Analysis

  • max time kernel
    143s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250502-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/05/2025, 05:35

General

  • Target

    905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe

  • Size

    21KB

  • MD5

    6fe3fb85216045fdf8186429c27458a7

  • SHA1

    ef2c68d0b3edf3def5d90f1525fe87c2142e5710

  • SHA256

    905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550

  • SHA512

    d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c

  • SSDEEP

    384:nPD9On5gIdjbvRPJnMacNj6FIlKrZbJsV5reQ+ys:b9On2nV6FIlKr1

Malware Config

Signatures

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

  • Revengerat family
  • RevengeRat Executable 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Drops file in System32 directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
    "C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1084
    • C:\Windows\system32\MSSCS.exe
      "C:\Windows\system32\MSSCS.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1976
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -ExecutionPolicy Bypass -Command [System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms'); [System.Windows.Forms.MessageBox]::Show('Isto abriu lol','Rekt!',0,64)
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3756
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mw5ekqce.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:5972
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDED2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB6B13FBE7696485692119E5F092AD17.TMP"
          4⤵
            PID:5064
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
          "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\aanaguei.cmdline"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2316
          • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDF5F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc195D5474EFDF4945A66B69F058568751.TMP"
            4⤵
              PID:3340
          • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
            "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\v5cgks63.cmdline"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:4944
            • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDFEB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc65AAF694A1014A36A3FD81E183612621.TMP"
              4⤵
                PID:5052
            • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
              "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\44uiu8w-.cmdline"
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:4188
              • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
                C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE087.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc144CF8075C94C0AB094E21AEAF4E27.TMP"
                4⤵
                  PID:2480
              • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
                "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ssb4-5d7.cmdline"
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:4952
                • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
                  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE104.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD54BF70EEE834EA7B72E48968F346EDF.TMP"
                  4⤵
                    PID:5144
                • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
                  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0yjybtvz.cmdline"
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:3056
                  • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
                    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE172.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC7E182699CA141FA81F6A745E55592A.TMP"
                    4⤵
                      PID:6116
                  • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
                    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\eijp8am9.cmdline"
                    3⤵
                    • Suspicious use of WriteProcessMemory
                    PID:5780
                    • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
                      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE1DF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA163B7F68F29488EAB5E8A4029C9A825.TMP"
                      4⤵
                        PID:1720
                    • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
                      "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nsyu4rru.cmdline"
                      3⤵
                      • Suspicious use of WriteProcessMemory
                      PID:5748
                      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
                        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE25C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA93CC62EFCA742DC9BA5C5A97DD995BC.TMP"
                        4⤵
                          PID:4480
                      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
                        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9u4lfoxr.cmdline"
                        3⤵
                        • Suspicious use of WriteProcessMemory
                        PID:5320
                        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
                          C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE2D9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCB34AF5538C442C39A8F6DB195FD6A84.TMP"
                          4⤵
                            PID:2732

                    Network

                          MITRE ATT&CK Enterprise v16

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Users\Admin\AppData\Local\Temp\0yjybtvz.0.vb

                            Filesize

                            274B

                            MD5

                            539683c4ca4ee4dc46b412c5651f20f5

                            SHA1

                            564f25837ce382f1534b088cf2ca1b8c4b078aed

                            SHA256

                            ec2210924d5c1af6377ef4bdf76d6ca773aaa1ae0438b0850f44d8c4e16ef92e

                            SHA512

                            df7c1a55e53f9b9bf23d27762d2d1163c78808e9b4d95e98c84c55ca4ecb7009ed58574ae6ddede31459f300483a1dc42987295a04f6c8702f297d3f1942f4ac

                          • C:\Users\Admin\AppData\Local\Temp\0yjybtvz.cmdline

                            Filesize

                            174B

                            MD5

                            30efc7230aeea109fe5eddef400c25bf

                            SHA1

                            c25bb1983804bdead4040f608f8084bda376377d

                            SHA256

                            854efcfa5314fc9101882ca6655b217979dcab47f936ed04144e77c38c724735

                            SHA512

                            c2b98cf33002a50f17d5ea4788412dfb6b0e4ec3d25f7300ea9e0f45596eaf6fdd4b8acb7c7f74ea6bea07380e725fd93e8f6db5210d1a0f70961d77094c41f4

