revengerat | 38bc13ef112b2f17d4d1a80243fac6a521b5d58228984aae0752d79487fa3b66

Resubmissions

16/04/2025, 11:04

250416-m58gsaz1ay 10

15/04/2025, 17:34

15/04/2025, 06:16

14/04/2025, 08:06

14/04/2025, 07:59

14/04/2025, 07:22

14/04/2025, 07:16

11/04/2025, 21:39

Analysis

max time kernel
143s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20250410-en
resource tags

arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
submitted
14/04/2025, 07:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
Size

21KB
MD5

6fe3fb85216045fdf8186429c27458a7
SHA1

ef2c68d0b3edf3def5d90f1525fe87c2142e5710
SHA256

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550
SHA512

d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c
SSDEEP

384:nPD9On5gIdjbvRPJnMacNj6FIlKrZbJsV5reQ+ys:b9On2nV6FIlKr1

Score

10^/10

revengerat execution stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral11/files/0x001a00000002b202-14.dat	revengerat

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSO.exe	MSSCS.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSO.exe	MSSCS.exe

Executes dropped EXE 1 IoCs

pid	Process
5540	MSSCS.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4980	powershell.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MSSCS.exe	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
File opened for modification	C:\Windows\system32\MSSCS.exe	MSSCS.exe
File created	C:\Windows\system32\MSSCS.exe	MSSCS.exe
File created	C:\Windows\system32\MSSCS.exe	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4980	powershell.exe
4980	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3988	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
Token: SeDebugPrivilege	5540	MSSCS.exe
Token: SeDebugPrivilege	4980	powershell.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 3988 wrote to memory of 5540	3988	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe	78
PID 3988 wrote to memory of 5540	3988	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe	78
PID 5540 wrote to memory of 4980	5540	MSSCS.exe	79
PID 5540 wrote to memory of 4980	5540	MSSCS.exe	79
PID 5540 wrote to memory of 5452	5540	MSSCS.exe	81
PID 5540 wrote to memory of 5452	5540	MSSCS.exe	81
PID 5452 wrote to memory of 5652	5452	vbc.exe	83
PID 5452 wrote to memory of 5652	5452	vbc.exe	83
PID 5540 wrote to memory of 2304	5540	MSSCS.exe	84
PID 5540 wrote to memory of 2304	5540	MSSCS.exe	84
PID 2304 wrote to memory of 4424	2304	vbc.exe	86
PID 2304 wrote to memory of 4424	2304	vbc.exe	86
PID 5540 wrote to memory of 1092	5540	MSSCS.exe	87
PID 5540 wrote to memory of 1092	5540	MSSCS.exe	87
PID 1092 wrote to memory of 956	1092	vbc.exe	89
PID 1092 wrote to memory of 956	1092	vbc.exe	89
PID 5540 wrote to memory of 4548	5540	MSSCS.exe	90
PID 5540 wrote to memory of 4548	5540	MSSCS.exe	90
PID 4548 wrote to memory of 5972	4548	vbc.exe	92
PID 4548 wrote to memory of 5972	4548	vbc.exe	92
PID 5540 wrote to memory of 4380	5540	MSSCS.exe	93
PID 5540 wrote to memory of 4380	5540	MSSCS.exe	93
PID 4380 wrote to memory of 4248	4380	vbc.exe	95
PID 4380 wrote to memory of 4248	4380	vbc.exe	95
PID 5540 wrote to memory of 5684	5540	MSSCS.exe	96
PID 5540 wrote to memory of 5684	5540	MSSCS.exe	96
PID 5684 wrote to memory of 2436	5684	vbc.exe	98
PID 5684 wrote to memory of 2436	5684	vbc.exe	98
PID 5540 wrote to memory of 5708	5540	MSSCS.exe	99
PID 5540 wrote to memory of 5708	5540	MSSCS.exe	99
PID 5708 wrote to memory of 560	5708	vbc.exe	101
PID 5708 wrote to memory of 560	5708	vbc.exe	101
PID 5540 wrote to memory of 5724	5540	MSSCS.exe	102
PID 5540 wrote to memory of 5724	5540	MSSCS.exe	102
PID 5724 wrote to memory of 1912	5724	vbc.exe	104
PID 5724 wrote to memory of 1912	5724	vbc.exe	104
PID 5540 wrote to memory of 2300	5540	MSSCS.exe	105
PID 5540 wrote to memory of 2300	5540	MSSCS.exe	105
PID 2300 wrote to memory of 5556	2300	vbc.exe	107
PID 2300 wrote to memory of 5556	2300	vbc.exe	107
PID 5540 wrote to memory of 744	5540	MSSCS.exe	108
PID 5540 wrote to memory of 744	5540	MSSCS.exe	108
PID 744 wrote to memory of 4732	744	vbc.exe	110
PID 744 wrote to memory of 4732	744	vbc.exe	110

