revengerat | 38bc13ef112b2f17d4d1a80243fac6a521b5d58228984aae0752d79487fa3b66

Resubmissions

01/03/2025, 18:58

250301-xmhhrayp15 10

01/03/2025, 18:55

250301-xkqrcaypx7 10

Analysis

max time kernel
299s
max time network
298s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250113-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
17/01/2025, 10:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
Size

21KB
MD5

6fe3fb85216045fdf8186429c27458a7
SHA1

ef2c68d0b3edf3def5d90f1525fe87c2142e5710
SHA256

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550
SHA512

d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c
SSDEEP

384:nPD9On5gIdjbvRPJnMacNj6FIlKrZbJsV5reQ+ys:b9On2nV6FIlKr1

Score

10^/10

revengerat xdsddd execution stealer trojan

Malware Config

Extracted

Family

revengerat

Botnet

XDSDDD

84.91.119.105:333

Mutex

RV_MUTEX-wtZlNApdygPh

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral11/files/0x002900000004628d-9.dat	revengerat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\Control Panel\International\Geo\Nation	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSO.exe	MSSCS.exe

Executes dropped EXE 1 IoCs

pid	Process
3796	MSSCS.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1440	powershell.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system32\MSSCS.exe	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
File opened for modification	C:\Windows\system32\MSSCS.exe	MSSCS.exe
File created	C:\Windows\system32\MSSCS.exe	MSSCS.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1440	powershell.exe
1440	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2468	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
Token: SeDebugPrivilege	3796	MSSCS.exe
Token: SeDebugPrivilege	1440	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2468 wrote to memory of 3796	2468	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe	83
PID 2468 wrote to memory of 3796	2468	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe	83
PID 3796 wrote to memory of 1440	3796	MSSCS.exe	84
PID 3796 wrote to memory of 1440	3796	MSSCS.exe	84
PID 3796 wrote to memory of 964	3796	MSSCS.exe	86
PID 3796 wrote to memory of 964	3796	MSSCS.exe	86
PID 964 wrote to memory of 4616	964	vbc.exe	88
PID 964 wrote to memory of 4616	964	vbc.exe	88
PID 3796 wrote to memory of 4916	3796	MSSCS.exe	89
PID 3796 wrote to memory of 4916	3796	MSSCS.exe	89
PID 4916 wrote to memory of 4860	4916	vbc.exe	91
PID 4916 wrote to memory of 4860	4916	vbc.exe	91
PID 3796 wrote to memory of 1060	3796	MSSCS.exe	92
PID 3796 wrote to memory of 1060	3796	MSSCS.exe	92
PID 1060 wrote to memory of 2768	1060	vbc.exe	94
PID 1060 wrote to memory of 2768	1060	vbc.exe	94
PID 3796 wrote to memory of 1460	3796	MSSCS.exe	95
PID 3796 wrote to memory of 1460	3796	MSSCS.exe	95
PID 1460 wrote to memory of 4120	1460	vbc.exe	97
PID 1460 wrote to memory of 4120	1460	vbc.exe	97
PID 3796 wrote to memory of 3400	3796	MSSCS.exe	98
PID 3796 wrote to memory of 3400	3796	MSSCS.exe	98
PID 3400 wrote to memory of 2968	3400	vbc.exe	100
PID 3400 wrote to memory of 2968	3400	vbc.exe	100
PID 3796 wrote to memory of 2836	3796	MSSCS.exe	101
PID 3796 wrote to memory of 2836	3796	MSSCS.exe	101
PID 2836 wrote to memory of 2776	2836	vbc.exe	103
PID 2836 wrote to memory of 2776	2836	vbc.exe	103
PID 3796 wrote to memory of 4188	3796	MSSCS.exe	104
PID 3796 wrote to memory of 4188	3796	MSSCS.exe	104
PID 4188 wrote to memory of 1292	4188	vbc.exe	106
PID 4188 wrote to memory of 1292	4188	vbc.exe	106

