revengerat | 38bc13ef112b2f17d4d1a80243fac6a521b5d58228984aae0752d79487fa3b66

Resubmissions

16/04/2025, 11:04

250416-m58gsaz1ay 10

15/04/2025, 17:34

15/04/2025, 06:16

14/04/2025, 08:06

14/04/2025, 07:59

14/04/2025, 07:22

14/04/2025, 07:16

Analysis

max time kernel
253s
max time network
254s
platform
windows11-21h2_x64
resource
win11-20250410-en
resource tags

arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
submitted
16/04/2025, 11:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
Size

21KB
MD5

6fe3fb85216045fdf8186429c27458a7
SHA1

ef2c68d0b3edf3def5d90f1525fe87c2142e5710
SHA256

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550
SHA512

d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c
SSDEEP

384:nPD9On5gIdjbvRPJnMacNj6FIlKrZbJsV5reQ+ys:b9On2nV6FIlKr1

Score

10^/10

revengerat execution stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral22/files/0x001a00000002b1ab-14.dat	revengerat

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSO.exe	MSSCS.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSO.exe	MSSCS.exe

Executes dropped EXE 1 IoCs

pid	Process
4848	MSSCS.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5144	powershell.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32\MSSCS.exe	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
File opened for modification	C:\Windows\system32\MSSCS.exe	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
File opened for modification	C:\Windows\system32\MSSCS.exe	MSSCS.exe
File created	C:\Windows\system32\MSSCS.exe	MSSCS.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5144	powershell.exe
5144	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1440	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
Token: SeDebugPrivilege	4848	MSSCS.exe
Token: SeDebugPrivilege	5144	powershell.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 1440 wrote to memory of 4848	1440	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe	79
PID 1440 wrote to memory of 4848	1440	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe	79
PID 4848 wrote to memory of 5144	4848	MSSCS.exe	80
PID 4848 wrote to memory of 5144	4848	MSSCS.exe	80
PID 4848 wrote to memory of 5760	4848	MSSCS.exe	82
PID 4848 wrote to memory of 5760	4848	MSSCS.exe	82
PID 5760 wrote to memory of 2024	5760	vbc.exe	84
PID 5760 wrote to memory of 2024	5760	vbc.exe	84
PID 4848 wrote to memory of 4308	4848	MSSCS.exe	85
PID 4848 wrote to memory of 4308	4848	MSSCS.exe	85
PID 4308 wrote to memory of 2476	4308	vbc.exe	87
PID 4308 wrote to memory of 2476	4308	vbc.exe	87
PID 4848 wrote to memory of 3312	4848	MSSCS.exe	88
PID 4848 wrote to memory of 3312	4848	MSSCS.exe	88
PID 3312 wrote to memory of 3576	3312	vbc.exe	90
PID 3312 wrote to memory of 3576	3312	vbc.exe	90
PID 4848 wrote to memory of 5564	4848	MSSCS.exe	91
PID 4848 wrote to memory of 5564	4848	MSSCS.exe	91
PID 5564 wrote to memory of 5368	5564	vbc.exe	93
PID 5564 wrote to memory of 5368	5564	vbc.exe	93
PID 4848 wrote to memory of 1892	4848	MSSCS.exe	94
PID 4848 wrote to memory of 1892	4848	MSSCS.exe	94
PID 1892 wrote to memory of 4788	1892	vbc.exe	96
PID 1892 wrote to memory of 4788	1892	vbc.exe	96
PID 4848 wrote to memory of 4432	4848	MSSCS.exe	97
PID 4848 wrote to memory of 4432	4848	MSSCS.exe	97
PID 4432 wrote to memory of 4084	4432	vbc.exe	99
PID 4432 wrote to memory of 4084	4432	vbc.exe	99
PID 4848 wrote to memory of 236	4848	MSSCS.exe	100
PID 4848 wrote to memory of 236	4848	MSSCS.exe	100
PID 236 wrote to memory of 324	236	vbc.exe	102
PID 236 wrote to memory of 324	236	vbc.exe	102
PID 4848 wrote to memory of 5424	4848	MSSCS.exe	103
PID 4848 wrote to memory of 5424	4848	MSSCS.exe	103
PID 5424 wrote to memory of 4196	5424	vbc.exe	105
PID 5424 wrote to memory of 4196	5424	vbc.exe	105
PID 4848 wrote to memory of 4940	4848	MSSCS.exe	106
PID 4848 wrote to memory of 4940	4848	MSSCS.exe	106
PID 4940 wrote to memory of 1116	4940	vbc.exe	108
PID 4940 wrote to memory of 1116	4940	vbc.exe	108
PID 4848 wrote to memory of 2224	4848	MSSCS.exe	109
PID 4848 wrote to memory of 2224	4848	MSSCS.exe	109
PID 2224 wrote to memory of 4116	2224	vbc.exe	111
PID 2224 wrote to memory of 4116	2224	vbc.exe	111

