revengerat | 38bc13ef112b2f17d4d1a80243fac6a521b5d58228984aae0752d79487fa3b66

Resubmissions

20/04/2025, 00:10 UTC

250420-agcc8axyax 10

16/04/2025, 11:04 UTC

250416-m58gsaz1ay 10

15/04/2025, 17:34 UTC

250415-v5ylksypw9 10

15/04/2025, 06:16 UTC

250415-g1p7ras1dw 10

14/04/2025, 08:06 UTC

250414-jzpwpstxhx 10

14/04/2025, 07:59 UTC

250414-jvg1assky4 10

14/04/2025, 07:22 UTC

250414-h7g1dss1h1 10

14/04/2025, 07:16 UTC

250414-h3xv2s1nv6 10

Analysis

max time kernel
894s
max time network
902s
platform
windows10-2004_x64
resource
win10v2004-20250410-en
resource tags

arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
submitted
15/04/2025, 17:34 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
Size

21KB
MD5

6fe3fb85216045fdf8186429c27458a7
SHA1

ef2c68d0b3edf3def5d90f1525fe87c2142e5710
SHA256

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550
SHA512

d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c
SSDEEP

384:nPD9On5gIdjbvRPJnMacNj6FIlKrZbJsV5reQ+ys:b9On2nV6FIlKr1

Score

10^/10

revengerat execution stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral21/files/0x0010000000024041-14.dat	revengerat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSO.exe	MSSCS.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSO.exe	MSSCS.exe

Executes dropped EXE 1 IoCs

pid	Process
4676	MSSCS.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5636	powershell.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32\MSSCS.exe	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
File opened for modification	C:\Windows\system32\MSSCS.exe	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
File opened for modification	C:\Windows\system32\MSSCS.exe	MSSCS.exe
File created	C:\Windows\system32\MSSCS.exe	MSSCS.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5636	powershell.exe
5636	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1724	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
Token: SeDebugPrivilege	4676	MSSCS.exe
Token: SeDebugPrivilege	5636	powershell.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 4676	1724	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe	94
PID 1724 wrote to memory of 4676	1724	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe	94
PID 4676 wrote to memory of 5636	4676	MSSCS.exe	95
PID 4676 wrote to memory of 5636	4676	MSSCS.exe	95
PID 4676 wrote to memory of 5880	4676	MSSCS.exe	97
PID 4676 wrote to memory of 5880	4676	MSSCS.exe	97
PID 5880 wrote to memory of 5828	5880	vbc.exe	99
PID 5880 wrote to memory of 5828	5880	vbc.exe	99
PID 4676 wrote to memory of 1916	4676	MSSCS.exe	100
PID 4676 wrote to memory of 1916	4676	MSSCS.exe	100
PID 1916 wrote to memory of 868	1916	vbc.exe	102
PID 1916 wrote to memory of 868	1916	vbc.exe	102
PID 4676 wrote to memory of 3348	4676	MSSCS.exe	103
PID 4676 wrote to memory of 3348	4676	MSSCS.exe	103
PID 3348 wrote to memory of 2852	3348	vbc.exe	105
PID 3348 wrote to memory of 2852	3348	vbc.exe	105
PID 4676 wrote to memory of 2856	4676	MSSCS.exe	106
PID 4676 wrote to memory of 2856	4676	MSSCS.exe	106
PID 2856 wrote to memory of 3492	2856	vbc.exe	108
PID 2856 wrote to memory of 3492	2856	vbc.exe	108
PID 4676 wrote to memory of 1932	4676	MSSCS.exe	109
PID 4676 wrote to memory of 1932	4676	MSSCS.exe	109
PID 1932 wrote to memory of 808	1932	vbc.exe	111
PID 1932 wrote to memory of 808	1932	vbc.exe	111
PID 4676 wrote to memory of 3804	4676	MSSCS.exe	112
PID 4676 wrote to memory of 3804	4676	MSSCS.exe	112
PID 3804 wrote to memory of 1876	3804	vbc.exe	114
PID 3804 wrote to memory of 1876	3804	vbc.exe	114
PID 4676 wrote to memory of 2180	4676	MSSCS.exe	115
PID 4676 wrote to memory of 2180	4676	MSSCS.exe	115
PID 2180 wrote to memory of 1356	2180	vbc.exe	117
PID 2180 wrote to memory of 1356	2180	vbc.exe	117
PID 4676 wrote to memory of 1064	4676	MSSCS.exe	118
PID 4676 wrote to memory of 1064	4676	MSSCS.exe	118
PID 1064 wrote to memory of 3992	1064	vbc.exe	120
PID 1064 wrote to memory of 3992	1064	vbc.exe	120
PID 4676 wrote to memory of 2320	4676	MSSCS.exe	121
PID 4676 wrote to memory of 2320	4676	MSSCS.exe	121
PID 2320 wrote to memory of 5840	2320	vbc.exe	123
PID 2320 wrote to memory of 5840	2320	vbc.exe	123

