revengerat | 38bc13ef112b2f17d4d1a80243fac6a521b5d58228984aae0752d79487fa3b66

Resubmissions

13-11-2024 23:34

241113-3kmbta1eqc 10

13-11-2024 22:28

11-11-2024 05:34

11-11-2024 03:05

11-11-2024 03:00

08-11-2024 08:59

08-11-2024 08:55

Analysis

max time kernel
1792s
max time network
1799s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2024 05:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
Size

21KB
MD5

6fe3fb85216045fdf8186429c27458a7
SHA1

ef2c68d0b3edf3def5d90f1525fe87c2142e5710
SHA256

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550
SHA512

d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c
SSDEEP

384:nPD9On5gIdjbvRPJnMacNj6FIlKrZbJsV5reQ+ys:b9On2nV6FIlKr1

Score

10^/10

revengerat execution stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral11/files/0x0008000000023cc4-13.dat	revengerat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSO.exe	MSSCS.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSO.exe	MSSCS.exe

Executes dropped EXE 1 IoCs

pid	Process
4200	MSSCS.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4888	powershell.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32\MSSCS.exe	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
File opened for modification	C:\Windows\system32\MSSCS.exe	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
File opened for modification	C:\Windows\system32\MSSCS.exe	MSSCS.exe
File created	C:\Windows\system32\MSSCS.exe	MSSCS.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4888	powershell.exe
4888	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4172	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
Token: SeDebugPrivilege	4200	MSSCS.exe
Token: SeDebugPrivilege	4888	powershell.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4172 wrote to memory of 4200	4172	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe	93
PID 4172 wrote to memory of 4200	4172	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe	93
PID 4200 wrote to memory of 4888	4200	MSSCS.exe	94
PID 4200 wrote to memory of 4888	4200	MSSCS.exe	94
PID 4200 wrote to memory of 3488	4200	MSSCS.exe	96
PID 4200 wrote to memory of 3488	4200	MSSCS.exe	96
PID 3488 wrote to memory of 3892	3488	vbc.exe	98
PID 3488 wrote to memory of 3892	3488	vbc.exe	98
PID 4200 wrote to memory of 4072	4200	MSSCS.exe	99
PID 4200 wrote to memory of 4072	4200	MSSCS.exe	99
PID 4072 wrote to memory of 640	4072	vbc.exe	101
PID 4072 wrote to memory of 640	4072	vbc.exe	101
PID 4200 wrote to memory of 4972	4200	MSSCS.exe	102
PID 4200 wrote to memory of 4972	4200	MSSCS.exe	102
PID 4200 wrote to memory of 1356	4200	MSSCS.exe	105
PID 4200 wrote to memory of 1356	4200	MSSCS.exe	105
PID 1356 wrote to memory of 1156	1356	vbc.exe	107
PID 1356 wrote to memory of 1156	1356	vbc.exe	107
PID 4200 wrote to memory of 944	4200	MSSCS.exe	108
PID 4200 wrote to memory of 944	4200	MSSCS.exe	108
PID 944 wrote to memory of 3976	944	vbc.exe	110
PID 944 wrote to memory of 3976	944	vbc.exe	110
PID 4200 wrote to memory of 3604	4200	MSSCS.exe	111
PID 4200 wrote to memory of 3604	4200	MSSCS.exe	111
PID 3604 wrote to memory of 4556	3604	vbc.exe	113
PID 3604 wrote to memory of 4556	3604	vbc.exe	113
PID 4200 wrote to memory of 4040	4200	MSSCS.exe	114
PID 4200 wrote to memory of 4040	4200	MSSCS.exe	114
PID 4040 wrote to memory of 1876	4040	vbc.exe	116
PID 4040 wrote to memory of 1876	4040	vbc.exe	116
PID 4200 wrote to memory of 708	4200	MSSCS.exe	117
PID 4200 wrote to memory of 708	4200	MSSCS.exe	117
PID 708 wrote to memory of 2408	708	vbc.exe	119
PID 708 wrote to memory of 2408	708	vbc.exe	119
PID 4200 wrote to memory of 1220	4200	MSSCS.exe	120
PID 4200 wrote to memory of 1220	4200	MSSCS.exe	120
PID 1220 wrote to memory of 448	1220	vbc.exe	122
PID 1220 wrote to memory of 448	1220	vbc.exe	122
PID 4200 wrote to memory of 936	4200	MSSCS.exe	123
PID 4200 wrote to memory of 936	4200	MSSCS.exe	123
PID 936 wrote to memory of 2704	936	vbc.exe	125
PID 936 wrote to memory of 2704	936	vbc.exe	125