C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
"C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3988
- C:\Windows\system32\MSSCS.exe
  "C:\Windows\system32\MSSCS.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5540
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ExecutionPolicy Bypass -Command [System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms'); [System.Windows.Forms.MessageBox]::Show('Isto abriu lol','Rekt!',0,64)
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4980
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ybjgrft5.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5452
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF23B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8499CDDE15A74FEC94D5F7E3C5176536.TMP"
      4⤵
      PID:5652
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9mjnitel.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2304
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF2C7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE924574AEA0B442CA35DB49FCB3799F.TMP"
      4⤵
      PID:4424
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\w_wzufzj.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1092
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF364.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3B1FCFA6B946A3BEA3634E6AD73D68.TMP"
      4⤵
      PID:956
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1bx7_h1t.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4548
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF3D1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc56B1452A243A4F998A40CC5494E2020.TMP"
      4⤵
      PID:5972
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zvzanyo3.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4380
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF44E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc62EA94A1BEC24ABDB6ECF6EE1E96953.TMP"
      4⤵
      PID:4248
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4pusmaih.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5684
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF4EA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFA627BF2C86740A19CB66EF3673C2ED3.TMP"
      4⤵
      PID:2436
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xgu12-sc.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5708
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF567.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCCE3FC33D3FF4FBCAE82A9423312B763.TMP"
      4⤵
      PID:560
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xwferuhm.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5724
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF5B5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF24993FAFA945DC8FA5EBA5D4B5A8DB.TMP"
      4⤵
      PID:1912
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zqzy39w-.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2300
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF5F4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6F4358756A56496986DF459AFD7796A9.TMP"
      4⤵
      PID:5556
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zf3nx0bl.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:744
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF652.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1718E4DD9B8408D9B331789BF2BDF3.TMP"
      4⤵
      PID:4732

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1bx7_h1t.0.vb

Filesize
272B

MD5
2b3aac520562a93ebef6a5905d4765c9

SHA1
10ab45c5d73934b16fac5e30bf22f17d3e0810c8

SHA256
b9f0edf067faaaa7da2d47e3d22b957cd302eb25e01e08ea79c664868f328f89

SHA512
9514934ed12d93ea3ad4e6873cf294bafa114bc7a784a93b14dd2410d07fae3a2c00308035a5c129c57e283de8b94ed36fd9f9de35b08eb79a82a0c732e50446

Download Submit
C:\Users\Admin\AppData\Local\Temp\1bx7_h1t.cmdline

Filesize
172B

MD5
f504e47f0cb2b44a0c6720dad3f0ce29

SHA1
03476dd55e47b5dce23fc5b841c74dca4aef5382

SHA256
20b06b8716dfd4577e24040411a0a38dc77cc567c81d274056ff3cae43f15061

SHA512
efe110f8facc5c85bcd1a37ca2cce0ac4ac722ab628a0975393c554b7b6506b0a30619ceb9f11809fa0e5b9de3a154e9469e3c94560aca2b4c0fba6118796566

