Analysis

  • max time kernel
    143s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250502-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/05/2025, 03:41

General

  • Target

    905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe

  • Size

    21KB

  • MD5

    6fe3fb85216045fdf8186429c27458a7

  • SHA1

    ef2c68d0b3edf3def5d90f1525fe87c2142e5710

  • SHA256

    905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550

  • SHA512

    d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c

  • SSDEEP

    384:nPD9On5gIdjbvRPJnMacNj6FIlKrZbJsV5reQ+ys:b9On2nV6FIlKr1

Malware Config

Signatures

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

  • Revengerat family
  • RevengeRat Executable 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Drops file in System32 directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
    "C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3052
    • C:\Windows\system32\MSSCS.exe
      "C:\Windows\system32\MSSCS.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4984
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -ExecutionPolicy Bypass -Command [System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms'); [System.Windows.Forms.MessageBox]::Show('Isto abriu lol','Rekt!',0,64)
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4672
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\j3xe1fai.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:760
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD00D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc359C48F898974FD3AB49ED5222D98554.TMP"
          4⤵
            PID:2240
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
          "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pvillewb.cmdline"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4876
          • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD0B9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7A27352CD4B43D8A41A2EE9EF91183.TMP"
            4⤵
              PID:3672
          • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
            "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\u_ssn5t2.cmdline"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2756
            • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD164.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1E8C8089606F4FCEB01AB87E5C2340.TMP"
              4⤵
                PID:2788
            • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
              "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cquam7s_.cmdline"
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:3828
              • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
                C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD1E1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc246842FBCA8D49029BADFC6E29DF36A.TMP"
                4⤵
                  PID:6020
              • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
                "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qo19_q1u.cmdline"
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:5368
                • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
                  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD25E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC24B2B0528F9417CBB768791EC36FB93.TMP"
                  4⤵
                    PID:1620
                • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
                  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dfxok2vn.cmdline"
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:5744
                  • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
                    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD2AD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB2011EBC4A7243B1AB1BB2A05312D6BA.TMP"
                    4⤵
                      PID:1296
                  • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
                    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\btowih2x.cmdline"
                    3⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2020
                    • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
                      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD30A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc94C4EC7C2F1C4534BF18D426A07C48CC.TMP"
                      4⤵
                        PID:5196
                    • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
                      "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\alyrkeml.cmdline"
                      3⤵
                      • Suspicious use of WriteProcessMemory
                      PID:6008
                      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
                        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD368.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA07E5B3AA2F24602B1912A7DDEDC924.TMP"
                        4⤵
                          PID:1884
                      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
                        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\znhvnkzi.cmdline"
                        3⤵
                        • Suspicious use of WriteProcessMemory
                        PID:4132
                        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
                          C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD3B6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3C6791B4B99C477CABB6E019FA718C3.TMP"
                          4⤵
                            PID:4468

                    Network

                          MITRE ATT&CK Enterprise v16

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Users\Admin\AppData\Local\Temp\RESD00D.tmp

                            Filesize

                            1KB

                            MD5

                            4ff72c238f084fbaa2279db83849a383

                            SHA1

                            abf84f1c14aad119c1e9c5e3156180aa91a62760

                            SHA256

                            3f5a3984834a62b2e6ca7e043c67c0f6aca0263d52e2ba4ceddda8130bc52dea

                            SHA512

                            a4e217f04c785a0f7bedbc4eca3ac2ac1f56332ebe56d6696a980914be5edfa6f820ac3a991c65eb6605b66bfef40113da711650e8cf63de46cf674d52131ac7

                          • C:\Users\Admin\AppData\Local\Temp\RESD0B9.tmp

                            Filesize

                            1KB

                            MD5

                            c37d6d2302772c7bce6c3a68f9e3c1d7

                            SHA1

                            66ad3f6e209553c655b84d20c608533e600ea31c

                            SHA256

                            d9333efaf010bf4740c414926c172ef78ceb33641b62f26cb25478b53a7094bb

                            SHA512

                            e76868858aa786b931aa870d398f3f8642298b3aae43045f1c9323837e6fa2bd8ea4187c0ccca2777d905775c9de789427879ced58ea8c131e953689654c5184

