revengerat | 38bc13ef112b2f17d4d1a80243fac6a521b5d58228984aae0752d79487fa3b66

Resubmissions

01/03/2025, 18:58

250301-xmhhrayp15 10

Analysis

max time kernel
146s
max time network
156s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
20/02/2025, 10:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
Size

21KB
MD5

6fe3fb85216045fdf8186429c27458a7
SHA1

ef2c68d0b3edf3def5d90f1525fe87c2142e5710
SHA256

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550
SHA512

d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c
SSDEEP

384:nPD9On5gIdjbvRPJnMacNj6FIlKrZbJsV5reQ+ys:b9On2nV6FIlKr1

Score

10^/10

revengerat xdsddd execution stealer trojan

Malware Config

Extracted

Family

revengerat

Botnet

XDSDDD

84.91.119.105:333

Mutex

RV_MUTEX-wtZlNApdygPh

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral29/files/0x0004000000004ed7-8.dat	revengerat

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSO.exe	MSSCS.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSO.exe	MSSCS.exe

Executes dropped EXE 1 IoCs

pid	Process
2944	MSSCS.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3036	powershell.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MSSCS.exe	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
File opened for modification	C:\Windows\system32\MSSCS.exe	MSSCS.exe
File created	C:\Windows\system32\MSSCS.exe	MSSCS.exe
File created	C:\Windows\system32\MSSCS.exe	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3036	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2608	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
Token: SeDebugPrivilege	2944	MSSCS.exe
Token: SeDebugPrivilege	3036	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2608 wrote to memory of 2944	2608	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe	31
PID 2608 wrote to memory of 2944	2608	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe	31
PID 2608 wrote to memory of 2944	2608	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe	31
PID 2944 wrote to memory of 3036	2944	MSSCS.exe	32
PID 2944 wrote to memory of 3036	2944	MSSCS.exe	32
PID 2944 wrote to memory of 3036	2944	MSSCS.exe	32
PID 2944 wrote to memory of 2952	2944	MSSCS.exe	34
PID 2944 wrote to memory of 2952	2944	MSSCS.exe	34
PID 2944 wrote to memory of 2952	2944	MSSCS.exe	34
PID 2952 wrote to memory of 3028	2952	vbc.exe	36
PID 2952 wrote to memory of 3028	2952	vbc.exe	36
PID 2952 wrote to memory of 3028	2952	vbc.exe	36
PID 2944 wrote to memory of 1592	2944	MSSCS.exe	37
PID 2944 wrote to memory of 1592	2944	MSSCS.exe	37
PID 2944 wrote to memory of 1592	2944	MSSCS.exe	37
PID 1592 wrote to memory of 1756	1592	vbc.exe	39
PID 1592 wrote to memory of 1756	1592	vbc.exe	39
PID 1592 wrote to memory of 1756	1592	vbc.exe	39
PID 2944 wrote to memory of 2332	2944	MSSCS.exe	40
PID 2944 wrote to memory of 2332	2944	MSSCS.exe	40
PID 2944 wrote to memory of 2332	2944	MSSCS.exe	40
PID 2332 wrote to memory of 2444	2332	vbc.exe	42
PID 2332 wrote to memory of 2444	2332	vbc.exe	42
PID 2332 wrote to memory of 2444	2332	vbc.exe	42
PID 2944 wrote to memory of 2180	2944	MSSCS.exe	43
PID 2944 wrote to memory of 2180	2944	MSSCS.exe	43
PID 2944 wrote to memory of 2180	2944	MSSCS.exe	43
PID 2180 wrote to memory of 1448	2180	vbc.exe	45
PID 2180 wrote to memory of 1448	2180	vbc.exe	45
PID 2180 wrote to memory of 1448	2180	vbc.exe	45
PID 2944 wrote to memory of 1136	2944	MSSCS.exe	46
PID 2944 wrote to memory of 1136	2944	MSSCS.exe	46
PID 2944 wrote to memory of 1136	2944	MSSCS.exe	46
PID 1136 wrote to memory of 1700	1136	vbc.exe	48
PID 1136 wrote to memory of 1700	1136	vbc.exe	48
PID 1136 wrote to memory of 1700	1136	vbc.exe	48
PID 2944 wrote to memory of 1432	2944	MSSCS.exe	49
PID 2944 wrote to memory of 1432	2944	MSSCS.exe	49
PID 2944 wrote to memory of 1432	2944	MSSCS.exe	49
PID 1432 wrote to memory of 760	1432	vbc.exe	51
PID 1432 wrote to memory of 760	1432	vbc.exe	51
PID 1432 wrote to memory of 760	1432	vbc.exe	51
PID 2944 wrote to memory of 696	2944	MSSCS.exe	52
PID 2944 wrote to memory of 696	2944	MSSCS.exe	52
PID 2944 wrote to memory of 696	2944	MSSCS.exe	52
PID 696 wrote to memory of 1608	696	vbc.exe	54
PID 696 wrote to memory of 1608	696	vbc.exe	54
PID 696 wrote to memory of 1608	696	vbc.exe	54
PID 2944 wrote to memory of 1032	2944	MSSCS.exe	55
PID 2944 wrote to memory of 1032	2944	MSSCS.exe	55
PID 2944 wrote to memory of 1032	2944	MSSCS.exe	55
PID 1032 wrote to memory of 848	1032	vbc.exe	57
PID 1032 wrote to memory of 848	1032	vbc.exe	57
PID 1032 wrote to memory of 848	1032	vbc.exe	57
PID 2944 wrote to memory of 2148	2944	MSSCS.exe	58
PID 2944 wrote to memory of 2148	2944	MSSCS.exe	58
PID 2944 wrote to memory of 2148	2944	MSSCS.exe	58
PID 2148 wrote to memory of 2468	2148	vbc.exe	60
PID 2148 wrote to memory of 2468	2148	vbc.exe	60
PID 2148 wrote to memory of 2468	2148	vbc.exe	60
PID 2944 wrote to memory of 884	2944	MSSCS.exe	61
PID 2944 wrote to memory of 884	2944	MSSCS.exe	61
PID 2944 wrote to memory of 884	2944	MSSCS.exe	61
PID 884 wrote to memory of 1600	884	vbc.exe	63

