revengerat | a4c7e0fa5387a8d4bf68638494b6a8c0b7299798cb87788edd70963256895e37

Analysis

max time kernel
143s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250502-en
resource tags

arch:x64arch:x86image:win10v2004-20250502-enlocale:en-usos:windows10-2004-x64system
submitted
21/05/2025, 00:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
Size

21KB
MD5

6fe3fb85216045fdf8186429c27458a7
SHA1

ef2c68d0b3edf3def5d90f1525fe87c2142e5710
SHA256

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550
SHA512

d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c
SSDEEP

384:nPD9On5gIdjbvRPJnMacNj6FIlKrZbJsV5reQ+ys:b9On2nV6FIlKr1

Score

10^/10

revengerat execution stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral25/files/0x000900000002429d-14.dat	revengerat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\International\Geo\Nation	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSO.exe	MSSCS.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSO.exe	MSSCS.exe

Executes dropped EXE 1 IoCs

pid	Process
5048	MSSCS.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3300	powershell.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32\MSSCS.exe	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
File opened for modification	C:\Windows\system32\MSSCS.exe	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
File opened for modification	C:\Windows\system32\MSSCS.exe	MSSCS.exe
File created	C:\Windows\system32\MSSCS.exe	MSSCS.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3300	powershell.exe
3300	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3988	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
Token: SeDebugPrivilege	5048	MSSCS.exe
Token: SeDebugPrivilege	3300	powershell.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 3988 wrote to memory of 5048	3988	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe	105
PID 3988 wrote to memory of 5048	3988	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe	105
PID 5048 wrote to memory of 3300	5048	MSSCS.exe	107
PID 5048 wrote to memory of 3300	5048	MSSCS.exe	107
PID 5048 wrote to memory of 2180	5048	MSSCS.exe	109
PID 5048 wrote to memory of 2180	5048	MSSCS.exe	109
PID 2180 wrote to memory of 2420	2180	vbc.exe	111
PID 2180 wrote to memory of 2420	2180	vbc.exe	111
PID 5048 wrote to memory of 5108	5048	MSSCS.exe	112
PID 5048 wrote to memory of 5108	5048	MSSCS.exe	112
PID 5108 wrote to memory of 4820	5108	vbc.exe	114
PID 5108 wrote to memory of 4820	5108	vbc.exe	114
PID 5048 wrote to memory of 5768	5048	MSSCS.exe	115
PID 5048 wrote to memory of 5768	5048	MSSCS.exe	115
PID 5768 wrote to memory of 3020	5768	vbc.exe	117
PID 5768 wrote to memory of 3020	5768	vbc.exe	117
PID 5048 wrote to memory of 4080	5048	MSSCS.exe	118
PID 5048 wrote to memory of 4080	5048	MSSCS.exe	118
PID 4080 wrote to memory of 4568	4080	vbc.exe	120
PID 4080 wrote to memory of 4568	4080	vbc.exe	120
PID 5048 wrote to memory of 3032	5048	MSSCS.exe	121
PID 5048 wrote to memory of 3032	5048	MSSCS.exe	121
PID 3032 wrote to memory of 4760	3032	vbc.exe	123
PID 3032 wrote to memory of 4760	3032	vbc.exe	123
PID 5048 wrote to memory of 4444	5048	MSSCS.exe	124
PID 5048 wrote to memory of 4444	5048	MSSCS.exe	124
PID 4444 wrote to memory of 5140	4444	vbc.exe	126
PID 4444 wrote to memory of 5140	4444	vbc.exe	126
PID 5048 wrote to memory of 3888	5048	MSSCS.exe	127
PID 5048 wrote to memory of 3888	5048	MSSCS.exe	127
PID 3888 wrote to memory of 4672	3888	vbc.exe	129
PID 3888 wrote to memory of 4672	3888	vbc.exe	129
PID 5048 wrote to memory of 5440	5048	MSSCS.exe	130
PID 5048 wrote to memory of 5440	5048	MSSCS.exe	130
PID 5440 wrote to memory of 976	5440	vbc.exe	132
PID 5440 wrote to memory of 976	5440	vbc.exe	132
PID 5048 wrote to memory of 3748	5048	MSSCS.exe	133
PID 5048 wrote to memory of 3748	5048	MSSCS.exe	133
PID 3748 wrote to memory of 3540	3748	vbc.exe	135
PID 3748 wrote to memory of 3540	3748	vbc.exe	135

