revengerat | 38bc13ef112b2f17d4d1a80243fac6a521b5d58228984aae0752d79487fa3b66

Resubmissions

16/04/2025, 11:04

250416-m58gsaz1ay 10

15/04/2025, 17:34

15/04/2025, 06:16

14/04/2025, 08:06

14/04/2025, 07:59

14/04/2025, 07:22

14/04/2025, 07:16

11/04/2025, 21:39

Analysis

max time kernel
143s
max time network
153s
platform
windows11-21h2_x64
resource
win11-20250410-en
resource tags

arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
submitted
14/04/2025, 07:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
Size

21KB
MD5

6fe3fb85216045fdf8186429c27458a7
SHA1

ef2c68d0b3edf3def5d90f1525fe87c2142e5710
SHA256

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550
SHA512

d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c
SSDEEP

384:nPD9On5gIdjbvRPJnMacNj6FIlKrZbJsV5reQ+ys:b9On2nV6FIlKr1

Score

10^/10

revengerat execution stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral11/files/0x001a00000002b098-14.dat	revengerat

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSO.exe	MSSCS.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSO.exe	MSSCS.exe

Executes dropped EXE 1 IoCs

pid	Process
3964	MSSCS.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4568	powershell.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MSSCS.exe	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
File opened for modification	C:\Windows\system32\MSSCS.exe	MSSCS.exe
File created	C:\Windows\system32\MSSCS.exe	MSSCS.exe
File created	C:\Windows\system32\MSSCS.exe	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4568	powershell.exe
4568	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2672	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
Token: SeDebugPrivilege	3964	MSSCS.exe
Token: SeDebugPrivilege	4568	powershell.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2672 wrote to memory of 3964	2672	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe	83
PID 2672 wrote to memory of 3964	2672	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe	83
PID 3964 wrote to memory of 4568	3964	MSSCS.exe	84
PID 3964 wrote to memory of 4568	3964	MSSCS.exe	84
PID 3964 wrote to memory of 3996	3964	MSSCS.exe	86
PID 3964 wrote to memory of 3996	3964	MSSCS.exe	86
PID 3996 wrote to memory of 1516	3996	vbc.exe	88
PID 3996 wrote to memory of 1516	3996	vbc.exe	88
PID 3964 wrote to memory of 2216	3964	MSSCS.exe	89
PID 3964 wrote to memory of 2216	3964	MSSCS.exe	89
PID 2216 wrote to memory of 4288	2216	vbc.exe	91
PID 2216 wrote to memory of 4288	2216	vbc.exe	91
PID 3964 wrote to memory of 5200	3964	MSSCS.exe	92
PID 3964 wrote to memory of 5200	3964	MSSCS.exe	92
PID 5200 wrote to memory of 3008	5200	vbc.exe	94
PID 5200 wrote to memory of 3008	5200	vbc.exe	94
PID 3964 wrote to memory of 2032	3964	MSSCS.exe	95
PID 3964 wrote to memory of 2032	3964	MSSCS.exe	95
PID 2032 wrote to memory of 5156	2032	vbc.exe	97
PID 2032 wrote to memory of 5156	2032	vbc.exe	97
PID 3964 wrote to memory of 5756	3964	MSSCS.exe	98
PID 3964 wrote to memory of 5756	3964	MSSCS.exe	98
PID 5756 wrote to memory of 4476	5756	vbc.exe	100
PID 5756 wrote to memory of 4476	5756	vbc.exe	100
PID 3964 wrote to memory of 5776	3964	MSSCS.exe	101
PID 3964 wrote to memory of 5776	3964	MSSCS.exe	101
PID 5776 wrote to memory of 1456	5776	vbc.exe	103
PID 5776 wrote to memory of 1456	5776	vbc.exe	103
PID 3964 wrote to memory of 3124	3964	MSSCS.exe	104
PID 3964 wrote to memory of 3124	3964	MSSCS.exe	104
PID 3124 wrote to memory of 5220	3124	vbc.exe	106
PID 3124 wrote to memory of 5220	3124	vbc.exe	106
PID 3964 wrote to memory of 5900	3964	MSSCS.exe	107
PID 3964 wrote to memory of 5900	3964	MSSCS.exe	107
PID 5900 wrote to memory of 5568	5900	vbc.exe	109
PID 5900 wrote to memory of 5568	5900	vbc.exe	109
PID 3964 wrote to memory of 4264	3964	MSSCS.exe	110
PID 3964 wrote to memory of 4264	3964	MSSCS.exe	110
PID 4264 wrote to memory of 1116	4264	vbc.exe	112
PID 4264 wrote to memory of 1116	4264	vbc.exe	112
PID 3964 wrote to memory of 4652	3964	MSSCS.exe	113
PID 3964 wrote to memory of 4652	3964	MSSCS.exe	113
PID 4652 wrote to memory of 904	4652	vbc.exe	115
PID 4652 wrote to memory of 904	4652	vbc.exe	115