C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
"C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2608
- C:\Windows\system32\MSSCS.exe
  "C:\Windows\system32\MSSCS.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ExecutionPolicy Bypass -Command [System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms'); [System.Windows.Forms.MessageBox]::Show('Isto abriu lol','Rekt!',0,64)
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3036
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rish10vl.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2952
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFA47.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFA46.tmp"
      4⤵
      PID:3028
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\x1yhbl4p.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1592
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFAA5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFAA4.tmp"
      4⤵
      PID:1756
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\g-hwc-uz.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2332
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFB03.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFB02.tmp"
      4⤵
      PID:2444
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wmmwzyae.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2180
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFB60.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFB5F.tmp"
      4⤵
      PID:1448
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\thg3-ijf.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1136
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFB9F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFB9E.tmp"
      4⤵
      PID:1700
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zcdnnmf1.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1432
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFBED.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFBEC.tmp"
      4⤵
      PID:760
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kjetjplo.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:696
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFC4A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFC49.tmp"
      4⤵
      PID:1608
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mye_o0lu.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1032
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFC98.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFC97.tmp"
      4⤵
      PID:848
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\y3dmlhn-.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2148
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFCD7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFCD6.tmp"
      4⤵
      PID:2468
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\iyxy2qdw.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:884
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFD34.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFD33.tmp"
      4⤵
      PID:1600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESFA47.tmp

Filesize
1KB

MD5
e01d6a3861415394cba74271c5d7ee72

SHA1
00bfca153a378816df7507a6374733c0eb293084

SHA256
82749de00187e29883f6a3f8dbf102e6589b126b59ebb90c94cbed90a8bebb27

SHA512
30a6d1b0471168a599eaaeeaa23e9cecd5baa25ba27a9a8e2718e019ec1c65214bd22446e1401e1d1ee9794ad5a0c489a1db4358ad37980fda26b1d994ab2c7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFAA5.tmp

Filesize
1KB

MD5
5c40aff8a5cd5212cfff688f4821338b

SHA1
01e5a24a8e8f9cfa2eabde67eb2c14b10612e7cb

SHA256
b36d88d2d5b0005c326ca750ce7ed0a3bfb6a675133d1040af0f071add23026b

SHA512
1865a6008d225da8aae996bfb8f86aaaf4a694b41873968d35015bbc60b7a96b885e984dd956dd2a200240953173222f069fa1a6bb2e1ca92966b446de93a3e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFB03.tmp