                          • C:\Users\Admin\AppData\Local\Temp\44uiu8w-.0.vb

                            Filesize

                            272B

                            MD5

                            2b3aac520562a93ebef6a5905d4765c9

                            SHA1

                            10ab45c5d73934b16fac5e30bf22f17d3e0810c8

                            SHA256

                            b9f0edf067faaaa7da2d47e3d22b957cd302eb25e01e08ea79c664868f328f89

                            SHA512

                            9514934ed12d93ea3ad4e6873cf294bafa114bc7a784a93b14dd2410d07fae3a2c00308035a5c129c57e283de8b94ed36fd9f9de35b08eb79a82a0c732e50446

                          • C:\Users\Admin\AppData\Local\Temp\44uiu8w-.cmdline

                            Filesize

                            172B

                            MD5

                            abbf01fea53411fc0a6a3f131968a76c

                            SHA1

                            ec3bb45965bbbc4152ef8d61c0aab2478d8e79e4

                            SHA256

                            ec284b7b7e74472e201e76046fd65adb1d0a5206c698b87f25e126ae459a38b9

                            SHA512

                            3bd63b0be05051a9671461e049cff8d1b6aeaf101fdc4c007e56f3e3a9c9338bcaf2a1cbd624e136f374f359c0d33ae489999ce805cc391d12e210176dc85136

                          • C:\Users\Admin\AppData\Local\Temp\9u4lfoxr.0.vb

                            Filesize

                            273B

                            MD5

                            3c3d3136aa9f1b87290839a1d26ad07a

                            SHA1

                            005a23a138be5d7a98bdd4a6cc7fab8bdca962f4

                            SHA256

                            5b745f85a39312bfa585edbd7e3465371578b42fa639eded4cdad8c9f96b87fd

                            SHA512

                            fbb085ffcd77ac96c245067fd96a0c20492d55331161f292975b0c11386424a96534a500133217f84d44455e16139d01230455bce5db3d472271620c29381f60

                          • C:\Users\Admin\AppData\Local\Temp\9u4lfoxr.cmdline

                            Filesize

                            173B

                            MD5

                            df83edecb38db71227ab0805123cd7a4

                            SHA1

                            68effdb53ef83747442697b830f54724d1500317

                            SHA256

                            4baf4a3ad12b6c538b0674357f26325afa8088d70cdbe99a80d7fb215843f1e4

                            SHA512

                            38b66d738758b2033075b79472e63623c95aece826508c8edd275912b71b20adedebda4684c6f993c4f948e63090db614a850b56a686323a84223fab7ff64009

                          • C:\Users\Admin\AppData\Local\Temp\RESDED2.tmp

                            Filesize

                            1KB

                            MD5

                            e056327d360e21e39d62002c73174e24

                            SHA1

                            1684510a57f7dce9da6ed3582385f17cd5e70710

                            SHA256

                            cc5b4b08ecd42efbbad686fc92ee44ad149b6e392d5383626aebfb7f234898b7

                            SHA512

                            a5f15d226313784dd7964d5dfe2b0681a8e0cc80b631dce09a24a164d6914aa481b86d7b4663316d385ac6cc94b24028f613d77983050d8870bdfd688402a9e2

                          • C:\Users\Admin\AppData\Local\Temp\RESDF5F.tmp

                            Filesize

                            1KB

                            MD5

                            b5271fabc194d5f8dca3351c64b85f1d

                            SHA1

                            776011d7c0d5bd10d82408158b5a34c2745f55fb

                            SHA256

                            5298c724b5f363ce0abdb48fcb334c09fdb551d2443fdc6f940d32cba98b956f

                            SHA512

                            4e1d35d5a96a9068e66453ae783bea73627a7861dbbe9df560e9e08b9d3860ea9f68208a848a0d48eca4b8b3dee5108cf298ab9ad625c40280ca46a4d1fdfe5a

