revengerat | 38bc13ef112b2f17d4d1a80243fac6a521b5d58228984aae0752d79487fa3b66

Resubmissions

16/04/2025, 11:04

250416-m58gsaz1ay 10

15/04/2025, 17:34

15/04/2025, 06:16

14/04/2025, 08:06

14/04/2025, 07:59

14/04/2025, 07:22

14/04/2025, 07:16

11/04/2025, 21:39

Analysis

max time kernel
143s
max time network
153s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250314-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
14/04/2025, 07:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
Size

21KB
MD5

6fe3fb85216045fdf8186429c27458a7
SHA1

ef2c68d0b3edf3def5d90f1525fe87c2142e5710
SHA256

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550
SHA512

d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c
SSDEEP

384:nPD9On5gIdjbvRPJnMacNj6FIlKrZbJsV5reQ+ys:b9On2nV6FIlKr1

Score

10^/10

revengerat xdsddd execution stealer trojan

Malware Config

Extracted

Family

revengerat

Botnet

XDSDDD

84.91.119.105:333

Mutex

RV_MUTEX-wtZlNApdygPh

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral11/files/0x0008000000028233-10.dat	revengerat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\Control Panel\International\Geo\Nation	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSO.exe	MSSCS.exe

Executes dropped EXE 1 IoCs

pid	Process
5944	MSSCS.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4868	powershell.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system32\MSSCS.exe	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
File opened for modification	C:\Windows\system32\MSSCS.exe	MSSCS.exe
File created	C:\Windows\system32\MSSCS.exe	MSSCS.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4868	powershell.exe
4868	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	5212	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
Token: SeDebugPrivilege	5944	MSSCS.exe
Token: SeDebugPrivilege	4868	powershell.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 5212 wrote to memory of 5944	5212	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe	90
PID 5212 wrote to memory of 5944	5212	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe	90
PID 5944 wrote to memory of 4868	5944	MSSCS.exe	91
PID 5944 wrote to memory of 4868	5944	MSSCS.exe	91
PID 5944 wrote to memory of 2920	5944	MSSCS.exe	93
PID 5944 wrote to memory of 2920	5944	MSSCS.exe	93
PID 2920 wrote to memory of 4880	2920	vbc.exe	95
PID 2920 wrote to memory of 4880	2920	vbc.exe	95
PID 5944 wrote to memory of 6076	5944	MSSCS.exe	96
PID 5944 wrote to memory of 6076	5944	MSSCS.exe	96
PID 6076 wrote to memory of 4600	6076	vbc.exe	98
PID 6076 wrote to memory of 4600	6076	vbc.exe	98
PID 5944 wrote to memory of 5416	5944	MSSCS.exe	99
PID 5944 wrote to memory of 5416	5944	MSSCS.exe	99
PID 5416 wrote to memory of 2212	5416	vbc.exe	101
PID 5416 wrote to memory of 2212	5416	vbc.exe	101
PID 5944 wrote to memory of 4468	5944	MSSCS.exe	102
PID 5944 wrote to memory of 4468	5944	MSSCS.exe	102
PID 4468 wrote to memory of 2508	4468	vbc.exe	104
PID 4468 wrote to memory of 2508	4468	vbc.exe	104
PID 5944 wrote to memory of 4624	5944	MSSCS.exe	105
PID 5944 wrote to memory of 4624	5944	MSSCS.exe	105
PID 4624 wrote to memory of 1888	4624	vbc.exe	107
PID 4624 wrote to memory of 1888	4624	vbc.exe	107
PID 5944 wrote to memory of 5596	5944	MSSCS.exe	108
PID 5944 wrote to memory of 5596	5944	MSSCS.exe	108
PID 5596 wrote to memory of 1256	5596	vbc.exe	110
PID 5596 wrote to memory of 1256	5596	vbc.exe	110
PID 5944 wrote to memory of 2480	5944	MSSCS.exe	111
PID 5944 wrote to memory of 2480	5944	MSSCS.exe	111
PID 2480 wrote to memory of 6124	2480	vbc.exe	113
PID 2480 wrote to memory of 6124	2480	vbc.exe	113
PID 5944 wrote to memory of 4472	5944	MSSCS.exe	114
PID 5944 wrote to memory of 4472	5944	MSSCS.exe	114
PID 4472 wrote to memory of 4308	4472	vbc.exe	116
PID 4472 wrote to memory of 4308	4472	vbc.exe	116