C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
"C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4172
- C:\Windows\system32\MSSCS.exe
  "C:\Windows\system32\MSSCS.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4200
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ExecutionPolicy Bypass -Command [System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms'); [System.Windows.Forms.MessageBox]::Show('Isto abriu lol','Rekt!',0,64)
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4888
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\045g3yj4.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3488
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF6FD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBCD7BC924CF3477BA0E78F44F10D622.TMP"
      4⤵
      PID:3892
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\b8usj3uf.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4072
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF7B9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3777643EFB1F4129A13C2874239F69E7.TMP"
      4⤵
      PID:640
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\b6b0d1r7.cmdline"
    3⤵
    PID:4972
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF865.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc33CD12C7F4C74DBC862C502791E0F828.TMP"
      4⤵
      PID:4896
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\oqazhfsi.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1356
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF8D2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc93910E20B1F4346941E577EF3952F7E.TMP"
      4⤵
      PID:1156
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kr_zpv4j.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:944
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF94F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc92C4ED3377F41D5BADADB96764172C9.TMP"
      4⤵
      PID:3976
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\thjkxys8.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3604
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF9CC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc395736D8DA5244218076F76A237F8CF1.TMP"
      4⤵
      PID:4556
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\v8z5mceu.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4040
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFA2A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD60ED872DEAC48ACB5A4D922BAB1DA9.TMP"
      4⤵
      PID:1876
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\k-xor-uf.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:708
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFA88.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc87FEFF9CEABD4EDC974CD356E131F36C.TMP"
      4⤵
      PID:2408
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ot6qt84p.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1220
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFAE5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc94814F6F196845E883B3FB6D717D81A.TMP"
      4⤵
      PID:448
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rmjea2kp.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:936
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFB34.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc781DEBC35E26420485D836ECAF4ED716.TMP"
      4⤵
      PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\045g3yj4.0.vb

Filesize
256B

MD5
076803692ac8c38d8ee02672a9d49778

SHA1
45d2287f33f3358661c3d6a884d2a526fc6a0a46

SHA256
5b3ab23bcadaeb54a41bdb1636bcaf7772af028d375f42baeb967de6579ef2a3

SHA512
cc9126384a287ccb99d10d5c2d3034cdbc8a45e94f1cec48dd95f2aa08ebbe3053ffd6d6effa31f2d84164edbb6136398cd02c08b05f027a6a777dffd1daea5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\045g3yj4.cmdline

Filesize
156B

MD5
4aa2eb15729c8b19c82376f532bc89a5

SHA1
9b8bc2133ff6d0bda4bee665eca944728145c9ba

SHA256
bac714ebfa2bca36d8673a210592b165cb40887cacbc35949a852c53c7fc6a51

SHA512
45f49cd934be41a31c63a646f6d40b723711dca42f388c25b3018bc3ecaeaf3bfbcfb9dee76ca26a81bed496615c624890b2e450ad8e56458d287b91cd3b5ea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF6FD.tmp

Filesize
1KB

MD5
5897be95d28fad0bd63a4f0111ce0c80

SHA1
919c7cbd83f446ff1bd076ef1d3b40c68b1cb668

SHA256
6734cc9ca5d5fd29d02ad331d82dd982c39c02d07d6e9879732fd239a125179f

SHA512
fe3cafed8cb379cf6fa3f7526517161ec717e3783d85c1f8396384c3b559969d7e22c668fab04fc076aeec9d23bd3406663192f3ceb05b79b9e6bc9fdd07cbd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF7B9.tmp

Filesize
1KB

MD5
149eb21633ecabed366c75f66ac5fbb0

SHA1
2d4ec0e68d857fb7dbf5ae054ff37e106beb40ea

SHA256
994b36402939c2b944da001af942dfa68210b3ffdd84a72d885056fa50a1eeff

SHA512
3e26248033665e0cc4be5b4cd9ed67a4c3d37505da6e4abcd95e12aedc612b3431749040bfc6fca749129ba12010483a679bb12f45c8dff832d6b578132058f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF8D2.tmp