C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
"C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Windows\system32\MSSCS.exe
  "C:\Windows\system32\MSSCS.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4676
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ExecutionPolicy Bypass -Command [System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms'); [System.Windows.Forms.MessageBox]::Show('Isto abriu lol','Rekt!',0,64)
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5636
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mtl-wzwe.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5880
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAC87.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8D11487C1B8B4587A04C48FA9A1A3F0.TMP"
      4⤵
      PID:5828
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jpornumt.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1916
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAD42.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2188A99D686F44DFB542C6253CECA322.TMP"
      4⤵
      PID:868
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\j9br2w0j.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3348
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESADEE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3FC8990238474580A05A6F12D4F2EA.TMP"
      4⤵
      PID:2852
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uytgen4z.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2856
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAE6B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDDA6B35AA8E24F8EBE47B916FEC9E182.TMP"
      4⤵
      PID:3492
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ejy5d4ln.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1932
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAEF8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDD2136AA74514A2B9E92917F3ADE94A.TMP"
      4⤵
      PID:808
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6lok3g_p.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3804
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAF56.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC9644DC575774781A3DD7082A1A6B7DC.TMP"
      4⤵
      PID:1876
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jlszx5p0.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2180
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAFC3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA86DFCBF554F427D90A54DF675169D7.TMP"
      4⤵
      PID:1356
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\occlwvms.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1064
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB021.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFB92806E1DBE42799E38BC54393328.TMP"
      4⤵
      PID:3992
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hsozkqpx.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2320
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB08E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4E66C60F7C1F4635A8381537CFD5A07F.TMP"
      4⤵
      PID:5840

Network

GET

https://www.bing.com/th?id=OADD2.10239400704906_1CITMCUBSU14W9D3C&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

Remote address:

95.101.143.201:443

Request

GET /th?id=OADD2.10239400704906_1CITMCUBSU14W9D3C&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
host: www.bing.com
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-type: image/png
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QWthbWFp"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
content-length: 802
date: Tue, 15 Apr 2025 17:48:29 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.3b367a5c.1744739309.4a4fdb2
DNS

c.pki.goog

Remote address:

8.8.8.8:53

Request

c.pki.goog

IN A

Response

c.pki.goog

IN CNAME

pki-goog.l.google.com

pki-goog.l.google.com

IN A

142.250.179.227
GET

http://c.pki.goog/r/r1.crl

Remote address:

142.250.179.227:80

Request

GET /r/r1.crl HTTP/1.1
Cache-Control: max-age = 3000
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 03 Apr 2025 14:18:00 GMT
User-Agent: Microsoft-CryptoAPI/10.0
Host: c.pki.goog

Response

HTTP/1.1 304 Not Modified

Date: Tue, 15 Apr 2025 17:40:49 GMT
Expires: Tue, 15 Apr 2025 18:30:49 GMT
Age: 519
Last-Modified: Thu, 03 Apr 2025 14:18:00 GMT
Cache-Control: public, max-age=3000
Vary: Accept-Encoding

84.91.119.105:333

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe

260 B
5
95.101.143.201:443

https://www.bing.com/th?id=OADD2.10239400704906_1CITMCUBSU14W9D3C&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

tls, http2

1.9kB
6.0kB
17
11

HTTP Request

GET https://www.bing.com/th?id=OADD2.10239400704906_1CITMCUBSU14W9D3C&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

