Analysis

  • max time kernel
    143s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250502-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/05/2025, 05:31

General

  • Target

    905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe

  • Size

    21KB

  • MD5

    6fe3fb85216045fdf8186429c27458a7

  • SHA1

    ef2c68d0b3edf3def5d90f1525fe87c2142e5710

  • SHA256

    905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550

  • SHA512

    d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c

  • SSDEEP

    384:nPD9On5gIdjbvRPJnMacNj6FIlKrZbJsV5reQ+ys:b9On2nV6FIlKr1

Malware Config

Signatures

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

  • Revengerat family
  • RevengeRat Executable 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Drops file in System32 directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
    "C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:6036
    • C:\Windows\system32\MSSCS.exe
      "C:\Windows\system32\MSSCS.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5760
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -ExecutionPolicy Bypass -Command [System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms'); [System.Windows.Forms.MessageBox]::Show('Isto abriu lol','Rekt!',0,64)
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4992
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\w7upl6us.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1496
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD481.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8ACA40592A849AD80C4FC97154EE720.TMP"
          4⤵
            PID:5616
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
          "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\74d0cp2p.cmdline"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2916
          • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD50E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE67929D4864D42198F9F5C92B6C78972.TMP"
            4⤵
              PID:2772
          • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
            "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fbrzbjji.cmdline"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:5532
            • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD58B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc421BFB07EDED467D8F83699DE645478.TMP"
              4⤵
                PID:2000
            • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
              "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_pjsd72s.cmdline"
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:2092
              • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
                C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD627.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF8C960BCA75E4845A36A1CBD9D421989.TMP"
                4⤵
                  PID:4196
              • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
                "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dogrxygj.cmdline"
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:1020
                • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
                  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD6B4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc14211A9FDA944C7EADF358A554F8D1E9.TMP"
                  4⤵
                    PID:6104
                • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
                  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-ba0pssq.cmdline"
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:5836
                  • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
                    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD731.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF353B0639C6E46E2AF2776699BDDA8E9.TMP"
                    4⤵
                      PID:880
                  • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
                    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\d1mm57ro.cmdline"
                    3⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1744
                    • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
                      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD7AE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9BCA45AA7AE843D8A3E56F58F2AD295.TMP"
                      4⤵
                        PID:3108
                    • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
                      "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\o5wxnjwn.cmdline"
                      3⤵
                      • Suspicious use of WriteProcessMemory
                      PID:2688
                      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
                        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD80C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3FB68D21C7A8462EB5F396BA56F43DB0.TMP"
                        4⤵
                          PID:3444
                      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
                        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\motojpqd.cmdline"
                        3⤵
                        • Suspicious use of WriteProcessMemory
                        PID:3648
                        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
                          C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD879.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc14DB954453D14246AB806C48CCD8F85.TMP"
                          4⤵
                            PID:1704

                    Network

                          MITRE ATT&CK Enterprise v16

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Users\Admin\AppData\Local\Temp\-ba0pssq.0.vb

                            Filesize

                            274B

                            MD5

                            539683c4ca4ee4dc46b412c5651f20f5

                            SHA1

                            564f25837ce382f1534b088cf2ca1b8c4b078aed

                            SHA256

                            ec2210924d5c1af6377ef4bdf76d6ca773aaa1ae0438b0850f44d8c4e16ef92e

                            SHA512

                            df7c1a55e53f9b9bf23d27762d2d1163c78808e9b4d95e98c84c55ca4ecb7009ed58574ae6ddede31459f300483a1dc42987295a04f6c8702f297d3f1942f4ac

                          • C:\Users\Admin\AppData\Local\Temp\-ba0pssq.cmdline

                            Filesize

                            174B

                            MD5

                            9bc3c579d1f91d7d18feaf64e0cf2512

                            SHA1

                            a1f15a358d2d49bafe8509da92f06486d4a4e2c1

                            SHA256

                            f8d440fa3a2264843fc18eaaf25f2a13fe7aa63e2980eec667f6c8663f11dc10

                            SHA512

                            a4c28feaccb7e6b95ee3f36637266866d7e409ed57fc94445b9b8c092c08b9bf47a0d9ffb3b4979b9133307bc64c0434d5c468410d00554964a87ca0690abc36