C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
"C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1440
- C:\Windows\system32\MSSCS.exe
  "C:\Windows\system32\MSSCS.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4848
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ExecutionPolicy Bypass -Command [System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms'); [System.Windows.Forms.MessageBox]::Show('Isto abriu lol','Rekt!',0,64)
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5144
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wkxcrjee.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5760
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB9D5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1ED9E0E4183E4397A8E5F413B2D627C.TMP"
      4⤵
      PID:2024
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2nac4gnv.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4308
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBA52.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc41F41FC890854935B7E5A988F6B326A7.TMP"
      4⤵
      PID:2476
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nslj9i_r.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3312
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBAFE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc38609B5D3CF439491D4597FF602B9A.TMP"
      4⤵
      PID:3576
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uiylyvgi.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5564
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBB8B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFBC971667E034AE7B81F52F23ABFE4A9.TMP"
      4⤵
      PID:5368
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3qaffcex.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1892
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBC08.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8DB715E61DF41999749127B493A5BDF.TMP"
      4⤵
      PID:4788
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vuzief9o.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4432
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBC85.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8A3293C1818F46C4AC9F1D27DA79A690.TMP"
      4⤵
      PID:4084
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\8vo0t6wo.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:236
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBCF2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc870D9BA42B854182BD9874B67B7A8628.TMP"
      4⤵
      PID:324
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-1yu0q95.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5424
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBD50.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAE5E8432BAF41D9AEB974AE81E65FF8.TMP"
      4⤵
      PID:4196
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fvzo_1da.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4940
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBDAE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC69F5ED332D5468C937B13282CD61CF.TMP"
      4⤵
      PID:1116
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sd9nzhjh.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2224
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBE1B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5E135B888454D2091B08FC2AE30D0EC.TMP"
      4⤵
      PID:4116

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\-1yu0q95.0.vb

Filesize
270B

MD5
658573fde2bebc77c740da7ddaa4634b

SHA1
073da76c50b4033fcfdfb37ba6176afd77b0ea55

SHA256
c07206283d62100d426ba62a81e97bd433966f8b52b5a8dd1451e29a804a1607

SHA512
f93c7f4378be5eca51161d1541d772a34c07884c9d829608c6fa21563df5691920394afe9da1174ad5c13f773a588b186d1d38a9d375a28562eb58ca4a8b8fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\-1yu0q95.cmdline

Filesize
170B

MD5
e624b9c9b9f9093bf7338c16a2b7113c

SHA1
60e8c53ea16bc956df2479975d99efbc6f029197

SHA256
7a37cb739cc4312403c5cd3601e26894e8ca9015d10fa4a7d0d35d6c93c88e0f

SHA512
0a390d78c9213c5ba45b5b151c187d99f7dfe77a09b8c63ec7c6112b1253fe5195936eb51e4d1c47c5ecd104d32a3b7b8782f155aec14f70d9408943af2233c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\2nac4gnv.0.vb