C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
"C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5212
- C:\Windows\system32\MSSCS.exe
  "C:\Windows\system32\MSSCS.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5944
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ExecutionPolicy Bypass -Command [System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms'); [System.Windows.Forms.MessageBox]::Show('Isto abriu lol','Rekt!',0,64)
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4868
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ebcd9z7g.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2920
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD230.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8E3F94EDBEF49B7A8F1A17EE923AA30.TMP"
      4⤵
      PID:4880
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hglrbipi.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:6076
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD2EB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc778E51E2B3024D098E1916D050A43E8F.TMP"
      4⤵
      PID:4600
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3y4iwxof.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5416
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD397.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1B7BDED42BE2419FB828F2F8348963BE.TMP"
      4⤵
      PID:2212
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5pskiagh.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4468
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD424.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAE01B7B6B82E4521B15645B361CE2987.TMP"
      4⤵
      PID:2508
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3a3vipor.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4624
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD491.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5ECE6151D335454BAC99AD8DC381145.TMP"
      4⤵
      PID:1888
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\n8bhzkx7.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5596
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD4EF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc76FCF1B3A1264B75979A3B58C321A22E.TMP"
      4⤵
      PID:1256
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kyrrm-kq.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2480
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD56C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB840FD309CEE4714A0EB58FF5F399A.TMP"
      4⤵
      PID:6124
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3s0mejuq.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4472
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD5D9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC4675BCD23144F09934A6AB4A9B2AC4E.TMP"
      4⤵
      PID:4308

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3a3vipor.0.vb

Filesize
274B

MD5
539683c4ca4ee4dc46b412c5651f20f5

SHA1
564f25837ce382f1534b088cf2ca1b8c4b078aed

SHA256
ec2210924d5c1af6377ef4bdf76d6ca773aaa1ae0438b0850f44d8c4e16ef92e

SHA512
df7c1a55e53f9b9bf23d27762d2d1163c78808e9b4d95e98c84c55ca4ecb7009ed58574ae6ddede31459f300483a1dc42987295a04f6c8702f297d3f1942f4ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\3a3vipor.cmdline

Filesize
174B

MD5
d54338f6bba3baa3576102095262b9e3

SHA1
9ffbcc715877991a12b87dc3eea4926d0d6fb219

SHA256
4d94505a1334547f19bbb8bc147f079282ba6ae2eeca55924176f21ea9340fe0

SHA512
7c766915d0be323c233836e14aa307b622c6343a675d385ee0d37bd2544e1285836e4037333110b81ea414fba94d77b98bee70fd74f961279512f276100bc0c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\3s0mejuq.0.vb

Filesize
273B

MD5
3c3d3136aa9f1b87290839a1d26ad07a

SHA1
005a23a138be5d7a98bdd4a6cc7fab8bdca962f4

SHA256
5b745f85a39312bfa585edbd7e3465371578b42fa639eded4cdad8c9f96b87fd

SHA512
fbb085ffcd77ac96c245067fd96a0c20492d55331161f292975b0c11386424a96534a500133217f84d44455e16139d01230455bce5db3d472271620c29381f60

Download Submit
C:\Users\Admin\AppData\Local\Temp\3s0mejuq.cmdline

Filesize
173B

MD5
ead996c4d41f706afd880ea7c3f0f46f

SHA1
e3c89038186b1234c234ef2185bac09762540bc6

SHA256
5643eb1c8ae828b90f38901dc1eb7d263f053daaec8875960ab08057d95b1690

SHA512
df60a2ec4b656ab3925524512a89c377facb5f2106ae31b3072954f676931195927941ac2b8770ee1e11257f318c7cea82fec0d16626ac497527716b9af9aa14