                          • C:\Users\Admin\AppData\Local\Temp\74d0cp2p.0.vb

                            Filesize

                            262B

                            MD5

                            88cc385da858aaa7057b54eaeb0df718

                            SHA1

                            b108224d4686b5ca3faaeb1c728dfba8740a6eca

                            SHA256

                            08a30db98d970e3b6819d5ecff6eab2211ce93f4cd000c09db96ffb294d05020

                            SHA512

                            4787835240c3e2364172ac2e7649ec8fecb907c7006c38734e59aa65509f360b4596d5db8de20e0c7388a022e1c2f4f9ba75acabba798bea1d40f688539b7df7

                          • C:\Users\Admin\AppData\Local\Temp\74d0cp2p.cmdline

                            Filesize

                            162B

                            MD5

                            02da007f3b9a48dfdee158621533fb45

                            SHA1

                            17ff1ee29582f8f73199f55c39012700b5600fc0

                            SHA256

                            e95450d9c7020cfa08b8145a15e696287944dc1aa7846fea5940bdee6b9ee670

                            SHA512

                            1f5f4c028907ac99c1fe89304ed111c0d6ed8c45232286b51f754e0fa6c4a26d6ffbe3a6113c70084e0d81018071159aff0f911d711bb1e0a82c06955a9e00d7

                          • C:\Users\Admin\AppData\Local\Temp\RESD481.tmp

                            Filesize

                            1KB

                            MD5

                            68a27659ee066bc46c830208f8e9edd5

                            SHA1

                            f7e5a784f6dae94f1f9c5dbcbc7519b2d5290bd4

                            SHA256

                            7755d1c84919817385082f88cd1f31c80b031965875fc9521359eeed337430ac

                            SHA512

                            2dae753a7ca3b32c56c582b8b6b4d019164848b8042f05a755338d51b683fa6cf5d1bf3114be625998accc9eefec696d35f1e8b4eb8908a045aa928d6f794ea6

                          • C:\Users\Admin\AppData\Local\Temp\RESD50E.tmp

                            Filesize

                            1KB

                            MD5

                            0e6109532dde4c4b6158dd9e655eb2b9

                            SHA1

                            3c3f818344e5053970f62ebb2bc2d5e894cc1f21

                            SHA256

                            6212c96744f23870b403e2d98bd4c07e27d7cb5b9e9dfdcc97459fae317db8f7

                            SHA512

                            ab286f2694a2b3add0aac6cf610c9c807abb5c3f2df6a75d1407e28672b0e62754b5a3d96ce8bf4222d02986c09158dfbacab8fe685cb3357059e32233d28043

                          • C:\Users\Admin\AppData\Local\Temp\RESD58B.tmp

                            Filesize

                            1KB

                            MD5

                            cbf983ad2bf345a894f1309ae1e1a40e

                            SHA1

                            9626d59df1cf8bb1068a7917cc6eda1464107e89

                            SHA256

                            a4597e2a626da995f61e8336280cc8195ca4711c6e2efe85c873130c45325c9a

                            SHA512

                            a047a3d2f779e1533294d52d91cd5186a51f1d3ed3f4131745bd76429172d08d7e9dc4bfd6cf6677f4a49de728815a768381f326865e8acb30d1de417627efe2

                          • C:\Users\Admin\AppData\Local\Temp\RESD627.tmp

                            Filesize

                            1KB

                            MD5

                            e16dc859c0a2c7a12474ebb3ee367b8c

                            SHA1

                            4767acc6ce6b68e9b13a8a3b702a3d7d8b309460

                            SHA256

                            53e5f8e29e37535bec3693fa039eae1605a43b3cc34c2f91e7f6c077d8b01550

                            SHA512

                            498a589d4f10bb8af233b58f968c7413c1585bf8861bff2f0c05f7ba254f54f4354a038934f4f280c6ad0cd506603b77909bb5c1214ff388bfd8c49edf0bc63d