HTTP Response

200
84.91.119.105:333

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe

260 B
5
84.91.119.105:333

MSSCS.exe

260 B
5
142.250.179.227:80

http://c.pki.goog/r/r1.crl

http

476 B
394 B
6
4

HTTP Request

GET http://c.pki.goog/r/r1.crl

HTTP Response

304
84.91.119.105:333

MSSCS.exe

260 B
5
84.91.119.105:333

MSSCS.exe

260 B
5
84.91.119.105:333

MSSCS.exe

260 B
5
84.91.119.105:333

MSSCS.exe

260 B
5
84.91.119.105:333

MSSCS.exe

260 B
5
84.91.119.105:333

MSSCS.exe

260 B
5
84.91.119.105:333

MSSCS.exe

260 B
5
84.91.119.105:333

MSSCS.exe

260 B
5
84.91.119.105:333

MSSCS.exe

260 B
5
84.91.119.105:333

MSSCS.exe

260 B
5
84.91.119.105:333

MSSCS.exe

260 B
5
84.91.119.105:333

MSSCS.exe

260 B
5
84.91.119.105:333

MSSCS.exe

260 B
5
84.91.119.105:333

MSSCS.exe

260 B
5
84.91.119.105:333

MSSCS.exe

260 B
5
84.91.119.105:333

MSSCS.exe

260 B
5
84.91.119.105:333

MSSCS.exe

260 B
5
84.91.119.105:333

MSSCS.exe

260 B
5
84.91.119.105:333

MSSCS.exe

260 B
5
84.91.119.105:333

MSSCS.exe

260 B
5
84.91.119.105:333

MSSCS.exe

260 B
5
84.91.119.105:333

MSSCS.exe

260 B
5
84.91.119.105:333

MSSCS.exe

260 B
5
84.91.119.105:333

MSSCS.exe

260 B
5
84.91.119.105:333

MSSCS.exe

260 B
5
84.91.119.105:333

MSSCS.exe

260 B
5
84.91.119.105:333

MSSCS.exe

260 B
5
84.91.119.105:333

MSSCS.exe

260 B
5
84.91.119.105:333

MSSCS.exe

260 B
5
84.91.119.105:333

MSSCS.exe

260 B
5
84.91.119.105:333

MSSCS.exe

260 B
5
84.91.119.105:333

MSSCS.exe

260 B
5
84.91.119.105:333

MSSCS.exe

260 B
5
84.91.119.105:333

MSSCS.exe

260 B
5
84.91.119.105:333

MSSCS.exe

260 B
5
84.91.119.105:333

MSSCS.exe

156 B
3

8.8.8.8:53

c.pki.goog

dns

56 B
107 B
1
1

DNS Request

c.pki.goog

DNS Response

142.250.179.227

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6lok3g_p.0.vb

Filesize
274B

MD5
539683c4ca4ee4dc46b412c5651f20f5

SHA1
564f25837ce382f1534b088cf2ca1b8c4b078aed

SHA256
ec2210924d5c1af6377ef4bdf76d6ca773aaa1ae0438b0850f44d8c4e16ef92e

SHA512
df7c1a55e53f9b9bf23d27762d2d1163c78808e9b4d95e98c84c55ca4ecb7009ed58574ae6ddede31459f300483a1dc42987295a04f6c8702f297d3f1942f4ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\6lok3g_p.cmdline

Filesize
174B

MD5
ec3e6e466fb42e799f49aa45b0465206

SHA1
d8c527b76c2c2f0f28d9f2e4ac93a848464cb8f7

SHA256
2da3c34b82901f744045b95e163488905c90fc4c4e326964ed3fe09d01489365

SHA512
60404a9b902b054f80fddcfc3948e209ca54018c68d1ecee20bfeccc21aee217ce96d4b4553efae879ae456ab44c47e78f190c2be7a8f5f990e16934ed786924

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESAC87.tmp

Filesize
1KB

MD5
3102df75af80d1069a2be4cdb16de19a

SHA1
be984b2bddf7a0f8d6c64dbcc24e75c14e249f91

SHA256
b301238cd1340bb78dcfeac6c679a96f29444e9b2aa7b234d5fc415f9347762f

SHA512
c1dfb443c2ccbae62bf491d6d9662843b60453764d16125532f8f68d4fbd234af7a4ac47eed2a4940c009ffe0e704e95fe39c6f850d277d53ee0ac3183f19c38

