Analysis

  • max time kernel
    143s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20250502-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    04/05/2025, 05:00

General

  • Target

    905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe

  • Size

    21KB

  • MD5

    6fe3fb85216045fdf8186429c27458a7

  • SHA1

    ef2c68d0b3edf3def5d90f1525fe87c2142e5710

  • SHA256

    905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550

  • SHA512

    d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c

  • SSDEEP

    384:nPD9On5gIdjbvRPJnMacNj6FIlKrZbJsV5reQ+ys:b9On2nV6FIlKr1

Malware Config

Signatures

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

  • Revengerat family
  • RevengeRat Executable 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Drops file in System32 directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
    "C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3444
    • C:\Windows\system32\MSSCS.exe
      "C:\Windows\system32\MSSCS.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4496
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -ExecutionPolicy Bypass -Command [System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms'); [System.Windows.Forms.MessageBox]::Show('Isto abriu lol','Rekt!',0,64)
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3400
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3e6con1a.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4728
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF047.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBF3EA2B24CC44513A13DBF12CF9DE6A3.TMP"
          4⤵
          PID:2084
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\u_jo8tda.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4908
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF0F3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc13680B8D7A1545D4A993F454596494BD.TMP"
          4⤵
          PID:3364
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lhmyuwsh.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4420
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF18F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc76CD296F562948538945B710A638A5D9.TMP"
          4⤵
          PID:6008
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sdyv-hkg.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:5140
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF20C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc58F5C2A9CF2240DDABB0602BEB609BE7.TMP"
          4⤵
          PID:3316
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7aojnllk.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:880
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF289.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc157A68DF9A8C42A4BCCF65C4C8152C6.TMP"
          4⤵
          PID:4072
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\n_yfxz5f.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2016
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF2E7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF1459E881CDE4B768FAE16478A83E549.TMP"
          4⤵
          PID:1672
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tusrh1jl.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3984
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF354.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7894D3AC7C7042549B8FB02C58DB3C81.TMP"
          4⤵
          PID:2596
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3ahkjqzr.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4944
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF3C1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc14421EE710294F46AEC230AC527FCFD1.TMP"
          4⤵
          PID:3324
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\czob87h2.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:5200
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF41F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc45F1D02539664E75ADECEE91E3B81B51.TMP"
          4⤵
          PID:2232

Network

MITRE ATT&CK Enterprise v16

Downloads

                          • C:\Users\Admin\AppData\Local\Temp\3ahkjqzr.0.vb

                            Filesize

                            271B

                            MD5

                            325f27ef75bebe8b3f80680add1943d3

                            SHA1

                            1c48e211258f8887946afb063e9315b7609b4ee3

                            SHA256

                            034c75813491d628a1a740b45888fc0c301b915456aaa7ba6433b4f1368cda35

                            SHA512

                            e2165b425558872897990953c26e48776f45751a53da035f1ad86ac062ec23a2923b984d84f992de5c0170f6e192feb155ffff25f51bc76ab273b996daacb804

                          • C:\Users\Admin\AppData\Local\Temp\3ahkjqzr.cmdline

                            Filesize

                            171B

                            MD5

                            37cde26fbe8f5e9f40162dd82a99ae4d

                            SHA1

                            3f3eca218e89d1307be1181f3d7239e79314da65

                            SHA256

                            8260160da8510b3f87ecbc9b98587d92e43f06e89d823b60f2b9375d10186024

                            SHA512

                            9978cd069e3afded5a72f82f33d25076b83a74acf5d0b9310c493b3df1c852750751a58328ca7e19b366f3d92b07b422693c999b5f22456bd9a49f3023f3610d

                          • C:\Users\Admin\AppData\Local\Temp\3e6con1a.0.vb

                            Filesize

                            256B

                            MD5

                            076803692ac8c38d8ee02672a9d49778

                            SHA1

                            45d2287f33f3358661c3d6a884d2a526fc6a0a46

                            SHA256

                            5b3ab23bcadaeb54a41bdb1636bcaf7772af028d375f42baeb967de6579ef2a3

                            SHA512

                            cc9126384a287ccb99d10d5c2d3034cdbc8a45e94f1cec48dd95f2aa08ebbe3053ffd6d6effa31f2d84164edbb6136398cd02c08b05f027a6a777dffd1daea5d