Filesize
262B

MD5
88cc385da858aaa7057b54eaeb0df718

SHA1
b108224d4686b5ca3faaeb1c728dfba8740a6eca

SHA256
08a30db98d970e3b6819d5ecff6eab2211ce93f4cd000c09db96ffb294d05020

SHA512
4787835240c3e2364172ac2e7649ec8fecb907c7006c38734e59aa65509f360b4596d5db8de20e0c7388a022e1c2f4f9ba75acabba798bea1d40f688539b7df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\2nac4gnv.cmdline

Filesize
162B

MD5
48c2185ce79f9e30c8fe9f501281c549

SHA1
d4a662983aaef5e4a8b77a85f71820c1f42c761c

SHA256
458ec2e5a242fdb5c63374742e5d83aa570726f31d17e7ade074884947e7e7e0

SHA512
738c370b4ca5de32ff3870ac587be8596ace71b98b67e5f04756afd0a8737caf36aacf9d22deea75c1a8f5f2b483b52cebd7c69a24bc357e7fbac66a148eca9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\3qaffcex.0.vb

Filesize
271B

MD5
325f27ef75bebe8b3f80680add1943d3

SHA1
1c48e211258f8887946afb063e9315b7609b4ee3

SHA256
034c75813491d628a1a740b45888fc0c301b915456aaa7ba6433b4f1368cda35

SHA512
e2165b425558872897990953c26e48776f45751a53da035f1ad86ac062ec23a2923b984d84f992de5c0170f6e192feb155ffff25f51bc76ab273b996daacb804

Download Submit
C:\Users\Admin\AppData\Local\Temp\3qaffcex.cmdline

Filesize
171B

MD5
64993b691d37ba6085841093c67ef884

SHA1
012ded4903bb6a2648018d379cf5bc62dabefbcf

SHA256
51308486729fab58fd6d39bfbec08f63794d3fbd62b7c7dcac9af0c71689a52c

SHA512
cf169098803442cc54be6615400d5182fb55637a79d834656d4fdcb4ce106a408d5715225fe08e68b7e43fba96f02ab0bc91bf3497d44305f9b95b750aee7f30

Download Submit
C:\Users\Admin\AppData\Local\Temp\8vo0t6wo.0.vb

Filesize
264B

MD5
5ce3977a153152978fa71f8aa96909e9

SHA1
52af143c553c92afc257f0e0d556908eaa8919cb

SHA256
e07a7bd0c2901d3a349ab55e936b34de2d0abb5f2dc555cc128773b8045d3eed

SHA512
eaee02ceade0211be70a4710b28fdf043d5c540928e2095ead924a44c2edfca8fc6499395d1b7f5deee96394fb5309362fb87e45ee195094ec39d5fa11909d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\8vo0t6wo.cmdline

Filesize
164B

MD5
10b37906112c9019fd38ba40b3c27b9a

SHA1
e94c74a06132adb495f68195d24e35896db3cceb

SHA256
baa9650b8670938eac35eacf9c9ca53ea6c69a3c31e2311754642eef34fb1274

SHA512
3837b4c565e13c511faf8dba75029017678da0f69f34dec49933943c3a78241c36193652e991586fb04b883993a559f2bd09f73407dfc0fc9b27efbe7ece05cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB9D5.tmp

Filesize
1KB

MD5
4c4d447eaaf9813adc7bce93b3cb638b

SHA1
5c916d9b6fa1cb768b3c5f25b264c971ff8b8f3f

SHA256
e9fb66ef5f918ab4327b0529781d0f0e8b818522cb26c451538183d1b98a83d3

SHA512
355f9d845947eb6600049313ad57a6395114fa01e5d95a204b0fb3f7e612982918e17220888bbe0ea99bae62fe2615150b9095dd7c8b72f2015c79c09997cd2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBA52.tmp