                          • C:\Users\Admin\AppData\Local\Temp\RESD164.tmp

                            Filesize

                            1KB

                            MD5

                            584752d67cf510b4d9bfe8f82e151769

                            SHA1

                            078b236d5bd64228433dfdff853e6d6ed2a1e119

                            SHA256

                            05801a9114f347dc0a0e760d403d3bd233955577e25d8a09df3a247a8ce795c2

                            SHA512

                            f1b044393ae7e612c472319c763497f738edeea5b841b1b70124a2674279ba52afbedf61d829c7198730ce1d38c3ef7a0a86273592df5fa8db8865058e209b99

                          • C:\Users\Admin\AppData\Local\Temp\RESD1E1.tmp

                            Filesize

                            1KB

                            MD5

                            1e4f625e8d85bea596cc57f656490c99

                            SHA1

                            3f75b670a827c3824c137da2eb916b921ca97a5c

                            SHA256

                            adf15118b327a3e6d1b879b891c1f94cc0279203be60a7400bc5c5ffdf0fc4ef

                            SHA512

                            38d88c772430f7920bb83a41be491f0c131b51a3f450a0bec104c481aa27b2660afceb276ca969bebf7b70a495afd5e5e4306bc02e11f21fccee27b7d93cde3a

                          • C:\Users\Admin\AppData\Local\Temp\RESD25E.tmp

                            Filesize

                            1KB

                            MD5

                            f84a585231a4143e7c0b72dc6223f14a

                            SHA1

                            ec85c6d9726edc5bea969f114b419c0ede759040

                            SHA256

                            7bfb74ff69e96dbde7c5e56afce9bb7af70bf20d4ccfb1116b5c96715b78b539

                            SHA512

                            e6a4f5b4722ffa7814599ea8a1a810ebee3254aacbc331234f8cf469640746847eca9d267bb6bd54a84808e19441c36ed98f571c1078ad94814f45866b3587a3

                          • C:\Users\Admin\AppData\Local\Temp\RESD2AD.tmp

                            Filesize

                            1KB

                            MD5

                            60c3f3ee8622156b1353f015fd2c08b0

                            SHA1

                            ac2d20e59a2157a286f72178a3c121c39c9145ab

                            SHA256

                            0885aac99991f5995f9a5b2ad243db69a87f7e44a012c6f29bdb9c055605c46e

                            SHA512

                            4ead0ada5b5faad5cdb0bf2075a1097d718a49e68229b7598248fe4fad2995bd2dbabebe118289e4f191c8fbfd03515c48029616d36a4bc289e3079af5b25c65

                          • C:\Users\Admin\AppData\Local\Temp\RESD30A.tmp

                            Filesize

                            1KB

                            MD5

                            4b27a202b5837e1bb5afe47f7bdb5e29

                            SHA1

                            b116d3a530c8aa47f528cede21795ade1659b19d

                            SHA256

                            9a3fa0ec7b06926e62ea7c8fa3248adfcf662760e1a78a25c2704f6b8c57de17

                            SHA512

                            7e1e31cc4e72e30a0c41f9e9b77fe8a7da3bd34317231413ec349482529cefa392274aed1f37389fc4631c2cc8798d1096b55490712225079a935cfc548da409

                          • C:\Users\Admin\AppData\Local\Temp\RESD368.tmp

                            Filesize

                            1KB

                            MD5

                            3b131ca21f29daf4f8f01775597dc18a

                            SHA1

                            a3678d025bd32745a1e06e8d47d9e0d057ad2738

                            SHA256

                            9ee2f1e5b0ff8da86c65463a9587d4bf3fb8975402238b25698b9d87da4f50fd

                            SHA512

                            8b1757caa465cb04c0a1fbb4954f35536d245ca6faf4cef45e068cd3bc36b9c6bfe34d45cba36e99ffdfd1f107d6d85f7d8349ed1deba2f7adaaf0027ca65269

                          • C:\Users\Admin\AppData\Local\Temp\RESD3B6.tmp

                            Filesize

                            1KB

                            MD5

                            2b736c01f8962ab4e164ce9f61a0f7a9

                            SHA1

                            0e6ab21698c3f4f8d03bc675a0080e91d8c743f0

                            SHA256

                            84b42d4ae27a4e27a39120c8518ad40e754694b3fbd612e5a1a67fbd0093e80f

                            SHA512

                            72d28ad9cfcbe125f6ae0194191b35c74efebe6c1ee976215fae9bbb61d2912583b82c8b5f6df5efef7ebb6064ea6040182355a850f284b2393a89d61727cf58