                          • C:\Users\Admin\AppData\Local\Temp\3e6con1a.cmdline

                            Filesize

                            156B

                            MD5

                            f0ef75cf3151088fcef5c395b200d388

                            SHA1

                            366e9609a81952f193d0d83cf732bfaa0ba42b61

                            SHA256

                            0f2bf0d1dd3958b8d9b2007ef7e166e53c35a4882d17cb3ee5095d958310c921

                            SHA512

                            2bab724033c986d9627db74b891f5b88519130c3555249809237cf7cfd1753c6f884c278472b1b2ef14b81dee05ad035baf5d0e84a7e0265164a1595d96b342e

                          • C:\Users\Admin\AppData\Local\Temp\7aojnllk.0.vb

                            Filesize

                            274B

                            MD5

                            539683c4ca4ee4dc46b412c5651f20f5

                            SHA1

                            564f25837ce382f1534b088cf2ca1b8c4b078aed

                            SHA256

                            ec2210924d5c1af6377ef4bdf76d6ca773aaa1ae0438b0850f44d8c4e16ef92e

                            SHA512

                            df7c1a55e53f9b9bf23d27762d2d1163c78808e9b4d95e98c84c55ca4ecb7009ed58574ae6ddede31459f300483a1dc42987295a04f6c8702f297d3f1942f4ac

                          • C:\Users\Admin\AppData\Local\Temp\7aojnllk.cmdline

                            Filesize

                            174B

                            MD5

                            d4ad256af4cfcc735abe429898cdc3d0

                            SHA1

                            7c568f1258b0307bf760f590ef9737502ecff2ef

                            SHA256

                            9cadb949b798ebf5d9627b6af1897153ccaecdb5736b79ea2cddf36f7ad9b413

                            SHA512

                            b7d9e505e07de491cd38c8c896afad8dde26340a83ea32bb20ac9dabf8078f0037e5387af64ba0ed1331d0e8a7a1ff0e79c154eb97e7a6445808ded5fa991137

                          • C:\Users\Admin\AppData\Local\Temp\RESF047.tmp

                            Filesize

                            1KB

                            MD5

                            e7018317d1532acd1fe97bbbcc4f5521

                            SHA1

                            2166ea682b9d5cc3984eb9e7660e9c243a9a2f2a

                            SHA256

                            01add037479bf7afce7bee502ba0a1f7550fda65558ec1b5dcf56a4bb8507436

                            SHA512

                            7124602dda7e13f9057e32d691156f645d7ccbc5c69997dc0884127a78b3d5a57671c4e2d0d05d1a476d5d11e014ea1bc64aac69d0292944fbb61b1ca83adb8f

                          • C:\Users\Admin\AppData\Local\Temp\RESF0F3.tmp

                            Filesize

                            1KB

                            MD5

                            c49742ec0df40a0efbc8c9e916a30f4b

                            SHA1

                            72e907c7560ba6ac47a6d66410f1a43a33264bb6

                            SHA256

                            144f3af8e68b2eaab08145c1c6979baaa871350d8f4eb22246c487ddf4d34258

                            SHA512

                            7ec92a384d9d2496a0351118d287c92d330ddc10825107b9ebbe86f35890043c21e74df8b994807d74b634a6200aaf99dfc3e7423e86a27ed83807269de8cdd5

                          • C:\Users\Admin\AppData\Local\Temp\RESF18F.tmp

                            Filesize

                            1KB

                            MD5

                            d44156aae161dcf949314a14654e42e6

                            SHA1

                            1a7b2c2204f3f1e39c945c84c9a870d01de598af

                            SHA256

                            8427541758230afa9d808914a7be134fe87c751dbe082569c32b31303cf0eb71

                            SHA512

                            2de2a79d1055ea1203141b519f44a43f36c8399979f6e8767d1897759d329bdce1456442728cfa1d7f115356e1af625374a0010b24ddb4491c33ca1b336c101b