C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
"C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3988
- C:\Windows\system32\MSSCS.exe
  "C:\Windows\system32\MSSCS.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5048
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ExecutionPolicy Bypass -Command [System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms'); [System.Windows.Forms.MessageBox]::Show('Isto abriu lol','Rekt!',0,64)
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3300
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\s5a4ckaq.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2180
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE097.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1FBF9299E5A940E18944235468A7CA91.TMP"
      4⤵
      PID:2420
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\v21i9-iw.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5108
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE1C0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC9C6CD83571941E6A2DBC9177E919942.TMP"
      4⤵
      PID:4820
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\f6kjtf77.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5768
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE21E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD765C0F77F1348F3917611F06EF9212E.TMP"
      4⤵
      PID:3020
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mpqnmx0t.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4080
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE26C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc618C9BCDB9414600AF466168E34BC12E.TMP"
      4⤵
      PID:4568
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qvql7frm.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3032
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE2D9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD097E8B19B974852864A85A8EBDA372.TMP"
      4⤵
      PID:4760
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\98gj4wjv.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4444
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE337.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF3051796D7E431FA755EB6FD3104153.TMP"
      4⤵
      PID:5140
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4ra6jma3.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3888
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE3B4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1477CDDBF5BD4C2B811D87A74D2C547.TMP"
      4⤵
      PID:4672
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rcbkgdfk.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5440
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE421.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4BF1E635678E4EEC8A6E81FD7991B3C.TMP"
      4⤵
      PID:976
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7u9axhdp.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3748
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE47F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc34546803C194325BF88F0777DE1E265.TMP"
      4⤵
      PID:3540

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4ra6jma3.0.vb

Filesize
270B

MD5
658573fde2bebc77c740da7ddaa4634b

SHA1
073da76c50b4033fcfdfb37ba6176afd77b0ea55

SHA256
c07206283d62100d426ba62a81e97bd433966f8b52b5a8dd1451e29a804a1607

SHA512
f93c7f4378be5eca51161d1541d772a34c07884c9d829608c6fa21563df5691920394afe9da1174ad5c13f773a588b186d1d38a9d375a28562eb58ca4a8b8fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\4ra6jma3.cmdline

Filesize
170B

MD5
8854a08893e49711802e6782992603b3

SHA1
2e36710451d05f9c7828ad7b6f11a7384b5ed331

SHA256
179b03d8c8765239a1a7c471b15e02f77b6dbd48aac433939d7b69f8c5a2cf93

SHA512
c848b354bab1365a03119eaedc1213f46eaf31c5b2e5d355376d2a68119c0eedc297f43891cf3f70cda1df721c521cb9d37d46249cde50c146182355b518a5e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7u9axhdp.0.vb

Filesize
273B

MD5
3c3d3136aa9f1b87290839a1d26ad07a

SHA1
005a23a138be5d7a98bdd4a6cc7fab8bdca962f4

SHA256
5b745f85a39312bfa585edbd7e3465371578b42fa639eded4cdad8c9f96b87fd

SHA512
fbb085ffcd77ac96c245067fd96a0c20492d55331161f292975b0c11386424a96534a500133217f84d44455e16139d01230455bce5db3d472271620c29381f60

Download Submit
C:\Users\Admin\AppData\Local\Temp\7u9axhdp.cmdline

Filesize
173B

MD5
93c3b6d2682e6c2446a34d88a0277767

SHA1
b423f502721801f572d37761bd613344765747ed

SHA256
c95aa8899fdabe70cf9f047589a00ad40cf37e4d3dce00ceba3929f9addccb8f

SHA512
7ad8d60a42d04b85fd6edeef308e55898c2b5110ff7d8bc75ad3ba1844bd1563428816c5b233c5fff39f6daeeafe9943b5ff8d8361bbe790c1b1ae7b9708284c