Filesize
1KB

MD5
5dec3b0faaf36e98680f962721296fd8

SHA1
f0b12127d8fe68ac6397180921dddf74aa40e6f6

SHA256
0b63fac8d48b6697c152a9230321e271d2fb43b8af336757200715b44a8e6d93

SHA512
e5d75a26f31edf8d609a52c5169f08558e42f9d3634cdb71829d69f8d62609fcdffce9f610c904ab50a2a6ef47ca33b041435887d8cccaf2cb633f10c8e08aa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBAFE.tmp

Filesize
1KB

MD5
6afadd0e5ccf4c317701ac6c200a3de2

SHA1
530e08c826ad3dc7cbec66a519b5ad7bff9b3461

SHA256
00d32e95addeef9d29fd5896a9b57969537a7adc5291ffc22c46ffcda850ae9f

SHA512
c2cafdc5735ea1510d5723b750aca50dcec4244536479cab4105cb5ecc83e8a13c6405aedf43b99c11c5adca1ce19776718aba2dcc79a68973aba81ea7a6d4d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBB8B.tmp

Filesize
1KB

MD5
cd4429b75846b91ba81a69da34d8795b

SHA1
6bfd08407a89e0995307dda8b513a148e69d2e35

SHA256
3a2dcb458fb19015aed0a1fe0ce306c757ffa06e845f88801f4dcf1bcede477c

SHA512
0d706b935c4ba74e5c5618cba8a21d98e6f57517a9534684ada36db0db853acb608ea0bcf435aa5ea3cfe41f4486b4c9742929ec8d211e1e603c0ee3f0058a4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBC08.tmp

Filesize
1KB

MD5
49fb4ec1ddf09d596534e9193ea64b88

SHA1
7efb75fbaea494c95fddf7a7c271b4f7571966ef

SHA256
76ea2806c67742ced1f95742e49f55093a50e4bdcabe986102b168ba52b48485

SHA512
04744f2e17cfd566821db02b9646a19936661ed8ad0a06289d956a41cc2f9e0bc689e5f5fdda239784aed3796e88233ce2b1a4f4a63bc2f8de5cba35418c01e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBC85.tmp

Filesize
1KB

MD5
df2edc3825dbb6002d70f034aa700199

SHA1
7c04370979acb17cb15677fd77a4b3e118509917

SHA256
dea3405a249f82f0ae576446e0b05143dd2156b45671a50683677a15a5a09b55

SHA512
07a42740091dcc1a7f9def6017bc982aeb8d401c633849f6019852be04f10cb81ab5fc39032cc070675547cb4dca3a158949f730b53dd1395f110165a01017c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBCF2.tmp

Filesize
1KB

MD5
d5692bcb4f11edc1c3514b0c86ccda83

SHA1
52387c8cd0d3125096fc6122decf57c2f3573c41

SHA256
763dd7a68f59fdbbfd743a4f91ce0800921a1ded921ceda5f219bda2a61d6bbc

SHA512
6f32f8b9b3c76f676ce9df3aa007a458880eb00df0dd9574ed86db7652d5454649abd1818fdb0eb3974c4e0912f75551b96318d5066a16319a375102445e53d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBD50.tmp

Filesize
1KB

MD5
1b7fe92e0dfa3eb6a5a217022bbcae9b

SHA1
07bdc16e7d5166ee1daba0f410790cbd40668b2e

SHA256
77171bb133d9288f5958a5c4d3510b788a5babdb55d7832f2b2556dbe6ce1be9

SHA512
1ffbdb80a8c417d2665df88e405e7bf0b428d4cd110e885724eb51fe4bb9c8c4949d67ed3b34e5102879386661e790112c0867319a84704a415d7414562a845b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBDAE.tmp

Filesize
1KB

MD5
52a84fe8728f8b313473ca5c7f504b08

SHA1
167cb26bf8f0f8a07731b9c7882242e784d95c59

SHA256
5274f8e36c43950647ff3e0fb6a5f3d345a36d83d35d25e7aa764c7ae1d6860c

SHA512
e3fe71b7ab2064fd86db4c39f706ed92dfc4bbd800636d1dc582dbe842715641bc690ba94c96d68c112e100283efd8e3bf14b9dc56a10bff633a84a8d6e960ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBE1B.tmp