                          • C:\Users\Admin\AppData\Local\Temp\RESF20C.tmp

                            Filesize

                            1KB

                            MD5

                            dc25a2fd81bf473f07f8fe13dad039b8

                            SHA1

                            ca81e6f753fc3885d73b0950462ecbe5fe617008

                            SHA256

                            b053263bf7a3f2c3e1831df6b2be38c8cfffbfffabe57eee53f7451a641eaa4e

                            SHA512

                            28c5e31f0703f1276b61da44f02ab00b79b384b6206e9856cb4f2648d3270d552963e1c3e81ce7d9d84a0cfaea3c4e70603cb0daec641d7d8abf2b3ae38355a5

                          • C:\Users\Admin\AppData\Local\Temp\RESF289.tmp

                            Filesize

                            1KB

                            MD5

                            797c00357c94cd0d2c200ea7dde800ef

                            SHA1

                            7ede9c634c46dd665f5ad113d78ad0d26393bcaf

                            SHA256

                            d56178426e60e24b8c655b25d06aa91d9b75709103d9164aaad2d6f8742df1ad

                            SHA512

                            d048eabdb57de9de8e507d57dd8446da754d008df39ce183f4793be8c0b9e27c6c16d38f885f0639f585639eded51bb5bc6a5b4bb21df154ddf0ccc6aef8f99a

                          • C:\Users\Admin\AppData\Local\Temp\RESF2E7.tmp

                            Filesize

                            1KB

                            MD5

                            872460df77e544cedea762bb745ba4ef

                            SHA1

                            91493fd0551a9ed765288ea7e114bb76925b08eb

                            SHA256

                            dbd9d40e72ed29cd15d514e14557c7822474c69234852a4b5500cfaa5929731c

                            SHA512

                            d7d2d68bb886d5a2d12b5d9a107ea51bfff4a228abba761173d9143e77df6ff127a3fbf531d0f1d72c9f14df8a6ea69980e095ff6aa1f285246b0f1ad922a956

                          • C:\Users\Admin\AppData\Local\Temp\RESF354.tmp

                            Filesize

                            1KB

                            MD5

                            641c3be9c7147c59fbc23032701c9a08

                            SHA1

                            a44b333954d3db7796191912ddb9e972d5ccd619

                            SHA256

                            375c513e6c120fc113f40594e59f4b465528098c128d44befda667a27ee4f1db

                            SHA512

                            272edbda1c54c30582cf5712041e9d22e042a0fecb6559e6de63add6af2880f0717c13a70f1279e280d72cbfe60176a8f0b72d8bf284039b6e114a52e2547a1c

                          • C:\Users\Admin\AppData\Local\Temp\RESF3C1.tmp

                            Filesize

                            1KB

                            MD5

                            6a678739e60cc8e987857f9e0b428fe4

                            SHA1

                            d568b04034ed8031f33253ba75e2b2fb68e6bebd

                            SHA256

                            22cc44072081813155cbc237861c7e6f8534f87ade3aa7efc0168a867cfc477e

                            SHA512

                            daf914af9f1d502b61d477f26117f597330b32ad52020a0895744b9e83645c2ff3429d64670c20c30cc27880a63894e340e7cbfc872040e89e97744eee5d49a3

                          • C:\Users\Admin\AppData\Local\Temp\RESF41F.tmp

                            Filesize

                            1KB

                            MD5

                            8d4fe0807c7f6073fd8be448fb2df5b7

                            SHA1

                            2582bbbe015567007f6b9f1d4925b36dd704a276

                            SHA256

                            0f44155713bc8414e4732520373359eedbf838a75bb275ef1f956d6672b0d814

                            SHA512

                            873f4600ea008ebae4784747026292fd9603106143bfb01a084a95936cb442a0e940b16c964ad646b4f32188f241a95f0a2cf23c703cc2593afdb1b7d517fb8a

                          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_534jow12.vv1.ps1

                            Filesize

                            60B

                            MD5

                            d17fe0a3f47be24a6453e9ef58c94641

                            SHA1

                            6ab83620379fc69f80c0242105ddffd7d98d5d9d

                            SHA256

                            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                            SHA512