Filesize
1KB

MD5
7f52b5bb83f4ada43554468801f19f31

SHA1
1135ae5a7fb60a5dc62c697901281e3de82e62c4

SHA256
b1574eb76bb45ad654569b72909fdcfa714ea84c58e64fd740d977525b438e22

SHA512
b6a769b87930db4a3513060e5fec37ffbc44f9b815df69fed3b593dd69d8dc568be69d58fcdbc158b0ee50e8274ede174a2887d25a8e9cbc53b7905c6dc31516

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFB60.tmp

Filesize
1KB

MD5
4109e9a34f80389c9baa7f826fae5138

SHA1
e2332c832e42be4046587f427bf3d683a4abeebb

SHA256
d5a13bb6b27a70fd1d58349d795d571ee9c42b5fd14ffe28642f9b93ec5bf606

SHA512
3a62ba9e7348f03bca8ced97ff1e57c216371bec9be788013143ab25963e55a6d6c1cbab342dfa2bc76d7cc97bea4305328c6ed150d8e8491668434fa35a92dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFB9F.tmp

Filesize
1KB

MD5
fdd1b064bcdb24ed88e56ce8ff38f70a

SHA1
51e37d8a0372a353b60bbac117cf94d0e16d825f

SHA256
8a4bd2e32e0b5e05d922e6bc4775f06291f37b794b452781bcde80d727b12024

SHA512
748107ddf9d34eca56fb037f35d758c9e9399bb0b33c8e7436f57418e7eb57d6819f69e52dc4b1549bad5c0353268bd66edb1cde693ec36753702c87477731d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFBED.tmp

Filesize
1KB

MD5
e619b17a4c669820f5c440874c937a0f

SHA1
0a671d598973d05ed9e2ea501bc5d6f614b3aa52

SHA256
340c6c2be3a16e032ab7c8346cf8fecc1dd42549da5eaebef46ff4f9368af977

SHA512
10535e84a432caa05a3936062e6b0cdf00715a9687f984d9bf103c6e7dfc4c736874010e7489c1a16ac97d3b917d406b4120ad02a3489a76c3394ee17ece6529

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFC4A.tmp

Filesize
1KB

MD5
602ec0b879c84b3457bdae299ba72b26

SHA1
7dd2150ba51035acd3765e4b6e0ee0c3af258e1a

SHA256
7584e9accbde40fe7412d0e72bbe38e6ff61ccdec6050cd4d45f05c849cdfa64

SHA512
20a3069153e3b2bf0c599c20c56e1398604cd7ed3b5ab31980105f71b70bdb0fa19b05878e7a20e2cf36f113e95ca02c07fd8f918bf392b8783fff018be990fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFC98.tmp

Filesize
1KB

MD5
fe868de9d8b46982cf58ef3c5b963af1

SHA1
677ac0233718999ceb13b1c6295f6eed2722e02d

SHA256
2736b6cea7e10ead4e9c7082546c261a736c2adf660a28b9d0b790bb278652d0

SHA512
1d31f2d0f07d2fe25945138cbba9f201882260568bdbf5d7b92de84c9cf85b8af0a33408e51cf766475ad591ce6328531acddfbb705afdfb49190426a8549c1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFCD7.tmp

Filesize
1KB

MD5
231cbf012da8a2a1743558b32c76fdd2

SHA1
16e2741208a69a8222ec158ee66201e86dd25e43

SHA256
9af89bf8cccbe0ad3f4c24c718932e005fe73ec6ba9a146afdb177aeb41b87e0

SHA512
5d3d61988483e45a3e4b5280ed8ed87e58db508412b6cb79d36e495e20d1ec832bbbce8ec79a7714e2cc67ef2abaac38ed11dde3efbddde75f33ec205af0bb18

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFD34.tmp

Filesize
1KB

MD5
c64a42879373595ffe82f95c272a2150

SHA1
7e570686215b98cf2764933169f02dd68e49971a

SHA256
4e1f929168e4149aa71fdaea4e49b88d8be3fd75525d0e2f599496c1566c79c2

SHA512
63a90f4cd24c8278869ce112ad95e9ca9b4487daaac31b1275c87f46c2eb90fd081262171c6656731cd8686bad953f100a3d8766d35fc3affd0a7bd5d2ec68b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\g-hwc-uz.0.vb