                          • C:\Users\Admin\AppData\Local\Temp\RESDFEB.tmp

                            Filesize

                            1KB

                            MD5

                            610d223cda51bd080536d088a352bf13

                            SHA1

                            b0c1ed55e75d728b65970d026bb5403ce6706a34

                            SHA256

                            36218b73844cc3450ed2aa1fb5e7757058d12ec7a0edd2df939fa72ab439a42f

                            SHA512

                            2509e86ad1c37ead8964e71c6bbd30956b21bd60da60ac25b5256b9059f6c38ecf0b27eea2c5fbc0f4643f07f1a85a03f3f400054126e786bdf7f775a0f9e2f0

                          • C:\Users\Admin\AppData\Local\Temp\RESE087.tmp

                            Filesize

                            1KB

                            MD5

                            6994f6acbce25ad8c3cf4dd0ee78c316

                            SHA1

                            3a2c1bafb7ae9a63b7a6b62a89b3803271e1ef59

                            SHA256

                            70ed90e9c989c37c78a344931d7e41391fe08aba4cc9e644404076262443e9bb

                            SHA512

                            3e87b50036840c8ca5671420cc23fa1b81f1f8d94dd6db1231c972b4cd80cd0911283d918092f77567a1e5ec32e73c08e3c52fffb15d78d7b265d5d7fefb2058

                          • C:\Users\Admin\AppData\Local\Temp\RESE104.tmp

                            Filesize

                            1KB

                            MD5

                            846177949620c1234e47e4556d22ebcb

                            SHA1

                            a466474aa9d2af9331b5985b3947d8d87c22593c

                            SHA256

                            8d39dd1c62ca38d252f147f0a2183a781307b5c8910493a189fa01df5722cd70

                            SHA512

                            2724fead6716984d7ea9c4a312e4591541801d2b956142ae97dbdf3721c1d0487e101e46f5b949c86b0605d4c6ba14d32e5e2b40e30ccfa06ebe6d1621e8f67a

                          • C:\Users\Admin\AppData\Local\Temp\RESE172.tmp

                            Filesize

                            1KB

                            MD5

                            34158ce76d7a48eb42a25cc47977f4ba

                            SHA1

                            ef182dc887f0a7035019faff3be8c9f3f15ba373

                            SHA256

                            87a1fa822a7c7a37c0b9d797d75b0f3b16ed43a9c6ccdaf14ae7cc3ce208b7ff

                            SHA512

                            0ad579d4f0f53c64be5f0bf435d50364cae65b70515a3db2a2472f44efb7460268f93425b2a48dfb1f3ef171a00042b71b4652e8d568b9327b5756fd8f6865c6

                          • C:\Users\Admin\AppData\Local\Temp\RESE1DF.tmp

                            Filesize

                            1KB

                            MD5

                            81ff6c30c34665f84fd6382bb5cea02f

                            SHA1

                            201ae9f13f50ad49ad53339e03e642dbb940871a

                            SHA256

                            04bf26e6d77ad85855beb59d45d7eb7fe44aff7e1ede8f064126735c2fb5c5d7

                            SHA512

                            f2ed8e274dc698e1d082b55f2486a8ab18e88e62a406035525462c9ec001ea6e11c7fd5305f7c926c71e4538102882b870df50c82cff838eb22e7a829e49191e

                          • C:\Users\Admin\AppData\Local\Temp\RESE25C.tmp

                            Filesize

                            1KB

                            MD5

                            0409133a043c039751d3482df0974c30

                            SHA1

                            3959affdb2b3e271c4d7a0191917c124c6a40924

                            SHA256

                            e682124c6d78f7b67bf06b39ce2f3396a88b5acb3fb500311c23750eff24cb18

                            SHA512

                            fadff4808ac4c9fc46ced3f74b9c99e58e58169945290cbba595b57e2ccf4cfe4717d08badaeae404b02efec56fbea8d07335bfc3870eb66f7bd1adc755856e8

                          • C:\Users\Admin\AppData\Local\Temp\RESE2D9.tmp

                            Filesize

                            1KB

                            MD5

                            e691ae3d3a3cd78593438bfbcbe2e312

                            SHA1

                            c0ee7402d1b7870f343b0770f090969868920218

                            SHA256

                            4c2255897582214711fd6f2d573871ac1c6d165b6a8e29b259f424bc6a891682

                            SHA512

                            7a57d8fc2a00e30f95081d36444b33df782b5326b9aff06b6608902349a96223b82d7f9f3e466e1b4cc2054b146b3958797a95703f058c2d26ac880c17027bb3