C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
"C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2468
- C:\Windows\system32\MSSCS.exe
  "C:\Windows\system32\MSSCS.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3796
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ExecutionPolicy Bypass -Command [System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms'); [System.Windows.Forms.MessageBox]::Show('Isto abriu lol','Rekt!',0,64)
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1440
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6z9hmjg4.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:964
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC917.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDE0C424329EF4252994E49A1A6ED59C6.TMP"
      4⤵
      PID:4616
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_phljh6f.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4916
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC9A4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA31CFC57365E42A0B5F75AE0596CB581.TMP"
      4⤵
      PID:4860
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_rbj-yuj.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1060
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCA40.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7C36F30E8E9B474C88471AC9DB815C0.TMP"
      4⤵
      PID:2768
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lgd24zc0.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1460
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCAAE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc46A65B3C6CF042CDA4524043DE7274AC.TMP"
      4⤵
      PID:4120
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dd6ofj_6.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3400
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCAFC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc17DE787AF5AE4DC996E65742074C3A3.TMP"
      4⤵
      PID:2968
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3dl1yxkp.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCB4A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC7B47CF36EE24E078F39373356F62CBF.TMP"
      4⤵
      PID:2776
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xdilhetu.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4188
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCBA8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc35B929B7AE6E4150A42E2B21BE694FF4.TMP"
      4⤵
      PID:1292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3dl1yxkp.0.vb

Filesize
270B

MD5
658573fde2bebc77c740da7ddaa4634b

SHA1
073da76c50b4033fcfdfb37ba6176afd77b0ea55

SHA256
c07206283d62100d426ba62a81e97bd433966f8b52b5a8dd1451e29a804a1607

SHA512
f93c7f4378be5eca51161d1541d772a34c07884c9d829608c6fa21563df5691920394afe9da1174ad5c13f773a588b186d1d38a9d375a28562eb58ca4a8b8fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\3dl1yxkp.cmdline

Filesize
170B

MD5
76e36248e10f10707528cd88d2a05b5b

SHA1
98f581ecccd73d6fa69d382f652cc67ffc27757f

SHA256
dcf35fce787be5b2634081f4034982e8708c58a657c39d299277d7f0074da6ed

SHA512
85b148ab910ff52e6bed9e0e11bf8b038a32ad1c7955647d90928c5b6d0efc653b0f971cccfbb6a38bb3baee21b30a621ddd2f4316fec97c4b6367a817258de8

Download Submit
C:\Users\Admin\AppData\Local\Temp\6z9hmjg4.0.vb

Filesize
256B

MD5
076803692ac8c38d8ee02672a9d49778

SHA1
45d2287f33f3358661c3d6a884d2a526fc6a0a46

SHA256
5b3ab23bcadaeb54a41bdb1636bcaf7772af028d375f42baeb967de6579ef2a3

SHA512
cc9126384a287ccb99d10d5c2d3034cdbc8a45e94f1cec48dd95f2aa08ebbe3053ffd6d6effa31f2d84164edbb6136398cd02c08b05f027a6a777dffd1daea5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\6z9hmjg4.cmdline

Filesize
156B

MD5
beef4c254fffae1eaebf52df2555c497

SHA1
a2ea84194c41bc5a4d24f6e06d2a7c76ef3c4061

SHA256
b5fa0b6efa83a94fbbc663c5d63e6ed4051bcf7d0cc973b5ff22ce64460bd50c

SHA512
e0bae1ec95dd61529e65ef8d1998a84a25eea432c211352364a9781afe9367da57c387fb1ea6428958351c12a4c4b1f2deccd6dad9c8d93f4bbc48e7947adf22

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC917.tmp

Filesize
1KB

MD5
1b0dc9054ba699acf178310819126bff

SHA1
938d66e599af5875960baad886f123a2197f314b

SHA256
2080d1f8c29c98438cf2de129728ebd86de0a67ec805259107fe8cf38fa18180

SHA512
92ef0094402212eeb83c6506eafd84305857e53186a9b6e5bef04b457c69dec1d402878326010653f7f1dc7b77822f2b0c52992c4948d278f4653da7dcc476d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC9A4.tmp

Filesize
1KB

MD5
719477a3385ee7d623203b361fb8926b

SHA1
962fb9ef5a4e20d993c7de2d0dec8ce383308dc3

SHA256
f1997f1d9ac89f44b8b5139039ff6ddf5e9bfff9dc5ea753a716dd6d60eed960

SHA512
7f33d861dec639def91e1118d4a4862d9320e485cdd93aa398da6c50b5ee487974f2c552f5922357c006838ffe7812b3455eb5b81af6b176ec411cf91e529d22