C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
"C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Windows\system32\MSSCS.exe
  "C:\Windows\system32\MSSCS.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3964
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ExecutionPolicy Bypass -Command [System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms'); [System.Windows.Forms.MessageBox]::Show('Isto abriu lol','Rekt!',0,64)
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4568
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lihyez21.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3996
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8519.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE2C6229CE19D4BB0B42C77549A865D9C.TMP"
      4⤵
      PID:1516
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jg34fwot.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2216
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8587.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6951C0158C940D2A5A9698CDF7289B.TMP"
      4⤵
      PID:4288
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xtgb928r.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5200
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8623.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6BC3477A2B984D88B4E4A05A548FD5.TMP"
      4⤵
      PID:3008
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yo0-a6uu.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2032
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES86AF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE48360609AA74F5383B4702D66F29F9.TMP"
      4⤵
      PID:5156
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pzm_gwh2.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5756
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES875B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBC05E83558184240815EBD97B483049.TMP"
      4⤵
      PID:4476
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qbjsrln2.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5776
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES87B9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc332E413BB9D44349A7514247EE7CEABD.TMP"
      4⤵
      PID:1456
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vrqzbizc.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3124
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8807.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5E96C76C550049C181B980BD6A536B6.TMP"
      4⤵
      PID:5220
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vaghkg_n.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5900
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8884.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc16DF4D998144834B38197BB1B7D32CD.TMP"
      4⤵
      PID:5568
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\npacvxdj.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4264
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES88D2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc290FA6DE27D24650B0E796F3DC188F6.TMP"
      4⤵
      PID:1116
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bzbiwyqg.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4652
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8920.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD9928847F1A844A6BDA492CCB7F8E926.TMP"
      4⤵
      PID:904

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8519.tmp

Filesize
1KB

MD5
b838a768695957a1e29e7f26ccb89a14

SHA1
c81ddabb3859b6e327848b19c40efd7e56e1e827

SHA256
a48fb38b86ecda851682e365ce5ea35a5d8f8d56f36b1686264cec368c17d9ec

SHA512
f11e16529e3d2d45cb640eb843137f95be9b8098075046582d3460ea671b20f81b27fa4e9d9cf8952495f599d2e906ab776bf6cfe43e6962be939d375aca0b74

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8587.tmp

Filesize
1KB

MD5
e948e9f3123306115e95c9821f410b3f

SHA1
8ce49825bebd9937cbfb8ab3ec4387139e4cf012

SHA256
128829d9d5da733d2babbf9412fdbe20f82aa3e1d9769018923117efe4e568e5

SHA512
54f284ae737703bfe502a6e3a7fbe7a0a5135a90c4da894d5c519986cbe43b13fa9b665ce3a0a2335e719e1e0a57c35642bfa897365652c0b6fc66083c1693c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8623.tmp

