Analysis

  • max time kernel
    144s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250502-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/05/2025, 05:10

General

  • Target

    905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe

  • Size

    21KB

  • MD5

    6fe3fb85216045fdf8186429c27458a7

  • SHA1

    ef2c68d0b3edf3def5d90f1525fe87c2142e5710

  • SHA256

    905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550

  • SHA512

    d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c

  • SSDEEP

    384:nPD9On5gIdjbvRPJnMacNj6FIlKrZbJsV5reQ+ys:b9On2nV6FIlKr1

Malware Config

Signatures

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

  • Revengerat family
  • RevengeRat Executable 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Drops file in System32 directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
    "C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3408
    • C:\Windows\system32\MSSCS.exe
      "C:\Windows\system32\MSSCS.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4212
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -ExecutionPolicy Bypass -Command [System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms'); [System.Windows.Forms.MessageBox]::Show('Isto abriu lol','Rekt!',0,64)
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2940
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4evrteeg.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4520
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBFE0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc732A545F924041B38D38D7A828C9D8C.TMP"
          4⤵
            PID:4288
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
          "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1yfaxbn6.cmdline"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1696
          • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC0BB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE4E7C281185448C8A43147CFBB28F3A5.TMP"
            4⤵
              PID:2808
          • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
            "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\axigtgvo.cmdline"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2944
            • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC167.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9089C0FBDB5A48B0B2E9E33C5C1EAE99.TMP"
              4⤵
                PID:4400
            • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
              "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\liy_xgy4.cmdline"
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:2208
              • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
                C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC1E4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEDF6394837BA4324A37AD2AAE76AEDC1.TMP"
                4⤵
                  PID:4344
              • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
                "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rju4dzrb.cmdline"
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:1952
                • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
                  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC251.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc67486D9BF9294623B4AD83C36D1E1D.TMP"
                  4⤵
                    PID:1632
                • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
                  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\a1wc_wbq.cmdline"
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:3576
                  • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
                    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC2BE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD329D59D2F6D42AFAD8535CFB2EC5ACD.TMP"
                    4⤵
                      PID:2436
                  • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
                    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xu5pvkll.cmdline"
                    3⤵
                    • Suspicious use of WriteProcessMemory
                    PID:3796
                    • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
                      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC32C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc565B70BBEBD84010845AE8A2151BC092.TMP"
                      4⤵
                        PID:1448
                    • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
                      "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cenbx5ag.cmdline"
                      3⤵
                      • Suspicious use of WriteProcessMemory
                      PID:3504
                      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
                        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC38A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc559B5FCBF6CC4B9999B01A341FBA5215.TMP"
                        4⤵
                          PID:2380
                      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
                        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qh0h2jip.cmdline"
                        3⤵
                        • Suspicious use of WriteProcessMemory
                        PID:4468
                        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
                          C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC3E7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc93BAD35C841C4E63B4E3EDF5D06D1FD7.TMP"
                          4⤵
                            PID:4028

                    Network

                          MITRE ATT&CK Enterprise v16

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Users\Admin\AppData\Local\Temp\1yfaxbn6.0.vb

                            Filesize

                            262B

                            MD5

                            88cc385da858aaa7057b54eaeb0df718

                            SHA1

                            b108224d4686b5ca3faaeb1c728dfba8740a6eca

                            SHA256

                            08a30db98d970e3b6819d5ecff6eab2211ce93f4cd000c09db96ffb294d05020

                            SHA512

                            4787835240c3e2364172ac2e7649ec8fecb907c7006c38734e59aa65509f360b4596d5db8de20e0c7388a022e1c2f4f9ba75acabba798bea1d40f688539b7df7

                          • C:\Users\Admin\AppData\Local\Temp\1yfaxbn6.cmdline

                            Filesize

                            162B

                            MD5

                            5d5003c90ff46620a67823a0c079a0fe

                            SHA1

                            df74b88c1224ae8bb9ff77a34e990bd0a80404b0

                            SHA256

                            059c5765bda1a233f792918bdb5ed7f188c2a316bc50563d06621e1d2cdd9a64

                            SHA512

                            e6088d2b7b1055ce77f177be2def6d91e35c165901cd221cbafce72ba76540f19a891d050614318b2ced18777d5a3629872315410994153d5dc76fffd0153b6b