Download Submit
C:\Users\Admin\AppData\Local\Temp\3y4iwxof.0.vb

Filesize
272B

MD5
2b3aac520562a93ebef6a5905d4765c9

SHA1
10ab45c5d73934b16fac5e30bf22f17d3e0810c8

SHA256
b9f0edf067faaaa7da2d47e3d22b957cd302eb25e01e08ea79c664868f328f89

SHA512
9514934ed12d93ea3ad4e6873cf294bafa114bc7a784a93b14dd2410d07fae3a2c00308035a5c129c57e283de8b94ed36fd9f9de35b08eb79a82a0c732e50446

Download Submit
C:\Users\Admin\AppData\Local\Temp\3y4iwxof.cmdline

Filesize
172B

MD5
d0fbc07e2738d6d154a5ad434123301a

SHA1
612f0edb81ddaa240d538fa888c0629bd58b51df

SHA256
80b45f8ab8d87e391398513f2aea7018b2383b58f7c5a53092fc8aed9ec0a442

SHA512
10c3a5161cbf60d8f8af8b15feac5933c40ebe7c3dec9bb0f8b17a9ab73912322bc9922bda830167ccdedd2ad257578ae90c99e09f6073cf3b80eb17831ef822

Download Submit
C:\Users\Admin\AppData\Local\Temp\5pskiagh.0.vb

Filesize
271B

MD5
325f27ef75bebe8b3f80680add1943d3

SHA1
1c48e211258f8887946afb063e9315b7609b4ee3

SHA256
034c75813491d628a1a740b45888fc0c301b915456aaa7ba6433b4f1368cda35

SHA512
e2165b425558872897990953c26e48776f45751a53da035f1ad86ac062ec23a2923b984d84f992de5c0170f6e192feb155ffff25f51bc76ab273b996daacb804

Download Submit
C:\Users\Admin\AppData\Local\Temp\5pskiagh.cmdline

Filesize
171B

MD5
ce827dbf6770e606ee7836dcb3980ce1

SHA1
151d0260d2e3cf25830f44f7dd8b3923ea8aea5c

SHA256
afc4ca2b2f553ed179f81a71f2dcb6080c0ff7a1b7799064e1a115ab40aaa572

SHA512
6b77b4c8527ff7a5e219822b9e943ddfa6af7ead71d4ec74e328e5e1e090d25dfcea706eaa3e1845be69508a8fa90c0c1101075c1078d1563e22fa14f7ec8473

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD230.tmp

Filesize
1KB

MD5
6d4e9e59f10fc11e84b91a53bd516533

SHA1
3a35a90de1c6573ff4f03355e1b4735d7b5ed12c

SHA256
fc5e9763b868dd0c38d467e50c0d5cfb2636ce94643839b8282b44a1577fc636

SHA512
0cee00996fb837ca2b9dcf6b5438dcaf28bb1189f0a51c2705d482f26a690866904816e99aec42e4b95b6b21b3f2361f9161276fbe200e8a0872044a228037fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD2EB.tmp

Filesize
1KB

MD5
bfc7bfd7074da4b759cd627803b8af09

SHA1
57f9a1776d31a0387ad69598dd17b8027e5c34ad

SHA256
f5dfab0fba0918ad4c296cd7a830c87ac1b2238e06994455d02dc2beb6cf36af

SHA512
196e23cb39013a847558e5ce05b07bd05b3c1bb2e9ca706d9ba449417cc13b8c55e5d6bc52dfe0bbdcf4235b2cc751dda2ae02ce9f87b9ba4a18abe60d841d1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD397.tmp