                          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dxilvbdw.0bb.ps1

                            Filesize

                            60B

                            MD5

                            d17fe0a3f47be24a6453e9ef58c94641

                            SHA1

                            6ab83620379fc69f80c0242105ddffd7d98d5d9d

                            SHA256

                            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                            SHA512

                            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                          • C:\Users\Admin\AppData\Local\Temp\aanaguei.0.vb

                            Filesize

                            262B

                            MD5

                            88cc385da858aaa7057b54eaeb0df718

                            SHA1

                            b108224d4686b5ca3faaeb1c728dfba8740a6eca

                            SHA256

                            08a30db98d970e3b6819d5ecff6eab2211ce93f4cd000c09db96ffb294d05020

                            SHA512

                            4787835240c3e2364172ac2e7649ec8fecb907c7006c38734e59aa65509f360b4596d5db8de20e0c7388a022e1c2f4f9ba75acabba798bea1d40f688539b7df7

                          • C:\Users\Admin\AppData\Local\Temp\aanaguei.cmdline

                            Filesize

                            162B

                            MD5

                            f55afbf6429a69215d10e5dd1a255f9d

                            SHA1

                            6c9e73f3d329bf4f9dc230bc1b364dfa18864562

                            SHA256

                            6f67ebd8cea8bd8a2583a5048c897eec37f37aa18c36c11e65073e42297aa685

                            SHA512

                            da808af6f72d9f074457952c966afa6c59d11c807e56877584eb85f34caec4b6d2c2ed4f9eeda9503e2af1810098780604ed193b515a19e4c86e513c69b28b12

                          • C:\Users\Admin\AppData\Local\Temp\eijp8am9.0.vb

                            Filesize

                            264B

                            MD5

                            5ce3977a153152978fa71f8aa96909e9

                            SHA1

                            52af143c553c92afc257f0e0d556908eaa8919cb

                            SHA256

                            e07a7bd0c2901d3a349ab55e936b34de2d0abb5f2dc555cc128773b8045d3eed

                            SHA512

                            eaee02ceade0211be70a4710b28fdf043d5c540928e2095ead924a44c2edfca8fc6499395d1b7f5deee96394fb5309362fb87e45ee195094ec39d5fa11909d77

                          • C:\Users\Admin\AppData\Local\Temp\eijp8am9.cmdline

                            Filesize

                            164B

                            MD5

                            0b5921e0c6f8579a07dfadcb1f8e47e8

                            SHA1

                            e6c68b2d68a11437a2cfdc3ec9271d6056691806

                            SHA256

                            433dc49d867bc9ced449ae5fd6e3d29f8bed26d93c9c751fb60bd4b5370e042a

                            SHA512

                            d101de521adbdb93b6309190f5afb470664404aaba934e75385633bda64da89eb53eb1f17b8a444de0a53cb87cc1fc4a233ac46d3d88d7fc194d31b2ef6c6894

                          • C:\Users\Admin\AppData\Local\Temp\mw5ekqce.0.vb

                            Filesize

                            256B

                            MD5

                            076803692ac8c38d8ee02672a9d49778

                            SHA1

                            45d2287f33f3358661c3d6a884d2a526fc6a0a46

                            SHA256

                            5b3ab23bcadaeb54a41bdb1636bcaf7772af028d375f42baeb967de6579ef2a3

                            SHA512

                            cc9126384a287ccb99d10d5c2d3034cdbc8a45e94f1cec48dd95f2aa08ebbe3053ffd6d6effa31f2d84164edbb6136398cd02c08b05f027a6a777dffd1daea5d

                          • C:\Users\Admin\AppData\Local\Temp\mw5ekqce.cmdline

                            Filesize

                            156B

                            MD5

                            41b01d31f293a04ce959330d2f881182

                            SHA1

                            f0f82ffa326634d72e0f31486933f967dde02088

                            SHA256

                            00396edd905c06723d1ac6cdc17c8f87f2fb64c66694d05e12f9f5f9e9f77d7c

                            SHA512

                            e9a71a8870f2f80bf16819d81ae962c6b5cd981e9723e9122c48ef0e47d2bc2f37beeac913cc8445f06c06e1d3a378afc89a3f7a349ee079c0370ce433b57635