Download Submit
C:\Users\Admin\AppData\Local\Temp\4pusmaih.0.vb

Filesize
274B

MD5
539683c4ca4ee4dc46b412c5651f20f5

SHA1
564f25837ce382f1534b088cf2ca1b8c4b078aed

SHA256
ec2210924d5c1af6377ef4bdf76d6ca773aaa1ae0438b0850f44d8c4e16ef92e

SHA512
df7c1a55e53f9b9bf23d27762d2d1163c78808e9b4d95e98c84c55ca4ecb7009ed58574ae6ddede31459f300483a1dc42987295a04f6c8702f297d3f1942f4ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\4pusmaih.cmdline

Filesize
174B

MD5
e2a3fc3556f66f63eee939825c8d97a0

SHA1
7791e9c90b720cddd55f1d60dc876566b4df884f

SHA256
4b4fd20670334de2c650ae7a78ce4944131794b26cc0dd4bb162834dd127e0ed

SHA512
a01ddc46d4e431ce24f710cd8a947a7a48417a1f1c746764b07730848021e9281e44981c0fbf26040374e7ca7c7c5765286c367e0dd289c0c9073b439f558a13

Download Submit
C:\Users\Admin\AppData\Local\Temp\9mjnitel.0.vb

Filesize
262B

MD5
88cc385da858aaa7057b54eaeb0df718

SHA1
b108224d4686b5ca3faaeb1c728dfba8740a6eca

SHA256
08a30db98d970e3b6819d5ecff6eab2211ce93f4cd000c09db96ffb294d05020

SHA512
4787835240c3e2364172ac2e7649ec8fecb907c7006c38734e59aa65509f360b4596d5db8de20e0c7388a022e1c2f4f9ba75acabba798bea1d40f688539b7df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\9mjnitel.cmdline

Filesize
162B

MD5
dd83491e0034dda0606f7ba4cc6af90c

SHA1
f46c337459041cb6d6ebfe67d68ee9c9b57d4e10

SHA256
64c1572eb22206ea882ef81c78029020e202cbc28f204413f869201772d596b5

SHA512
2e2a67950d2d51091056d0a727089f9d43ec1a5c00599259045b463ec9d016ed1b96bda8bf4370d0f0cebbd1a36e675823aca8e96c87d2964fe33e74e4a76028

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF23B.tmp

Filesize
1KB

MD5
996e6662a43c3a566381a95f37484823

SHA1
143f15381485af117bba1c8321de2ef3f0a17176

SHA256
9b273d6fcc000bf6dbce72017afae6758583a30836c96d15e941b81a9ec67e3f

SHA512
ad7e989e2abe88dc6bb6d5554009a801a9608da1080e732efb1c15502eaf7df6393c6e7ecdc04f3b7267291d8c645e730727a8d1f9ad135f1df9be0574ad038a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF2C7.tmp

Filesize
1KB

MD5
e91ba3185bbe09332f88ce8ff66bb6d2

SHA1
7bdfbaf8244eaf44a8dde94b9a25c4a883fe0a50

SHA256
45292f61bfadd3125aa214832dc9818c5ad5aa8694182b9c37797cb05f6ab0e4

SHA512
68eee4f9ba3ec7c6a121963530b9f6bcd95e3f1a7c0439a75722aab671b46ef1a09d401a1d491d69470abceca83f2abe396613be90deff053ef5e9bfbdd9cb14

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF364.tmp

Filesize
1KB

MD5
9346cde3fc27d099877ff15af26624e1

SHA1
99036ae91950353e0eebcf39c41c6fc0ded688e6

SHA256
eb4f4f6e4289b634e47d7d449e032153c7e8f20fa0fa0705578206f6db627386

SHA512
42e17d9dac4bc0ea1d66cd503a42768e3f0c352e3832b0a9236e749461ce5471bf35eaffcc6a53b12d07aab05b2e0f3d4baf3cc3a985e952269fd5e58ea1c958