Filesize
265B

MD5
cbdf61e7858f1274d58258756e185765

SHA1
15f0d177b5924a5176ff82f0b79bfa3db558145c

SHA256
d0aa53536d1316c420848db8bb089b24f9669f1baf3be092a7e0f0a0bc1b997d

SHA512
ab21cbb170e38a2600db2587ce92b74499107e361d55bbcd5e6281568307ffb1c087aba905c042e2e8960e2e554c84057a197dc4c03121b682868def94c5a038

Download Submit
C:\Users\Admin\AppData\Local\Temp\g-hwc-uz.cmdline

Filesize
165B

MD5
b5bd59af5daa08c8fc894a410a0b5b9b

SHA1
e61c8e54933102d75ad21bc32db930eae571117b

SHA256
9e8b21ba22a67c8a631c790682572b75d0a5b6409c5806505c2bbfbe464d2653

SHA512
f0dd3913c3d0c25cdfb91734e273e9cd91fbe660bef1dce5d424633f46a4eb3b11f8a614965bfd7034c084b511406c2646490efa193387f01db98469e115812d

Download Submit
C:\Users\Admin\AppData\Local\Temp\iyxy2qdw.0.vb

Filesize
273B

MD5
3c3d3136aa9f1b87290839a1d26ad07a

SHA1
005a23a138be5d7a98bdd4a6cc7fab8bdca962f4

SHA256
5b745f85a39312bfa585edbd7e3465371578b42fa639eded4cdad8c9f96b87fd

SHA512
fbb085ffcd77ac96c245067fd96a0c20492d55331161f292975b0c11386424a96534a500133217f84d44455e16139d01230455bce5db3d472271620c29381f60

Download Submit
C:\Users\Admin\AppData\Local\Temp\iyxy2qdw.cmdline

Filesize
173B

MD5
50e9ceca45e0e67820629711419d7f2f

SHA1
8ccd939fb66c669a414cf230aacdba038472d47c

SHA256
f9a7c9fb3f69e4719aad548c488691237a0158c543e3b547a78b24b364903670

SHA512
5a782056e4eba8a4ed6817819964c982943824905814b46ef6b9c464c0052ec7ae0fefe176e379a17832b327b11e6f998b40b2f8ebe827f8b78363afaadbae88

Download Submit
C:\Users\Admin\AppData\Local\Temp\kjetjplo.0.vb

Filesize
271B

MD5
b19384e98248a2c238e2360d2fecf049

SHA1
25f5ab6303d0a81f4ef3cc44c0bb53dd3e564fad

SHA256
296feb4019e37af5174b813d3ac19fa1b17c4db9ad91b06eba610939983e3262

SHA512
e9e4dd4a302d643fd1d0dd46d058ca7a45c8e6d8b299c129e1a412d1d3309cfe4d4da6f9d893460dde7e96c40414d65e02dbab9c1411dd945581e749ae8438e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\kjetjplo.cmdline

Filesize
171B

MD5
de04314b0cf78c2b5353d3137bbb417f

SHA1
7727829242f9095add7299ba641466d0cc5228bd

SHA256
0423627ac789c7b195462949af02cd88d04ba190f8bd7db94fe5824d1fd47a4b

SHA512
e8586cc13f33ee4ffdfafded1d9dd0c4d86e9c883129a0775f3e886e3b69320b7059c85109e9d3852ce50f607e886a2c1a09fb60964112dc458f983b9b021f2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mye_o0lu.0.vb

Filesize
264B

MD5
5ce3977a153152978fa71f8aa96909e9

SHA1
52af143c553c92afc257f0e0d556908eaa8919cb

SHA256
e07a7bd0c2901d3a349ab55e936b34de2d0abb5f2dc555cc128773b8045d3eed

SHA512
eaee02ceade0211be70a4710b28fdf043d5c540928e2095ead924a44c2edfca8fc6499395d1b7f5deee96394fb5309362fb87e45ee195094ec39d5fa11909d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\mye_o0lu.cmdline

