Analysis

  • max time kernel
    143s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/05/2025, 05:21

General

  • Target

    905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe

  • Size

    21KB

  • MD5

    6fe3fb85216045fdf8186429c27458a7

  • SHA1

    ef2c68d0b3edf3def5d90f1525fe87c2142e5710

  • SHA256

    905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550

  • SHA512

    d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c

  • SSDEEP

    384:nPD9On5gIdjbvRPJnMacNj6FIlKrZbJsV5reQ+ys:b9On2nV6FIlKr1

Malware Config

Signatures

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

  • Revengerat family
  • RevengeRat Executable 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs

    Invokes vbc.exe, the Visual Basic .NET command-line compiler (not VBScript), to compile code at runtime.
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs a command through powershell.exe.

  • Drops file in System32 directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
    "C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2712
    • C:\Windows\system32\MSSCS.exe
      "C:\Windows\system32\MSSCS.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1016
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -ExecutionPolicy Bypass -Command [System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms'); [System.Windows.Forms.MessageBox]::Show('Isto abriu lol','Rekt!',0,64)
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1324
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\krpwcn4t.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1628
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB34D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7F37443CB80743868C3CE86C4A5ACAD1.TMP"
          4⤵
          PID:2948
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0zrem5ll.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2400
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB3DA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc41C9763B19A4372BCB69F5FDF62CDA.TMP"
          4⤵
          PID:2592
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bbtetmp4.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1516
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB486.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcADFC9675A0C94B1FA62369D8466D310.TMP"
          4⤵
          PID:2556
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\b8b3tfms.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4816
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB503.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDD7ADBC052024355B0D9800908DCC95.TMP"
          4⤵
          PID:2860
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\puzpdy4f.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3048
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB5AF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc40501BDCA30545308ECED9AA43F45CD.TMP"
          4⤵
          PID:2868
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ynnxqemf.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4544
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB60C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6E578F3163C2461BBBCB460C6CA7AC.TMP"
          4⤵
          PID:2164
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\grju_kr9.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2776
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB699.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5B61EF7BBA0947D89A8B213C803587D2.TMP"
          4⤵
          PID:5112
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\v5v8cujd.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:632
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB716.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8A15AACE2D634A4883D7C61AB94D9286.TMP"
          4⤵
          PID:1488
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ytvkwqpz.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4696
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB774.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAAD29AB9A4DB4DCB98E6A4CD1B1C78B5.TMP"
          4⤵
          PID:4580
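The process tree above contains three behaviours worth a detection rule: the submitted sample writes MSSCS.exe into System32 and then executes it, MSSCS.exe drives vbc.exe with /noconfig and a @*.cmdline response file (the .NET CodeDOM runtime-compilation pattern, each run followed by a cvtres.exe child), and it launches powershell.exe with -ExecutionPolicy Bypass (here the script only shows a message box reading "Isto abriu lol", Portuguese for "This opened lol", so the launch pattern rather than the payload is the signal). The following is an added example, not part of the sandbox report: it replays the tree as constructed Sysmon-style events (EID 1 process create, EID 11 file create, field names as Sysmon emits them) and runs the three rules over them. The root's parent (explorer.exe, ppid 4) and the allow-lists of legitimate compiler drivers and interactive shells are assumptions, not something the report states.

```python
"""Detection over a constructed process tree modelled on the sandbox report."""
import re
from collections import defaultdict

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe"
MSSCS = r"C:\Windows\system32\MSSCS.exe"
NET20 = r"C:\Windows\Microsoft.NET\Framework64\v2.0.50727"
VBC, CVTRES = NET20 + r"\vbc.exe", NET20 + r"\cvtres.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PS_CMD = ("powershell -ExecutionPolicy Bypass -Command [System.Reflection.Assembly]"
          "::LoadWithPartialName('System.Windows.Forms'); "
          "[System.Windows.Forms.MessageBox]::Show('Isto abriu lol','Rekt!',0,64)")

# Constructed events (PIDs and command lines from the report; the root's parent
# explorer.exe / ppid 4 is an assumption about the sandbox launcher).
EVENTS = [
    {"eid": 1, "pid": 2712, "ppid": 4, "Image": SAMPLE,
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": '"' + SAMPLE + '"'},
    {"eid": 11, "pid": 2712, "Image": SAMPLE, "TargetFilename": MSSCS},
    {"eid": 1, "pid": 1016, "ppid": 2712, "Image": MSSCS, "ParentImage": SAMPLE,
     "CommandLine": '"' + MSSCS + '"'},
    {"eid": 1, "pid": 1324, "ppid": 1016, "Image": PS, "ParentImage": MSSCS,
     "CommandLine": PS_CMD},
    {"eid": 1, "pid": 1628, "ppid": 1016, "Image": VBC, "ParentImage": MSSCS,
     "CommandLine": '"' + VBC + '" /noconfig @"' + TEMP + r'\krpwcn4t.cmdline"'},
    {"eid": 1, "pid": 2948, "ppid": 1628, "Image": CVTRES, "ParentImage": VBC,
     "CommandLine": CVTRES + ' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:' + TEMP
                    + r'\RESB34D.tmp" "' + TEMP + r'\vbc7F37443CB80743868C3CE86C4A5ACAD1.TMP"'},
]

COMPILERS = {"vbc.exe", "csc.exe"}
DEV_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe"}            # assumption
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe"}  # assumption
RESPONSE_FILE = re.compile(r'@"?[^"\s]*\.cmdline', re.I)
EP_BYPASS = re.compile(r"-e\w*\s+bypass", re.I)   # -ExecutionPolicy / -ep / -exec Bypass


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (alerts, procs): alerts are (rule, pid, detail); procs is keyed by pid."""
    written = defaultdict(set)   # pid -> lower-cased paths that process created
    procs, alerts = {}, []
    for e in events:
        if e["eid"] == 11:
            written[e["pid"]].add(e["TargetFilename"].lower())
            continue
        procs[e["pid"]] = e
        img, parent, cmd = basename(e["Image"]), basename(e["ParentImage"]), e["CommandLine"]
        # "Executes dropped EXE": the image was written by the parent process.
        if e["Image"].lower() in written[e["ppid"]]:
            alerts.append(("executes_dropped_exe", e["pid"], e["Image"]))
        # powershell.exe with the execution policy bypassed, from a non-interactive parent.
        if img == "powershell.exe" and EP_BYPASS.search(cmd) and parent not in INTERACTIVE_PARENTS:
            alerts.append(("powershell_execpolicy_bypass", e["pid"], parent))
        # Runtime compilation: vbc/csc with /noconfig and a @response file, not from a dev tool.
        if (img in COMPILERS and "/noconfig" in cmd.lower()
                and RESPONSE_FILE.search(cmd) and parent not in DEV_PARENTS):
            alerts.append(("runtime_compilation", e["pid"], parent))
    return alerts, procs


def ancestry(procs, pid):
    """Image names from pid up to the root, e.g. cvtres -> vbc -> MSSCS -> sample."""
    chain = []
    while pid in procs:
        chain.append(basename(procs[pid]["Image"]))
        pid = procs[pid]["ppid"]
    return chain


if __name__ == "__main__":
    found, tree = detect(EVENTS)
    for rule, pid, detail in found:
        print(f"{rule:30} pid={pid:<5} {' <- '.join(ancestry(tree, pid))}")
```

The rules deliberately key on the parent: vbc.exe and powershell.exe are legitimate on almost every host, and what makes this tree suspicious is that both are children of a freshly dropped, unsigned-looking binary in System32 rather than of a development tool or an interactive shell.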

Network

MITRE ATT&CK Enterprise v16

Downloads

  • C:\Users\Admin\AppData\Local\Temp\0zrem5ll.0.vb
    Filesize  262B
    MD5       88cc385da858aaa7057b54eaeb0df718
    SHA1      b108224d4686b5ca3faaeb1c728dfba8740a6eca
    SHA256    08a30db98d970e3b6819d5ecff6eab2211ce93f4cd000c09db96ffb294d05020
    SHA512    4787835240c3e2364172ac2e7649ec8fecb907c7006c38734e59aa65509f360b4596d5db8de20e0c7388a022e1c2f4f9ba75acabba798bea1d40f688539b7df7

  • C:\Users\Admin\AppData\Local\Temp\0zrem5ll.cmdline
    Filesize  162B
    MD5       0e9b38c5a44f27932c0e60103d472677
    SHA1      184a45da342f19fc18fdb4eb404099eeeaf427e0
    SHA256    3d4ac9773060f6295b76e01d2a794ca21e6a2e2a6ab851069225ef3fe6ff8361
    SHA512    a10845de230f98284b95a669f085ed5d859dc3f5ca0e0586fe0019cb60db58e9bdc520456d14df5cc624e8196efdbc1fc658ac4624ac36bc14184f73b7c0f66b

  • C:\Users\Admin\AppData\Local\Temp\RESB34D.tmp
    Filesize  1KB
    MD5       50b875fd9a77ef109149f9a91567958e
    SHA1      37534ef8b5b6c1b7135f17e3064be697c555b660
    SHA256    bf1375caa5d3d7705176f9256676853aaa137b63ae26f2e71ca337f6d78b1158
    SHA512    168dacedac209359f29b6659dcebb63de3c01d27fe92bd81c6c54c75257be6f6ca01e377801d3751e4bcc6c32fac182a31ac2928790c43684da6a92b9c5070e8

  • C:\Users\Admin\AppData\Local\Temp\RESB3DA.tmp
    Filesize  1KB
    MD5       9826053f71aaa2f3864e7d8156d62c73
    SHA1      fb8e4aa055229213d2dd3b07b8b5360d8307abee
    SHA256    2f85a9124a312d48a62297769df31e647eda56939149de847dbb330b6c45d419
    SHA512    8622c8048d9aa0fd9c7202b1a84378ad5f04c73b40d15ac0cbd468a556e03ff835b634a2ee653c299db415363778a3311373f469b38bf01fe641e637b30d3e98

  • C:\Users\Admin\AppData\Local\Temp\RESB486.tmp
    Filesize  1KB
    MD5       5ed4e454bd007133d957b7bac6365275
    SHA1      d5aeb23ed453b31bc629bd3e2f240a1e2022de6e
    SHA256    d24ae0f4a1e138a25dc6d1ec3bc30159cbeb087d2de4987788e51998d34ec19d
    SHA512    519c50e25d18b929fbd792583dcd0042ab2044ba0034ba543840e6eb62ce19220e345c2edefc291a2cedac86dd92c4c25e758c08fb05c767b3851332687d7df6

  • C:\Users\Admin\AppData\Local\Temp\RESB503.tmp
    Filesize  1KB
    MD5       e292903d56f1ff7f4a94a98cc34bb3c6
    SHA1      6776543ad3a40df85b399cd40727660447f50b1b
    SHA256    07c0f431f780b932662e171c44cd4a7d81353256ce2dcce491aa59dedaed2ebb
    SHA512    6ce6b06a870a90854b4020fb65ece541c4243439dd1d8a12b44228a923eec14d776fbcb44c2fca9a15d2c281244deb8537148c444f178a96cf183ae9530bd996

  • C:\Users\Admin\AppData\Local\Temp\RESB5AF.tmp
    Filesize  1KB
    MD5       c692551e1bdd1740fa099a0f1be84c9c
    SHA1      a42439f5ea6dfa89cfb6d63b5e87991fe7a3e9ab
    SHA256    cfdf446bbe7f30f05a1f68203470d17271a032a444c6917086ec90cd6bafe588
    SHA512    98754dcaf95340af79a3909f6e1195ad958f7d03a649aebbecb1b74e0ddc17660bbf8a10e0ef0e224338178a14a23c5c4e70fe926c53006e46d508592d0ca21c

  • C:\Users\Admin\AppData\Local\Temp\RESB60C.tmp
    Filesize  1KB
    MD5       ba10f8f9b3d8d39229208f0435f8c46e
    SHA1      00c51ec29967bec69ead32ba3f0ef7c74853e074
    SHA256    c7eb203086b8ebda0db96138a70988d7bb3b02aacb15b812f78b660ad1884db5
    SHA512    da3d8167032406dd7c77f233d91d4d60afeab86ebf3e4a219ad89cb9751551aca6afd7b8180ee39e1962fe15a5e7fc1c7515460095e7ebf516eb0f168cd52c16

  • C:\Users\Admin\AppData\Local\Temp\RESB699.tmp
    Filesize  1KB
    MD5       1860047feff150c1ac408fcb9f254fd9
    SHA1      f9464274557735792b8721efdc1b959556cfc2ed
    SHA256    3ae7fd2d62632ef068af400996ff58dc3eb0711a98d816b8b9e88347ed1c8544
    SHA512    99cbdc5abb4ad8f96177cd1065b30a246609e32526b2b57d2454d1cfa4211681c81f84344c51a95af5b35fe8ef2b02d58a482a581069f942b0e1c89cb1575fd6

  • C:\Users\Admin\AppData\Local\Temp\RESB716.tmp
    Filesize  1KB
    MD5       2c87d10e512dd8d1bae5503168481911
    SHA1      02e49ed35624aaf316808711118febb71e58aff0
    SHA256    424f46e1172fa925979df5014619e3de40c05d1f1850dbfb8e07f009dfdc1f12
    SHA512    abcc6592bc215cb6a83f1fdd3a21281c6bdb7087eec95717d424f666f368a5c9997af0ad5e3b1a22e577337ca9313e244c3344104c7c81e4286f983f22e91739

  • C:\Users\Admin\AppData\Local\Temp\RESB774.tmp
    Filesize  1KB
    MD5       0b36ab90f7b0994e2c0b573c95be8095
    SHA1      edc5808938f5755619ebd106b48d52fc4d9b6638
    SHA256    ee1167e3486f14e52a5188bba85f6f26253450a6630146a3f8487acd291d2a9b
    SHA512    8f8644b6558b9f47231ee855fcd6eeb55cebcab75ec1ecc9020b7ccd36f04a2175f3f72386d6b878a673a728cd4be5b8de62dbfc3c3e055bec6caca253a1a8b1

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3w0guzou.2hh.ps1
    Filesize  60B
    MD5       d17fe0a3f47be24a6453e9ef58c94641
    SHA1      6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Local\Temp\b8b3tfms.0.vb
    Filesize  272B
    MD5       2b3aac520562a93ebef6a5905d4765c9
    SHA1      10ab45c5d73934b16fac5e30bf22f17d3e0810c8
    SHA256    b9f0edf067faaaa7da2d47e3d22b957cd302eb25e01e08ea79c664868f328f89
    SHA512    9514934ed12d93ea3ad4e6873cf294bafa114bc7a784a93b14dd2410d07fae3a2c00308035a5c129c57e283de8b94ed36fd9f9de35b08eb79a82a0c732e50446

  • C:\Users\Admin\AppData\Local\Temp\b8b3tfms.cmdline
    Filesize  172B
    MD5       4dcc795efb4469dfdfd153755b21bea8
    SHA1      db4d90fbdb9e15fd79c49e2893176ae9b7ec2c2e
    SHA256    934bd0e8aa993c7afcb9dc428fb6aacce5190935d7b1f66b48e010b1e847c323
    SHA512    51c3c2844280f20f4bf93900ed6845b04ff45b302b954f09e2d351ca036a7dfd653ce2ff27ae0d57525303b3e502d52c62ed4b0f7d76c014b3032b8133485e53

  • C:\Users\Admin\AppData\Local\Temp\bbtetmp4.0.vb
    Filesize  271B
    MD5       ac972015bef75b540eb33503d6e28cc2
    SHA1      5c1d09fcf4c719711532dcfd0544dfc6f2b90260
    SHA256    fa445cc76cde3461a5f1f1281fefcb0c7db69b2685f8a67a06a0f33a067e74e7
    SHA512    36b2e1f7b7a6f2c60788f88d95bfdc53b7d261c203eb637a36fbd07d81bc46edc87e528f1987df73963cb75ca2f19c3a4b3df9ade52d5768ecec23753099cc83

  • C:\Users\Admin\AppData\Local\Temp\bbtetmp4.cmdline
    Filesize  171B
    MD5       3ee91afd604dcfbdda90c66f67db682a
    SHA1      3238db2b820cc1cb03dc68eec60303f6e09e3f86
    SHA256    d4a90ac84ea1c9a2daf87cae7607bc608e30966105f6e6951ef0e82a3c826863
    SHA512    e04a462a53dda27bf81bcaa73e9f8ea3c6339c9e8ce5b7f8f7689836fd5ac3007ff7986f688111e9054383320134ef25ec8a2b780528a5c65de7109e7c32d310

  • C:\Users\Admin\AppData\Local\Temp\grju_kr9.0.vb
    Filesize  264B
    MD5       5ce3977a153152978fa71f8aa96909e9
    SHA1      52af143c553c92afc257f0e0d556908eaa8919cb
    SHA256    e07a7bd0c2901d3a349ab55e936b34de2d0abb5f2dc555cc128773b8045d3eed
    SHA512    eaee02ceade0211be70a4710b28fdf043d5c540928e2095ead924a44c2edfca8fc6499395d1b7f5deee96394fb5309362fb87e45ee195094ec39d5fa11909d77

  • C:\Users\Admin\AppData\Local\Temp\grju_kr9.cmdline
    Filesize  164B
    MD5       4eebf485b2a0aac53feabe77847da0e5
    SHA1      3229dd767eec96ce1835603eac7eaea9f95e26db
    SHA256    45bf6fce8fdd477b6606155731ba87fe007a0a67e165c599c390ace8fac5852f
    SHA512    f315041690fe29375604236c5cc1892ae54e0ecc4b8d00e1d8bb05cb33166f728229f3512e28a1e88a60111bd1e5fa27ddca8426979fd0b2872b8ddca734bb7a

  • C:\Users\Admin\AppData\Local\Temp\krpwcn4t.0.vb
    Filesize  256B
    MD5       076803692ac8c38d8ee02672a9d49778
    SHA1      45d2287f33f3358661c3d6a884d2a526fc6a0a46
    SHA256    5b3ab23bcadaeb54a41bdb1636bcaf7772af028d375f42baeb967de6579ef2a3
    SHA512    cc9126384a287ccb99d10d5c2d3034cdbc8a45e94f1cec48dd95f2aa08ebbe3053ffd6d6effa31f2d84164edbb6136398cd02c08b05f027a6a777dffd1daea5d

  • C:\Users\Admin\AppData\Local\Temp\krpwcn4t.cmdline
    Filesize  156B
    MD5       8e419bc1a1f8a2c76b8550d038174ebe
    SHA1      ec57f8d28e68fc24422ebd8afcd7d1e0c8984d8a
    SHA256    81c6e81e0566cc4f9351ab69db18a32347bb8fed7ef15a977f86cc869fa0ace2
    SHA512    57e8353f1d6ae4705521b6cbed653673bbd8ad24716b47521a02938f80023967d3269bc5239d8b0a62344812359db6a5761b9be72f4a7e945d7942366d912347

  • C:\Users\Admin\AppData\Local\Temp\puzpdy4f.0.vb
    Filesize  271B
    MD5       325f27ef75bebe8b3f80680add1943d3
    SHA1      1c48e211258f8887946afb063e9315b7609b4ee3
    SHA256    034c75813491d628a1a740b45888fc0c301b915456aaa7ba6433b4f1368cda35
    SHA512    e2165b425558872897990953c26e48776f45751a53da035f1ad86ac062ec23a2923b984d84f992de5c0170f6e192feb155ffff25f51bc76ab273b996daacb804

  • C:\Users\Admin\AppData\Local\Temp\puzpdy4f.cmdline
    Filesize  171B
    MD5       37852584d0038a3439e57648b5ba704e
    SHA1      843de2cee088c3657b535ac4b81b9caf28b38007
    SHA256    d81f984e2b1e9f90e31ce7aa46b98a2b6201f098233a6c8ff1a956bf362a1e47
    SHA512    2997f2fa6351c3d18bef47d8baa933a62824820d1f1a087de4c227ce66447a445debe29be1db52b7000663068ae03f327c324c6d5390bc8f82691ea4a5c9b22d

  • C:\Users\Admin\AppData\Local\Temp\v5v8cujd.0.vb
    Filesize  270B
    MD5       658573fde2bebc77c740da7ddaa4634b
    SHA1      073da76c50b4033fcfdfb37ba6176afd77b0ea55
    SHA256    c07206283d62100d426ba62a81e97bd433966f8b52b5a8dd1451e29a804a1607
    SHA512    f93c7f4378be5eca51161d1541d772a34c07884c9d829608c6fa21563df5691920394afe9da1174ad5c13f773a588b186d1d38a9d375a28562eb58ca4a8b8fbf

  • C:\Users\Admin\AppData\Local\Temp\v5v8cujd.cmdline
    Filesize  170B
    MD5       19ec7d954e3d77b7f34c633651cb4e18
    SHA1      dd6623f69d85b641de176eb7edfdc37cfa30dde5
    SHA256    f548b54384665f6c8865f26e4d79b25648e015683ba8ca5aa06150495576295e
    SHA512    cdac86db9c20dac8e59768fdf547a29442ed6127bad42e5a43605cdd716585d9185141375dbefc1e93560d32a89d4f57632862d91f559d9c5fad05a3ee93651e

  • C:\Users\Admin\AppData\Local\Temp\vbc41C9763B19A4372BCB69F5FDF62CDA.TMP
    Filesize  668B
    MD5       3906bddee0286f09007add3cffcaa5d5
    SHA1      0e7ec4da19db060ab3c90b19070d39699561aae2
    SHA256    0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00
    SHA512    0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

  • C:\Users\Admin\AppData\Local\Temp\vbc6E578F3163C2461BBBCB460C6CA7AC.TMP
    Filesize  684B
    MD5       8135713eeb0cf1521c80ad8f3e7aad22
    SHA1      1628969dc6256816b2ab9b1c0163fcff0971c154
    SHA256    e14dd88df69dc98be5bedcbc8c43d1e7260b4492899fec24d964000a3b096c7a
    SHA512    a0b7210095767b437a668a6b0bcedf42268e80b9184b9910ed67d665fba9f714d06c06bff7b3da63846791d606807d13311946505776a1b891b39058cfb41bd4

  • C:\Users\Admin\AppData\Local\Temp\vbc7F37443CB80743868C3CE86C4A5ACAD1.TMP
    Filesize  644B
    MD5       dac60af34e6b37e2ce48ac2551aee4e7
    SHA1      968c21d77c1f80b3e962d928c35893dbc8f12c09
    SHA256    2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6
    SHA512    1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

  • C:\Users\Admin\AppData\Local\Temp\vbcAAD29AB9A4DB4DCB98E6A4CD1B1C78B5.TMP
    Filesize  684B
    MD5       7a707b422baa7ca0bc8883cbe68961e7
    SHA1      addf3158670a318c3e8e6fdd6d560244b9e8860e
    SHA256    453ad1da51152e3512760bbd206304bf48f9c880f63b6a0726009e2d1371c71c
    SHA512    81147c1c4c5859249f4e25d754103f3843416e3d0610ac81ee2ef5e5f50622ea37f0c68eeb7fa404f8a1779dc52af02d2142874e39c212c66fa458e0d62926a9

  • C:\Users\Admin\AppData\Local\Temp\vbcDD7ADBC052024355B0D9800908DCC95.TMP
    Filesize  676B
    MD5       85c61c03055878407f9433e0cc278eb7
    SHA1      15a60f1519aefb81cb63c5993400dd7d31b1202f
    SHA256    f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b
    SHA512    7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

  • C:\Users\Admin\AppData\Local\Temp\ynnxqemf.0.vb
    Filesize  274B
    MD5       539683c4ca4ee4dc46b412c5651f20f5
    SHA1      564f25837ce382f1534b088cf2ca1b8c4b078aed
    SHA256    ec2210924d5c1af6377ef4bdf76d6ca773aaa1ae0438b0850f44d8c4e16ef92e
    SHA512    df7c1a55e53f9b9bf23d27762d2d1163c78808e9b4d95e98c84c55ca4ecb7009ed58574ae6ddede31459f300483a1dc42987295a04f6c8702f297d3f1942f4ac

  • C:\Users\Admin\AppData\Local\Temp\ynnxqemf.cmdline
    Filesize  174B
    MD5       d3b71835d913926fd1fe556c1835daa1
    SHA1      599c62573b15b531d18426e625aeab2935e62651
    SHA256    991bbb2979c3782ba4056eef80cd5ad01fb44e027f17502ebc3967e0fccca6f8
    SHA512    b762d83a9e8ce2ca4004dc85c77c72a855c555d917e4fbd895dde9dd330010aee68bc1078af671c09a1ca54dbff2546532508401cfbe13fce1d333df2b69e9eb

  • C:\Users\Admin\AppData\Local\Temp\ytvkwqpz.0.vb
    Filesize  273B
    MD5       3c3d3136aa9f1b87290839a1d26ad07a
    SHA1      005a23a138be5d7a98bdd4a6cc7fab8bdca962f4
    SHA256    5b745f85a39312bfa585edbd7e3465371578b42fa639eded4cdad8c9f96b87fd
    SHA512    fbb085ffcd77ac96c245067fd96a0c20492d55331161f292975b0c11386424a96534a500133217f84d44455e16139d01230455bce5db3d472271620c29381f60

  • C:\Users\Admin\AppData\Local\Temp\ytvkwqpz.cmdline
    Filesize  173B
    MD5       079e75a30c27c0aa05d3bb4346f428a4
    SHA1      2c2a29f80790368e5cad58776e6fa7fe5eff7b12
    SHA256    c95e0c62b24b5362bc5727f66e0cb7ad9326ade7676dcac63da5b2c419bb4d7b
    SHA512    27210cdaa385c30dcdd97feb0a461915a37d25d9a4516c6b2a2aa184615282333bb4bf113d67d30ac4463aabc0a79c2628dcbb012ae324683a0c66e28900669b

  • C:\Windows\System32\MSSCS.exe
    Filesize  21KB
    MD5       6fe3fb85216045fdf8186429c27458a7
    SHA1      ef2c68d0b3edf3def5d90f1525fe87c2142e5710
    SHA256    905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550
    SHA512    d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c

  • memory/1016-18-0x00007FF9585B0000-0x00007FF958F51000-memory.dmp
    Filesize  9.6MB

  • memory/1016-22-0x00007FF9585B0000-0x00007FF958F51000-memory.dmp
    Filesize  9.6MB

  • memory/1016-17-0x00007FF9585B0000-0x00007FF958F51000-memory.dmp
    Filesize  9.6MB

  • memory/1016-20-0x00007FF9585B0000-0x00007FF958F51000-memory.dmp
    Filesize  9.6MB

  • memory/1324-35-0x0000025D9BAB0000-0x0000025D9BAD2000-memory.dmp
    Filesize  136KB

  • memory/2712-6-0x00007FF958865000-0x00007FF958866000-memory.dmp
    Filesize  4KB

  • memory/2712-7-0x00007FF9585B0000-0x00007FF958F51000-memory.dmp
    Filesize  9.6MB

  • memory/2712-8-0x00007FF9585B0000-0x00007FF958F51000-memory.dmp
    Filesize  9.6MB

  • memory/2712-5-0x000000001CDB0000-0x000000001CE4C000-memory.dmp
    Filesize  624KB

  • memory/2712-4-0x000000001C580000-0x000000001C5E2000-memory.dmp
    Filesize  392KB

  • memory/2712-3-0x000000001B9F0000-0x000000001BA96000-memory.dmp
    Filesize  664KB

  • memory/2712-21-0x00007FF9585B0000-0x00007FF958F51000-memory.dmp
    Filesize  9.6MB

  • memory/2712-0-0x00007FF958865000-0x00007FF958866000-memory.dmp
    Filesize  4KB

  • memory/2712-2-0x000000001BFB0000-0x000000001C47E000-memory.dmp
    Filesize  4.8MB

  • memory/2712-1-0x00007FF9585B0000-0x00007FF958F51000-memory.dmp
    Filesize  9.6MB
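Most of the hashes in the Downloads list are not worth searching for: the {random8}.cmdline response files, {random8}.0.vb generated sources, vbc*.TMP resource inputs and RES*.tmp cvtres outputs are scratch files of the vbc.exe/cvtres.exe compile cycle and differ on every run, and __PSScriptPolicyTest_*.ps1 is written by powershell.exe itself to test script enforcement. The one hash that matters appears twice: C:\Windows\System32\MSSCS.exe carries exactly the MD5/SHA-1/SHA-256/SHA-512 of the submitted sample, so the "Drops file in System32 directory" signature is a self-copy for persistence, not a second-stage download. The following is an added example, not part of the sandbox report: it keeps a subset of the report's records (hashes copied as listed above, SHA-512 omitted for brevity), classifies each path, builds the deduplicated hunt set, and checks a file's bytes against the set. The classification patterns and helper names are mine; the byte strings used in the test are constructed and match nothing in the report.

```python
"""Turn the sandbox's Downloads list into a usable IoC set (added example)."""
import hashlib
import re

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
RECORDS = [  # (path, md5, sha1, sha256) copied from the report
    (TEMP + r"\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe",
     "6fe3fb85216045fdf8186429c27458a7", "ef2c68d0b3edf3def5d90f1525fe87c2142e5710",
     "905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550"),
    (r"C:\Windows\System32\MSSCS.exe",
     "6fe3fb85216045fdf8186429c27458a7", "ef2c68d0b3edf3def5d90f1525fe87c2142e5710",
     "905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550"),
    (TEMP + r"\krpwcn4t.cmdline",
     "8e419bc1a1f8a2c76b8550d038174ebe", "ec57f8d28e68fc24422ebd8afcd7d1e0c8984d8a",
     "81c6e81e0566cc4f9351ab69db18a32347bb8fed7ef15a977f86cc869fa0ace2"),
    (TEMP + r"\krpwcn4t.0.vb",
     "076803692ac8c38d8ee02672a9d49778", "45d2287f33f3358661c3d6a884d2a526fc6a0a46",
     "5b3ab23bcadaeb54a41bdb1636bcaf7772af028d375f42baeb967de6579ef2a3"),
    (TEMP + r"\RESB34D.tmp",
     "50b875fd9a77ef109149f9a91567958e", "37534ef8b5b6c1b7135f17e3064be697c555b660",
     "bf1375caa5d3d7705176f9256676853aaa137b63ae26f2e71ca337f6d78b1158"),
    (TEMP + r"\vbc7F37443CB80743868C3CE86C4A5ACAD1.TMP",
     "dac60af34e6b37e2ce48ac2551aee4e7", "968c21d77c1f80b3e962d928c35893dbc8f12c09",
     "2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6"),
    (TEMP + r"\__PSScriptPolicyTest_3w0guzou.2hh.ps1",
     "d17fe0a3f47be24a6453e9ef58c94641", "6ab83620379fc69f80c0242105ddffd7d98d5d9d",
     "96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7"),
]

# Name patterns of what the .NET 2.0 CodeDOM compile cycle leaves in %TEMP%.
SCRATCH = [
    (re.compile(r"\\[a-z0-9_]{8}\.cmdline$", re.I), "compiler response file"),
    (re.compile(r"\\[a-z0-9_]{8}\.0\.vb$", re.I), "generated VB source"),
    (re.compile(r"\\RES[0-9A-F]{4}\.tmp$", re.I), "cvtres output"),
    (re.compile(r"\\vbc[0-9A-F]{24,32}\.TMP$", re.I), "vbc resource input"),
]
PS_PROBE = re.compile(r"\\__PSScriptPolicyTest_[^\\]+\.ps1$", re.I)


def classify(path):
    """'scratch' (compile-cycle leftovers), 'ps_probe' (powershell.exe's own
    script-policy test file) or 'payload' (worth hunting for)."""
    for rx, label in SCRATCH:
        if rx.search(path):
            return "scratch", label
    if PS_PROBE.search(path):
        return "ps_probe", "PowerShell script-enforcement probe"
    return "payload", "dropped or submitted executable"


def hunt_set(records):
    """sha256 -> every path the report saw that content at, payload files only.
    The submitted sample and System32\\MSSCS.exe collapse into one entry."""
    out = {}
    for path, _md5, _sha1, sha256 in records:
        if classify(path)[0] == "payload":
            out.setdefault(sha256, []).append(path)
    return out


def hash_bytes(data):
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def match_file_contents(data, records):
    """Report paths whose three hashes all equal those of the given bytes."""
    h = hash_bytes(data)
    return [p for p, md5, sha1, sha256 in records
            if (md5, sha1, sha256) == (h["md5"], h["sha1"], h["sha256"])]


if __name__ == "__main__":
    for sha256, paths in hunt_set(RECORDS).items():
        print(sha256)
        for p in paths:
            print("   ", p)
    for path, *_ in RECORDS:
        print(f"{classify(path)[0]:8} {path}")
```

To check a suspect file on a host, read it in binary and pass the bytes to match_file_contents(); a hit on the single hunt-set entry means the file is the sample itself, wherever it was found.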