                          • C:\Users\Admin\AppData\Local\Temp\4evrteeg.0.vb

                            Filesize

                            256B

                            MD5

                            076803692ac8c38d8ee02672a9d49778

                            SHA1

                            45d2287f33f3358661c3d6a884d2a526fc6a0a46

                            SHA256

                            5b3ab23bcadaeb54a41bdb1636bcaf7772af028d375f42baeb967de6579ef2a3

                            SHA512

                            cc9126384a287ccb99d10d5c2d3034cdbc8a45e94f1cec48dd95f2aa08ebbe3053ffd6d6effa31f2d84164edbb6136398cd02c08b05f027a6a777dffd1daea5d

                          • C:\Users\Admin\AppData\Local\Temp\4evrteeg.cmdline

                            Filesize

                            156B

                            MD5

                            178590190de696ef08e2d14cb2c2eb91

                            SHA1

                            dd0fa8ddb746a92969d5f4b136b15153f33f92c0

                            SHA256

                            e402c58e44c9aa4ab12603c2039fb53944f77044c2a5bcf5196e7b579cee2aec

                            SHA512

                            bc7eeb662778f2c84b5ad125c222c85839d0f6f49e52468654a1380f7f4fbc1980dd6527648a54aad4ffbd1ef9b370d6239d0a88e0cf28a2fa6c6f4f59bbc5db

                          • C:\Users\Admin\AppData\Local\Temp\RESBFE0.tmp

                            Filesize

                            1KB

                            MD5

                            01a1757c3f09178ea151597395d2515d

                            SHA1

                            eebe5311e19045252d1c59a94fbe0d337d762e3a

                            SHA256

                            9dbae67ff74a4fac8aa55c152b0a85fefb36f07b37e3c5c350478eedcece867e

                            SHA512

                            d03ca6f31f9adcc7cc5cc12530a8627c3e998f8023f93b55e83725f903b0c3a373c599655da2ce79854998a33977cc0e1d04829a0cd0053c93f8df7eda33d525

                          • C:\Users\Admin\AppData\Local\Temp\RESC0BB.tmp

                            Filesize

                            1KB

                            MD5

                            bdb44d2ed3a921221457fc3fa8386f94

                            SHA1

                            8196388e2dee5676dd1541bd81fca6a4cbd60eaa

                            SHA256

                            8b0f06228f7d15dfb461cf05ad9852712add49823ea4bc0f5075d9fbc040e618

                            SHA512

                            19af0af03d204d22221216ffc67dc424d1298f310da98e02d4d65a38405cf88f9735d2769d930da0c0b92e41996e159a0ed459bf630f25faf851468c9fcd486e

                          • C:\Users\Admin\AppData\Local\Temp\RESC167.tmp

                            Filesize

                            1KB

                            MD5

                            08466d64ad0e59af8b96a7fa57b5105c

                            SHA1

                            7269e8d4d50840fd370621c5738479bcaff65a90

                            SHA256

                            0f86bdaf64028bbd7794404245db5bcf18ad9f343a652202e70ed14ff6608c2c

                            SHA512

                            727ce06d2394ddf3f4411f1ee2f929b9c3423115e85cca2c10e451edf76d8374f8016ba383f3b3f13e4184dd91f7f63ca8434149615377903b563496e0c0e81d

                          • C:\Users\Admin\AppData\Local\Temp\RESC1E4.tmp

                            Filesize

                            1KB

                            MD5

                            15d4533ec04e030b5f84611da2f54a5c

                            SHA1

                            4269cae17956c94717af6cd900a73ef13439c780

                            SHA256

                            e8ca2fd51c0767ae8f007cde49ad6308765634c56dfec97d493b95ee09e7b016

                            SHA512

                            56d31a0e149141db3d325c658917afc692608b7956a0adafa2b0830033ee00d4c12efa449745cac0627b13122fdbaa6e5cc27efa3b35b6fb61b21196b713ceb5