Download Submit
C:\Users\Admin\AppData\Local\Temp\98gj4wjv.0.vb

Filesize
264B

MD5
5ce3977a153152978fa71f8aa96909e9

SHA1
52af143c553c92afc257f0e0d556908eaa8919cb

SHA256
e07a7bd0c2901d3a349ab55e936b34de2d0abb5f2dc555cc128773b8045d3eed

SHA512
eaee02ceade0211be70a4710b28fdf043d5c540928e2095ead924a44c2edfca8fc6499395d1b7f5deee96394fb5309362fb87e45ee195094ec39d5fa11909d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\98gj4wjv.cmdline

Filesize
164B

MD5
b8c46ed99a97529f15e9f06a8d5aa9f6

SHA1
8be23b5fd8261831be9a134b6cf620b756cfa383

SHA256
f48ed60310bd914d248dc97a8d5b3067306b18f16de66cf0bad3606be7ded41c

SHA512
00b2e972ab8f8701cee6136fc5572e4f5e446adfa3b0f6baaa1ccf6a3329aee0a619e2cdd97d3bbf1e7dc7a69cd07d1233fca29a43c2f7b59e3d55d225df7375

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE097.tmp

Filesize
1KB

MD5
45a340a1b4d7110e11b8a40c7161a2e8

SHA1
fd90305d40103ac5c0e4b26afd6459142894406e

SHA256
ed022a90d60bead7110ee66f79c3142a013a67f0ce514395f8029963c19ddc11

SHA512
b811dcb47685a59af646a9df6ae81caa94f28aa02fda674b300d6f68ff703bede9a4c35b3c33c4b466ce86635ebcf38182e07441a854325b0a30e420b1db8c1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE1C0.tmp

Filesize
1KB

MD5
165b4e2c774112dd69fb317dadc898c4

SHA1
e12edf0fc6398b585182221a7a0045c650a425b2

SHA256
1f3740c096885572d331c5dce271e199efece42ddddc00e69182d3f6492545ca

SHA512
7e06450420b3c8addc1f25b65400ac8caace2ce1bd1dea16bd387845e45b38871db5b191dead2e2bbbc161c5a81baf196d096c6eca8a32d4ef16b0676049d556

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE21E.tmp

Filesize
1KB

MD5
b1829dbfb7957f9a8160fcff5bacd439

SHA1
8f75b862aa9481b6bf631901d0f77292a8b67298

SHA256
a7a629ac405e2012fd0a12e813e10435a59d406eb509f16d16f17c782e3ce2fa

SHA512
5e00fdb97178ecb2f4496faaefb0a2a58d827909dd8430b8c122f5d8f9ad708d1ee009ce9911a3bad19369224fa356103e12a5b6c5da4119abedc157daebfb12

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE26C.tmp

Filesize
1KB

MD5
ba646c72f334332f5c055d71b5daba06

SHA1
dfdea53f9bec3956474cff2081742dbea42cb270

SHA256
4474e0781f0b8c399f8f0538ebc603b475065cb798c7e2b36c131c29f8db51de

SHA512
ed060905c5d7d594957632bec32cdf969f597e161f978e13577e187ae96fec31d05fb9d65c4973452b11fbaefe4e2f10c24df88fb4bb494d20354dc2d2ad23ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE2D9.tmp

Filesize
1KB

MD5
c926ca489ffdaa586e78487dc9a0aa90

SHA1
41f7ff81905ef4b83f60030f42c9becb1e695324

SHA256
84e3e52029c19b05d84deea12433fcae3ea85d6cae5c29d64057dc021d394fa7

SHA512
d72c2b7310cce833223ced282a94dd938fd2e2ffb0f8327d7035688a63a77c1bd6290f6287871d034aeb349c06b526fce885037cfd75014cb4385e847f276ea0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE337.tmp

Filesize
1KB

MD5
06c5095216b295f8eb05b89a5c1cd4e7

SHA1
bf7ccd7f41737d39e00bcfca947b5aacc423daff

SHA256
a14cae7d7d052dea5b48bf3cdc0fe71aec30c7a176d40f1360ca87d3a381ed8d

SHA512
41ff2217f4e01076a5153e7c16260299edf000e7758fd6d48cff4ec0c8b34ebfe2280adb79b721de8ab4008c7feb0d5a572a70a9fff6278f65b20fe14c77c59c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE3B4.tmp