Filesize
1KB

MD5
97f8eb71ea5ce525f2cdfb026efc2e42

SHA1
5ebe5f5b751904653c3d9a0a787a8257b6930084

SHA256
0fd739cbc5df142e3ecfe23957460ae5216d897f77b93d688cf6457d22f88868

SHA512
7835647a0dde61ed02b65396a5272082c5826e5673933718c91c70ad695a67ad5113817166b458ed912e8c597d327ad2c54abf0ae5dcbede077f3a2ae84066c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lzdo4wwn.jtw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\fvzo_1da.cmdline

Filesize
171B

MD5
2227d6452e2ea10ded47e901520610e1

SHA1
c328b45f84b70458c0a07736451cc1f330b492c9

SHA256
a6bff72cf08d407b7a9ba3fc9ffab34d1563f9626a416ff2f14793df4b2dfceb

SHA512
692f4f34e82a2272099e0f935b4f6f558064e3d6a0a0444e394d2e7ef9aa416c15b12eec3a06920438a87c4a6af8290fe244276ab497eba09989ebe835c68c1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslj9i_r.0.vb

Filesize
271B

MD5
ac972015bef75b540eb33503d6e28cc2

SHA1
5c1d09fcf4c719711532dcfd0544dfc6f2b90260

SHA256
fa445cc76cde3461a5f1f1281fefcb0c7db69b2685f8a67a06a0f33a067e74e7

SHA512
36b2e1f7b7a6f2c60788f88d95bfdc53b7d261c203eb637a36fbd07d81bc46edc87e528f1987df73963cb75ca2f19c3a4b3df9ade52d5768ecec23753099cc83

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslj9i_r.cmdline

Filesize
171B

MD5
551ae1738941402471b79f40cecb2414

SHA1
74df42e7750c3ebe20549dec80cfdf387e1a41e3

SHA256
5b5186c4324d64b7ea99f9a3a21ae6b303d2dcf4e81ed51df79b0fe03d99a8b2

SHA512
0279ba4e48231ca3057a5696b260e5977711d1fe1eda7ab849206ed06fd9a7ee9795635111c34645dea0fa5c4c8f71fac1bb7f045775053bc07805dfd6d44e34

Download Submit
C:\Users\Admin\AppData\Local\Temp\sd9nzhjh.0.vb

Filesize
273B

MD5
3c3d3136aa9f1b87290839a1d26ad07a

SHA1
005a23a138be5d7a98bdd4a6cc7fab8bdca962f4

SHA256
5b745f85a39312bfa585edbd7e3465371578b42fa639eded4cdad8c9f96b87fd

SHA512
fbb085ffcd77ac96c245067fd96a0c20492d55331161f292975b0c11386424a96534a500133217f84d44455e16139d01230455bce5db3d472271620c29381f60

Download Submit
C:\Users\Admin\AppData\Local\Temp\sd9nzhjh.cmdline

Filesize
173B

MD5
e9ab03ef8c8b48aa0936cddafddf3904

SHA1
ae156aed5509d3dde3158e73d0c2c2db19b3d45b

SHA256
c3659769a4f350a38849e270d0ba9858165be316b4d50bca4778995add8cc08e

SHA512
39aaf8bf427e54cb960868a33bc157a56ffa643bb1588c442bdf5419a3d5f31690ee606b01f626b0244e16d76236ada94e32228f49c47973ebe458a72495ec2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\uiylyvgi.0.vb

Filesize
272B

MD5
2b3aac520562a93ebef6a5905d4765c9

SHA1
10ab45c5d73934b16fac5e30bf22f17d3e0810c8

SHA256
b9f0edf067faaaa7da2d47e3d22b957cd302eb25e01e08ea79c664868f328f89

SHA512
9514934ed12d93ea3ad4e6873cf294bafa114bc7a784a93b14dd2410d07fae3a2c00308035a5c129c57e283de8b94ed36fd9f9de35b08eb79a82a0c732e50446