                          • C:\Users\Admin\AppData\Local\Temp\RESD6B4.tmp

                            Filesize

                            1KB

                            MD5

                            c7830f1ae5b0736e6992533cc25d5233

                            SHA1

                            5888033be5f9dbaf1f559aaea318f9e43173f3aa

                            SHA256

                            24f0afd8c18b3dc0e97039df92b4fd751375a10e9432761262c9cd77643ccf94

                            SHA512

                            a0af54986fe1454eaa2bd2cbd43160d32345aebdad2d36b732a165d4c03ea7f664a38ba719a0a1eb98fd039ffaa1e2e9aadcc11cec847015608bb3f6479c90b3

                          • C:\Users\Admin\AppData\Local\Temp\RESD731.tmp

                            Filesize

                            1KB

                            MD5

                            fc1917b33bfe653a1655f87fb64871bd

                            SHA1

                            30f4c204359e4c8df5f647842e8ff4e2834905a7

                            SHA256

                            288ff8a5d1e09922fd6ef8720593e6f2c1dd5dcc788d97cbea97025ca05f0a7b

                            SHA512

                            9f9780418a30ead0a83f1e665bce800a40e69f3d3c7f4298216b7d2fd20c330758e59cdfcb88ed7eb0ed87a0b4a18b1c874d6cac9ee15aa1faa24f787a8c42df

                          • C:\Users\Admin\AppData\Local\Temp\RESD7AE.tmp

                            Filesize

                            1KB

                            MD5

                            580fe8dc7ca21c141a7005477e1aff90

                            SHA1

                            8d58e02badb7d6636d5111d094aca10495ef2108

                            SHA256

                            c3bafdd0d5c39cfc97ade963feb130de1cc5353b6dcfd2d6b4302eeb670a6fc1

                            SHA512

                            181f0d7aba1dc147f850fcf6d837b2c515992b346ba50d06261ec2ecd79d4369cdec9c0507f0b803e2fb6f6597090c36563ae3e0c4aae4552efe2ae6e2dd83dd

                          • C:\Users\Admin\AppData\Local\Temp\RESD80C.tmp

                            Filesize

                            1KB

                            MD5

                            49a560b604b7b1513a7371b701464d6b

                            SHA1

                            b383b6fd45cf0b2e4336cf1751f2f00196cd46dc

                            SHA256

                            8e16a3091c1c0b183561156eb83ebdd3ec2f5394ab1d83d18f72b08d2fd4f17f

                            SHA512

                            b603490ce3ec2f453196917029b297c371de9f3a3cbcc68f8fde48dd7d13d8068031d2212eed6a929a4c0bafcc0d9cbff5fa50c3eb75f5ddd63980af35b42d7e

                          • C:\Users\Admin\AppData\Local\Temp\RESD879.tmp

                            Filesize

                            1KB

                            MD5

                            5754323c3829cfc58991f2c5a951736f

                            SHA1

                            7788524515f22429170c8e768f19202ab30e517a

                            SHA256

                            fa399c1c87f8b1744349b42fed73af8ad3bbfd509304f29477869a89ca85c1d8

                            SHA512

                            13072f3337ecb5be24e8d9f21f5e4821954c6242a011ded19048e1e9534eb52d9781c4ccc8db89c69e36264257046da9ba9bb6aa9bc0bf2cb2190caceee5a049

                          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1oewzxfq.j2j.ps1

                            Filesize

                            60B

                            MD5

                            d17fe0a3f47be24a6453e9ef58c94641

                            SHA1

                            6ab83620379fc69f80c0242105ddffd7d98d5d9d

                            SHA256

                            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                            SHA512

                            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                          • C:\Users\Admin\AppData\Local\Temp\_pjsd72s.0.vb

                            Filesize

                            272B

                            MD5

                            2b3aac520562a93ebef6a5905d4765c9

                            SHA1

                            10ab45c5d73934b16fac5e30bf22f17d3e0810c8

                            SHA256

                            b9f0edf067faaaa7da2d47e3d22b957cd302eb25e01e08ea79c664868f328f89

                            SHA512

                            9514934ed12d93ea3ad4e6873cf294bafa114bc7a784a93b14dd2410d07fae3a2c00308035a5c129c57e283de8b94ed36fd9f9de35b08eb79a82a0c732e50446

