ab9189aef3d64d41114c97bfd38ff6671eff4b9dd8581419c641c0f4afe37fb69b58dd62352323719778bdaf5d1005fcf0125325d006ed8fee2d2ac9a5bb4bec

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_j1exozrn.vxb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cqttvssn.0.vb

Filesize
272B

MD5
2b3aac520562a93ebef6a5905d4765c9

SHA1
10ab45c5d73934b16fac5e30bf22f17d3e0810c8

SHA256
b9f0edf067faaaa7da2d47e3d22b957cd302eb25e01e08ea79c664868f328f89

SHA512
9514934ed12d93ea3ad4e6873cf294bafa114bc7a784a93b14dd2410d07fae3a2c00308035a5c129c57e283de8b94ed36fd9f9de35b08eb79a82a0c732e50446

Download Submit
C:\Users\Admin\AppData\Local\Temp\cqttvssn.cmdline

Filesize
172B

MD5
8befb89fae71f94795578f921746ae22

SHA1
dd1a447b10117352ded7323a844288a02425eafb

SHA256
a352a4e02d72fecf90692476c160df28b57278855669e10bb5c971fedd8f042a

SHA512
3e8b0353fc4ced36e86dc8cf30c54d3affca3a213aa60694f37cee59615b20d1e73c8593dc73370476b5db721b8671fb9972ecb569e30a95630f876e65f9cc17

Download Submit
C:\Users\Admin\AppData\Local\Temp\d45tblyi.0.vb

Filesize
256B

MD5
076803692ac8c38d8ee02672a9d49778

SHA1
45d2287f33f3358661c3d6a884d2a526fc6a0a46

SHA256
5b3ab23bcadaeb54a41bdb1636bcaf7772af028d375f42baeb967de6579ef2a3

SHA512
cc9126384a287ccb99d10d5c2d3034cdbc8a45e94f1cec48dd95f2aa08ebbe3053ffd6d6effa31f2d84164edbb6136398cd02c08b05f027a6a777dffd1daea5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\d45tblyi.cmdline

Filesize
156B

MD5
aacf28d35183dab1745584fd673aa685

SHA1
cd11d192497b05cfde6c4378efcd933529999d04

SHA256
665fac7c8ed07ef1b550e905eb60d82c86b9a83ede24f0c1458b2466eb364349

SHA512
5ff5e4c21e05cfdadae46bc26fdb62779e2a4dee237a2f26c0a240410c67ba5636c96d880fdf2424374169534efd1e343d145fb2fd4a508d57fde589b8e08f9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\d_i_xbn3.0.vb

Filesize
273B

MD5
3c3d3136aa9f1b87290839a1d26ad07a

SHA1
005a23a138be5d7a98bdd4a6cc7fab8bdca962f4

SHA256
5b745f85a39312bfa585edbd7e3465371578b42fa639eded4cdad8c9f96b87fd

SHA512
fbb085ffcd77ac96c245067fd96a0c20492d55331161f292975b0c11386424a96534a500133217f84d44455e16139d01230455bce5db3d472271620c29381f60

Download Submit
C:\Users\Admin\AppData\Local\Temp\d_i_xbn3.cmdline

Filesize
173B

MD5
cee891761a3f56a85bab01f1c4b49fa8

SHA1
11e2b7ba7ec1805ad35a6a9b81161456f3c2e6fe

SHA256
fc65d0db3c82b1c6f1b1a8293638b8d5bc4c16ad41eec0cd0d5e4247623c24f5

SHA512
0255558312f27d6d7d0c87c04a8a56bd504693b8ee1fdb220e35818669f0f55bb007f1cc9a7d73639c352de1a58f1de1478968adaab8ab6e7eee317c234a67ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\ihfyhk2t.0.vb

Filesize
262B

MD5
88cc385da858aaa7057b54eaeb0df718

SHA1
b108224d4686b5ca3faaeb1c728dfba8740a6eca

SHA256
08a30db98d970e3b6819d5ecff6eab2211ce93f4cd000c09db96ffb294d05020

SHA512
4787835240c3e2364172ac2e7649ec8fecb907c7006c38734e59aa65509f360b4596d5db8de20e0c7388a022e1c2f4f9ba75acabba798bea1d40f688539b7df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ihfyhk2t.cmdline