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESAD42.tmp

Filesize
1KB

MD5
5ebf1c0a8cb5772d205da23bed04f4c4

SHA1
10f93a2becc8323ba2ad31dff47eca768635e41e

SHA256
1fd65bb0e6a70594c102bb5a7f2a3301977bf13f21d6551c58d38d2aa0202a07

SHA512
1f199a51abae98aac6ba67c4886c6dd8e06c0b3b6eae7314b7d7431e212f23ac02ff2578617f23cb9a948e50a3b8fe50483d94901c7e3adb74c5bc4f3b3f171e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESADEE.tmp

Filesize
1KB

MD5
bc1e34c6d7f6bf46c50658f32f4ab80a

SHA1
8c8f391793457f5492c0f402f9e7a9046fd73a94

SHA256
7236d3a2e19f3433a97b33b205df46d801a986864ac467696ebfa6d46df48a84

SHA512
0c14022402304327e8d1640b9275ca055caf737c35410c4f48a8e50b4d37ba16fa471775d0378893917b146d4a5304d77e9b058bc4448ad4745ad98fc3248b0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESAE6B.tmp

Filesize
1KB

MD5
0eca744188d4e67d876ed5224b1aa434

SHA1
2a1bddc5978d28d04514e0109d59bd323051a785

SHA256
db7e50b2b8a17870dbea2b1ef314f2f0c841d8d625b033ba0d68f836c00a1438

SHA512
2d808c2d68d716760d3c331f94e65606e123d1e3f141ccf50e3ae941bcfc4f92fedac472edf7d89cc592f00f7996d89383c7bc277f02812458fd2b11f2bffcfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESAEF8.tmp

Filesize
1KB

MD5
9685be0b87f7285b8885b8cf59501b47

SHA1
8023685c392ff00f7ec5a2e5d4161516fc4ddc97

SHA256
5ca5eebd2156d8745a93a1b5a92174f3c89fde304755e13b004676830caff070

SHA512
a1f0dca92403646beb2eeeb9aa6d49c174f8ce73b1a05830b4be6cf96a0dd08989308c800bf08f8ed3334b2c78b2473760c5d32cbbc334d4f039355ed43c4b86

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESAF56.tmp

Filesize
1KB

MD5
b3465be291950645bc289f83f4a9cc55

SHA1
d2e25f5918e076afbd137911958ddcb86bd688f0

SHA256
6f8ec4e5d5f6c3674492910178d56e723d97453a7e7131eb306636f985882071

SHA512
0bc01178ba263e1e024f7f362ee20c56dbe8659ab928050f0f7a5aa6472fc784cbd8e2eb9b8a6790bd1770280b43a0bf466024fb56e94d886304754cc2be2858

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESAFC3.tmp

Filesize
1KB

MD5
9f81c97f9ca840e67db432c18ceed653

SHA1
7e2da732efac50c60912bf8f81aab1acb86e35d3

SHA256
3cfa0e00b83d3cc5e9302504d8abf9aa84d8aaccaa8f38c5e01d51e072e8278d

SHA512
74cb2431970cfcfc7a2f2fd0025614a0571a3808bac66d075f3823db1d0d63169bd30dd62599f5eedde867f12b42a9adec0542a710d6acf83ed883ed4f955309

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB021.tmp

Filesize
1KB

MD5
fde75692fafca6f57c770d8cf42f11d8

SHA1
b6df7eb3cf79e2995baeb491f850f39341786bd2

SHA256
8542dd99955f44f699342f159a81454bfa0256963a9331f062e01e0eef20c27f

SHA512
22846b3c525af6165a40e58f671f8905d9398d8d4debeab99efe287b825f78d7d1cd0d7cbec07e0f5e8cd28ef56d4a2eb931ad0677c63789f1eed02bada62852

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB08E.tmp

Filesize
1KB

MD5
44670afccf33bbf401480b5bffe95b0b

SHA1
8b35fe873b2bee7d08bd79128b52b80dc19eb567

SHA256
9f60426596a82cd2fd3cca44f8651d9f3920c362e4d186b800e7c4213e6e707a

SHA512
e95c451aaed3e5b096096f90b0159eb177131ff878f938da599015e862ba6598d4cf977c40cc524d6d79aca01cc5c908610e1475d2e74d45ebd8036458c62a77

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_if1vykap.ml5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ejy5d4ln.0.vb