Download Submit
C:\Users\Admin\AppData\Local\Temp\uiylyvgi.cmdline

Filesize
172B

MD5
cecb88d87ab8e63b90c319928e9e933e

SHA1
2628561fc0facbe5cfeb9eb4daa8c0fb7e4b598f

SHA256
41a2e1c574218761321eb9925991b364b53eafc6d00146ddbde3393cd72d0289

SHA512
cdc6ebd1de0a146a690152f0674f98cf624152bd7bf26a0507cf974398c752e031222e27691d7abeb59ff40e961820fb83e8d2b0bae18236f35ca9253cc86b8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1ED9E0E4183E4397A8E5F413B2D627C.TMP

Filesize
644B

MD5
dac60af34e6b37e2ce48ac2551aee4e7

SHA1
968c21d77c1f80b3e962d928c35893dbc8f12c09

SHA256
2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6

SHA512
1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc41F41FC890854935B7E5A988F6B326A7.TMP

Filesize
668B

MD5
3906bddee0286f09007add3cffcaa5d5

SHA1
0e7ec4da19db060ab3c90b19070d39699561aae2

SHA256
0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00

SHA512
0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5E135B888454D2091B08FC2AE30D0EC.TMP

Filesize
684B

MD5
7a707b422baa7ca0bc8883cbe68961e7

SHA1
addf3158670a318c3e8e6fdd6d560244b9e8860e

SHA256
453ad1da51152e3512760bbd206304bf48f9c880f63b6a0726009e2d1371c71c

SHA512
81147c1c4c5859249f4e25d754103f3843416e3d0610ac81ee2ef5e5f50622ea37f0c68eeb7fa404f8a1779dc52af02d2142874e39c212c66fa458e0d62926a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8A3293C1818F46C4AC9F1D27DA79A690.TMP

Filesize
684B

MD5
8135713eeb0cf1521c80ad8f3e7aad22

SHA1
1628969dc6256816b2ab9b1c0163fcff0971c154

SHA256
e14dd88df69dc98be5bedcbc8c43d1e7260b4492899fec24d964000a3b096c7a

SHA512
a0b7210095767b437a668a6b0bcedf42268e80b9184b9910ed67d665fba9f714d06c06bff7b3da63846791d606807d13311946505776a1b891b39058cfb41bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFBC971667E034AE7B81F52F23ABFE4A9.TMP

Filesize
676B

MD5
85c61c03055878407f9433e0cc278eb7

SHA1
15a60f1519aefb81cb63c5993400dd7d31b1202f

SHA256
f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b

SHA512
7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

Download Submit
C:\Users\Admin\AppData\Local\Temp\vuzief9o.0.vb

Filesize
274B

MD5
539683c4ca4ee4dc46b412c5651f20f5

SHA1
564f25837ce382f1534b088cf2ca1b8c4b078aed

SHA256
ec2210924d5c1af6377ef4bdf76d6ca773aaa1ae0438b0850f44d8c4e16ef92e

SHA512
df7c1a55e53f9b9bf23d27762d2d1163c78808e9b4d95e98c84c55ca4ecb7009ed58574ae6ddede31459f300483a1dc42987295a04f6c8702f297d3f1942f4ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\vuzief9o.cmdline

Filesize
174B

MD5
d3bb6329404b4821093f11e74b5ddf7d

SHA1
9ab83242b312669733b01e37ca3e2cb0daa9af72

SHA256
edcbf891275f6458328ed32c77f97b679df18327100ae41944cef014f740db20

SHA512
cac69bd5fb682d00678cad26b25459df6281e5d3e7fcdc81f9049d9d11301dca06731ce357fb51201bd67c3de474b3d974e348c88c3a86130a36ec198bbb2010