Filesize
164B

MD5
48911192cad33bea6cafb0bd98899e3b

SHA1
bbc051284990555fc870faea5a3fa6b164d69f38

SHA256
3482967252352b4916462d8549cea01dc7323c11d4032a1b16d3824a7f74899d

SHA512
88a2bfd4f54414f33efa6bef1d53d907b162f60ad48efbe83dfa11f0f5ea8d96c51c9f2530129cb0b7402a796b499a8bb11c9fa1b76af53443b5a0ecb8dfa3cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\rish10vl.0.vb

Filesize
262B

MD5
88cc385da858aaa7057b54eaeb0df718

SHA1
b108224d4686b5ca3faaeb1c728dfba8740a6eca

SHA256
08a30db98d970e3b6819d5ecff6eab2211ce93f4cd000c09db96ffb294d05020

SHA512
4787835240c3e2364172ac2e7649ec8fecb907c7006c38734e59aa65509f360b4596d5db8de20e0c7388a022e1c2f4f9ba75acabba798bea1d40f688539b7df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\rish10vl.cmdline

Filesize
162B

MD5
0148834a9e1afc15ef0d4e69c3fb6966

SHA1
1e07eafd085ed29df180349c250315095bcfe856

SHA256
fe6f966dcfef26d9e77e2dda9daee2634f8cc072a887093fada7075e64b5094a

SHA512
4feb59147c41af1c7452b2a28e1424607bef25761a3bf32f9cf4ef446f6b699029a87036ac8c706c82252082ca4928534b64d7daa8f88bc9d83e4d29cf5e3834

Download Submit
C:\Users\Admin\AppData\Local\Temp\thg3-ijf.0.vb

Filesize
271B

MD5
ac972015bef75b540eb33503d6e28cc2

SHA1
5c1d09fcf4c719711532dcfd0544dfc6f2b90260

SHA256
fa445cc76cde3461a5f1f1281fefcb0c7db69b2685f8a67a06a0f33a067e74e7

SHA512
36b2e1f7b7a6f2c60788f88d95bfdc53b7d261c203eb637a36fbd07d81bc46edc87e528f1987df73963cb75ca2f19c3a4b3df9ade52d5768ecec23753099cc83

Download Submit
C:\Users\Admin\AppData\Local\Temp\thg3-ijf.cmdline

Filesize
171B

MD5
f8e3e8ab423ea4da15865ab01c55c90c

SHA1
b4a7366f2b6ad5d65d3d183e5cfe8b51fd983fcb

SHA256
ba2973e7d2cd70194d118c3031d19e25b123f7cf4bf160b35637d63c8fb9f230

SHA512
7c47708efa2a9898aa48b95bdd8260f4ee5cc6fadfb0f40b9488fcd94485157dbb7ce99c024c882e6fb3d850f1058884ba2708cf6f203f5374fc9b3b2958ac67

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFA46.tmp

Filesize
668B

MD5
3906bddee0286f09007add3cffcaa5d5

SHA1
0e7ec4da19db060ab3c90b19070d39699561aae2

SHA256
0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00

SHA512
0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFAA4.tmp

Filesize
684B

MD5
41857ef7e71c255abd4d5d2a9174e1a6

SHA1
95051d6ae43ff1bd9e5ebc95aa2e7b7c3165cb6c

SHA256
dfcdf12316f3b523895ec611d8e8d9fdc189ab8dde4e86fb962541aeac54e302

SHA512
ec6c5a7729d273be3ff194ffe47056731ab4100e298b7f50108a2599be59c84bd1953a90c4d7390c477257986a18d336d951f590b782f1aa983de7bd4c86e6ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFB02.tmp

Filesize
684B

MD5
453916f7e3952d736a473b0e2eea5430

SHA1
b79ccb2b555a81b8db470ec9fcaea26d42ef1c8b

SHA256
b0f8b94a35a12060c70e9f81641be22cbf1f1794c73260f48a2e6e46608623fe

SHA512
86d32a03cf04ef8640075c82e5fecb23034413a41b80b81c900a423b03f44589f774f68f83561465e7c9ce46512c818eef5a90e5ed9f7b3f86b592be34fa367f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFB5F.tmp