                            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                          • C:\Users\Admin\AppData\Local\Temp\czob87h2.0.vb

                            Filesize

                            273B

                            MD5

                            3c3d3136aa9f1b87290839a1d26ad07a

                            SHA1

                            005a23a138be5d7a98bdd4a6cc7fab8bdca962f4

                            SHA256

                            5b745f85a39312bfa585edbd7e3465371578b42fa639eded4cdad8c9f96b87fd

                            SHA512

                            fbb085ffcd77ac96c245067fd96a0c20492d55331161f292975b0c11386424a96534a500133217f84d44455e16139d01230455bce5db3d472271620c29381f60

                          • C:\Users\Admin\AppData\Local\Temp\czob87h2.cmdline

                            Filesize

                            173B

                            MD5

                            b70cdc7d6a6b93db5e55ad3d31fea3d4

                            SHA1

                            23c9e6aa984dbec3b3f529f43fe41b7a743eeda5

                            SHA256

                            a73949353fd5167d76f513c3765df504c4f314c8349c4befc888eb5486655e4e

                            SHA512

                            960b3cabe8e6ab0e1fe900557a05221a686109cdac50671a51093b5af997021daf47ce534c92b03290a2533e289e8f265ac0051370ef313aed1222307b2f8b14

                          • C:\Users\Admin\AppData\Local\Temp\lhmyuwsh.0.vb

                            Filesize

                            271B

                            MD5

                            ac972015bef75b540eb33503d6e28cc2

                            SHA1

                            5c1d09fcf4c719711532dcfd0544dfc6f2b90260

                            SHA256

                            fa445cc76cde3461a5f1f1281fefcb0c7db69b2685f8a67a06a0f33a067e74e7

                            SHA512

                            36b2e1f7b7a6f2c60788f88d95bfdc53b7d261c203eb637a36fbd07d81bc46edc87e528f1987df73963cb75ca2f19c3a4b3df9ade52d5768ecec23753099cc83

                          • C:\Users\Admin\AppData\Local\Temp\lhmyuwsh.cmdline

                            Filesize

                            171B

                            MD5

                            ed87ed2c493011b815f4780d2142efb9

                            SHA1

                            f6d07b282fbf813ac5e5ae4604434dff82b46c3b

                            SHA256

                            f6a3ab272112dc3d9d83e6641f3dd6ba7b8bea991910bb89e7b19301aefdb007

                            SHA512

                            004141d5d4d7a7158dc5937862000ea7132ea9af413b98da5b048abcc49ca5d7bc1075f551a0b41005ea9d2cf83fd95afdadfb07a9d8b678f22501ad4166e3d5

                          • C:\Users\Admin\AppData\Local\Temp\n_yfxz5f.0.vb

                            Filesize

                            264B

                            MD5

                            5ce3977a153152978fa71f8aa96909e9

                            SHA1

                            52af143c553c92afc257f0e0d556908eaa8919cb

                            SHA256

                            e07a7bd0c2901d3a349ab55e936b34de2d0abb5f2dc555cc128773b8045d3eed

                            SHA512

                            eaee02ceade0211be70a4710b28fdf043d5c540928e2095ead924a44c2edfca8fc6499395d1b7f5deee96394fb5309362fb87e45ee195094ec39d5fa11909d77

                          • C:\Users\Admin\AppData\Local\Temp\n_yfxz5f.cmdline

                            Filesize

                            164B

                            MD5

                            bd884b9ec2d90564e27d1a43730939ca

                            SHA1

                            c5952cdf11c8eec07953b3fe8dc02685d3ccc4fb

                            SHA256

                            e4a5383844cb4b9357a53efbcf73ee026409edc9885abb7a3abf965fdeb11d8f

                            SHA512

                            fc92e035aea471b5869263e3de7323d34091410ce99e1f2db1a2f1c53f76da454760365ba0cd9575542448dbc42e329b3a22c535c730ce8e93137196a2d39236