Filesize
1KB

MD5
df3b5100ab76d77ae56c0dc045902b3d

SHA1
ea8e80839de495576c667b99743b5c1ce6790061

SHA256
4c324a73c5b51faa3e9136e7c7be3d079df6c4a7938ec8b1aba03bc8772fc5e9

SHA512
6d883eee549220340e90983f79236ffb19c6270727822bc77bc4156cfe57f5c1904184bce84d809fbbf66e135ac1afa71e2fd2ce4389eb4123c4058991c86d6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD424.tmp

Filesize
1KB

MD5
bf183edd18d2c67ad08121fcdc2223c3

SHA1
a72c04e68983b4ced71e92cc4734cdd3fb715e00

SHA256
e2c1053c87cf60697f924eb5449022710837a3ae30fe6d0abd4fe07955416ecb

SHA512
af0070b503af56c4e473842235d5b0593af0b474acbc5e17105f940e57ebd8d13b835487f5300e273e81100099d639eb8747cab576fa2af9987ab813dcfb2276

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD491.tmp

Filesize
1KB

MD5
c178a2442d03b35109ab98bedbe99916

SHA1
1f526a30888470e7738a77f7f24eac848ffcb888

SHA256
11e3c54a514403c7338e98e04a5f4c085c6fe1aab62e1d68ba7bb1866be86c8e

SHA512
e7ba6f374a36aa4732801d8f501e9feb692bd3e1be28f281e6db753518bcea9858cf167a75e9bbc1ded34b493e286d861ee6aabc53c5556bb7c5382cdc573f0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD4EF.tmp

Filesize
1KB

MD5
f03169fc338470e91006515058f3d0e5

SHA1
3c9fd19fc5d4477d4ee701350b28df1284a263e4

SHA256
52c67e7a50160972c8c05f1918833c51894d2fcef5095868dfe35c768bdbbdc2

SHA512
6f21dbcf432b8cc8143f4a391e6315cb945e095b3de29b1a9366a3087650928d5b847c1c91b952a4752a40ece223f1adc970bd1ab32436505479d87eaa680a3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD56C.tmp

Filesize
1KB

MD5
bcaa01af5de99f6a259927ca9c3cc26b

SHA1
51b6aad45cdd50450f9165aa5b53a030b7e838ae

SHA256
5153e5344289e9021a9062aeab5b8d4114a594041656c5263da09d8a6407a1e2

SHA512
e65e362f63aa57baa7c2443125b90dcc5ee45e6dff291733f74834da87e36c5abc8af094574477bcd052f332e9f7adbac28d1acd2440cff259d3947dd335bb5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD5D9.tmp

Filesize
1KB

MD5
edd13641c35e6ef7b0fc7de8abeef776

SHA1
7c4ec50e519c5cd2a35d4644727f4b5297939201

SHA256
c3a8358dacdfe23c9a14d5f5633dea1b61f3b7c059320ecffcb5c1331ee6d1a3

SHA512
79c37b0b6c4f55f6290fe3bfd14ca527cdf28b519213b1bc192bf0fe49578c063992fd88ad743a457809958456a24dc6de7441ee42bb417edf215555f0496f52

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ya0m3ldk.3ke.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebcd9z7g.0.vb

Filesize
256B

MD5
076803692ac8c38d8ee02672a9d49778

SHA1
45d2287f33f3358661c3d6a884d2a526fc6a0a46

SHA256
5b3ab23bcadaeb54a41bdb1636bcaf7772af028d375f42baeb967de6579ef2a3

SHA512
cc9126384a287ccb99d10d5c2d3034cdbc8a45e94f1cec48dd95f2aa08ebbe3053ffd6d6effa31f2d84164edbb6136398cd02c08b05f027a6a777dffd1daea5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebcd9z7g.cmdline

Filesize
156B

MD5
1ce17c09121f7b96adbcd4ef3b585b90

SHA1
993a44c1654ff41ed3dd6fe7d03d154d0f0ab801

SHA256
b466e99781ab825ec791b202431f9c9dc7d613eef991b598107f6b2565d4b438

SHA512
5d5d0d0ee2dc0b20a02deef4cd9247029cf0381d0fb4561e4fe42d983e065652b3f7a495017c2be117f2ea735a5a5531e051d541210d939926dd40a32a45114e