Filesize
271B

MD5
325f27ef75bebe8b3f80680add1943d3

SHA1
1c48e211258f8887946afb063e9315b7609b4ee3

SHA256
034c75813491d628a1a740b45888fc0c301b915456aaa7ba6433b4f1368cda35

SHA512
e2165b425558872897990953c26e48776f45751a53da035f1ad86ac062ec23a2923b984d84f992de5c0170f6e192feb155ffff25f51bc76ab273b996daacb804

Download Submit
C:\Users\Admin\AppData\Local\Temp\ejy5d4ln.cmdline

Filesize
171B

MD5
9fb6dbfc0431e7aa38bea9d0b55a8224

SHA1
b8b6cde875e3ca0329f95c7f7a881e6aa04f83f3

SHA256
4a8f3a32dd3ace3d58d9ac3b12f6f808c7671391866e289acf7ad6bc322d5566

SHA512
54542a4e2fb17a22a82fefe4290dbd1924f3ec6f384e3995b6563b5acc21c5153ebcae24162e9d3a21552efd27c008bd23ac7050c96a087d474edff35ca6a11c

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsozkqpx.0.vb

Filesize
273B

MD5
3c3d3136aa9f1b87290839a1d26ad07a

SHA1
005a23a138be5d7a98bdd4a6cc7fab8bdca962f4

SHA256
5b745f85a39312bfa585edbd7e3465371578b42fa639eded4cdad8c9f96b87fd

SHA512
fbb085ffcd77ac96c245067fd96a0c20492d55331161f292975b0c11386424a96534a500133217f84d44455e16139d01230455bce5db3d472271620c29381f60

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsozkqpx.cmdline

Filesize
173B

MD5
9bfbdadcb4ac5b79e6c0efd09b957ecf

SHA1
8c13bdc0d2cfde9e6f29c13049038e7d5d5677ce

SHA256
28c38dcc44f374eb44792e03464393bdd5c09a00e15e128cc380114458fec494

SHA512
c460408f9039878eb0a048be738aef210027124d42e5880c20b08eeabd2845122b36046ce2ffc1307ed0f96f7dadb6f7996cc33cdadb3b75a15f01af669c46ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\j9br2w0j.0.vb

Filesize
271B

MD5
ac972015bef75b540eb33503d6e28cc2

SHA1
5c1d09fcf4c719711532dcfd0544dfc6f2b90260

SHA256
fa445cc76cde3461a5f1f1281fefcb0c7db69b2685f8a67a06a0f33a067e74e7

SHA512
36b2e1f7b7a6f2c60788f88d95bfdc53b7d261c203eb637a36fbd07d81bc46edc87e528f1987df73963cb75ca2f19c3a4b3df9ade52d5768ecec23753099cc83

Download Submit
C:\Users\Admin\AppData\Local\Temp\j9br2w0j.cmdline

Filesize
171B

MD5
5ec92a7f11fd3e37fa38866bd006171e

SHA1
9802b9c5800f790335d9b71495d737f3afaaece3

SHA256
76b9da4d2035cc65d70c95b8c8b79df7aee2f6aaa1f5305a32d98b23d94b14b3

SHA512
1c124c2da75a1d6d4c6768a3dfd006ab3766f729355645f319bbe402a4c5574337c09d2d17b789d64b265d38b464461129b9198238bf0149e5918ac40adfa89c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jlszx5p0.0.vb

Filesize
264B

MD5
5ce3977a153152978fa71f8aa96909e9

SHA1
52af143c553c92afc257f0e0d556908eaa8919cb

SHA256
e07a7bd0c2901d3a349ab55e936b34de2d0abb5f2dc555cc128773b8045d3eed

SHA512
eaee02ceade0211be70a4710b28fdf043d5c540928e2095ead924a44c2edfca8fc6499395d1b7f5deee96394fb5309362fb87e45ee195094ec39d5fa11909d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\jlszx5p0.cmdline

Filesize
164B

MD5
659019814049ee8e2d13f07297c2e4b7

SHA1
3ae35e57e884722d51b3b77d2a1ef77d4ee1078a

SHA256
bb1624d62c4818f6edf8240f5ea1c38856b388d5ee83a3ceb8fc4df2fb9bbb57

SHA512
ff389ca4a72402b17c276719439ef39cda3ade98c732cee03e24521c411d65ae72c518bd03d4cdcff712ac75170661a494f30bd24237e5f6942f9b0e02324f1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\jpornumt.0.vb