                          • C:\Users\Admin\AppData\Local\Temp\sdyv-hkg.0.vb

                            Filesize

                            272B

                            MD5

                            2b3aac520562a93ebef6a5905d4765c9

                            SHA1

                            10ab45c5d73934b16fac5e30bf22f17d3e0810c8

                            SHA256

                            b9f0edf067faaaa7da2d47e3d22b957cd302eb25e01e08ea79c664868f328f89

                            SHA512

                            9514934ed12d93ea3ad4e6873cf294bafa114bc7a784a93b14dd2410d07fae3a2c00308035a5c129c57e283de8b94ed36fd9f9de35b08eb79a82a0c732e50446

                          • C:\Users\Admin\AppData\Local\Temp\sdyv-hkg.cmdline

                            Filesize

                            172B

                            MD5

                            6d84748979b43162d26b4bd4d2b6cd09

                            SHA1

                            d1074e1b34767be312b3857ee8cb64640187f929

                            SHA256

                            dbb4adbf8bda8556d3ffa72d71d44452a41b40178c4f4d31ed39417f584a036d

                            SHA512

                            f85d388b3189223579c901d98d57a54def5489cbe01d48d5be6eb5879dce8d8557930d44a6c29523a5bb37d330b0707dff50bb4fae2830ae9bdefe92a2c3f9cf

                          • C:\Users\Admin\AppData\Local\Temp\tusrh1jl.0.vb

                            Filesize

                            270B

                            MD5

                            658573fde2bebc77c740da7ddaa4634b

                            SHA1

                            073da76c50b4033fcfdfb37ba6176afd77b0ea55

                            SHA256

                            c07206283d62100d426ba62a81e97bd433966f8b52b5a8dd1451e29a804a1607

                            SHA512

                            f93c7f4378be5eca51161d1541d772a34c07884c9d829608c6fa21563df5691920394afe9da1174ad5c13f773a588b186d1d38a9d375a28562eb58ca4a8b8fbf

                          • C:\Users\Admin\AppData\Local\Temp\tusrh1jl.cmdline

                            Filesize

                            170B

                            MD5

                            add01f0480b6dce9c1c9ca6f816b2097

                            SHA1

                            013db082abf7b37496e82e60ef870591e63fb04f

                            SHA256

                            ddbb5d46847fa605e67cefd25eb068e4cb8baff8680b929b40ad7fa9b38efb2c

                            SHA512

                            10c2f3a89718241fe3f5e9da4007164615398e5aa62d5dee0aecac51e414591d3eaf802200b126e443b4e8904fe13ce9a67288c1b6c5087af3111431c19ff17f

                          • C:\Users\Admin\AppData\Local\Temp\u_jo8tda.0.vb

                            Filesize

                            262B

                            MD5

                            88cc385da858aaa7057b54eaeb0df718

                            SHA1

                            b108224d4686b5ca3faaeb1c728dfba8740a6eca

                            SHA256

                            08a30db98d970e3b6819d5ecff6eab2211ce93f4cd000c09db96ffb294d05020

                            SHA512

                            4787835240c3e2364172ac2e7649ec8fecb907c7006c38734e59aa65509f360b4596d5db8de20e0c7388a022e1c2f4f9ba75acabba798bea1d40f688539b7df7

                          • C:\Users\Admin\AppData\Local\Temp\u_jo8tda.cmdline

                            Filesize

                            162B

                            MD5

                            2539616af918077b59e39f0e358d97c8

                            SHA1

                            eb66c01ced3155eba32bd5743afcb38f1f62bb4b

                            SHA256

                            da46388f5c7aa0dba76b34c25fe3f9760b3814fa57869fb8ea4dbceb4ffc2b40

                            SHA512

                            2213c1fcc07ba3ae88094555b29438532804b7a0bb15f078dae081c27db3a1e2fd6caa21bd0e0f6ac16e7f4b3607c780d4c2549a91ac026611bd37be6f823062