Filesize
1KB

MD5
1c138789483335fc7337509ac66decfe

SHA1
9eda2d13d0dfc06400122662c089a10ea3fa1e9f

SHA256
4c0a3476efd51c6caafe702d47d299c2a5daacbb61cc223974295a7fb78eccbb

SHA512
3f74b980411d1acc08bca08ab129c811f2723192d5eead318a3ebdea05ede913b3b449e3a4aa0accfb8bcca4f19cc59a9581fdab2771ee2f20c0d8e49dcf6c77

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF94F.tmp

Filesize
1KB

MD5
cfdb468c5f75f15f2e795e064a46cd72

SHA1
e6ed923765535f77dce7659810383bf6aad27c84

SHA256
5dd228ef343f7bf9f0dfcef35b490afaef3e55429d0d6f34618af025b3348b44

SHA512
4ab9fcc36a8c0ce91daf85b36fad954459cea4248f4eeddbdf72f07423f90c0a65a6b38e81e5c9a33e857b66d87d47c70037cc282f146e9db6d53e85c5035304

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF9CC.tmp

Filesize
1KB

MD5
8ef5c130bef8e5c4024db4a99afff819

SHA1
1ad091ecab3e04a270f105e395dbf8e8b352c8ac

SHA256
8c8a56f9dbb7195b6fe9f31fc8d76248d25fbf32ef4d883789c20998c48bfa2c

SHA512
c98553e33438a845f813de51193c0f26bef324f1fb90d02ddd82e59ee6adf02132cef63a0922ef2fb450056715d9bc6771950993a66e1231150b300313d1f406

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFA2A.tmp

Filesize
1KB

MD5
11edcccdbf2d69db8f214569bda1ac0c

SHA1
c2af0743ca1a573e111029cea8eb7ea80cdb152e

SHA256
5b9c4184d5ed3a78cd029db6e2f43dfb1bfb62a1d75782a4ec9722cffaece36e

SHA512
6cf4b98ccfaf856c744ce5a628454acb7eeed3d723d25edd64f190fa4fb5eb5df5b8bef56c152d70c95e56f36179049bd8097927c65284c03093b2231ef4428f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFA88.tmp

Filesize
1KB

MD5
8615c7778f5ad3bdb9ccd169349cbeef

SHA1
e3aa6cb5ed3f8f9d82165874938bd2321d3cc42a

SHA256
d2acca7747c3e8d8fc6769e1424d7c389e7f041f5500e6fe407ed968e17f2fa0

SHA512
cada8ddd22a40eb2459e73278e0cbae0e8185dfbb0370e267c3e16a11f07aeb0035fb382988acf9d17b30e66c4c49e712b7913fad9f8d12ffeee439f9314bde3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFAE5.tmp

Filesize
1KB

MD5
b552846a1da76019ae7377bc74d83cf4

SHA1
5a50067274da6038a400cda4e093dbcef202c8a7

SHA256
90d2cd849914216dd48dd8467d2ab67749ef72179405d4a7125ec92fec30ac32

SHA512
f1b3ffaa0eb6d0586be07b5efe68bae7052fbcdbc1245becb5f0a827619d18ed85dba1a5af68957544341b7aee87deb12889f8e15ae2f8decd380f49e1152e68

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFB34.tmp

Filesize
1KB

MD5
92df81e4d01a64abe2fb38f9e35f0b5f

SHA1
4cff55e6e312b4bbe6830cf75f3dc0d9e1492273

SHA256
d5e739a8f8581656e9f5cda40c35ba46e7805766eade7f887b62b15fee4c2ee1

SHA512
bac5cd89842d306c676f26bdc6408f4f241fa5afaf16a6f1b61b5059cf3088d3f32c44b00055a0ee29e095b23a3fd9930bce751d9cf6851f56126a66c86f7942

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hbx3thor.dzc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\b8usj3uf.0.vb

Filesize
262B

MD5
88cc385da858aaa7057b54eaeb0df718

SHA1
b108224d4686b5ca3faaeb1c728dfba8740a6eca

SHA256
08a30db98d970e3b6819d5ecff6eab2211ce93f4cd000c09db96ffb294d05020

SHA512
4787835240c3e2364172ac2e7649ec8fecb907c7006c38734e59aa65509f360b4596d5db8de20e0c7388a022e1c2f4f9ba75acabba798bea1d40f688539b7df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\b8usj3uf.cmdline