Filesize
1KB

MD5
706e5a3649889d6fb7695b83444d84a7

SHA1
4ce1d4734c7fa24a8e19fe6424ecb81544dd5831

SHA256
66a7e574519438bca05ec4d0bd2129f4af7ec7c08cbcbcef86f98e9b21f3a643

SHA512
ab5bc918fca3a5bf88bd91e7ce8743e9b7fad31944af4716767d95f4aeda6aad5b3be2ba578a7ee4c0eb7e286bd38482779a05b1cefb1868124490c279704d6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE421.tmp

Filesize
1KB

MD5
c7b0bb91d5594e20e50c0d22ec019150

SHA1
26ef24d79c75cc2f5ba91182904ab2438b2d3d78

SHA256
ace2b623412e18a32166d0225c487b4c8f3ce85ee63be1887cef4939b17ad69b

SHA512
a6028df63fd00d30c4df411c8abbf6a928a7a7d69ba118b4ba3c45677b6d03faf17f7605c91b67f39d25a4b1972a0f1effb1611b18f4601f09fb4ce84bf4266c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE47F.tmp

Filesize
1KB

MD5
ae31fc6ba2620cad86d34094407fac48

SHA1
21a20a210596869f7df20ebfaa63a0461a9249a6

SHA256
43f1047d9777a70430fa82d5d42123135e5d0038af78e88352e7d574b72fe7fe

SHA512
58a7faab03cd48914213e258838ac8c18fdef0133397387eb0b9ae8110568853a32591d9fdbac7e59441cecec9700ed026a61b917ea96c2774733720df565375

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ktgxrvqe.q2v.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\f6kjtf77.0.vb

Filesize
271B

MD5
ac972015bef75b540eb33503d6e28cc2

SHA1
5c1d09fcf4c719711532dcfd0544dfc6f2b90260

SHA256
fa445cc76cde3461a5f1f1281fefcb0c7db69b2685f8a67a06a0f33a067e74e7

SHA512
36b2e1f7b7a6f2c60788f88d95bfdc53b7d261c203eb637a36fbd07d81bc46edc87e528f1987df73963cb75ca2f19c3a4b3df9ade52d5768ecec23753099cc83

Download Submit
C:\Users\Admin\AppData\Local\Temp\f6kjtf77.cmdline

Filesize
171B

MD5
b8aafb4254d8de108232ac0fe942176a

SHA1
ead15517993e56fee18960361496f51f74af3e29

SHA256
7451cc552a7c1d83bd8f4135eb41adfddd4c21d8ad55d05c7d654b372e61bef5

SHA512
5fe3f7bb34dd21ec8b57a0edf2ea8c1b330a36a275f83c6386443d62083adfc60c66fea5b197a774260fded9f226e1383f7402ff06d578291591a22339e490ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\mpqnmx0t.0.vb

Filesize
272B

MD5
2b3aac520562a93ebef6a5905d4765c9

SHA1
10ab45c5d73934b16fac5e30bf22f17d3e0810c8

SHA256
b9f0edf067faaaa7da2d47e3d22b957cd302eb25e01e08ea79c664868f328f89

SHA512
9514934ed12d93ea3ad4e6873cf294bafa114bc7a784a93b14dd2410d07fae3a2c00308035a5c129c57e283de8b94ed36fd9f9de35b08eb79a82a0c732e50446

Download Submit
C:\Users\Admin\AppData\Local\Temp\mpqnmx0t.cmdline

Filesize
172B

MD5
8bfa2e0949ded7d7d07cf11bf3a2e285

SHA1
957d1554bb744c92a98af5f2bc93ff0947ce4b83

SHA256
f9ad15c99a2ea9fa7e791292182585ad7aa4981064f3825dad0103ed64efab44

SHA512
b399c603d91057eb464ef07b47977c92bb3b6624837f01ded5ce4c7c373da640709def9659989bc1d1652dbf3499d3469a5001a83d71e4ac4c1b322f14e09584

Download Submit
C:\Users\Admin\AppData\Local\Temp\qvql7frm.0.vb

Filesize
274B

MD5
539683c4ca4ee4dc46b412c5651f20f5

SHA1
564f25837ce382f1534b088cf2ca1b8c4b078aed

SHA256
ec2210924d5c1af6377ef4bdf76d6ca773aaa1ae0438b0850f44d8c4e16ef92e

SHA512
df7c1a55e53f9b9bf23d27762d2d1163c78808e9b4d95e98c84c55ca4ecb7009ed58574ae6ddede31459f300483a1dc42987295a04f6c8702f297d3f1942f4ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\qvql7frm.cmdline