                          • C:\Users\Admin\AppData\Local\Temp\_pjsd72s.cmdline

                            Filesize

                            172B

                            MD5

                            4e97537c96dea052c59016b1163fbab6

                            SHA1

                            9275bd7939e1eaf766182fa67f85ffee44dc13a5

                            SHA256

                            85e40447876ffb68dff79d3e8ea11705ba034941d5ef20d1d363c342c01a0c3d

                            SHA512

                            bb643403d773d38996676f5bc2c2a4953a303e85f1b1cc974789ee2a4960f4ebb5003d6ca49e77ca12f9371b134e96a5d16dac464d328bb898c73c2440f7a9e5

                          • C:\Users\Admin\AppData\Local\Temp\d1mm57ro.0.vb

                            Filesize

                            264B

                            MD5

                            5ce3977a153152978fa71f8aa96909e9

                            SHA1

                            52af143c553c92afc257f0e0d556908eaa8919cb

                            SHA256

                            e07a7bd0c2901d3a349ab55e936b34de2d0abb5f2dc555cc128773b8045d3eed

                            SHA512

                            eaee02ceade0211be70a4710b28fdf043d5c540928e2095ead924a44c2edfca8fc6499395d1b7f5deee96394fb5309362fb87e45ee195094ec39d5fa11909d77

                          • C:\Users\Admin\AppData\Local\Temp\d1mm57ro.cmdline

                            Filesize

                            164B

                            MD5

                            e8434b114d67d140c34379d165b1b8d6

                            SHA1

                            e9b83d1b027b1cc071254c2f56b18e2b0b8d0933

                            SHA256

                            185bb4c2b3f01f858ac93163f206ec50d3fc4f2d357650ecfb64797ae293ed1f

                            SHA512

                            ebb44cc97d6b06cf326b02262782d5cb5ee27e79bd56f77b0238f5589f6d68f889e45326655a11ab6b6f727f02774fc5370a705a06bd534e944a899452b4e6fd

                          • C:\Users\Admin\AppData\Local\Temp\dogrxygj.0.vb

                            Filesize

                            271B

                            MD5

                            325f27ef75bebe8b3f80680add1943d3

                            SHA1

                            1c48e211258f8887946afb063e9315b7609b4ee3

                            SHA256

                            034c75813491d628a1a740b45888fc0c301b915456aaa7ba6433b4f1368cda35

                            SHA512

                            e2165b425558872897990953c26e48776f45751a53da035f1ad86ac062ec23a2923b984d84f992de5c0170f6e192feb155ffff25f51bc76ab273b996daacb804

                          • C:\Users\Admin\AppData\Local\Temp\dogrxygj.cmdline

                            Filesize

                            171B

                            MD5

                            db67a123fd21a76b5f06acdd445e756f

                            SHA1

                            2fa1399e70b8a7256657b7d5dbfc8c4032debd66

                            SHA256

                            15c0c9bbc4e4c9aa363db27ebad1ecf9f4d60d0bda514f7e8df2906df2d77a98

                            SHA512

                            583475bfd0930a460b52533f95f8e01909168c145dfe421dd4e437474c2a231d6d6772be6f65d431295818284fb36f1d8332f876606752ca49794c27c3820f7e

                          • C:\Users\Admin\AppData\Local\Temp\fbrzbjji.0.vb

                            Filesize

                            271B

                            MD5

                            ac972015bef75b540eb33503d6e28cc2

                            SHA1

                            5c1d09fcf4c719711532dcfd0544dfc6f2b90260

                            SHA256

                            fa445cc76cde3461a5f1f1281fefcb0c7db69b2685f8a67a06a0f33a067e74e7

                            SHA512

                            36b2e1f7b7a6f2c60788f88d95bfdc53b7d261c203eb637a36fbd07d81bc46edc87e528f1987df73963cb75ca2f19c3a4b3df9ade52d5768ecec23753099cc83

                          • C:\Users\Admin\AppData\Local\Temp\fbrzbjji.cmdline

                            Filesize

                            171B

                            MD5

                            31a19fe1be27f6d3b8b38d08dfeb7333

                            SHA1

                            de16b6704f027f6ea9d009f71e5644acd1c236a3

                            SHA256

                            d7fa53789ef3727ad9e8aad2dbb246a77760a74fab77e70f047ad8ad9c0c5a58

                            SHA512

                            d6a27694677b23b2d644bd442c54c8181100cc77479af804b23f1af7dad6bf8980045dce1b9b06f6f2435d73f261801fa432bf80400da8715ffcaf9eca49743e