Filesize
262B

MD5
88cc385da858aaa7057b54eaeb0df718

SHA1
b108224d4686b5ca3faaeb1c728dfba8740a6eca

SHA256
08a30db98d970e3b6819d5ecff6eab2211ce93f4cd000c09db96ffb294d05020

SHA512
4787835240c3e2364172ac2e7649ec8fecb907c7006c38734e59aa65509f360b4596d5db8de20e0c7388a022e1c2f4f9ba75acabba798bea1d40f688539b7df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\jpornumt.cmdline

Filesize
162B

MD5
6101af03b62fcad1269bf7a9ee534e68

SHA1
2290ed81cd7126741451eae4c30e49e08850e165

SHA256
ad6227f3db459e8f64d8fbeb14762d07eb621fbe6c186c95692a4282825bfb7b

SHA512
15d1be67a49b0e5c9d84504cd468332f6e8e6ed9d02a1d484dc7240cdbaa3e65d0c30e5336c80cdd081c26903b9c3126406a46f7b1617782bfb026e7b4799e59

Download Submit
C:\Users\Admin\AppData\Local\Temp\mtl-wzwe.0.vb

Filesize
256B

MD5
076803692ac8c38d8ee02672a9d49778

SHA1
45d2287f33f3358661c3d6a884d2a526fc6a0a46

SHA256
5b3ab23bcadaeb54a41bdb1636bcaf7772af028d375f42baeb967de6579ef2a3

SHA512
cc9126384a287ccb99d10d5c2d3034cdbc8a45e94f1cec48dd95f2aa08ebbe3053ffd6d6effa31f2d84164edbb6136398cd02c08b05f027a6a777dffd1daea5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\mtl-wzwe.cmdline

Filesize
156B

MD5
e506cf6c336c44173ffff998bb6ef26a

SHA1
9014b14b1f5a967182fbba4fbb94f31ea77351c2

SHA256
b0f42410d49c42b093266c485e735ac5fb88b35a8c9870c4184c94e5ae50d0dd

SHA512
d5428f2e73634a5be8f77b635ab492fb38f6f0fa23f76c065c947a953ae9fd4be8ccb0787a96bdb25d8d37b564e3a6e44865b75ebec0d987be0bfe98b16c45a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\occlwvms.0.vb

Filesize
270B

MD5
658573fde2bebc77c740da7ddaa4634b

SHA1
073da76c50b4033fcfdfb37ba6176afd77b0ea55

SHA256
c07206283d62100d426ba62a81e97bd433966f8b52b5a8dd1451e29a804a1607

SHA512
f93c7f4378be5eca51161d1541d772a34c07884c9d829608c6fa21563df5691920394afe9da1174ad5c13f773a588b186d1d38a9d375a28562eb58ca4a8b8fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\occlwvms.cmdline

Filesize
170B

MD5
084af4bf0954dadfaa4af7ec5baa4e11

SHA1
5b64cf1366d5eb64a8bd439c02563c501a1c33c7

SHA256
dc7953e2f83f4b42209e197578548065de4df23a9ac5b055ecd00fb7f841d957

SHA512
bca98c190fc1aa563941fb8d6ad161eed550f3000e50b47d95d533f278bb73d1890fcbda2d0ab4955ddef00cae8f97c0deac35819e9523a96c4e0a71b00bf6d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\uytgen4z.0.vb

Filesize
272B

MD5
2b3aac520562a93ebef6a5905d4765c9

SHA1
10ab45c5d73934b16fac5e30bf22f17d3e0810c8

SHA256
b9f0edf067faaaa7da2d47e3d22b957cd302eb25e01e08ea79c664868f328f89

SHA512
9514934ed12d93ea3ad4e6873cf294bafa114bc7a784a93b14dd2410d07fae3a2c00308035a5c129c57e283de8b94ed36fd9f9de35b08eb79a82a0c732e50446

Download Submit
C:\Users\Admin\AppData\Local\Temp\uytgen4z.cmdline

Filesize
172B

MD5
dd4672f4d16d7ebe5b288712a10429f6

SHA1
6cffe81e4260227733d36d9eb932bab141c5c4e3

SHA256
294f20899d8fa6d3f9d33adc321af6d889ed867515c51840a6fc79a9d6bcbf44

SHA512
937f15fcd53ddcc1a67caebf6566eb50dbe67a02384e42f84551464b25071f648672692bb52cb87ad5c038729cabdd57ff468e03fabebf958f3aaba25fc808e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2188A99D686F44DFB542C6253CECA322.TMP