Download Submit
C:\Users\Admin\AppData\Local\Temp\hglrbipi.0.vb

Filesize
271B

MD5
ac972015bef75b540eb33503d6e28cc2

SHA1
5c1d09fcf4c719711532dcfd0544dfc6f2b90260

SHA256
fa445cc76cde3461a5f1f1281fefcb0c7db69b2685f8a67a06a0f33a067e74e7

SHA512
36b2e1f7b7a6f2c60788f88d95bfdc53b7d261c203eb637a36fbd07d81bc46edc87e528f1987df73963cb75ca2f19c3a4b3df9ade52d5768ecec23753099cc83

Download Submit
C:\Users\Admin\AppData\Local\Temp\hglrbipi.cmdline

Filesize
171B

MD5
069727b15aab7bfba61a5b4c61d3ed73

SHA1
474f594614130e55efe76249c867a3e058ba9e52

SHA256
e907500a185be885fded63e60697c208596f1f04b97099417548860a481ddf55

SHA512
3939342b2de5e2c8676a0f09f3691439103e879d9441e18624084c2c859026959812b755c268eb02a010304c70215e2427e04012c1de77c71a7a89e356155571

Download Submit
C:\Users\Admin\AppData\Local\Temp\kyrrm-kq.0.vb

Filesize
270B

MD5
658573fde2bebc77c740da7ddaa4634b

SHA1
073da76c50b4033fcfdfb37ba6176afd77b0ea55

SHA256
c07206283d62100d426ba62a81e97bd433966f8b52b5a8dd1451e29a804a1607

SHA512
f93c7f4378be5eca51161d1541d772a34c07884c9d829608c6fa21563df5691920394afe9da1174ad5c13f773a588b186d1d38a9d375a28562eb58ca4a8b8fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\kyrrm-kq.cmdline

Filesize
170B

MD5
5b883313b4f82fc9be6edd3f578a9c11

SHA1
324228716c20c9be4f361542e6951524f11f427f

SHA256
d6c8e1e6e4aa632378d76c526824d436c25a8abb328a8014898680636b1624c4

SHA512
330d8d8af2418fb3a7fc2b0797f29ee57f7feb6c629eea14089cf41e2d3606b8eb015ab1ce5da0dc09b38bfcfc15e7b19bda8168bbfd6a6a721af170d2463f0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\n8bhzkx7.0.vb

Filesize
264B

MD5
5ce3977a153152978fa71f8aa96909e9

SHA1
52af143c553c92afc257f0e0d556908eaa8919cb

SHA256
e07a7bd0c2901d3a349ab55e936b34de2d0abb5f2dc555cc128773b8045d3eed

SHA512
eaee02ceade0211be70a4710b28fdf043d5c540928e2095ead924a44c2edfca8fc6499395d1b7f5deee96394fb5309362fb87e45ee195094ec39d5fa11909d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\n8bhzkx7.cmdline

Filesize
164B

MD5
7bfdc75ea529d8c74638b4034cac88b6

SHA1
51c0b74a4089f4160b177899e15c739002b6bf7e

SHA256
599c3ef2b248946a82cd185f40591ee75a6f7f52b8464d5a6aa321692a8912cc

SHA512
47ea2c85d1738c609b808fbe98e3bcf4543c39fc2eed7d85d9b80f21340f5958c2670b3b9804b62890cef486840dff34f6e338a474d147b997de34baadb2a228

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1B7BDED42BE2419FB828F2F8348963BE.TMP

Filesize
676B

MD5
85c61c03055878407f9433e0cc278eb7

SHA1
15a60f1519aefb81cb63c5993400dd7d31b1202f

SHA256
f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b

SHA512
7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5ECE6151D335454BAC99AD8DC381145.TMP