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCA40.tmp

Filesize
1KB

MD5
3592283d83c7586ede2d19d0aaa53e4a

SHA1
619145e8915912792f1229d85fa66a66d0a5c59b

SHA256
343e08a471da95136b28a0f3c8461b2d0a7530c1b1248103a8e3462ba60766f0

SHA512
1c667f8dcefc841142e90669ddacce81eaab6a0a467e2e5c220003906fbe29ef3b9cbb603656db7f7952f5b2b1d81e0c64abb7b0a7a4019fd314d0f1c8433716

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCAAE.tmp

Filesize
1KB

MD5
903e7eff505387bc81d4cef65b5a94e8

SHA1
e0ebf44f6e814c96c0e52f1d4f3497c6f4cf3aa0

SHA256
20a06d02e29cfaf79b5e005c7463db75b8e50078f32a149bc38bc6c2eae5b3d8

SHA512
392f8cf01bfb9feb55c15feabe62945c467a48a20ab3cbfd7da77b2c9a76e2f592c852cc0df6f12f7bd69d11ecaa3cf8533380ace8b569d582624e0d08e7e016

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCAFC.tmp

Filesize
1KB

MD5
a9d1318a9cdf83a38cad19c3cd6f994a

SHA1
93c68f4ca92b194ef6f72ab9f1a5fa21096e6054

SHA256
963a4376d8e2a50d6e8d85ef3e4bee5ef162fed14792a96dc1d6cf40b3ba85ed

SHA512
549b8a457fb210f1f3b39e69ec0a81e66001cbc505108b61af943047760b42254e716f24354003f0c77ae189172415abf6c17b68ce6ab731292f8e9c3546ad93

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCB4A.tmp

Filesize
1KB

MD5
054a0da61a53c476cd2a8ad4c49d6a69

SHA1
39b2d8fc0c4cb4501b2c0705d882db9850b9cb8b

SHA256
1ad8a00b24f0bd0ab457886a7d438d1f3493b13ef9eb0e137db63a7c1d0ce264

SHA512
443eae553262cfa2f5558e4134948420e52a7876c3d25ff351e4f5569dc025dd17c297c6d65342de62e089e1253049f7ad8860f50610c081d7b5e18ebb4e387f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCBA8.tmp

Filesize
1KB

MD5
0aee056cc1b5401274d8259ac432fefb

SHA1
42fa7ef2f66023e08a19a6e34183536b51a51f10

SHA256
1ec95a7ff9d8468a034e543774eafcdb6df9aa7173576b6942259df13b045c55

SHA512
420710abd1e23ac912bd3bae208721882d6341fb3d4cbe487a8294374b6b60813f0431ce1aea5e3e08ecfac6116c5ac7763262b17a4167e4f4f902ddcd786bac

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_on235xpj.iau.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\_phljh6f.0.vb

Filesize
271B

MD5
ac972015bef75b540eb33503d6e28cc2

SHA1
5c1d09fcf4c719711532dcfd0544dfc6f2b90260

SHA256
fa445cc76cde3461a5f1f1281fefcb0c7db69b2685f8a67a06a0f33a067e74e7

SHA512
36b2e1f7b7a6f2c60788f88d95bfdc53b7d261c203eb637a36fbd07d81bc46edc87e528f1987df73963cb75ca2f19c3a4b3df9ade52d5768ecec23753099cc83

Download Submit
C:\Users\Admin\AppData\Local\Temp\_phljh6f.cmdline

Filesize
171B

MD5
0d3980d44c60a25ee4787565b7619e31

SHA1
150be3cbeb1d63227ccb7a5a42355d0d161e11c1

SHA256
f4136d3aca81463fa32b36e769dee57726561bbf5191427d8568145f2eab049c

SHA512
8af0fa07ee62d9bd428c62c5889ab60ce9835c0771a76c654a99aad66e41705d36013b1b26992dd4f31e5cfba94aa649b1a2cfcb4719a896d84b03c5262ac351