Filesize
668B

MD5
3906bddee0286f09007add3cffcaa5d5

SHA1
0e7ec4da19db060ab3c90b19070d39699561aae2

SHA256
0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00

SHA512
0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4E66C60F7C1F4635A8381537CFD5A07F.TMP

Filesize
684B

MD5
7a707b422baa7ca0bc8883cbe68961e7

SHA1
addf3158670a318c3e8e6fdd6d560244b9e8860e

SHA256
453ad1da51152e3512760bbd206304bf48f9c880f63b6a0726009e2d1371c71c

SHA512
81147c1c4c5859249f4e25d754103f3843416e3d0610ac81ee2ef5e5f50622ea37f0c68eeb7fa404f8a1779dc52af02d2142874e39c212c66fa458e0d62926a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8D11487C1B8B4587A04C48FA9A1A3F0.TMP

Filesize
644B

MD5
dac60af34e6b37e2ce48ac2551aee4e7

SHA1
968c21d77c1f80b3e962d928c35893dbc8f12c09

SHA256
2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6

SHA512
1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC9644DC575774781A3DD7082A1A6B7DC.TMP

Filesize
684B

MD5
8135713eeb0cf1521c80ad8f3e7aad22

SHA1
1628969dc6256816b2ab9b1c0163fcff0971c154

SHA256
e14dd88df69dc98be5bedcbc8c43d1e7260b4492899fec24d964000a3b096c7a

SHA512
a0b7210095767b437a668a6b0bcedf42268e80b9184b9910ed67d665fba9f714d06c06bff7b3da63846791d606807d13311946505776a1b891b39058cfb41bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcDDA6B35AA8E24F8EBE47B916FEC9E182.TMP

Filesize
676B

MD5
85c61c03055878407f9433e0cc278eb7

SHA1
15a60f1519aefb81cb63c5993400dd7d31b1202f

SHA256
f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b

SHA512
7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

Download Submit
C:\Windows\System32\MSSCS.exe

Filesize
21KB

MD5
6fe3fb85216045fdf8186429c27458a7

SHA1
ef2c68d0b3edf3def5d90f1525fe87c2142e5710

SHA256
905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550

SHA512
d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c

Download Submit
memory/1724-21-0x00007FFC6C0F0000-0x00007FFC6CA91000-memory.dmp

Filesize
9.6MB

Download
memory/1724-8-0x00007FFC6C0F0000-0x00007FFC6CA91000-memory.dmp

Filesize
9.6MB

Download
memory/1724-2-0x000000001B440000-0x000000001B90E000-memory.dmp

Filesize
4.8MB

Download
memory/1724-3-0x000000001B9C0000-0x000000001BA66000-memory.dmp

Filesize
664KB

Download
memory/1724-5-0x00007FFC6C0F0000-0x00007FFC6CA91000-memory.dmp

Filesize
9.6MB

Download
memory/1724-6-0x000000001C300000-0x000000001C39C000-memory.dmp

Filesize
624KB

Download
memory/1724-0-0x00007FFC6C3A5000-0x00007FFC6C3A6000-memory.dmp

Filesize
4KB

Download
memory/1724-1-0x00007FFC6C0F0000-0x00007FFC6CA91000-memory.dmp

Filesize
9.6MB

Download
memory/1724-7-0x00007FFC6C3A5000-0x00007FFC6C3A6000-memory.dmp

Filesize
4KB

Download
memory/1724-4-0x000000001BAE0000-0x000000001BB42000-memory.dmp

Filesize
392KB

Download
memory/1724-9-0x00007FFC6C0F0000-0x00007FFC6CA91000-memory.dmp

Filesize
9.6MB

Download
memory/4676-19-0x00007FFC6C0F0000-0x00007FFC6CA91000-memory.dmp

Filesize
9.6MB

Download
memory/4676-18-0x00007FFC6C0F0000-0x00007FFC6CA91000-memory.dmp

Filesize
9.6MB

Download
memory/4676-22-0x00007FFC6C0F0000-0x00007FFC6CA91000-memory.dmp

Filesize
9.6MB

Download
memory/5636-27-0x000002809BD40000-0x000002809BD62000-memory.dmp

Filesize
136KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.