                          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_o3mryen1.zq2.ps1

                            Filesize

                            60B

                            MD5

                            d17fe0a3f47be24a6453e9ef58c94641

                            SHA1

                            6ab83620379fc69f80c0242105ddffd7d98d5d9d

                            SHA256

                            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                            SHA512

                            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                          • C:\Users\Admin\AppData\Local\Temp\alyrkeml.0.vb

                            Filesize

                            270B

                            MD5

                            658573fde2bebc77c740da7ddaa4634b

                            SHA1

                            073da76c50b4033fcfdfb37ba6176afd77b0ea55

                            SHA256

                            c07206283d62100d426ba62a81e97bd433966f8b52b5a8dd1451e29a804a1607

                            SHA512

                            f93c7f4378be5eca51161d1541d772a34c07884c9d829608c6fa21563df5691920394afe9da1174ad5c13f773a588b186d1d38a9d375a28562eb58ca4a8b8fbf

                          • C:\Users\Admin\AppData\Local\Temp\alyrkeml.cmdline

                            Filesize

                            170B

                            MD5

                            e0422fe35c21f6c408bd8740bd0f427f

                            SHA1

                            f878a5601d5db3415b3a4859d0eb8ed66d71b000

                            SHA256

                            97513a17974b5df53cb3ff3244d3eb95ef896b315078c1e028fa72f00cf1c71d

                            SHA512

                            feb52cdbdeed335eabe2ee1f1f084d90ceeefd7547861ff3a103fccfeaa7b9103e6dc1af979a056c7fe3f0c35aec647005043da61e3e0e13ed48b2ddd628e813

                          • C:\Users\Admin\AppData\Local\Temp\btowih2x.0.vb

                            Filesize

                            264B

                            MD5

                            5ce3977a153152978fa71f8aa96909e9

                            SHA1

                            52af143c553c92afc257f0e0d556908eaa8919cb

                            SHA256

                            e07a7bd0c2901d3a349ab55e936b34de2d0abb5f2dc555cc128773b8045d3eed

                            SHA512

                            eaee02ceade0211be70a4710b28fdf043d5c540928e2095ead924a44c2edfca8fc6499395d1b7f5deee96394fb5309362fb87e45ee195094ec39d5fa11909d77

                          • C:\Users\Admin\AppData\Local\Temp\btowih2x.cmdline

                            Filesize

                            164B

                            MD5

                            e5702663b8881456b22996f8f0edee2d

                            SHA1

                            7ae766b5496b98eea562e73a02c52dcd4e242838

                            SHA256

                            d35fa0cbed6bc7706b00d7ae6e00878c1c0a0570c152f9d59c02c6314accdbcf

                            SHA512

                            b1237b31f4cbd90fc9c7f6c77157ab3932b26411eb58a6d96abf0afd49d72896c6ecbd714eea5c5a99f6e8008651686014a68afd8900cb322427e3216af9d356

                          • C:\Users\Admin\AppData\Local\Temp\cquam7s_.0.vb

                            Filesize

                            272B

                            MD5

                            2b3aac520562a93ebef6a5905d4765c9

                            SHA1

                            10ab45c5d73934b16fac5e30bf22f17d3e0810c8

                            SHA256

                            b9f0edf067faaaa7da2d47e3d22b957cd302eb25e01e08ea79c664868f328f89

                            SHA512

                            9514934ed12d93ea3ad4e6873cf294bafa114bc7a784a93b14dd2410d07fae3a2c00308035a5c129c57e283de8b94ed36fd9f9de35b08eb79a82a0c732e50446

                          • C:\Users\Admin\AppData\Local\Temp\cquam7s_.cmdline

                            Filesize

                            172B

                            MD5

                            c9b3bf5c85092e5597d61845d8587097

                            SHA1

                            e202335261414dae59ef4bd390ea2598e1fad270

                            SHA256

                            4b2a590db8f294710e6999c9770136f1cb9fbc62a88d792a2689daeac3ca1f23

                            SHA512

                            d4592c828846328a17f5c381803d60b3e1aec0c735a6ea38609515bddcb52e6c621053db4e1d29af5b21c961e67d49e8befbc9ffed6db70239129fddc6b6b27f