Download Submit
C:\Users\Admin\AppData\Local\Temp\_rbj-yuj.0.vb

Filesize
272B

MD5
2b3aac520562a93ebef6a5905d4765c9

SHA1
10ab45c5d73934b16fac5e30bf22f17d3e0810c8

SHA256
b9f0edf067faaaa7da2d47e3d22b957cd302eb25e01e08ea79c664868f328f89

SHA512
9514934ed12d93ea3ad4e6873cf294bafa114bc7a784a93b14dd2410d07fae3a2c00308035a5c129c57e283de8b94ed36fd9f9de35b08eb79a82a0c732e50446

Download Submit
C:\Users\Admin\AppData\Local\Temp\_rbj-yuj.cmdline

Filesize
172B

MD5
ef7e6e5ab19c213ae52235df1e465b94

SHA1
899ab092b8ec74e9aa64f80f25bc1c41dbbe1a2b

SHA256
c4be2e55f66647ead12694cbec30aff6dcd11bc65f5a581eed16eb989b7f5d24

SHA512
b7695bd33ead2ab368ee587768e985c76446987324fd6e350828b59167c7056bd5c0c39136fb53dfe5868c568026c3fd7c02931f68fa85d4722fda43dcd4bd8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd6ofj_6.0.vb

Filesize
264B

MD5
5ce3977a153152978fa71f8aa96909e9

SHA1
52af143c553c92afc257f0e0d556908eaa8919cb

SHA256
e07a7bd0c2901d3a349ab55e936b34de2d0abb5f2dc555cc128773b8045d3eed

SHA512
eaee02ceade0211be70a4710b28fdf043d5c540928e2095ead924a44c2edfca8fc6499395d1b7f5deee96394fb5309362fb87e45ee195094ec39d5fa11909d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd6ofj_6.cmdline

Filesize
164B

MD5
aa57c1ae59095adde1fc9e63f3341233

SHA1
03bb5ad6a0df5dd0faf0bb1db83314b30c2a2061

SHA256
b2c0eb406dae938934761a20593f8aa4df44b9217b13872de4a540e52e41407c

SHA512
98c69dbea19fad70d0e577931b015d651669b05d636181cfcdbe89d8d3d062b58ae2e7213496f19c49a0d3b56b6a2efda333a44ecec08f32984d2fcbf0e31636

Download Submit
C:\Users\Admin\AppData\Local\Temp\lgd24zc0.0.vb

Filesize
274B

MD5
539683c4ca4ee4dc46b412c5651f20f5

SHA1
564f25837ce382f1534b088cf2ca1b8c4b078aed

SHA256
ec2210924d5c1af6377ef4bdf76d6ca773aaa1ae0438b0850f44d8c4e16ef92e

SHA512
df7c1a55e53f9b9bf23d27762d2d1163c78808e9b4d95e98c84c55ca4ecb7009ed58574ae6ddede31459f300483a1dc42987295a04f6c8702f297d3f1942f4ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\lgd24zc0.cmdline

Filesize
174B

MD5
a703c7af79cad012b4f7094b851b611f

SHA1
e2d0a11c835e67e59d51cd1e6050e2342fa5ea6a

SHA256
8b50dd1d8dc40973ca2877ad66f2448c3fb59b7220e8799671bbe23669eeb18d

SHA512
ae33d91aa55df72a87ba390b7fd431f37786e866f3b0021dfd3fc2b50e593a5ee6a81011a555905dc575d80393e97cc1fece6a09311c80d45e3c8233e2b03e7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc35B929B7AE6E4150A42E2B21BE694FF4.TMP

Filesize
684B

MD5
7a707b422baa7ca0bc8883cbe68961e7

SHA1
addf3158670a318c3e8e6fdd6d560244b9e8860e

SHA256
453ad1da51152e3512760bbd206304bf48f9c880f63b6a0726009e2d1371c71c

SHA512
81147c1c4c5859249f4e25d754103f3843416e3d0610ac81ee2ef5e5f50622ea37f0c68eeb7fa404f8a1779dc52af02d2142874e39c212c66fa458e0d62926a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc46A65B3C6CF042CDA4524043DE7274AC.TMP

Filesize
684B

MD5
8135713eeb0cf1521c80ad8f3e7aad22

SHA1
1628969dc6256816b2ab9b1c0163fcff0971c154

SHA256
e14dd88df69dc98be5bedcbc8c43d1e7260b4492899fec24d964000a3b096c7a

SHA512
a0b7210095767b437a668a6b0bcedf42268e80b9184b9910ed67d665fba9f714d06c06bff7b3da63846791d606807d13311946505776a1b891b39058cfb41bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7C36F30E8E9B474C88471AC9DB815C0.TMP