Filesize
162B

MD5
ebd9843c845eaf0895e5730d5466f5a5

SHA1
e03aab950e520b2b64f46d7002a8d3f63d9349d8

SHA256
47e88de13b9b46a8df63427c00abf473e1ae801f2dd105ef9eea8d3bea6a82c8

SHA512
d8dd12112161ede36a9186a79bea942cb0b36dd26706b12329952e2e67d1daa210b4594b170bd05d1f0fe031963aeb1986eab575113a71f1c37f1edfd9636f20

Download Submit
C:\Users\Admin\AppData\Local\Temp\k-xor-uf.0.vb

Filesize
264B

MD5
5ce3977a153152978fa71f8aa96909e9

SHA1
52af143c553c92afc257f0e0d556908eaa8919cb

SHA256
e07a7bd0c2901d3a349ab55e936b34de2d0abb5f2dc555cc128773b8045d3eed

SHA512
eaee02ceade0211be70a4710b28fdf043d5c540928e2095ead924a44c2edfca8fc6499395d1b7f5deee96394fb5309362fb87e45ee195094ec39d5fa11909d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\k-xor-uf.cmdline

Filesize
164B

MD5
041e370a7583991721c675a77e9d8240

SHA1
ad6feab0d4351c3ec873e3fe867aa7f2bbdcdf31

SHA256
9c8307c19f86e0f9ed75daa320f122072a4d61fbaef939c408976c98b541d48c

SHA512
383ec46acc70b69fe456c90e9f7da1f3bc514865f7196694a27921d823eccfac4fc56217afab2a8a40a051bacec659016024c9682e65d2c272776f5e6147700d

Download Submit
C:\Users\Admin\AppData\Local\Temp\kr_zpv4j.0.vb

Filesize
272B

MD5
2b3aac520562a93ebef6a5905d4765c9

SHA1
10ab45c5d73934b16fac5e30bf22f17d3e0810c8

SHA256
b9f0edf067faaaa7da2d47e3d22b957cd302eb25e01e08ea79c664868f328f89

SHA512
9514934ed12d93ea3ad4e6873cf294bafa114bc7a784a93b14dd2410d07fae3a2c00308035a5c129c57e283de8b94ed36fd9f9de35b08eb79a82a0c732e50446

Download Submit
C:\Users\Admin\AppData\Local\Temp\kr_zpv4j.cmdline

Filesize
172B

MD5
9b199b36981760b39e95fb2c3c73dc86

SHA1
0ffd06a86b97537332d0745722c7438f42c088d9

SHA256
c6afc4184316acd2c79237d0f393464b101f2282bc3e0ae5e54077800e7cb04f

SHA512
7834d21c368cc05961cda1fcc5c7c964a402403d2f966c6c6bc736cb2932cc62a079b580f69388c5f2b8a2056dbb6fbd8405876fe3a9dcaf195b3e300ece710a

Download Submit
C:\Users\Admin\AppData\Local\Temp\oqazhfsi.0.vb

Filesize
271B

MD5
ac972015bef75b540eb33503d6e28cc2

SHA1
5c1d09fcf4c719711532dcfd0544dfc6f2b90260

SHA256
fa445cc76cde3461a5f1f1281fefcb0c7db69b2685f8a67a06a0f33a067e74e7

SHA512
36b2e1f7b7a6f2c60788f88d95bfdc53b7d261c203eb637a36fbd07d81bc46edc87e528f1987df73963cb75ca2f19c3a4b3df9ade52d5768ecec23753099cc83

Download Submit
C:\Users\Admin\AppData\Local\Temp\oqazhfsi.cmdline

Filesize
171B

MD5
8bdc9e8cef0f1affe42d4fe4e006b773

SHA1
bed16dfb8b136d4612f943025c5d0da7469f324c

SHA256
c5db04cdd45ef64aa3c49afcbc52c2c5daa3046d4df9fba9f49036a981688c99

SHA512
3c16135e2545fd224e9fc3c6d6267aaa109f27450c4119618f0b17a396e0ee9c6f2affd7e36d2e7ace181f0c0d3752bf4e659345a0bc5801704f18414b3ea608