Filesize
1KB

MD5
8297217ec0485e4080888e95e1dc6274

SHA1
e60a456b80f56a204dce33f80c87d10e41bf9fd8

SHA256
5601738dacfd81a6108de6111a6685b3ae80c5cc6a285d2e9124e28f77b690ea

SHA512
34dd1022044c299915989f4af69a9e49ac52b3c370926fbf4e516174d11b59c02b1e80810d0228615d871e077f4a212448dc3a6d7d7e0333862c47157f10ad83

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES86AF.tmp

Filesize
1KB

MD5
fe0995bc2cbf7b56a785689a68919a47

SHA1
4852cd76ada071c0cd4b116186b2a87f76c64b6c

SHA256
df7fb04b329b28c9b610b09668a397be3621ecd8bb706121b7d3e177aa1921fc

SHA512
dd646a7ccbaea0be97fa966514c36e7f8ea51d1b7bbe293c486ae21428a1bd74614d512d92deb0fd5fc5429cc35978178293ba7b2c746f80f37e303da3707134

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES875B.tmp

Filesize
1KB

MD5
7fd1f2a047856d3ff4b0791af0684d15

SHA1
b3d93ce9eb30939288d2439afaa2927bf4e6bcdb

SHA256
3a35378fad3ad82ddad28c73d811c72d0a0a97a126688a6444104b58ddaedbd8

SHA512
2c5e5953c55954c839ab0bf2b7348c259e8f25cfcd2c38a23fc4d56a872684a5a7e3f6969aad80ad4ebac6a4ef83adbe78303e9f510ae4817bc0c46e3ed5a338

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES87B9.tmp

Filesize
1KB

MD5
5c205ee53301261b2764276e73f37cf7

SHA1
0dd4c0cf10b1e164d1b189934f84d8ae4f4af190

SHA256
4b0836cc4fc7a32b9482b76183c098349ddfac2f57857dd231b223489f9e0e61

SHA512
aae400c7727204a0b871faeafa14ba580eee755577c61e59126614a8fea63dc922afbd56c247c02bf574d96b593aee6755543b2077132d6af7338ee90bdea33f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8807.tmp

Filesize
1KB

MD5
1ff384be15848136b06c3c8c60194baa

SHA1
3b1bdf57b8add3507ebd957a6e60cc3947c98546

SHA256
7303fa2289a45826500e384ef2bd590e5a208800f9429f205df2512b6c4551bb

SHA512
fd562c7c7516c487b960f2378910be51d576d391650084f107e53157f94c7b0140f034d9decc2987ce9144912f1bdb48294316fe6c211d1abe40b20f44ea9d70

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8884.tmp

Filesize
1KB

MD5
646109ef09c0b75f027d393fd176bba6

SHA1
b2e3b3e6cf25668f3d25a67784a779cb79c5c062

SHA256
5f0f6c5cfa80bec2a9038cbbdec902c282ab822040b2f7e655bc755461a0c496

SHA512
c196d568021c220826fd8a848ce5de6df46b115b8489035720f16eed5b1a181adf40e449704287bc90a42704338e25d8cc258cf49827e6488d950337d8e49a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES88D2.tmp

Filesize
1KB

MD5
02269cf16629dec3cfdf1d14306f8095

SHA1
f1cc0b4ae07d8a11880e8026cde1b3a51914bc34

SHA256
ed8162d445593086d6505a849710aef8bdb18a4341b1604955656bfe396f05e1

SHA512
6acf367a5a90e6899d375e14d22e28b41efc64d03bc35e037f851455ba230c8df5259a5b36651666922c6729be3c7ef22b2d34b7f428770b8474056910d6db3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8920.tmp

Filesize
1KB

MD5
d8237fb9906113dbe0f56baeebffbf95

SHA1
d2d33abd85c56cc64a76eecaec705448eadc6a88

SHA256
95779d9be94bd3619ec7793417334c5499c1ac8618263d612fd15f06bcdb910c

SHA512
ea0f57959753c04b4ae5969b994dc432a34d6eb4ac0841d977621f83f7de31ac9690e42814df4de3c140504ecafea595cc1f934451db1c9bb4472d2931df07cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bn1fnxmz.a15.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bzbiwyqg.0.vb