                          • C:\Users\Admin\AppData\Local\Temp\motojpqd.0.vb

                            Filesize

                            273B

                            MD5

                            3c3d3136aa9f1b87290839a1d26ad07a

                            SHA1

                            005a23a138be5d7a98bdd4a6cc7fab8bdca962f4

                            SHA256

                            5b745f85a39312bfa585edbd7e3465371578b42fa639eded4cdad8c9f96b87fd

                            SHA512

                            fbb085ffcd77ac96c245067fd96a0c20492d55331161f292975b0c11386424a96534a500133217f84d44455e16139d01230455bce5db3d472271620c29381f60

                          • C:\Users\Admin\AppData\Local\Temp\motojpqd.cmdline

                            Filesize

                            173B

                            MD5

                            217cb3fc51759c4821f2b57bade64c7a

                            SHA1

                            303009895a6b1af2d8becaf25691b8b559aadc2e

                            SHA256

                            7e1adedd593e270e584773bc0fb92f6f5587a1f4fec6a863b760f73384d89808

                            SHA512

                            6cec4e48c96e8e8350d3fa5ae88c0f9f24cd2a2c66fcfde2f4f66c6ed9b30cfa776c026d540e54a916890ecb552883bba4d80b4f2148632af24ee08a70b4289d

                          • C:\Users\Admin\AppData\Local\Temp\o5wxnjwn.0.vb

                            Filesize

                            270B

                            MD5

                            658573fde2bebc77c740da7ddaa4634b

                            SHA1

                            073da76c50b4033fcfdfb37ba6176afd77b0ea55

                            SHA256

                            c07206283d62100d426ba62a81e97bd433966f8b52b5a8dd1451e29a804a1607

                            SHA512

                            f93c7f4378be5eca51161d1541d772a34c07884c9d829608c6fa21563df5691920394afe9da1174ad5c13f773a588b186d1d38a9d375a28562eb58ca4a8b8fbf

                          • C:\Users\Admin\AppData\Local\Temp\o5wxnjwn.cmdline

                            Filesize

                            170B

                            MD5

                            569a792ca2c319703fec7465f5356e79

                            SHA1

                            cf298b532e3f0ec2b0eed4d807707db2063d1761

                            SHA256

                            804b6d551bdc745d7b7291f6d576b8014b478f5ee18984f19972e40f663e289e

                            SHA512

                            cc1c8b8e1b5019f815d5c15a2bf8331f17f912d34b70430b6cd216f176ad4ed35eb63d2fc88dc382693205badb130a827acb7fb208bb9d2d7f3152ab451d7456

                          • C:\Users\Admin\AppData\Local\Temp\vbc14DB954453D14246AB806C48CCD8F85.TMP

                            Filesize

                            684B

                            MD5

                            7a707b422baa7ca0bc8883cbe68961e7

                            SHA1

                            addf3158670a318c3e8e6fdd6d560244b9e8860e

                            SHA256

                            453ad1da51152e3512760bbd206304bf48f9c880f63b6a0726009e2d1371c71c

                            SHA512

                            81147c1c4c5859249f4e25d754103f3843416e3d0610ac81ee2ef5e5f50622ea37f0c68eeb7fa404f8a1779dc52af02d2142874e39c212c66fa458e0d62926a9

                          • C:\Users\Admin\AppData\Local\Temp\vbc8ACA40592A849AD80C4FC97154EE720.TMP

                            Filesize

                            644B

                            MD5

                            dac60af34e6b37e2ce48ac2551aee4e7

                            SHA1

                            968c21d77c1f80b3e962d928c35893dbc8f12c09

                            SHA256

                            2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6

                            SHA512

                            1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

                          • C:\Users\Admin\AppData\Local\Temp\vbcE67929D4864D42198F9F5C92B6C78972.TMP

                            Filesize

                            668B

                            MD5

                            3906bddee0286f09007add3cffcaa5d5

                            SHA1

                            0e7ec4da19db060ab3c90b19070d39699561aae2

                            SHA256

                            0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00

                            SHA512

                            0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

                          • C:\Users\Admin\AppData\Local\Temp\vbcF353B0639C6E46E2AF2776699BDDA8E9.TMP

                            Filesize

                            684B

                            MD5

                            8135713eeb0cf1521c80ad8f3e7aad22

                            SHA1

                            1628969dc6256816b2ab9b1c0163fcff0971c154

                            SHA256

                            e14dd88df69dc98be5bedcbc8c43d1e7260b4492899fec24d964000a3b096c7a

                            SHA512

                            a0b7210095767b437a668a6b0bcedf42268e80b9184b9910ed67d665fba9f714d06c06bff7b3da63846791d606807d13311946505776a1b891b39058cfb41bd4