                          • C:\Users\Admin\AppData\Local\Temp\dfxok2vn.0.vb

                            Filesize

                            274B

                            MD5

                            539683c4ca4ee4dc46b412c5651f20f5

                            SHA1

                            564f25837ce382f1534b088cf2ca1b8c4b078aed

                            SHA256

                            ec2210924d5c1af6377ef4bdf76d6ca773aaa1ae0438b0850f44d8c4e16ef92e

                            SHA512

                            df7c1a55e53f9b9bf23d27762d2d1163c78808e9b4d95e98c84c55ca4ecb7009ed58574ae6ddede31459f300483a1dc42987295a04f6c8702f297d3f1942f4ac

                          • C:\Users\Admin\AppData\Local\Temp\dfxok2vn.cmdline

                            Filesize

                            174B

                            MD5

                            2d1a2e3e52717aefdf12eb938812b2c6

                            SHA1

                            2048fb3e9b97ab48c31e9ad7d5e4bfb38a4db06e

                            SHA256

                            c48002e990c4379e4dd78e301b6feeb7cf7a220a7cf34dd16781024e792a3536

                            SHA512

                            21480282a3936bf127cc0d4e4ed3ac981a00085c7bd1e98ebd536a70e4f60059bd77934de268b1ff033dc29c976fc04e90aa5cd30507cdaefead51d9eb610b29

                          • C:\Users\Admin\AppData\Local\Temp\j3xe1fai.0.vb

                            Filesize

                            256B

                            MD5

                            076803692ac8c38d8ee02672a9d49778

                            SHA1

                            45d2287f33f3358661c3d6a884d2a526fc6a0a46

                            SHA256

                            5b3ab23bcadaeb54a41bdb1636bcaf7772af028d375f42baeb967de6579ef2a3

                            SHA512

                            cc9126384a287ccb99d10d5c2d3034cdbc8a45e94f1cec48dd95f2aa08ebbe3053ffd6d6effa31f2d84164edbb6136398cd02c08b05f027a6a777dffd1daea5d

                          • C:\Users\Admin\AppData\Local\Temp\j3xe1fai.cmdline

                            Filesize

                            156B

                            MD5

                            f6e3cc127dbed949e25ee3fa000726df

                            SHA1

                            efe52610492c0b8a3c5c409b091d0f80767c45f5

                            SHA256

                            abb73c1716c9386b09d8d4c3c84ae58c2af00855098f1b42db53902ebecbeab2

                            SHA512

                            0e619ee51064c1812b5c5c9bf9ded2fdbb4b94416bb1ec0052ef9e7b917146262fc1412a668aca807105de1ed7d3c61ef2d54b762b01b21f1dd75e255c598010

                          • C:\Users\Admin\AppData\Local\Temp\pvillewb.0.vb

                            Filesize

                            262B

                            MD5

                            88cc385da858aaa7057b54eaeb0df718

                            SHA1

                            b108224d4686b5ca3faaeb1c728dfba8740a6eca

                            SHA256

                            08a30db98d970e3b6819d5ecff6eab2211ce93f4cd000c09db96ffb294d05020

                            SHA512

                            4787835240c3e2364172ac2e7649ec8fecb907c7006c38734e59aa65509f360b4596d5db8de20e0c7388a022e1c2f4f9ba75acabba798bea1d40f688539b7df7

                          • C:\Users\Admin\AppData\Local\Temp\pvillewb.cmdline

                            Filesize

                            162B

                            MD5

                            927ca390af6ac49586a3d4a3a633cd78

                            SHA1

                            472fbe91842b8f34bf19f52042f6669184247939

                            SHA256

                            69f2dd24d006834c159c7d3665df4c59e02b782cf1ed8aa182894d7e6a06ab44

                            SHA512

                            e9886fc4b8c392568879f3fa8a88547bf2cc879922541c22a22767d7b2d815c1f429c654ab770a45c4dae2df62d15b59c4899f012988cb0953fa1d048523ad44