Filesize
273B

MD5
3c3d3136aa9f1b87290839a1d26ad07a

SHA1
005a23a138be5d7a98bdd4a6cc7fab8bdca962f4

SHA256
5b745f85a39312bfa585edbd7e3465371578b42fa639eded4cdad8c9f96b87fd

SHA512
fbb085ffcd77ac96c245067fd96a0c20492d55331161f292975b0c11386424a96534a500133217f84d44455e16139d01230455bce5db3d472271620c29381f60

Download Submit
C:\Users\Admin\AppData\Local\Temp\bzbiwyqg.cmdline

Filesize
173B

MD5
25ce0da4296aefdd4dce354176162ad8

SHA1
d3b50c05bc14ba7d52267a476aacbae3e83c20ec

SHA256
358ac08da3b84bb21aaa40ec8533fedddf41b5808c33bffea04e856fbb390133

SHA512
4041f8ed8744a4ff329159494a20583194d8938cdf3a5ba3ef7602172bc655f7207a6fdcb2e50486ff357c7f52f101d2466c229b2b5f758a61f123669725a161

Download Submit
C:\Users\Admin\AppData\Local\Temp\jg34fwot.0.vb

Filesize
262B

MD5
88cc385da858aaa7057b54eaeb0df718

SHA1
b108224d4686b5ca3faaeb1c728dfba8740a6eca

SHA256
08a30db98d970e3b6819d5ecff6eab2211ce93f4cd000c09db96ffb294d05020

SHA512
4787835240c3e2364172ac2e7649ec8fecb907c7006c38734e59aa65509f360b4596d5db8de20e0c7388a022e1c2f4f9ba75acabba798bea1d40f688539b7df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\jg34fwot.cmdline

Filesize
162B

MD5
20b4535859b9e76843bea23f4158d404

SHA1
6f1a7861a42202d5d0b31bcf745a343b47ab0293

SHA256
90b8858922732b6da4c5be8aac70a3c5e4fee3f18d8bd2733cb5e20260c8b0b9

SHA512
10018eb6d5236ced3ee92ea56f7c71f3a05a587f3f5ee93b67c95bc22070526f0f73e31b74c28d8a9fa94e209cd2da38cf03370c0e84aa2801577431055d66ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\lihyez21.0.vb

Filesize
256B

MD5
076803692ac8c38d8ee02672a9d49778

SHA1
45d2287f33f3358661c3d6a884d2a526fc6a0a46

SHA256
5b3ab23bcadaeb54a41bdb1636bcaf7772af028d375f42baeb967de6579ef2a3

SHA512
cc9126384a287ccb99d10d5c2d3034cdbc8a45e94f1cec48dd95f2aa08ebbe3053ffd6d6effa31f2d84164edbb6136398cd02c08b05f027a6a777dffd1daea5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\lihyez21.cmdline

Filesize
156B

MD5
d10071a242f7ea61124b2d2577aacd48

SHA1
3d30584a32f9d643b3b559c4eaff6ae41118f4e3

SHA256
a32777dbbcca814205983640f2bfd5c383b90189125e15b33d7a8314b666c358

SHA512
22505adc81daddf78882b7db4e84ba91582d00e22f27761e601b99504026b99ddd62f0d5e84f3ff78d025f062edc723b2cf98d0f7248f8db89576639d47b1416

Download Submit
C:\Users\Admin\AppData\Local\Temp\npacvxdj.cmdline

Filesize
171B

MD5
6f724263f84443b20eff74a4c7aa209b

SHA1
c2c001aa7249c856b928f9bcffbc9f6086014cbd

SHA256
16aef0e802139eaa8bffe2fc994b9a9a35bf3279392bd3f53127c8c6b275e5cd

SHA512
9507fad1d71143b4889ed91a34eb2f0a4010d6a69f9f6d79b43c97286615411ff8537c3a619e3c633e2593e0860afb3faca2f6ad4154a94646a40f952e0b61f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\pzm_gwh2.0.vb