Download Submit
C:\Users\Admin\AppData\Local\Temp\wkxcrjee.0.vb

Filesize
256B

MD5
076803692ac8c38d8ee02672a9d49778

SHA1
45d2287f33f3358661c3d6a884d2a526fc6a0a46

SHA256
5b3ab23bcadaeb54a41bdb1636bcaf7772af028d375f42baeb967de6579ef2a3

SHA512
cc9126384a287ccb99d10d5c2d3034cdbc8a45e94f1cec48dd95f2aa08ebbe3053ffd6d6effa31f2d84164edbb6136398cd02c08b05f027a6a777dffd1daea5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\wkxcrjee.cmdline

Filesize
156B

MD5
97046489842e051931eb246f1c9d0e83

SHA1
1679d8d3c7fecb2620d34ff93b0eae6b4e18d8b3

SHA256
8ba4a6e2291cd964bfcff22f48af56a38eb97db6650e5971b33b108c00098660

SHA512
fa9879d4b9106045240edd71eb92863b6b3535b2286d5157f803ec0a388bd6fc02f63f0365335fb74812e127f17b8ef9f7d57b04eac25ad1200b8d6428250765

Download Submit
C:\Users\Admin\AppData\Roaming\Random\Default\Microsoft Edge.exe

Filesize
6KB

MD5
275b17232e22cf9bc445a8f80d74ada8

SHA1
255f7d5d33cac0c8212a2b39b546459dbb26a0a8

SHA256
a9e026cdb8dfeb8ba6f7399eee1c784ab579fa784f0c347592ec67f59a86745d

SHA512
c0ea3142d47000f0bccb1a2926df3b0e86d4100d92029951e9699796c1d93ac0885ab1b4a95107d37ce7be6c5d34532520854a351836f8ff711c2b7e4f20bd6b

Download Submit
C:\Windows\System32\MSSCS.exe

Filesize
21KB

MD5
6fe3fb85216045fdf8186429c27458a7

SHA1
ef2c68d0b3edf3def5d90f1525fe87c2142e5710

SHA256
905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550

SHA512
d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c

Download Submit
memory/1440-7-0x00007FFBB8445000-0x00007FFBB8446000-memory.dmp

Filesize
4KB

Download
memory/1440-5-0x00007FFBB8190000-0x00007FFBB8B31000-memory.dmp

Filesize
9.6MB

Download
memory/1440-2-0x000000001C100000-0x000000001C5CE000-memory.dmp

Filesize
4.8MB

Download
memory/1440-9-0x00007FFBB8190000-0x00007FFBB8B31000-memory.dmp

Filesize
9.6MB

Download
memory/1440-8-0x00007FFBB8190000-0x00007FFBB8B31000-memory.dmp

Filesize
9.6MB

Download
memory/1440-22-0x00007FFBB8190000-0x00007FFBB8B31000-memory.dmp

Filesize
9.6MB

Download
memory/1440-6-0x000000001CEA0000-0x000000001CF3C000-memory.dmp

Filesize
624KB

Download
memory/1440-0-0x00007FFBB8445000-0x00007FFBB8446000-memory.dmp

Filesize
4KB

Download
memory/1440-4-0x000000001C640000-0x000000001C6A2000-memory.dmp

Filesize
392KB

Download
memory/1440-3-0x000000001BB20000-0x000000001BBC6000-memory.dmp

Filesize
664KB

Download
memory/1440-1-0x00007FFBB8190000-0x00007FFBB8B31000-memory.dmp

Filesize
9.6MB

Download
memory/4848-19-0x00007FFBB8190000-0x00007FFBB8B31000-memory.dmp

Filesize
9.6MB

Download
memory/4848-20-0x00007FFBB8190000-0x00007FFBB8B31000-memory.dmp

Filesize
9.6MB

Download
memory/4848-21-0x00007FFBB8190000-0x00007FFBB8B31000-memory.dmp

Filesize
9.6MB

Download
memory/4848-23-0x00007FFBB8190000-0x00007FFBB8B31000-memory.dmp

Filesize
9.6MB

Download
memory/5144-33-0x0000021E5D8F0000-0x0000021E5D912000-memory.dmp

Filesize
136KB

Download