                          • C:\Users\Admin\AppData\Local\Temp\qo19_q1u.0.vb

                            Filesize

                            271B

                            MD5

                            325f27ef75bebe8b3f80680add1943d3

                            SHA1

                            1c48e211258f8887946afb063e9315b7609b4ee3

                            SHA256

                            034c75813491d628a1a740b45888fc0c301b915456aaa7ba6433b4f1368cda35

                            SHA512

                            e2165b425558872897990953c26e48776f45751a53da035f1ad86ac062ec23a2923b984d84f992de5c0170f6e192feb155ffff25f51bc76ab273b996daacb804

                          • C:\Users\Admin\AppData\Local\Temp\qo19_q1u.cmdline

                            Filesize

                            171B

                            MD5

                            622661626f3697527baeb3297390fb64

                            SHA1

                            e9f9608707691b091574825b01f97f8583be5241

                            SHA256

                            9528480bba0149a6c096aa94b8cc74fb2b896ad6712388345e7e76f451883260

                            SHA512

                            eb7f52dcac35ec3b55785c426fd633d3d71b3ed21b6169e253c389c51652ae3939105813f83e5776fcd9fcc7935c3de21b038e16d9e2533584368e5a2fad57a9

                          • C:\Users\Admin\AppData\Local\Temp\u_ssn5t2.0.vb

                            Filesize

                            271B

                            MD5

                            ac972015bef75b540eb33503d6e28cc2

                            SHA1

                            5c1d09fcf4c719711532dcfd0544dfc6f2b90260

                            SHA256

                            fa445cc76cde3461a5f1f1281fefcb0c7db69b2685f8a67a06a0f33a067e74e7

                            SHA512

                            36b2e1f7b7a6f2c60788f88d95bfdc53b7d261c203eb637a36fbd07d81bc46edc87e528f1987df73963cb75ca2f19c3a4b3df9ade52d5768ecec23753099cc83

                          • C:\Users\Admin\AppData\Local\Temp\u_ssn5t2.cmdline

                            Filesize

                            171B

                            MD5

                            3f24150e07aadcc959b3aa794bd8a478

                            SHA1

                            8a797d63fa382329c7cd1c622baf1ce9304b599e

                            SHA256

                            6846d0753598ce85cc7d58bb3c5efb35246097b0d72e8e8964fb687cbc003a32

                            SHA512

                            7ff144bccc15b80f2060617ffe4e9be3393f17fa3f3220d6c02aadb71abc57285b200273f6078fc4c5992bc210fcc14e38534b684b83fd2deff500411ed91773

                          • C:\Users\Admin\AppData\Local\Temp\vbc246842FBCA8D49029BADFC6E29DF36A.TMP

                            Filesize

                            676B

                            MD5

                            85c61c03055878407f9433e0cc278eb7

                            SHA1

                            15a60f1519aefb81cb63c5993400dd7d31b1202f

                            SHA256

                            f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b

                            SHA512

                            7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

                          • C:\Users\Admin\AppData\Local\Temp\vbc359C48F898974FD3AB49ED5222D98554.TMP

                            Filesize

                            644B

                            MD5

                            dac60af34e6b37e2ce48ac2551aee4e7

                            SHA1

                            968c21d77c1f80b3e962d928c35893dbc8f12c09

                            SHA256

                            2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6

                            SHA512

                            1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

                          • C:\Users\Admin\AppData\Local\Temp\vbc3C6791B4B99C477CABB6E019FA718C3.TMP

                            Filesize

                            684B

                            MD5

                            7a707b422baa7ca0bc8883cbe68961e7

                            SHA1

                            addf3158670a318c3e8e6fdd6d560244b9e8860e

                            SHA256

                            453ad1da51152e3512760bbd206304bf48f9c880f63b6a0726009e2d1371c71c

                            SHA512

                            81147c1c4c5859249f4e25d754103f3843416e3d0610ac81ee2ef5e5f50622ea37f0c68eeb7fa404f8a1779dc52af02d2142874e39c212c66fa458e0d62926a9