Filesize
162B

MD5
62d919288d08a743e1aa1e5ecdaee700

SHA1
23b83b47122d3559b5fa70c142890a3cbe0c09a5

SHA256
95fd823ec8c27661277620551d548028328d22f2ebe4037fae66ed7daec6f031

SHA512
fc83e4eeda63edf4e8e076b379d7acdaaec62e6102ab995e857357586053218d416390053d3e448cdf5c96c156e4d3cc7f29773ddb698f0f36367a10bf5991c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ogl20x_2.0.vb

Filesize
264B

MD5
5ce3977a153152978fa71f8aa96909e9

SHA1
52af143c553c92afc257f0e0d556908eaa8919cb

SHA256
e07a7bd0c2901d3a349ab55e936b34de2d0abb5f2dc555cc128773b8045d3eed

SHA512
eaee02ceade0211be70a4710b28fdf043d5c540928e2095ead924a44c2edfca8fc6499395d1b7f5deee96394fb5309362fb87e45ee195094ec39d5fa11909d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\ogl20x_2.cmdline

Filesize
164B

MD5
4a4d9ff9fb114a6cf402d210d4fb8ee2

SHA1
9368085f04962becc7bf320af00b5a96994008bc

SHA256
dedbe1b3f9acbefc4b691544b7ff2568cb6110302aa1632a7fc06db83e425d73

SHA512
463b1bd275418bbdc5f8c3f0148876e13e3d2c361013e4e1e031ce4e9bbcfbc7488ead43b9b3a1b7ff848ff634579ab2fb3c00e85cdf25d558a86f84b46d43b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc192D64FDAAFB4632ABF84EE644C7D75C.TMP

Filesize
684B

MD5
7a707b422baa7ca0bc8883cbe68961e7

SHA1
addf3158670a318c3e8e6fdd6d560244b9e8860e

SHA256
453ad1da51152e3512760bbd206304bf48f9c880f63b6a0726009e2d1371c71c

SHA512
81147c1c4c5859249f4e25d754103f3843416e3d0610ac81ee2ef5e5f50622ea37f0c68eeb7fa404f8a1779dc52af02d2142874e39c212c66fa458e0d62926a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc58289979637402288B1F0CCCE66D1DC.TMP

Filesize
644B

MD5
dac60af34e6b37e2ce48ac2551aee4e7

SHA1
968c21d77c1f80b3e962d928c35893dbc8f12c09

SHA256
2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6

SHA512
1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc58D29D55571D4A2193FDA87BF3F0F24E.TMP

Filesize
676B

MD5
85c61c03055878407f9433e0cc278eb7

SHA1
15a60f1519aefb81cb63c5993400dd7d31b1202f

SHA256
f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b

SHA512
7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc9600544A83A44A5E96BAF833C8E7BDCA.TMP

Filesize
684B

MD5
8135713eeb0cf1521c80ad8f3e7aad22

SHA1
1628969dc6256816b2ab9b1c0163fcff0971c154

SHA256
e14dd88df69dc98be5bedcbc8c43d1e7260b4492899fec24d964000a3b096c7a

SHA512
a0b7210095767b437a668a6b0bcedf42268e80b9184b9910ed67d665fba9f714d06c06bff7b3da63846791d606807d13311946505776a1b891b39058cfb41bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcDF621CAA2B33470FB3B57FC42FCC87D6.TMP

Filesize
668B

MD5
3906bddee0286f09007add3cffcaa5d5

SHA1
0e7ec4da19db060ab3c90b19070d39699561aae2

SHA256
0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00

SHA512
0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\xf27lfmd.0.vb

Filesize
274B

MD5
539683c4ca4ee4dc46b412c5651f20f5

SHA1
564f25837ce382f1534b088cf2ca1b8c4b078aed

SHA256
ec2210924d5c1af6377ef4bdf76d6ca773aaa1ae0438b0850f44d8c4e16ef92e

SHA512
df7c1a55e53f9b9bf23d27762d2d1163c78808e9b4d95e98c84c55ca4ecb7009ed58574ae6ddede31459f300483a1dc42987295a04f6c8702f297d3f1942f4ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\xf27lfmd.cmdline