                          • C:\Users\Admin\AppData\Local\Temp\nsyu4rru.0.vb

                            Filesize

                            270B

                            MD5

                            658573fde2bebc77c740da7ddaa4634b

                            SHA1

                            073da76c50b4033fcfdfb37ba6176afd77b0ea55

                            SHA256

                            c07206283d62100d426ba62a81e97bd433966f8b52b5a8dd1451e29a804a1607

                            SHA512

                            f93c7f4378be5eca51161d1541d772a34c07884c9d829608c6fa21563df5691920394afe9da1174ad5c13f773a588b186d1d38a9d375a28562eb58ca4a8b8fbf

                          • C:\Users\Admin\AppData\Local\Temp\nsyu4rru.cmdline

                            Filesize

                            170B

                            MD5

                            0ec629ea2873648d6c9a3b5eef3a0a97

                            SHA1

                            6a59a276b78dd2fcc1cb4a2c901c7bdbd3581420

                            SHA256

                            f660d9bc3babf00e7474728e4bb024853b66a281f2ad1f41cc41e2a4ef947d98

                            SHA512

                            70281ceb4e2538fea0e7666bf2f19bcb88709dc58bb02cfef98750f94bd7e97f62771f1d71057d7fab5dd652c127129a816603230ebe58f7368fef1b8b142b02

                          • C:\Users\Admin\AppData\Local\Temp\ssb4-5d7.0.vb

                            Filesize

                            271B

                            MD5

                            325f27ef75bebe8b3f80680add1943d3

                            SHA1

                            1c48e211258f8887946afb063e9315b7609b4ee3

                            SHA256

                            034c75813491d628a1a740b45888fc0c301b915456aaa7ba6433b4f1368cda35

                            SHA512

                            e2165b425558872897990953c26e48776f45751a53da035f1ad86ac062ec23a2923b984d84f992de5c0170f6e192feb155ffff25f51bc76ab273b996daacb804

                          • C:\Users\Admin\AppData\Local\Temp\ssb4-5d7.cmdline

                            Filesize

                            171B

                            MD5

                            f638d652e155fe2b566be4d414cdf6a7

                            SHA1

                            79b0b8ecc183a09aacc71436fd76e6a2d989740a

                            SHA256

                            e5d01f354af08bd549c1dd2e589342583f0f5a9c2bc277f7e7e6a84d93d91b7b

                            SHA512

                            b89416d3ebdd319f37a4f33784c84e486af9ee19256e885d444c9c78a222837d082e5194eb52f41ecf9c06338a865064b8a7770ba265fcb6b482f93a90bbab77

                          • C:\Users\Admin\AppData\Local\Temp\v5cgks63.0.vb

                            Filesize

                            271B

                            MD5

                            ac972015bef75b540eb33503d6e28cc2

                            SHA1

                            5c1d09fcf4c719711532dcfd0544dfc6f2b90260

                            SHA256

                            fa445cc76cde3461a5f1f1281fefcb0c7db69b2685f8a67a06a0f33a067e74e7

                            SHA512

                            36b2e1f7b7a6f2c60788f88d95bfdc53b7d261c203eb637a36fbd07d81bc46edc87e528f1987df73963cb75ca2f19c3a4b3df9ade52d5768ecec23753099cc83

                          • C:\Users\Admin\AppData\Local\Temp\v5cgks63.cmdline

                            Filesize

                            171B

                            MD5

                            15439ac42a585ccfc3a661506b11bb34

                            SHA1

                            60485ba10458d5bbb4ab1f68ca65876228f426cb

                            SHA256

                            6c4765cbc0957118f119522906037a1ea2e5b3c93a74cab43d948cc64ed232a4

                            SHA512

                            2d7e276285c9464bdc3239cee3a7ea232751dcf5aff685e9d68a1c9578ca2ddd6f9c2200409fdff7b7ae4733ccf7a945270cb3cc140d501eb5b0b3a62bc9bfac