                          • C:\Users\Admin\AppData\Local\Temp\vbc7A27352CD4B43D8A41A2EE9EF91183.TMP

                            Filesize

                            668B

                            MD5

                            3906bddee0286f09007add3cffcaa5d5

                            SHA1

                            0e7ec4da19db060ab3c90b19070d39699561aae2

                            SHA256

                            0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00

                            SHA512

                            0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

                          • C:\Users\Admin\AppData\Local\Temp\vbcB2011EBC4A7243B1AB1BB2A05312D6BA.TMP

                            Filesize

                            684B

                            MD5

                            8135713eeb0cf1521c80ad8f3e7aad22

                            SHA1

                            1628969dc6256816b2ab9b1c0163fcff0971c154

                            SHA256

                            e14dd88df69dc98be5bedcbc8c43d1e7260b4492899fec24d964000a3b096c7a

                            SHA512

                            a0b7210095767b437a668a6b0bcedf42268e80b9184b9910ed67d665fba9f714d06c06bff7b3da63846791d606807d13311946505776a1b891b39058cfb41bd4

                          • C:\Users\Admin\AppData\Local\Temp\znhvnkzi.0.vb

                            Filesize

                            273B

                            MD5

                            3c3d3136aa9f1b87290839a1d26ad07a

                            SHA1

                            005a23a138be5d7a98bdd4a6cc7fab8bdca962f4

                            SHA256

                            5b745f85a39312bfa585edbd7e3465371578b42fa639eded4cdad8c9f96b87fd

                            SHA512

                            fbb085ffcd77ac96c245067fd96a0c20492d55331161f292975b0c11386424a96534a500133217f84d44455e16139d01230455bce5db3d472271620c29381f60

                          • C:\Users\Admin\AppData\Local\Temp\znhvnkzi.cmdline

                            Filesize

                            173B

                            MD5

                            37f54daca34212388e5d825e9c22909e

                            SHA1

                            1702db3e0b20db4d3f4b73523313a0bb0f6e38cc

                            SHA256

                            6879de88b1d64cf1db528dd5a7cb3b4edde166f361764b83767de5f6128f1ba0

                            SHA512

                            7d5d5c2dc5da0eb87547cdc81e008deeacefd27ea10e0696b16826ffba2fdd64941c051dcf51a96e2ee1eea931cb37830dd488984d4ad294017aa6da70c401b0

                          • C:\Windows\System32\MSSCS.exe

                            Filesize

                            21KB

                            MD5

                            6fe3fb85216045fdf8186429c27458a7

                            SHA1

                            ef2c68d0b3edf3def5d90f1525fe87c2142e5710

                            SHA256

                            905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550

                            SHA512

                            d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c

                          • memory/3052-0-0x00007FF8AC1C5000-0x00007FF8AC1C6000-memory.dmp

                            Filesize

                            4KB

                          • memory/3052-5-0x000000001C010000-0x000000001C072000-memory.dmp

                            Filesize

                            392KB

                          • memory/3052-1-0x000000001BA70000-0x000000001BF3E000-memory.dmp

                            Filesize

                            4.8MB

                          • memory/3052-21-0x00007FF8ABF10000-0x00007FF8AC8B1000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/3052-8-0x00007FF8AC1C5000-0x00007FF8AC1C6000-memory.dmp

                            Filesize

                            4KB

                          • memory/3052-7-0x00007FF8ABF10000-0x00007FF8AC8B1000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/3052-6-0x000000001C810000-0x000000001C8AC000-memory.dmp

                            Filesize

                            624KB

                          • memory/3052-9-0x00007FF8ABF10000-0x00007FF8AC8B1000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/3052-4-0x00007FF8ABF10000-0x00007FF8AC8B1000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/3052-3-0x000000001B480000-0x000000001B526000-memory.dmp

                            Filesize

                            664KB

                          • memory/3052-2-0x00007FF8ABF10000-0x00007FF8AC8B1000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/4672-32-0x000001A3A7850000-0x000001A3A7872000-memory.dmp

                            Filesize

                            136KB

                          • memory/4984-19-0x00007FF8ABF10000-0x00007FF8AC8B1000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/4984-20-0x00007FF8ABF10000-0x00007FF8AC8B1000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/4984-22-0x00007FF8ABF10000-0x00007FF8AC8B1000-memory.dmp

                            Filesize

                            9.6MB