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF3D1.tmp

Filesize
1KB

MD5
aef96842097b4962f9251f606271e1b2

SHA1
78b36156f635069267bb0946f9af37268f270431

SHA256
88208e4df7cc5088696f3c4686b691fedd0633d23b1b9085f871453b4c668314

SHA512
926375b560792caa2f04a9b0979f297abfb40676d51d92c3b1532c7c9c9134ec41b80dd0c49a6481b26469e6af47f0f8d7c2890e8e1c8e63a794f47ce7106282

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF44E.tmp

Filesize
1KB

MD5
39b050a80bb72e21ab539ae053a82f5b

SHA1
67be6ab38c517559197f0aae47216f09176e4b45

SHA256
a60dc2a6bc716714fd5ac9671c6decc8500f7d5324d5186c384595dc56986e0f

SHA512
8870d0b3550a8b0c5a3fc50394e859c0377769edd0b74ace45d194be3dd684390c213c42d4e7057dd63bc28a9d2cf4b7c1b7fd8df57e00cff273fe2136a9fea6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF4EA.tmp

Filesize
1KB

MD5
3059c4c4559fd712b3af3efa22b41ab9

SHA1
af9df963f2bf78e4300f75cf040ee5b9bfe1f96d

SHA256
a9eca8bf7ceb255ae202491d164368cbb8506f08a475c05ab57e80b1058f13b2

SHA512
5e82df5cb748ebf2e5a797de02dacf064489c442d54674630539b2d56639f922c8ddef2e72f2f1caa0b7f68dfd72b905b9c70f03ba826794b4912a87bfae0b72

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF567.tmp

Filesize
1KB

MD5
0d8e1686a37fed8b2691138ec7732fb9

SHA1
3d4a1f979f20f40ec1fc67acbc25e74fd29482bb

SHA256
a7ad1c77ea337edf93b78b06b5b835afcac03745bcd302a2dae8d89e6287aced

SHA512
60d6e28822f189d2a13a8a2702e99b8635d67131dc7953bab32a60914b493092f7ad1ef0a89e06f38acd19c4d50af4e76f635c39bcb2b9d25262ea206b0cc158

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF5B5.tmp

Filesize
1KB

MD5
656bcc3fd86e747b993f230638912659

SHA1
dff823920923d613dd361e7143ef34a07ab40da9

SHA256
2229e7e9eb24652f199d050759cff88f893b5f70e2df0f1d2957b634d7a0aab2

SHA512
7efd93818e44994356ce7266c50345722e4c5ba133c3782dbb151b182b6e78e71447997acc24d2af14c3baf0132a77d793781934202ec365bfee5629e623d862

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF5F4.tmp

Filesize
1KB

MD5
6673ff0422aca2a40daaeff6145005f1

SHA1
83a858d6e56c92d111a70ba9611df44c2bb13364

SHA256
96b6b487ab23f1a71d029be5150bacfe6048096966faa0c977c8d5c3df408baa

SHA512
eaa9c31fe18c45b4a2b10cc98322d08129b3a805209ea66e7b6c7b86538b3c1cacaa274a40c5a9fff759c345b8bbea9f5e23ddaa83f43a4c54895111861958c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF652.tmp

Filesize
1KB

MD5
2d32cd1d661f829ca6498ef25845985e

SHA1
920e832a7c1c98309312c1fa49a5af3e449baf92

SHA256
6e4e6ee0134bd104bf65ddfe374aa5c64936b2620d5434d4e08ee17aa2043f61

SHA512
598bd0a4ebec0fe756cdb9c9726758f2868c22b9c9db44a7229161266c78779f35a823233d89a984b9035256768c5e137bc5a06b2a22d65152bdec3910c92c07

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ic3vje3s.ljz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1718E4DD9B8408D9B331789BF2BDF3.TMP

Filesize
684B

MD5
7a707b422baa7ca0bc8883cbe68961e7

SHA1
addf3158670a318c3e8e6fdd6d560244b9e8860e

SHA256
453ad1da51152e3512760bbd206304bf48f9c880f63b6a0726009e2d1371c71c

SHA512
81147c1c4c5859249f4e25d754103f3843416e3d0610ac81ee2ef5e5f50622ea37f0c68eeb7fa404f8a1779dc52af02d2142874e39c212c66fa458e0d62926a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc56B1452A243A4F998A40CC5494E2020.TMP