Filesize
174B

MD5
cac5b822fc2d8294e7b1effddcd1dfd1

SHA1
765114980b166d0e13db4c1269a2c86bbfcb40e8

SHA256
7d04b77e7711f11a795373fd3ae8feee0bb892c7b830850bf8cb11e73d3d3e29

SHA512
fcaf241c6b9baad85fdd1429193200961c6b80c8a1730044ceb84a3aeb4fb01122e6853e229f24392cbc5435e5d47aa4d350248b3397bb2763bccadf9af171e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\rcbkgdfk.0.vb

Filesize
271B

MD5
325f27ef75bebe8b3f80680add1943d3

SHA1
1c48e211258f8887946afb063e9315b7609b4ee3

SHA256
034c75813491d628a1a740b45888fc0c301b915456aaa7ba6433b4f1368cda35

SHA512
e2165b425558872897990953c26e48776f45751a53da035f1ad86ac062ec23a2923b984d84f992de5c0170f6e192feb155ffff25f51bc76ab273b996daacb804

Download Submit
C:\Users\Admin\AppData\Local\Temp\rcbkgdfk.cmdline

Filesize
171B

MD5
471cd23e9a1c8eb6938d276a11d8bb16

SHA1
6b057d78525dfe6187ba7606860d0c3a2e2c5359

SHA256
8ca879f4f1a86b9ecfafef4880f64561e0625617ff52457046e362e7ffd3dc50

SHA512
ffcb8846f3adcf5442ef69701f42346cc910ca5d038c2de62ba2dba86d6e6c1cbb78663d27d751518d121903b1603b2dc11921b319be2d53f108ac9aab4b1287

Download Submit
C:\Users\Admin\AppData\Local\Temp\s5a4ckaq.0.vb

Filesize
256B

MD5
076803692ac8c38d8ee02672a9d49778

SHA1
45d2287f33f3358661c3d6a884d2a526fc6a0a46

SHA256
5b3ab23bcadaeb54a41bdb1636bcaf7772af028d375f42baeb967de6579ef2a3

SHA512
cc9126384a287ccb99d10d5c2d3034cdbc8a45e94f1cec48dd95f2aa08ebbe3053ffd6d6effa31f2d84164edbb6136398cd02c08b05f027a6a777dffd1daea5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\s5a4ckaq.cmdline

Filesize
156B

MD5
4b30b57df2cc6f041006d2472d525b80

SHA1
d73d4d22e887ad9820b36fa791aee02e1bb7a6ce

SHA256
74c54d9d802547466e543613f075ca77d07c333824510db0d6ff2d8d4969dfdb

SHA512
a4a717a08497595a6f5e9866452eb485adc58abd1d614d245fc94566f3fc3a0f688f15e514a7f5c429fd8bd858cecdd0396b133f49b6a3e1335499122d010fae

Download Submit
C:\Users\Admin\AppData\Local\Temp\v21i9-iw.0.vb

Filesize
262B

MD5
88cc385da858aaa7057b54eaeb0df718

SHA1
b108224d4686b5ca3faaeb1c728dfba8740a6eca

SHA256
08a30db98d970e3b6819d5ecff6eab2211ce93f4cd000c09db96ffb294d05020

SHA512
4787835240c3e2364172ac2e7649ec8fecb907c7006c38734e59aa65509f360b4596d5db8de20e0c7388a022e1c2f4f9ba75acabba798bea1d40f688539b7df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\v21i9-iw.cmdline

Filesize
162B

MD5
fe05498fb880c8f96d2314cffe5e122a

SHA1
50609fa6a2b8cd90eccd0c0c2b18365b1bbe8635

SHA256
2896f0762060dd4fe629a5a6b92895aca8826d1b8137e1acd219d7a2ab277b94

SHA512
554fb6cf5d0d59c3e527df965d4a83568e49ade876c4fe0cc682da673533e2faac19a19bd1509972374c3e884fbea4e98be5feb221a5d17208158901658613ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1FBF9299E5A940E18944235468A7CA91.TMP