Download Submit
C:\Users\Admin\AppData\Local\Temp\ot6qt84p.0.vb

Filesize
270B

MD5
658573fde2bebc77c740da7ddaa4634b

SHA1
073da76c50b4033fcfdfb37ba6176afd77b0ea55

SHA256
c07206283d62100d426ba62a81e97bd433966f8b52b5a8dd1451e29a804a1607

SHA512
f93c7f4378be5eca51161d1541d772a34c07884c9d829608c6fa21563df5691920394afe9da1174ad5c13f773a588b186d1d38a9d375a28562eb58ca4a8b8fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ot6qt84p.cmdline

Filesize
170B

MD5
6e3ad3da7d9165e67102e511dc773c55

SHA1
d9976abbed130572c771629e1369a6be6405228b

SHA256
dfafeaf4489002ed5c6c4cd0bf96eeb370a7e6285285a545fd9c4777b0030f0c

SHA512
df8184eb3b0d3d28dab2daadb1c2db8f6f454d2d220868aaf757cb22b69f1ef8309c97873ff1b14e7231dad9deb4607f204b1723c84f41579a6074f4afa24255

Download Submit
C:\Users\Admin\AppData\Local\Temp\rmjea2kp.0.vb

Filesize
273B

MD5
3c3d3136aa9f1b87290839a1d26ad07a

SHA1
005a23a138be5d7a98bdd4a6cc7fab8bdca962f4

SHA256
5b745f85a39312bfa585edbd7e3465371578b42fa639eded4cdad8c9f96b87fd

SHA512
fbb085ffcd77ac96c245067fd96a0c20492d55331161f292975b0c11386424a96534a500133217f84d44455e16139d01230455bce5db3d472271620c29381f60

Download Submit
C:\Users\Admin\AppData\Local\Temp\rmjea2kp.cmdline

Filesize
173B

MD5
af94626481de23d6ade256d09fc9d2e0

SHA1
35371cfbda86a402f9f69d48d69a0dea90dece90

SHA256
58e8f27a043f06d61dca830342ba688fd29e610705db03202b93a30a9fd3d005

SHA512
0b3d265bffa56a1f400800e79fdf5f2093b94d4017e6133ee2bbf11448ceb3d4c66f23e73e4bd54a21eaf86fefc5051abeb075522027d61a7cc2141503e8c89d

Download Submit
C:\Users\Admin\AppData\Local\Temp\thjkxys8.0.vb

Filesize
271B

MD5
325f27ef75bebe8b3f80680add1943d3

SHA1
1c48e211258f8887946afb063e9315b7609b4ee3

SHA256
034c75813491d628a1a740b45888fc0c301b915456aaa7ba6433b4f1368cda35

SHA512
e2165b425558872897990953c26e48776f45751a53da035f1ad86ac062ec23a2923b984d84f992de5c0170f6e192feb155ffff25f51bc76ab273b996daacb804

Download Submit
C:\Users\Admin\AppData\Local\Temp\thjkxys8.cmdline

Filesize
171B

MD5
e39bba2432e8443df46a0c9120c3a7a1

SHA1
321c79eeab344b9ccfab91a429b7b4f6dd799463

SHA256
06cbcb8d9495b714d406ff96c5c69fa120552e511bbc1c7c93bde013c1f63869

SHA512
f28ccb9a96ece7eb3217d8769b2cfefea6494344749c1f0b95ae45896164acea8f2fcc6d5b645dd27b11398e6bb4eafe04e937ed060baaf567226a8721137d4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\v8z5mceu.0.vb

Filesize
274B

MD5
539683c4ca4ee4dc46b412c5651f20f5

SHA1
564f25837ce382f1534b088cf2ca1b8c4b078aed

SHA256
ec2210924d5c1af6377ef4bdf76d6ca773aaa1ae0438b0850f44d8c4e16ef92e

SHA512
df7c1a55e53f9b9bf23d27762d2d1163c78808e9b4d95e98c84c55ca4ecb7009ed58574ae6ddede31459f300483a1dc42987295a04f6c8702f297d3f1942f4ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\v8z5mceu.cmdline

Filesize
174B

MD5
2610ff61a01301635e6205a7d1714718

SHA1
51b875cf018bf816c909649bd7253d9b10c61ff0

SHA256
1fad73a519e010798633f07bd483d1fb2032b50d021ed93fdbc6c10c90720b74

SHA512
73428e1dde8ec3119a957ea75554a1134d873371dfdb2d5453c348d9bbc4ad6eb76c2af4d1476f585c15306e6e802e14ff5a53150a6d67dff30085df768cfe0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc3777643EFB1F4129A13C2874239F69E7.TMP