                          • C:\Users\Admin\AppData\Local\Temp\RESC251.tmp

                            Filesize

                            1KB

                            MD5

                            7d9a89c0be91fd9ea535182ba06bdcbf

                            SHA1

                            846b8a54b26064bedc2c673d98a8dd92bc1fb437

                            SHA256

                            2e976e7721f53568c89b0cbfa49b147d750a918d34f0d300b85adfa3045253f3

                            SHA512

                            ca6e9ce9612fa96669652b4fcb9c06cabc9c3b523be645f145f9b530d9017e9b9ec0e1dfe7be8e85569da8691ed7b6e8211e6fb21d98929e0c85555bdf194f91

                          • C:\Users\Admin\AppData\Local\Temp\RESC2BE.tmp

                            Filesize

                            1KB

                            MD5

                            03078f9ae7273690ac46e24f88a8b7f1

                            SHA1

                            0c8f0d275e62a9eacae5ba7309cd771ffdc00126

                            SHA256

                            196875acc3af69d520ed1c65c289536ab77962cebd4068191b9080375390c72e

                            SHA512

                            b8ca8144637b565ada64a56433803f054a30682076f2cd756703800c13fcfbe4a5797f8eb848f3986e5464dcee628d6b3c30ab6e448ab92d1b10a8e79071bac7

                          • C:\Users\Admin\AppData\Local\Temp\RESC32C.tmp

                            Filesize

                            1KB

                            MD5

                            38ff3bc6309b7a51e804a1db7fb75e2d

                            SHA1

                            987584e89c31442462c25d8cfd953f6c09725d6c

                            SHA256

                            5806fda650e773bdc9fd975bb4f6ebebb4652f966211bb16510f1b25899e2532

                            SHA512

                            ec6c6d3afa2bc0e47b835a69bbbddd5cc738169dd0e0ecb1c1461e2c4c038a20ab0f5990f539d7250ebf0b25beeb75520017453fa017ad19a0560c40e2fac8be

                          • C:\Users\Admin\AppData\Local\Temp\RESC38A.tmp

                            Filesize

                            1KB

                            MD5

                            813e72884b1035d5e6c923bb2876b5cb

                            SHA1

                            26b727de59e397490dbb0b78ab398a7ae9b02c05

                            SHA256

                            b4540895e85196f5c99e3390921fa3e025d66be12f25667b976a021c91bd1bf3

                            SHA512

                            2c93d930063722df5c60235d2d29b4c8d31ac1d3687271e35988894d68e1ddddb943acc21d5bad72fcfa47085e560fc8f8df3df1ea52b9b13fd34a7f9b1a3a0b

                          • C:\Users\Admin\AppData\Local\Temp\RESC3E7.tmp

                            Filesize

                            1KB

                            MD5

                            720e7d77e411f140f0f6abbd3d07e15e

                            SHA1

                            c7b2d971079fd2551b45a2f1d2deb88eb4c2cd80

                            SHA256

                            1142c19166e0384d0a314f2ce302707d2b9f4ee117f7128380be3729ceed21f3

                            SHA512

                            c236cdb81776411c1bb8d065b37821ee966643da0df78b2b43b7676da4ba5586a11665c4a9a5eedf69ac2555effd6d1c51686c0552c2e0beb1fe802522b6f651

                          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rmlidntb.qq4.ps1

                            Filesize

                            60B

                            MD5

                            d17fe0a3f47be24a6453e9ef58c94641

                            SHA1

                            6ab83620379fc69f80c0242105ddffd7d98d5d9d

                            SHA256

                            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                            SHA512

                            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                          • C:\Users\Admin\AppData\Local\Temp\a1wc_wbq.0.vb

                            Filesize

                            274B

                            MD5

                            539683c4ca4ee4dc46b412c5651f20f5

                            SHA1

                            564f25837ce382f1534b088cf2ca1b8c4b078aed

                            SHA256

                            ec2210924d5c1af6377ef4bdf76d6ca773aaa1ae0438b0850f44d8c4e16ef92e

                            SHA512

                            df7c1a55e53f9b9bf23d27762d2d1163c78808e9b4d95e98c84c55ca4ecb7009ed58574ae6ddede31459f300483a1dc42987295a04f6c8702f297d3f1942f4ac