Filesize
644B

MD5
dac60af34e6b37e2ce48ac2551aee4e7

SHA1
968c21d77c1f80b3e962d928c35893dbc8f12c09

SHA256
2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6

SHA512
1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc34546803C194325BF88F0777DE1E265.TMP

Filesize
684B

MD5
7a707b422baa7ca0bc8883cbe68961e7

SHA1
addf3158670a318c3e8e6fdd6d560244b9e8860e

SHA256
453ad1da51152e3512760bbd206304bf48f9c880f63b6a0726009e2d1371c71c

SHA512
81147c1c4c5859249f4e25d754103f3843416e3d0610ac81ee2ef5e5f50622ea37f0c68eeb7fa404f8a1779dc52af02d2142874e39c212c66fa458e0d62926a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc618C9BCDB9414600AF466168E34BC12E.TMP

Filesize
676B

MD5
85c61c03055878407f9433e0cc278eb7

SHA1
15a60f1519aefb81cb63c5993400dd7d31b1202f

SHA256
f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b

SHA512
7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC9C6CD83571941E6A2DBC9177E919942.TMP

Filesize
668B

MD5
3906bddee0286f09007add3cffcaa5d5

SHA1
0e7ec4da19db060ab3c90b19070d39699561aae2

SHA256
0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00

SHA512
0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD097E8B19B974852864A85A8EBDA372.TMP

Filesize
684B

MD5
8135713eeb0cf1521c80ad8f3e7aad22

SHA1
1628969dc6256816b2ab9b1c0163fcff0971c154

SHA256
e14dd88df69dc98be5bedcbc8c43d1e7260b4492899fec24d964000a3b096c7a

SHA512
a0b7210095767b437a668a6b0bcedf42268e80b9184b9910ed67d665fba9f714d06c06bff7b3da63846791d606807d13311946505776a1b891b39058cfb41bd4

Download Submit
C:\Windows\System32\MSSCS.exe

Filesize
21KB

MD5
6fe3fb85216045fdf8186429c27458a7

SHA1
ef2c68d0b3edf3def5d90f1525fe87c2142e5710

SHA256
905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550

SHA512
d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c

Download Submit
memory/3300-36-0x0000025150930000-0x0000025150952000-memory.dmp

Filesize
136KB

Download
memory/3988-1-0x00007FFC4D410000-0x00007FFC4DDB1000-memory.dmp

Filesize
9.6MB

Download
memory/3988-21-0x00007FFC4D410000-0x00007FFC4DDB1000-memory.dmp

Filesize
9.6MB

Download
memory/3988-5-0x00007FFC4D410000-0x00007FFC4DDB1000-memory.dmp

Filesize
9.6MB

Download
memory/3988-9-0x00007FFC4D410000-0x00007FFC4DDB1000-memory.dmp

Filesize
9.6MB

Download
memory/3988-4-0x000000001BBC0000-0x000000001BC22000-memory.dmp

Filesize
392KB

Download
memory/3988-3-0x000000001B060000-0x000000001B106000-memory.dmp

Filesize
664KB

Download
memory/3988-0-0x00007FFC4D6C5000-0x00007FFC4D6C6000-memory.dmp

Filesize
4KB

Download
memory/3988-6-0x000000001C2C0000-0x000000001C35C000-memory.dmp

Filesize
624KB

Download
memory/3988-8-0x00007FFC4D6C5000-0x00007FFC4D6C6000-memory.dmp

Filesize
4KB

Download
memory/3988-7-0x00007FFC4D410000-0x00007FFC4DDB1000-memory.dmp

Filesize
9.6MB

Download
memory/3988-2-0x000000001B630000-0x000000001BAFE000-memory.dmp

Filesize
4.8MB

Download
memory/5048-22-0x00007FFC4D410000-0x00007FFC4DDB1000-memory.dmp

Filesize
9.6MB

Download
memory/5048-18-0x00007FFC4D410000-0x00007FFC4DDB1000-memory.dmp

Filesize
9.6MB

Download
memory/5048-19-0x00007FFC4D410000-0x00007FFC4DDB1000-memory.dmp

Filesize
9.6MB

Download