Filesize
676B

MD5
85c61c03055878407f9433e0cc278eb7

SHA1
15a60f1519aefb81cb63c5993400dd7d31b1202f

SHA256
f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b

SHA512
7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8499CDDE15A74FEC94D5F7E3C5176536.TMP

Filesize
644B

MD5
dac60af34e6b37e2ce48ac2551aee4e7

SHA1
968c21d77c1f80b3e962d928c35893dbc8f12c09

SHA256
2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6

SHA512
1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE924574AEA0B442CA35DB49FCB3799F.TMP

Filesize
668B

MD5
3906bddee0286f09007add3cffcaa5d5

SHA1
0e7ec4da19db060ab3c90b19070d39699561aae2

SHA256
0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00

SHA512
0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFA627BF2C86740A19CB66EF3673C2ED3.TMP

Filesize
684B

MD5
8135713eeb0cf1521c80ad8f3e7aad22

SHA1
1628969dc6256816b2ab9b1c0163fcff0971c154

SHA256
e14dd88df69dc98be5bedcbc8c43d1e7260b4492899fec24d964000a3b096c7a

SHA512
a0b7210095767b437a668a6b0bcedf42268e80b9184b9910ed67d665fba9f714d06c06bff7b3da63846791d606807d13311946505776a1b891b39058cfb41bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\w_wzufzj.0.vb

Filesize
271B

MD5
ac972015bef75b540eb33503d6e28cc2

SHA1
5c1d09fcf4c719711532dcfd0544dfc6f2b90260

SHA256
fa445cc76cde3461a5f1f1281fefcb0c7db69b2685f8a67a06a0f33a067e74e7

SHA512
36b2e1f7b7a6f2c60788f88d95bfdc53b7d261c203eb637a36fbd07d81bc46edc87e528f1987df73963cb75ca2f19c3a4b3df9ade52d5768ecec23753099cc83

Download Submit
C:\Users\Admin\AppData\Local\Temp\w_wzufzj.cmdline

Filesize
171B

MD5
92e214dd9dac72f7f4b6193a6941fd76

SHA1
897697c81944ab38e2bd5fe32c84cd001338ebdc

SHA256
dd8644a3b10c9792d9cde13b56277c7a09e793784a58526df642fd9bea44af0c

SHA512
1ff0bb9f911349295a8b2dfc40b00bb8444de1d2bc581f49e1b7efa20f37c098d997ee16199bd406bf557d7c51b9f2d416a7df8dae72cb71a821f9fa1ea3425f

Download Submit
C:\Users\Admin\AppData\Local\Temp\xgu12-sc.0.vb

Filesize
264B

MD5
5ce3977a153152978fa71f8aa96909e9

SHA1
52af143c553c92afc257f0e0d556908eaa8919cb

SHA256
e07a7bd0c2901d3a349ab55e936b34de2d0abb5f2dc555cc128773b8045d3eed

SHA512
eaee02ceade0211be70a4710b28fdf043d5c540928e2095ead924a44c2edfca8fc6499395d1b7f5deee96394fb5309362fb87e45ee195094ec39d5fa11909d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\xgu12-sc.cmdline

Filesize
164B

MD5
3a980ff110359e3b3c474f487f3336aa

SHA1
4a969db112c7d10321757f25dfebf0ae73c25837

SHA256
5e62498f68f9d2a57b90fa8308b76c8266fde7e123ca944c3bc8ce6c554d1aaa

SHA512
e45afdfa20cebdc390d5e9ab4ad55d2d6da4a34a53ffc4886d0a68a1b59f931461c1e05d115bb9dfee0faef1b47ad4d3b1c540e097c9b71828f055de7f9114a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\xwferuhm.0.vb