Filesize
700B

MD5
6ed26221ebae0c285cdced27b4e4dbac

SHA1
452e9440a9c5b47a4f54aefdde36c08592e17a38

SHA256
aacdfb10fa949c74577bb1778fe2f3bab88b3e587c07cfffb003e059097e9e6c

SHA512
c604368a7b4adfbec5b6898c8880ea684bd085d967c1ebd087c9bed065fe3e2575c8298a9ccaa454d68496386667db998e2a04248dda2ab35905c8a9b1135cce

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFBEC.tmp

Filesize
748B

MD5
b548259248343e12d417d6c938cf8968

SHA1
19703c388a51a7ff81a3deb6a665212be2e6589a

SHA256
ab2ce0a14c78f836d2b134a37183b6d89a78b964ea5607940fa5d940d32a0366

SHA512
73a3902f000a042a448446f6851d6ad61a30bfdfed7d7903b5dad0f368ee43cd6da3b8ba817ac95be1a7427902aba0642af8ccddc4d442867465f1f1f5bf6f81

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFC49.tmp

Filesize
676B

MD5
ba2c43095c1c82b8024e968d16bee036

SHA1
41ea006dbc9f0f6e80941d7547a980a1dde868e0

SHA256
1209067183104b41f03a5be0f377dc1865155cc84bdb509b871b7ce3366aae72

SHA512
00dc93cdb8c4cb0a681f99d24c59216a721bce963d76bad972e29cf92aafd74e4af46632c00f5aef4ce3160927db9df8aa9a8926ea4a5cb6974b499785569e61

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFC97.tmp

Filesize
644B

MD5
dac60af34e6b37e2ce48ac2551aee4e7

SHA1
968c21d77c1f80b3e962d928c35893dbc8f12c09

SHA256
2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6

SHA512
1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFD33.tmp

Filesize
684B

MD5
7a707b422baa7ca0bc8883cbe68961e7

SHA1
addf3158670a318c3e8e6fdd6d560244b9e8860e

SHA256
453ad1da51152e3512760bbd206304bf48f9c880f63b6a0726009e2d1371c71c

SHA512
81147c1c4c5859249f4e25d754103f3843416e3d0610ac81ee2ef5e5f50622ea37f0c68eeb7fa404f8a1779dc52af02d2142874e39c212c66fa458e0d62926a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmmwzyae.0.vb

Filesize
269B

MD5
d8ec3923c7b4bf7ae4ba2dd32ba5174f

SHA1
bd232f852b5428b0360c9708604793deb513c36e

SHA256
316f5f33d99324745cbdad4dfe3ece93321e270a177f3646d78d72d1f7a1d648

SHA512
062694e7951b534e5c93d4d2e65c65cc59b9be7f3f1e469b1679d61e03f1770246222009461c6e2a8ddfe41fa367ed6ebd83f53e0a1c3f24db5e97932558ce11

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmmwzyae.cmdline

Filesize
169B

MD5
f04df7957047e80c80dece2e12518c01

SHA1
b5e75c991927125836f2590708601acf53d1e3a0

SHA256
73f451c776c0f72bbbedd7d87f6b733c5f8435094ae9cb01fbdd82ad6ed387ba

SHA512
f40805d05d7c6a4c7e75421fb1553e0c5fca83bcc2d3af3ee9066b5795b0365cd5dbf14a4b8b4ee2912ec3940122e4c09ae3e41fa1bd193f58352612ad4d1f3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\x1yhbl4p.0.vb

Filesize
266B

MD5
debab8fb1bbcbf74ca2ac313d4d5aa7d

SHA1
2a4058378b3df8ef9aa547d1511a425ef043d848

SHA256
0f1d45b4fd6c36693c7d96bda036a41dccffa4313b92940df6ad180982607744

SHA512
8beaad01c2f7541532842aca72324eeee7c582d50db2454bab3288dcb2922fdc1f2a0a3e2347a74e744e92c9f8304916c0f52a18754d2e3a5eb2fe6f9fbf6567

Download Submit
C:\Users\Admin\AppData\Local\Temp\x1yhbl4p.cmdline

Filesize
166B

MD5
b4373778c1ea84851aefbd734047745d

SHA1
1278df5c10f211b1012424068feb53294a17547f

SHA256
c5610d9ebcc05b9d5e9fb5cfae08ebe2e989eff4f9830e3cb3bf52a31dbcf95a

SHA512
62c695fa3c404ed5b46ea247913a59c75af1b9753f978ca5f3abfff602e679dabbb23174a263a674ab159c2fa07b430bea2f701a635218d70b7382738b037d97