Filesize
271B

MD5
325f27ef75bebe8b3f80680add1943d3

SHA1
1c48e211258f8887946afb063e9315b7609b4ee3

SHA256
034c75813491d628a1a740b45888fc0c301b915456aaa7ba6433b4f1368cda35

SHA512
e2165b425558872897990953c26e48776f45751a53da035f1ad86ac062ec23a2923b984d84f992de5c0170f6e192feb155ffff25f51bc76ab273b996daacb804

Download Submit
C:\Users\Admin\AppData\Local\Temp\pzm_gwh2.cmdline

Filesize
171B

MD5
7c2d546e8db7bf33ca72d58b6218af42

SHA1
62a6a813478cebb822489a2cac0e52a665f3e351

SHA256
47f220ab1a680bdcda6d9e551bb9b170dbd7c9390b743dde4ddcec153cd04a46

SHA512
d70aec71dbc0e98cdf999308e67f783c5801770ec455d653e706f7c8732f2bd7cb545389127596e9016713efc4eb5da0ec88f334e34669d78bad15ca9b198e21

Download Submit
C:\Users\Admin\AppData\Local\Temp\qbjsrln2.0.vb

Filesize
274B

MD5
539683c4ca4ee4dc46b412c5651f20f5

SHA1
564f25837ce382f1534b088cf2ca1b8c4b078aed

SHA256
ec2210924d5c1af6377ef4bdf76d6ca773aaa1ae0438b0850f44d8c4e16ef92e

SHA512
df7c1a55e53f9b9bf23d27762d2d1163c78808e9b4d95e98c84c55ca4ecb7009ed58574ae6ddede31459f300483a1dc42987295a04f6c8702f297d3f1942f4ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\qbjsrln2.cmdline

Filesize
174B

MD5
5a2bf48a741335e25108f18e90e7eab1

SHA1
c1ddc95b465acaecc3bc243c72920b8f64ac56f0

SHA256
de6614edcef712dc0a482ad9b413fb1bfb3fe34b6616e4d09cd1961e4808b6cc

SHA512
3acda39aa643423cad94efd9f1bb019e2ce16ff5b820d66f65af401896d924465602ee902ee3b01cc5089eab10bd6525d14a4788f59510100cd9f604fa47db65

Download Submit
C:\Users\Admin\AppData\Local\Temp\vaghkg_n.0.vb

Filesize
270B

MD5
658573fde2bebc77c740da7ddaa4634b

SHA1
073da76c50b4033fcfdfb37ba6176afd77b0ea55

SHA256
c07206283d62100d426ba62a81e97bd433966f8b52b5a8dd1451e29a804a1607

SHA512
f93c7f4378be5eca51161d1541d772a34c07884c9d829608c6fa21563df5691920394afe9da1174ad5c13f773a588b186d1d38a9d375a28562eb58ca4a8b8fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\vaghkg_n.cmdline

Filesize
170B

MD5
f91b0f0a7adfc3de3a05d4c3e37482e4

SHA1
4bd25177ba2c82f5a02d0db3fac7ed667e9639fd

SHA256
976e66125ceba64afd0d077ff4a80cea03cc14f8eef18c9ebc94b5f9c28c5e1a

SHA512
433c4c84467c603b3c5aa5c61890f6db9c74fcd80ee80fc734cd7c63012f389f78a53ee047df421aa55124cd9da3491554bd548fdcfa282ddbb7a0d0b64520c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc332E413BB9D44349A7514247EE7CEABD.TMP

Filesize
684B

MD5
8135713eeb0cf1521c80ad8f3e7aad22

SHA1
1628969dc6256816b2ab9b1c0163fcff0971c154

SHA256
e14dd88df69dc98be5bedcbc8c43d1e7260b4492899fec24d964000a3b096c7a

SHA512
a0b7210095767b437a668a6b0bcedf42268e80b9184b9910ed67d665fba9f714d06c06bff7b3da63846791d606807d13311946505776a1b891b39058cfb41bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6951C0158C940D2A5A9698CDF7289B.TMP