                          • C:\Users\Admin\AppData\Local\Temp\vbc13680B8D7A1545D4A993F454596494BD.TMP

                            Filesize

                            668B

                            MD5

                            3906bddee0286f09007add3cffcaa5d5

                            SHA1

                            0e7ec4da19db060ab3c90b19070d39699561aae2

                            SHA256

                            0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00

                            SHA512

                            0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

                          • C:\Users\Admin\AppData\Local\Temp\vbc157A68DF9A8C42A4BCCF65C4C8152C6.TMP

                            Filesize

                            684B

                            MD5

                            8135713eeb0cf1521c80ad8f3e7aad22

                            SHA1

                            1628969dc6256816b2ab9b1c0163fcff0971c154

                            SHA256

                            e14dd88df69dc98be5bedcbc8c43d1e7260b4492899fec24d964000a3b096c7a

                            SHA512

                            a0b7210095767b437a668a6b0bcedf42268e80b9184b9910ed67d665fba9f714d06c06bff7b3da63846791d606807d13311946505776a1b891b39058cfb41bd4

                          • C:\Users\Admin\AppData\Local\Temp\vbc45F1D02539664E75ADECEE91E3B81B51.TMP

                            Filesize

                            684B

                            MD5

                            7a707b422baa7ca0bc8883cbe68961e7

                            SHA1

                            addf3158670a318c3e8e6fdd6d560244b9e8860e

                            SHA256

                            453ad1da51152e3512760bbd206304bf48f9c880f63b6a0726009e2d1371c71c

                            SHA512

                            81147c1c4c5859249f4e25d754103f3843416e3d0610ac81ee2ef5e5f50622ea37f0c68eeb7fa404f8a1779dc52af02d2142874e39c212c66fa458e0d62926a9

                          • C:\Users\Admin\AppData\Local\Temp\vbc58F5C2A9CF2240DDABB0602BEB609BE7.TMP

                            Filesize

                            676B

                            MD5

                            85c61c03055878407f9433e0cc278eb7

                            SHA1

                            15a60f1519aefb81cb63c5993400dd7d31b1202f

                            SHA256

                            f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b

                            SHA512

                            7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

                          • C:\Users\Admin\AppData\Local\Temp\vbcBF3EA2B24CC44513A13DBF12CF9DE6A3.TMP

                            Filesize

                            644B

                            MD5

                            dac60af34e6b37e2ce48ac2551aee4e7

                            SHA1

                            968c21d77c1f80b3e962d928c35893dbc8f12c09

                            SHA256

                            2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6

                            SHA512

                            1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

                          • C:\Windows\System32\MSSCS.exe

                            Filesize

                            21KB

                            MD5

                            6fe3fb85216045fdf8186429c27458a7

                            SHA1

                            ef2c68d0b3edf3def5d90f1525fe87c2142e5710

                            SHA256

                            905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550

                            SHA512

                            d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c

                          • memory/3400-37-0x0000025C6EF10000-0x0000025C6EF32000-memory.dmp

                            Filesize

                            136KB

                          • memory/3444-20-0x00007FFA60220000-0x00007FFA60BC1000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/3444-4-0x00007FFA60220000-0x00007FFA60BC1000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/3444-1-0x00007FFA60220000-0x00007FFA60BC1000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/3444-0-0x00007FFA604D5000-0x00007FFA604D6000-memory.dmp

                            Filesize

                            4KB

                          • memory/3444-2-0x000000001C330000-0x000000001C7FE000-memory.dmp

                            Filesize

                            4.8MB

                          • memory/3444-9-0x00007FFA60220000-0x00007FFA60BC1000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/3444-8-0x00007FFA60220000-0x00007FFA60BC1000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/3444-7-0x00007FFA604D5000-0x00007FFA604D6000-memory.dmp

                            Filesize

                            4KB

                          • memory/3444-6-0x000000001D0E0000-0x000000001D17C000-memory.dmp

                            Filesize

                            624KB

                          • memory/3444-5-0x000000001C870000-0x000000001C8D2000-memory.dmp

                            Filesize

                            392KB

                          • memory/3444-3-0x000000001BD20000-0x000000001BDC6000-memory.dmp

                            Filesize

                            664KB

                          • memory/4496-21-0x00007FFA60220000-0x00007FFA60BC1000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/4496-23-0x00007FFA60220000-0x00007FFA60BC1000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/4496-19-0x00007FFA60220000-0x00007FFA60BC1000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/4496-22-0x00007FFA60220000-0x00007FFA60BC1000-memory.dmp

                            Filesize

                            9.6MB