                          • C:\Users\Admin\AppData\Local\Temp\vbcF8C960BCA75E4845A36A1CBD9D421989.TMP

                            Filesize

                            676B

                            MD5

                            85c61c03055878407f9433e0cc278eb7

                            SHA1

                            15a60f1519aefb81cb63c5993400dd7d31b1202f

                            SHA256

                            f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b

                            SHA512

                            7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

                          • C:\Users\Admin\AppData\Local\Temp\w7upl6us.0.vb

                            Filesize

                            256B

                            MD5

                            076803692ac8c38d8ee02672a9d49778

                            SHA1

                            45d2287f33f3358661c3d6a884d2a526fc6a0a46

                            SHA256

                            5b3ab23bcadaeb54a41bdb1636bcaf7772af028d375f42baeb967de6579ef2a3

                            SHA512

                            cc9126384a287ccb99d10d5c2d3034cdbc8a45e94f1cec48dd95f2aa08ebbe3053ffd6d6effa31f2d84164edbb6136398cd02c08b05f027a6a777dffd1daea5d

                          • C:\Users\Admin\AppData\Local\Temp\w7upl6us.cmdline

                            Filesize

                            156B

                            MD5

                            cc037f722eb1bd1c1f81317af9764450

                            SHA1

                            b052513de7cf816ac97b2e37262489566bdd1607

                            SHA256

                            7417fd5d191b60b99fcac638bfe5962ac772dd6095aee87dc294dce2b92f180c

                            SHA512

                            80aa5791076d591e7a581b9676ea7ab4debdd1b3c1a5f80eecf2ea0d523d6836f7e0dc2a48ad5dcc68eebeca06be9ad69ff3e727d6fadc3ba884123e7318b46f

                          • C:\Windows\System32\MSSCS.exe

                            Filesize

                            21KB

                            MD5

                            6fe3fb85216045fdf8186429c27458a7

                            SHA1

                            ef2c68d0b3edf3def5d90f1525fe87c2142e5710

                            SHA256

                            905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550

                            SHA512

                            d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c

                          • memory/4992-28-0x000002D8F9920000-0x000002D8F9942000-memory.dmp

                            Filesize

                            136KB

                          • memory/5760-21-0x00007FFFBEB90000-0x00007FFFBF531000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/5760-23-0x00007FFFBEB90000-0x00007FFFBF531000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/5760-18-0x00007FFFBEB90000-0x00007FFFBF531000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/5760-19-0x00007FFFBEB90000-0x00007FFFBF531000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/6036-4-0x000000001C510000-0x000000001C572000-memory.dmp

                            Filesize

                            392KB

                          • memory/6036-3-0x000000001C3A0000-0x000000001C446000-memory.dmp

                            Filesize

                            664KB

                          • memory/6036-2-0x00007FFFBEB90000-0x00007FFFBF531000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/6036-22-0x00007FFFBEB90000-0x00007FFFBF531000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/6036-6-0x00007FFFBEB90000-0x00007FFFBF531000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/6036-5-0x000000001CDA0000-0x000000001CE3C000-memory.dmp

                            Filesize

                            624KB

                          • memory/6036-1-0x000000001BED0000-0x000000001C39E000-memory.dmp

                            Filesize

                            4.8MB

                          • memory/6036-0-0x00007FFFBEE45000-0x00007FFFBEE46000-memory.dmp

                            Filesize

                            4KB

                          • memory/6036-9-0x00007FFFBEB90000-0x00007FFFBF531000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/6036-8-0x00007FFFBEB90000-0x00007FFFBF531000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/6036-7-0x00007FFFBEE45000-0x00007FFFBEE46000-memory.dmp

                            Filesize

                            4KB