Filesize
668B

MD5
3906bddee0286f09007add3cffcaa5d5

SHA1
0e7ec4da19db060ab3c90b19070d39699561aae2

SHA256
0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00

SHA512
0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD9928847F1A844A6BDA492CCB7F8E926.TMP

Filesize
684B

MD5
7a707b422baa7ca0bc8883cbe68961e7

SHA1
addf3158670a318c3e8e6fdd6d560244b9e8860e

SHA256
453ad1da51152e3512760bbd206304bf48f9c880f63b6a0726009e2d1371c71c

SHA512
81147c1c4c5859249f4e25d754103f3843416e3d0610ac81ee2ef5e5f50622ea37f0c68eeb7fa404f8a1779dc52af02d2142874e39c212c66fa458e0d62926a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE2C6229CE19D4BB0B42C77549A865D9C.TMP

Filesize
644B

MD5
dac60af34e6b37e2ce48ac2551aee4e7

SHA1
968c21d77c1f80b3e962d928c35893dbc8f12c09

SHA256
2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6

SHA512
1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE48360609AA74F5383B4702D66F29F9.TMP

Filesize
676B

MD5
85c61c03055878407f9433e0cc278eb7

SHA1
15a60f1519aefb81cb63c5993400dd7d31b1202f

SHA256
f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b

SHA512
7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

Download Submit
C:\Users\Admin\AppData\Local\Temp\vrqzbizc.0.vb

Filesize
264B

MD5
5ce3977a153152978fa71f8aa96909e9

SHA1
52af143c553c92afc257f0e0d556908eaa8919cb

SHA256
e07a7bd0c2901d3a349ab55e936b34de2d0abb5f2dc555cc128773b8045d3eed

SHA512
eaee02ceade0211be70a4710b28fdf043d5c540928e2095ead924a44c2edfca8fc6499395d1b7f5deee96394fb5309362fb87e45ee195094ec39d5fa11909d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\vrqzbizc.cmdline

Filesize
164B

MD5
a8038d4ec0907a4380ec8af05127f262

SHA1
212de43a45779e189191e45ed20df23fbd72a390

SHA256
1fbc6fb986509ab16be83caa39789efa887a9b6c6ca0867868a336eaca91908d

SHA512
d80a30422b79d1bad6a78c8a05e41020499ce3e105e830ae1ffbc873c1d88777b6cc99dff0a9f7304959dd03efcdfdac5a7acb24009ad3758950e5764464106f

Download Submit
C:\Users\Admin\AppData\Local\Temp\xtgb928r.0.vb

Filesize
271B

MD5
ac972015bef75b540eb33503d6e28cc2

SHA1
5c1d09fcf4c719711532dcfd0544dfc6f2b90260

SHA256
fa445cc76cde3461a5f1f1281fefcb0c7db69b2685f8a67a06a0f33a067e74e7

SHA512
36b2e1f7b7a6f2c60788f88d95bfdc53b7d261c203eb637a36fbd07d81bc46edc87e528f1987df73963cb75ca2f19c3a4b3df9ade52d5768ecec23753099cc83

Download Submit
C:\Users\Admin\AppData\Local\Temp\xtgb928r.cmdline

Filesize
171B

MD5
62b3019eedeeeb03ac83964c2fa39437

SHA1
79529fa356e88527ff5e17a9460428056dc7786f

SHA256
32759f55afe8c032238e22aff66230e76f770391277095601f09073cdfd06a5c

SHA512
06faba89ea4ea1897dce4513dcfc54a2aa64432361bc2f07bb05cb9136192ddcb314ff44a30c2b7cbf8ae21b38400ed21ef33ce9aad1d864e8ac43ed15c81df0