Filesize
668B

MD5
3906bddee0286f09007add3cffcaa5d5

SHA1
0e7ec4da19db060ab3c90b19070d39699561aae2

SHA256
0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00

SHA512
0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc781DEBC35E26420485D836ECAF4ED716.TMP

Filesize
684B

MD5
7a707b422baa7ca0bc8883cbe68961e7

SHA1
addf3158670a318c3e8e6fdd6d560244b9e8860e

SHA256
453ad1da51152e3512760bbd206304bf48f9c880f63b6a0726009e2d1371c71c

SHA512
81147c1c4c5859249f4e25d754103f3843416e3d0610ac81ee2ef5e5f50622ea37f0c68eeb7fa404f8a1779dc52af02d2142874e39c212c66fa458e0d62926a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc92C4ED3377F41D5BADADB96764172C9.TMP

Filesize
676B

MD5
85c61c03055878407f9433e0cc278eb7

SHA1
15a60f1519aefb81cb63c5993400dd7d31b1202f

SHA256
f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b

SHA512
7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcBCD7BC924CF3477BA0E78F44F10D622.TMP

Filesize
644B

MD5
dac60af34e6b37e2ce48ac2551aee4e7

SHA1
968c21d77c1f80b3e962d928c35893dbc8f12c09

SHA256
2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6

SHA512
1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD60ED872DEAC48ACB5A4D922BAB1DA9.TMP

Filesize
684B

MD5
8135713eeb0cf1521c80ad8f3e7aad22

SHA1
1628969dc6256816b2ab9b1c0163fcff0971c154

SHA256
e14dd88df69dc98be5bedcbc8c43d1e7260b4492899fec24d964000a3b096c7a

SHA512
a0b7210095767b437a668a6b0bcedf42268e80b9184b9910ed67d665fba9f714d06c06bff7b3da63846791d606807d13311946505776a1b891b39058cfb41bd4

Download Submit
C:\Windows\System32\MSSCS.exe

Filesize
21KB

MD5
6fe3fb85216045fdf8186429c27458a7

SHA1
ef2c68d0b3edf3def5d90f1525fe87c2142e5710

SHA256
905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550

SHA512
d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c

Download Submit
memory/4172-21-0x00007FF9182E0000-0x00007FF918C81000-memory.dmp

Filesize
9.6MB

Download
memory/4172-4-0x00007FF9182E0000-0x00007FF918C81000-memory.dmp

Filesize
9.6MB

Download
memory/4172-0-0x00007FF918595000-0x00007FF918596000-memory.dmp

Filesize
4KB

Download
memory/4172-1-0x00007FF9182E0000-0x00007FF918C81000-memory.dmp

Filesize
9.6MB

Download
memory/4172-2-0x000000001B590000-0x000000001BA5E000-memory.dmp

Filesize
4.8MB

Download
memory/4172-3-0x000000001BB10000-0x000000001BBB6000-memory.dmp

Filesize
664KB

Download
memory/4172-8-0x00007FF9182E0000-0x00007FF918C81000-memory.dmp

Filesize
9.6MB

Download
memory/4172-7-0x00007FF918595000-0x00007FF918596000-memory.dmp

Filesize
4KB

Download
memory/4172-6-0x000000001C520000-0x000000001C5BC000-memory.dmp

Filesize
624KB

Download
memory/4172-5-0x000000001BC80000-0x000000001BCE2000-memory.dmp

Filesize
392KB

Download
memory/4200-18-0x00007FF9182E0000-0x00007FF918C81000-memory.dmp

Filesize
9.6MB

Download
memory/4200-22-0x00007FF9182E0000-0x00007FF918C81000-memory.dmp

Filesize
9.6MB

Download
memory/4200-17-0x00007FF9182E0000-0x00007FF918C81000-memory.dmp

Filesize
9.6MB

Download
memory/4200-19-0x00007FF9182E0000-0x00007FF918C81000-memory.dmp

Filesize
9.6MB

Download
memory/4888-40-0x000002067F7C0000-0x000002067F7E2000-memory.dmp

Filesize
136KB

Download