Filesize
270B

MD5
658573fde2bebc77c740da7ddaa4634b

SHA1
073da76c50b4033fcfdfb37ba6176afd77b0ea55

SHA256
c07206283d62100d426ba62a81e97bd433966f8b52b5a8dd1451e29a804a1607

SHA512
f93c7f4378be5eca51161d1541d772a34c07884c9d829608c6fa21563df5691920394afe9da1174ad5c13f773a588b186d1d38a9d375a28562eb58ca4a8b8fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\xwferuhm.cmdline

Filesize
170B

MD5
8d6432b04f6db72418913a141e718486

SHA1
0f231e8d2a5cca5f360e7a8179d67221577553d9

SHA256
20f0c2b9931f21a42fc35c2ee3e75679a3ac3099eeb01dbc0478453d6d67559f

SHA512
b3eec0762b1817c02aef7bb4f893b413907cdc5f53562287e29d926e72cbe0bc27e6b78d322e5f4ed53f5a9945f4838da1a18c9668e6434f2c7405a7b85bc1be

Download Submit
C:\Users\Admin\AppData\Local\Temp\ybjgrft5.0.vb

Filesize
256B

MD5
076803692ac8c38d8ee02672a9d49778

SHA1
45d2287f33f3358661c3d6a884d2a526fc6a0a46

SHA256
5b3ab23bcadaeb54a41bdb1636bcaf7772af028d375f42baeb967de6579ef2a3

SHA512
cc9126384a287ccb99d10d5c2d3034cdbc8a45e94f1cec48dd95f2aa08ebbe3053ffd6d6effa31f2d84164edbb6136398cd02c08b05f027a6a777dffd1daea5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ybjgrft5.cmdline

Filesize
156B

MD5
35b44cb2e68d8ede40dcd603e62151c7

SHA1
050708836410521d7a46190948fb9a18366af610

SHA256
b2b0fa1fc3723d61cb98aa2b12ac958d3fb68a7ab2a018f3adf263ea9cbdff84

SHA512
bb67eec617876e2666bfc285a43d41afdb1e47f0135904860dde2093ec94891f7adbeaf965af3bad8a817c63dc2837a4f4b9009235abd1e6c553d1bf183c9447

Download Submit
C:\Users\Admin\AppData\Local\Temp\zf3nx0bl.0.vb

Filesize
273B

MD5
3c3d3136aa9f1b87290839a1d26ad07a

SHA1
005a23a138be5d7a98bdd4a6cc7fab8bdca962f4

SHA256
5b745f85a39312bfa585edbd7e3465371578b42fa639eded4cdad8c9f96b87fd

SHA512
fbb085ffcd77ac96c245067fd96a0c20492d55331161f292975b0c11386424a96534a500133217f84d44455e16139d01230455bce5db3d472271620c29381f60

Download Submit
C:\Users\Admin\AppData\Local\Temp\zf3nx0bl.cmdline

Filesize
173B

MD5
c47e2f2b4c1c11f5579c5bef4cc94840

SHA1
9a56074794b05ce376cefee4cf220136dd837596

SHA256
b405f0240faa5d4ec849456e40c707678e46c2292fefefb316003d2296599fd1

SHA512
19efc7278f1c02253aeaab467d0440b3eb3c093e77cd2e91c588e7ffd206954e92c0a7cab634ef921a5da361faa403d3b6f921457a6be30ff21caf17206b9cf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\zqzy39w-.cmdline

Filesize
171B

MD5
0fbdca03b1bd2dc90bb680f9be867795

SHA1
69d777ae4fd1d35f1bd03ba6bb2ce8d3ea672550

SHA256
c19d1a8afb4fea0d31b1d73830f5f0f2358c913f09eba913e445adb4ae9b085e

SHA512
bf5dfd23b41e7c570fe675e6d0b57cfc70fd8c24d1b50f6bd5b7cdbcfb2256b903b7d1608b0f0cc65d26b5f8ff123a7069e28dd6e7ac427914715654548055cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\zvzanyo3.0.vb