Filesize
684B

MD5
8135713eeb0cf1521c80ad8f3e7aad22

SHA1
1628969dc6256816b2ab9b1c0163fcff0971c154

SHA256
e14dd88df69dc98be5bedcbc8c43d1e7260b4492899fec24d964000a3b096c7a

SHA512
a0b7210095767b437a668a6b0bcedf42268e80b9184b9910ed67d665fba9f714d06c06bff7b3da63846791d606807d13311946505776a1b891b39058cfb41bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc778E51E2B3024D098E1916D050A43E8F.TMP

Filesize
668B

MD5
3906bddee0286f09007add3cffcaa5d5

SHA1
0e7ec4da19db060ab3c90b19070d39699561aae2

SHA256
0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00

SHA512
0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8E3F94EDBEF49B7A8F1A17EE923AA30.TMP

Filesize
644B

MD5
dac60af34e6b37e2ce48ac2551aee4e7

SHA1
968c21d77c1f80b3e962d928c35893dbc8f12c09

SHA256
2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6

SHA512
1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC4675BCD23144F09934A6AB4A9B2AC4E.TMP

Filesize
684B

MD5
7a707b422baa7ca0bc8883cbe68961e7

SHA1
addf3158670a318c3e8e6fdd6d560244b9e8860e

SHA256
453ad1da51152e3512760bbd206304bf48f9c880f63b6a0726009e2d1371c71c

SHA512
81147c1c4c5859249f4e25d754103f3843416e3d0610ac81ee2ef5e5f50622ea37f0c68eeb7fa404f8a1779dc52af02d2142874e39c212c66fa458e0d62926a9

Download Submit
C:\Windows\System32\MSSCS.exe

Filesize
21KB

MD5
6fe3fb85216045fdf8186429c27458a7

SHA1
ef2c68d0b3edf3def5d90f1525fe87c2142e5710

SHA256
905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550

SHA512
d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c

Download Submit
memory/4868-21-0x000002CA47540000-0x000002CA47562000-memory.dmp

Filesize
136KB

Download
memory/5212-5-0x00007FF822860000-0x00007FF823201000-memory.dmp

Filesize
9.6MB

Download
memory/5212-4-0x000000001BFF0000-0x000000001C052000-memory.dmp

Filesize
392KB

Download
memory/5212-7-0x00007FF822B15000-0x00007FF822B16000-memory.dmp

Filesize
4KB

Download
memory/5212-9-0x00007FF822860000-0x00007FF823201000-memory.dmp

Filesize
9.6MB

Download
memory/5212-6-0x000000001C860000-0x000000001C8FC000-memory.dmp

Filesize
624KB

Download
memory/5212-2-0x000000001B9B0000-0x000000001BE7E000-memory.dmp

Filesize
4.8MB

Download
memory/5212-0-0x00007FF822B15000-0x00007FF822B16000-memory.dmp

Filesize
4KB

Download
memory/5212-1-0x00007FF822860000-0x00007FF823201000-memory.dmp

Filesize
9.6MB

Download
memory/5212-15-0x00007FF822860000-0x00007FF823201000-memory.dmp

Filesize
9.6MB

Download
memory/5212-3-0x000000001BE80000-0x000000001BF26000-memory.dmp

Filesize
664KB

Download
memory/5212-8-0x00007FF822860000-0x00007FF823201000-memory.dmp

Filesize
9.6MB

Download
memory/5944-16-0x00007FF822860000-0x00007FF823201000-memory.dmp

Filesize
9.6MB

Download
memory/5944-14-0x00007FF822860000-0x00007FF823201000-memory.dmp

Filesize
9.6MB

Download
memory/5944-13-0x00007FF822860000-0x00007FF823201000-memory.dmp

Filesize
9.6MB

Download
memory/5944-11-0x00007FF822860000-0x00007FF823201000-memory.dmp

Filesize
9.6MB

Download