Download Submit
C:\Users\Admin\AppData\Local\Temp\y3dmlhn-.0.vb

Filesize
270B

MD5
658573fde2bebc77c740da7ddaa4634b

SHA1
073da76c50b4033fcfdfb37ba6176afd77b0ea55

SHA256
c07206283d62100d426ba62a81e97bd433966f8b52b5a8dd1451e29a804a1607

SHA512
f93c7f4378be5eca51161d1541d772a34c07884c9d829608c6fa21563df5691920394afe9da1174ad5c13f773a588b186d1d38a9d375a28562eb58ca4a8b8fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\y3dmlhn-.cmdline

Filesize
170B

MD5
00bf0dc9de277bc925278742a284df5d

SHA1
a0383b368615be0829e59af45c5ab91c5446d613

SHA256
79073912eac953552d339be43912479f8119ffc2bf603aed5838f2447c4aa0bf

SHA512
b198358e186750e09226232f15877f24cc1cca093d613df4108f72c83bc91c59b8ba6549bbfa83d8bc68e326e2a87c22c5ff6ed3842102b36807378890793164

Download Submit
C:\Users\Admin\AppData\Local\Temp\zcdnnmf1.0.vb

Filesize
290B

MD5
ce1182df38f7b4c7a89d1e4d1886b0d8

SHA1
ba5cdc6e13b761912d14ec042639566eebc23eca

SHA256
e87616f590de6878e0a1051e52bb968d39bad4c7b086cdaecc064c6aa9582e3a

SHA512
7be8358cbcefde4b1e1a28480eaea0daf5bbbd25aba3d1bd8c589bad3adb63a90551830efabc6e0d2b01a406e41e44c5797502abc88566694fbff7c2091e05a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\zcdnnmf1.cmdline

Filesize
190B

MD5
9d27e4709d22bd43b05a0bfe418697b4

SHA1
dee09b50c480b30d7fd49abb54919558cd410cdc

SHA256
8ba097a84ca75d2363ec5dce37596a49cc278931dd330ff214e8d5e54b34b3fa

SHA512
5f31d78d42d866f83f64dc0e337e277b7131a50c906ac947b8f824c4fc37af6259bf086588d0ebd0a2da98c08243f488d90b03d2541aeec15a5b01d6381955d0

Download Submit
C:\Windows\System32\MSSCS.exe

Filesize
21KB

MD5
6fe3fb85216045fdf8186429c27458a7

SHA1
ef2c68d0b3edf3def5d90f1525fe87c2142e5710

SHA256
905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550

SHA512
d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c

Download Submit
memory/2608-1-0x000007FEF5400000-0x000007FEF5D9D000-memory.dmp

Filesize
9.6MB

Download
memory/2608-2-0x000007FEF5400000-0x000007FEF5D9D000-memory.dmp

Filesize
9.6MB

Download
memory/2608-3-0x000007FEF5400000-0x000007FEF5D9D000-memory.dmp

Filesize
9.6MB

Download
memory/2608-14-0x000007FEF5400000-0x000007FEF5D9D000-memory.dmp

Filesize
9.6MB

Download
memory/2608-0-0x000007FEF56BE000-0x000007FEF56BF000-memory.dmp

Filesize
4KB

Download
memory/2944-11-0x000007FEF5400000-0x000007FEF5D9D000-memory.dmp

Filesize
9.6MB

Download
memory/2944-12-0x000007FEF5400000-0x000007FEF5D9D000-memory.dmp

Filesize
9.6MB

Download
memory/2944-13-0x000007FEF5400000-0x000007FEF5D9D000-memory.dmp

Filesize
9.6MB

Download
memory/2944-15-0x000007FEF5400000-0x000007FEF5D9D000-memory.dmp

Filesize
9.6MB

Download
memory/3036-27-0x000000001B650000-0x000000001B932000-memory.dmp

Filesize
2.9MB

Download
memory/3036-28-0x0000000002390000-0x0000000002398000-memory.dmp

Filesize
32KB

Download