Download Submit
C:\Users\Admin\AppData\Local\Temp\yo0-a6uu.0.vb

Filesize
272B

MD5
2b3aac520562a93ebef6a5905d4765c9

SHA1
10ab45c5d73934b16fac5e30bf22f17d3e0810c8

SHA256
b9f0edf067faaaa7da2d47e3d22b957cd302eb25e01e08ea79c664868f328f89

SHA512
9514934ed12d93ea3ad4e6873cf294bafa114bc7a784a93b14dd2410d07fae3a2c00308035a5c129c57e283de8b94ed36fd9f9de35b08eb79a82a0c732e50446

Download Submit
C:\Users\Admin\AppData\Local\Temp\yo0-a6uu.cmdline

Filesize
172B

MD5
402b31e82abbfb766ddffdf078d7ac7c

SHA1
07517ee166c4386401daf35daf2c07cf0370dfb5

SHA256
af8971e1affbb0e4160ba44ab77133cd93bd4a2ea76035fb4ac0ca120be940ad

SHA512
b01a69bd01e2ce251f21ee826e2064268a386fcac909abbd5a47f7cb72d6d95f261cfd0838f62b14fb96d1488097aa95ea5b6cbb722ce8aa7068daf3c791adab

Download Submit
C:\Users\Admin\AppData\Roaming\Random\Default\Microsoft Edge.exe

Filesize
6KB

MD5
2637fa05854f54e187cfe87cff740aee

SHA1
4abedc29d160a1e74430e6e4576540b0f5853e66

SHA256
afd2775fd13bfee042cb02bd3f0c86d3bfc4eec4e7fddbac990c244cc139bc03

SHA512
c250c74f7f5e124e8730951aacc1ab34bbe3c7563d8afe9a212305949845ed0364530f237c3127b7736e707c1ddc559e31f4e79b2027a35bae71b92559704d78

Download Submit
C:\Windows\System32\MSSCS.exe

Filesize
21KB

MD5
6fe3fb85216045fdf8186429c27458a7

SHA1
ef2c68d0b3edf3def5d90f1525fe87c2142e5710

SHA256
905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550

SHA512
d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c

Download Submit
memory/2672-4-0x000000001BBD0000-0x000000001BC32000-memory.dmp

Filesize
392KB

Download
memory/2672-0-0x00007FF90ADD5000-0x00007FF90ADD6000-memory.dmp

Filesize
4KB

Download
memory/2672-2-0x000000001B600000-0x000000001BACE000-memory.dmp

Filesize
4.8MB

Download
memory/2672-1-0x00007FF90AB20000-0x00007FF90B4C1000-memory.dmp

Filesize
9.6MB

Download
memory/2672-3-0x000000001B040000-0x000000001B0E6000-memory.dmp

Filesize
664KB

Download
memory/2672-5-0x00007FF90AB20000-0x00007FF90B4C1000-memory.dmp

Filesize
9.6MB

Download
memory/2672-22-0x00007FF90AB20000-0x00007FF90B4C1000-memory.dmp

Filesize
9.6MB

Download
memory/2672-6-0x000000001C450000-0x000000001C4EC000-memory.dmp

Filesize
624KB

Download
memory/2672-7-0x00007FF90ADD5000-0x00007FF90ADD6000-memory.dmp

Filesize
4KB

Download
memory/2672-8-0x00007FF90AB20000-0x00007FF90B4C1000-memory.dmp

Filesize
9.6MB

Download
memory/2672-9-0x00007FF90AB20000-0x00007FF90B4C1000-memory.dmp

Filesize
9.6MB

Download
memory/3964-23-0x00007FF90AB20000-0x00007FF90B4C1000-memory.dmp

Filesize
9.6MB

Download
memory/3964-19-0x00007FF90AB20000-0x00007FF90B4C1000-memory.dmp

Filesize
9.6MB

Download
memory/3964-20-0x00007FF90AB20000-0x00007FF90B4C1000-memory.dmp

Filesize
9.6MB

Download
memory/3964-21-0x00007FF90AB20000-0x00007FF90B4C1000-memory.dmp

Filesize
9.6MB

Download
memory/4568-36-0x0000015FC7110000-0x0000015FC7132000-memory.dmp

Filesize
136KB

Download