Filesize
271B

MD5
325f27ef75bebe8b3f80680add1943d3

SHA1
1c48e211258f8887946afb063e9315b7609b4ee3

SHA256
034c75813491d628a1a740b45888fc0c301b915456aaa7ba6433b4f1368cda35

SHA512
e2165b425558872897990953c26e48776f45751a53da035f1ad86ac062ec23a2923b984d84f992de5c0170f6e192feb155ffff25f51bc76ab273b996daacb804

Download Submit
C:\Users\Admin\AppData\Local\Temp\zvzanyo3.cmdline

Filesize
171B

MD5
206b19b7036969e246aac235e7656b7b

SHA1
907c5198d71e171662a6d1ff129181845eef6401

SHA256
4bfae1c590822ad892a1f5915158b1bfa4aea915b6975f3660f61399e88774dd

SHA512
f9f6834d915a18a89fee072a63bace5d12f9477fd4dc58e413ead9a46581d921f8051a849effd74f9db82dc2c15f9586d45a5aff82c59e81d3a0f497322a8209

Download Submit
C:\Users\Admin\AppData\Roaming\Random\Default\Microsoft Edge.exe

Filesize
6KB

MD5
07825bd6185a9ada2dbe8c0513836c07

SHA1
2e0ecf5cd13b7d2cd85b3e285bbc0bc80f3075a6

SHA256
f0ee4ea187c8e4c9a1f707e3ebb7a3d5c3889d8f9bcf74a76c8336dc48d6b4eb

SHA512
048767fa2d9554ebcd16562503a7ddfc8452ae7af7c6dbceb90a117df5a6544ad16d327d595667eca25a7b6be268dc92c3a3106d94ef3370c68bbb935662b210

Download Submit
C:\Windows\System32\MSSCS.exe

Filesize
21KB

MD5
6fe3fb85216045fdf8186429c27458a7

SHA1
ef2c68d0b3edf3def5d90f1525fe87c2142e5710

SHA256
905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550

SHA512
d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c

Download Submit
memory/3988-8-0x00007FF98A250000-0x00007FF98ABF1000-memory.dmp

Filesize
9.6MB

Download
memory/3988-0-0x00007FF98A505000-0x00007FF98A506000-memory.dmp

Filesize
4KB

Download
memory/3988-6-0x000000001C8C0000-0x000000001C95C000-memory.dmp

Filesize
624KB

Download
memory/3988-9-0x00007FF98A250000-0x00007FF98ABF1000-memory.dmp

Filesize
9.6MB

Download
memory/3988-1-0x000000001BB20000-0x000000001BFEE000-memory.dmp

Filesize
4.8MB

Download
memory/3988-5-0x00007FF98A250000-0x00007FF98ABF1000-memory.dmp

Filesize
9.6MB

Download
memory/3988-2-0x00007FF98A250000-0x00007FF98ABF1000-memory.dmp

Filesize
9.6MB

Download
memory/3988-7-0x00007FF98A505000-0x00007FF98A506000-memory.dmp

Filesize
4KB

Download
memory/3988-4-0x000000001BFF0000-0x000000001C052000-memory.dmp

Filesize
392KB

Download
memory/3988-22-0x00007FF98A250000-0x00007FF98ABF1000-memory.dmp

Filesize
9.6MB

Download
memory/3988-3-0x000000001B500000-0x000000001B5A6000-memory.dmp

Filesize
664KB

Download
memory/4980-33-0x0000021EDF3D0000-0x0000021EDF3F2000-memory.dmp

Filesize
136KB

Download
memory/5540-20-0x00007FF98A250000-0x00007FF98ABF1000-memory.dmp

Filesize
9.6MB

Download
memory/5540-23-0x00007FF98A250000-0x00007FF98ABF1000-memory.dmp

Filesize
9.6MB

Download
memory/5540-19-0x00007FF98A250000-0x00007FF98ABF1000-memory.dmp

Filesize
9.6MB

Download
memory/5540-18-0x00007FF98A250000-0x00007FF98ABF1000-memory.dmp

Filesize
9.6MB

Download