                          • C:\Users\Admin\AppData\Local\Temp\vbc144CF8075C94C0AB094E21AEAF4E27.TMP

                            Filesize

                            676B

                            MD5

                            85c61c03055878407f9433e0cc278eb7

                            SHA1

                            15a60f1519aefb81cb63c5993400dd7d31b1202f

                            SHA256

                            f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b

                            SHA512

                            7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

                          • C:\Users\Admin\AppData\Local\Temp\vbc195D5474EFDF4945A66B69F058568751.TMP

                            Filesize

                            668B

                            MD5

                            3906bddee0286f09007add3cffcaa5d5

                            SHA1

                            0e7ec4da19db060ab3c90b19070d39699561aae2

                            SHA256

                            0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00

                            SHA512

                            0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

                          • C:\Users\Admin\AppData\Local\Temp\vbcB6B13FBE7696485692119E5F092AD17.TMP

                            Filesize

                            644B

                            MD5

                            dac60af34e6b37e2ce48ac2551aee4e7

                            SHA1

                            968c21d77c1f80b3e962d928c35893dbc8f12c09

                            SHA256

                            2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6

                            SHA512

                            1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

                          • C:\Users\Admin\AppData\Local\Temp\vbcC7E182699CA141FA81F6A745E55592A.TMP

                            Filesize

                            684B

                            MD5

                            8135713eeb0cf1521c80ad8f3e7aad22

                            SHA1

                            1628969dc6256816b2ab9b1c0163fcff0971c154

                            SHA256

                            e14dd88df69dc98be5bedcbc8c43d1e7260b4492899fec24d964000a3b096c7a

                            SHA512

                            a0b7210095767b437a668a6b0bcedf42268e80b9184b9910ed67d665fba9f714d06c06bff7b3da63846791d606807d13311946505776a1b891b39058cfb41bd4

                          • C:\Users\Admin\AppData\Local\Temp\vbcCB34AF5538C442C39A8F6DB195FD6A84.TMP

                            Filesize

                            684B

                            MD5

                            7a707b422baa7ca0bc8883cbe68961e7

                            SHA1

                            addf3158670a318c3e8e6fdd6d560244b9e8860e

                            SHA256

                            453ad1da51152e3512760bbd206304bf48f9c880f63b6a0726009e2d1371c71c

                            SHA512

                            81147c1c4c5859249f4e25d754103f3843416e3d0610ac81ee2ef5e5f50622ea37f0c68eeb7fa404f8a1779dc52af02d2142874e39c212c66fa458e0d62926a9

                          • C:\Windows\System32\MSSCS.exe

                            Filesize

                            21KB

                            MD5

                            6fe3fb85216045fdf8186429c27458a7

                            SHA1

                            ef2c68d0b3edf3def5d90f1525fe87c2142e5710

                            SHA256

                            905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550

                            SHA512

                            d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c

                          • memory/1084-9-0x00007FFF86790000-0x00007FFF87131000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/1084-4-0x000000001C870000-0x000000001C8D2000-memory.dmp

                            Filesize

                            392KB

                          • memory/1084-8-0x00007FFF86790000-0x00007FFF87131000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/1084-7-0x00007FFF86A45000-0x00007FFF86A46000-memory.dmp

                            Filesize

                            4KB

                          • memory/1084-22-0x00007FFF86790000-0x00007FFF87131000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/1084-6-0x000000001D100000-0x000000001D19C000-memory.dmp

                            Filesize

                            624KB

                          • memory/1084-1-0x000000001C2F0000-0x000000001C7BE000-memory.dmp

                            Filesize

                            4.8MB

                          • memory/1084-0-0x00007FFF86A45000-0x00007FFF86A46000-memory.dmp

                            Filesize

                            4KB

                          • memory/1084-5-0x00007FFF86790000-0x00007FFF87131000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/1084-2-0x00007FFF86790000-0x00007FFF87131000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/1084-3-0x000000001C7C0000-0x000000001C866000-memory.dmp

                            Filesize

                            664KB

                          • memory/1976-19-0x00007FFF86790000-0x00007FFF87131000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/1976-20-0x00007FFF86790000-0x00007FFF87131000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/1976-23-0x00007FFF86790000-0x00007FFF87131000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/1976-18-0x00007FFF86790000-0x00007FFF87131000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/3756-29-0x0000020DF14D0000-0x0000020DF14F2000-memory.dmp

                            Filesize

                            136KB