Filesize
676B

MD5
85c61c03055878407f9433e0cc278eb7

SHA1
15a60f1519aefb81cb63c5993400dd7d31b1202f

SHA256
f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b

SHA512
7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA31CFC57365E42A0B5F75AE0596CB581.TMP

Filesize
668B

MD5
3906bddee0286f09007add3cffcaa5d5

SHA1
0e7ec4da19db060ab3c90b19070d39699561aae2

SHA256
0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00

SHA512
0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcDE0C424329EF4252994E49A1A6ED59C6.TMP

Filesize
644B

MD5
dac60af34e6b37e2ce48ac2551aee4e7

SHA1
968c21d77c1f80b3e962d928c35893dbc8f12c09

SHA256
2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6

SHA512
1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

Download Submit
C:\Users\Admin\AppData\Local\Temp\xdilhetu.0.vb

Filesize
273B

MD5
3c3d3136aa9f1b87290839a1d26ad07a

SHA1
005a23a138be5d7a98bdd4a6cc7fab8bdca962f4

SHA256
5b745f85a39312bfa585edbd7e3465371578b42fa639eded4cdad8c9f96b87fd

SHA512
fbb085ffcd77ac96c245067fd96a0c20492d55331161f292975b0c11386424a96534a500133217f84d44455e16139d01230455bce5db3d472271620c29381f60

Download Submit
C:\Users\Admin\AppData\Local\Temp\xdilhetu.cmdline

Filesize
173B

MD5
ca0ce465ee6b3727686a9238776c9e2c

SHA1
5eab2c6b4f25d78c5884cc709d45bf207a47882a

SHA256
b361b3f566bd57ac884591f6b16f771bfe80476c39de197b512c324f1ab46652

SHA512
b4b4c9ec38c06584dc8fdd987ee96228c64df804b4705f8249c35b9168fcc0421e97a44c49aeecf03629f29bbaca6d796880bc18a59f51b75d50073e5f4ceaaa

Download Submit
C:\Windows\System32\MSSCS.exe

Filesize
21KB

MD5
6fe3fb85216045fdf8186429c27458a7

SHA1
ef2c68d0b3edf3def5d90f1525fe87c2142e5710

SHA256
905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550

SHA512
d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c

Download Submit
memory/1440-26-0x0000019C59840000-0x0000019C59862000-memory.dmp

Filesize
136KB

Download
memory/2468-3-0x000000001C500000-0x000000001C5A6000-memory.dmp

Filesize
664KB

Download
memory/2468-4-0x000000001C670000-0x000000001C6D2000-memory.dmp

Filesize
392KB

Download
memory/2468-1-0x00007FF880180000-0x00007FF880B21000-memory.dmp

Filesize
9.6MB

Download
memory/2468-8-0x00007FF880180000-0x00007FF880B21000-memory.dmp

Filesize
9.6MB

Download
memory/2468-7-0x00007FF880435000-0x00007FF880436000-memory.dmp

Filesize
4KB

Download
memory/2468-6-0x000000001CEC0000-0x000000001CF5C000-memory.dmp

Filesize
624KB

Download
memory/2468-5-0x00007FF880180000-0x00007FF880B21000-memory.dmp

Filesize
9.6MB

Download
memory/2468-0-0x00007FF880435000-0x00007FF880436000-memory.dmp

Filesize
4KB

Download
memory/2468-14-0x00007FF880180000-0x00007FF880B21000-memory.dmp

Filesize
9.6MB

Download
memory/2468-2-0x000000001C030000-0x000000001C4FE000-memory.dmp

Filesize
4.8MB

Download
memory/3796-13-0x00007FF880180000-0x00007FF880B21000-memory.dmp

Filesize
9.6MB

Download
memory/3796-12-0x00007FF880180000-0x00007FF880B21000-memory.dmp

Filesize
9.6MB

Download
memory/3796-15-0x00007FF880180000-0x00007FF880B21000-memory.dmp

Filesize
9.6MB

Download
memory/3796-10-0x00007FF880180000-0x00007FF880B21000-memory.dmp

Filesize
9.6MB

Download