Filesize
174B

MD5
208978695e9bdd9424b0cdfdbde76737

SHA1
b558d8e4d386b83857d032ab001f0522d9192d88

SHA256
d6f6d8e70e6ab96342443dc494041ca18b9626a3675a6e840429a9ef0e68ae14

SHA512
f97c7f88bfb66ae97f0cd3f6a127150ba5f51f4b6e3e56b2344c0dcfdc4015689b0561a128db469cc5ce093d78ab3fc74c7065fe2ba9f1e235f4f5b2fb7cf39d

Download Submit
C:\Users\Admin\AppData\Local\Temp\xznvdrqp.0.vb

Filesize
270B

MD5
658573fde2bebc77c740da7ddaa4634b

SHA1
073da76c50b4033fcfdfb37ba6176afd77b0ea55

SHA256
c07206283d62100d426ba62a81e97bd433966f8b52b5a8dd1451e29a804a1607

SHA512
f93c7f4378be5eca51161d1541d772a34c07884c9d829608c6fa21563df5691920394afe9da1174ad5c13f773a588b186d1d38a9d375a28562eb58ca4a8b8fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\xznvdrqp.cmdline

Filesize
170B

MD5
330f184476cfa722b401d0b9fd369e0d

SHA1
139bb3e2f3b79a39bd54fbf235c6d6375cd23aa7

SHA256
0eb67a8636ea6c280b58c1c327c5d85ad9d17fcc4e5ba8906d742aaa337b9ac0

SHA512
86c84aa1473dfcd3cc40d4ac0157c18e01cfd5815c56da25c8aaffba300f0b55af99a3e739465de865c1250b81f132e6716365258256bdd115451493bdb1ab84

Download Submit
C:\Windows\System32\MSSCS.exe

Filesize
21KB

MD5
6fe3fb85216045fdf8186429c27458a7

SHA1
ef2c68d0b3edf3def5d90f1525fe87c2142e5710

SHA256
905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550

SHA512
d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c

Download Submit
memory/3340-5-0x00007FFA53A80000-0x00007FFA54421000-memory.dmp

Filesize
9.6MB

Download
memory/3340-1-0x00007FFA53A80000-0x00007FFA54421000-memory.dmp

Filesize
9.6MB

Download
memory/3340-0-0x00007FFA53D35000-0x00007FFA53D36000-memory.dmp

Filesize
4KB

Download
memory/3340-2-0x000000001BB00000-0x000000001BFCE000-memory.dmp

Filesize
4.8MB

Download
memory/3340-3-0x000000001B570000-0x000000001B616000-memory.dmp

Filesize
664KB

Download
memory/3340-8-0x00007FFA53A80000-0x00007FFA54421000-memory.dmp

Filesize
9.6MB

Download
memory/3340-7-0x00007FFA53D35000-0x00007FFA53D36000-memory.dmp

Filesize
4KB

Download
memory/3340-6-0x000000001C960000-0x000000001C9FC000-memory.dmp

Filesize
624KB

Download
memory/3340-21-0x00007FFA53A80000-0x00007FFA54421000-memory.dmp

Filesize
9.6MB

Download
memory/3340-4-0x000000001C0D0000-0x000000001C132000-memory.dmp

Filesize
392KB

Download
memory/3820-17-0x00007FFA53A80000-0x00007FFA54421000-memory.dmp

Filesize
9.6MB

Download
memory/3820-22-0x00007FFA53A80000-0x00007FFA54421000-memory.dmp

Filesize
9.6MB

Download
memory/3820-18-0x00007FFA53A80000-0x00007FFA54421000-memory.dmp

Filesize
9.6MB

Download
memory/3820-20-0x00007FFA53A80000-0x00007FFA54421000-memory.dmp

Filesize
9.6MB

Download
memory/4772-31-0x000001FE7AAA0000-0x000001FE7AAC2000-memory.dmp

Filesize
136KB

Download