                          • C:\Users\Admin\AppData\Local\Temp\a1wc_wbq.cmdline

                            Filesize

                            174B

                            MD5

                            f61283eb4317449dc9357cd06058186b

                            SHA1

                            2290f6253815ff227d1419694d93ab7f197c4ef6

                            SHA256

                            f198b99c8300c1dc3ff7c08c451499c8efb0410a074134eec6a3a31ed93d5b1f

                            SHA512

                            8638624e53de4bef54a350dfa8381e29c3f7b4b596946817e91c53373ab20a966456aa98bd7dfd1367201420869061e5b85b5a7194a0c830127120d94b85b881

                          • C:\Users\Admin\AppData\Local\Temp\axigtgvo.0.vb

                            Filesize

                            271B

                            MD5

                            ac972015bef75b540eb33503d6e28cc2

                            SHA1

                            5c1d09fcf4c719711532dcfd0544dfc6f2b90260

                            SHA256

                            fa445cc76cde3461a5f1f1281fefcb0c7db69b2685f8a67a06a0f33a067e74e7

                            SHA512

                            36b2e1f7b7a6f2c60788f88d95bfdc53b7d261c203eb637a36fbd07d81bc46edc87e528f1987df73963cb75ca2f19c3a4b3df9ade52d5768ecec23753099cc83

                          • C:\Users\Admin\AppData\Local\Temp\axigtgvo.cmdline

                            Filesize

                            171B

                            MD5

                            d04581fbb8370acd3a3b7fe191143755

                            SHA1

                            c7eeeb0189fe99ea0ea6c5cb7a1b7b1a4799af6f

                            SHA256

                            fddd6c3571aea652a1711dd2b4e058f3ed11e035f64d241c980aa2ad854e58a6

                            SHA512

                            34d3550acf6a8343165ac2c0fa1584a4c9e6e2d557aa1b977826db81d3596c847e6d85e78d55ee3a6ead4aa798092c4c3d8b1b4dcf55a253207d6125361f14c4

                          • C:\Users\Admin\AppData\Local\Temp\cenbx5ag.0.vb

                            Filesize

                            270B

                            MD5

                            658573fde2bebc77c740da7ddaa4634b

                            SHA1

                            073da76c50b4033fcfdfb37ba6176afd77b0ea55

                            SHA256

                            c07206283d62100d426ba62a81e97bd433966f8b52b5a8dd1451e29a804a1607

                            SHA512

                            f93c7f4378be5eca51161d1541d772a34c07884c9d829608c6fa21563df5691920394afe9da1174ad5c13f773a588b186d1d38a9d375a28562eb58ca4a8b8fbf

                          • C:\Users\Admin\AppData\Local\Temp\cenbx5ag.cmdline

                            Filesize

                            170B

                            MD5

                            d9f84541678ea137d2cc8b8f59364ff7

                            SHA1

                            524c8aa39a9c71ef93d8c0bebfc2da5e679dbbde

                            SHA256

                            775bc48d9f3a5b71c1595e09e43ac5f12baec62480f0af5cc7e5015bc45aa8a2

                            SHA512

                            554ca5797e3b2396a0a59e2c5d4e298bb9cbd48a742e2b25dbda113045f1483147f0ae412c0cf5ad831b310fb83afc69ebe4d77953d69a0a6c8491f7adfffe81

                          • C:\Users\Admin\AppData\Local\Temp\liy_xgy4.0.vb

                            Filesize

                            272B

                            MD5

                            2b3aac520562a93ebef6a5905d4765c9

                            SHA1

                            10ab45c5d73934b16fac5e30bf22f17d3e0810c8

                            SHA256

                            b9f0edf067faaaa7da2d47e3d22b957cd302eb25e01e08ea79c664868f328f89

                            SHA512

                            9514934ed12d93ea3ad4e6873cf294bafa114bc7a784a93b14dd2410d07fae3a2c00308035a5c129c57e283de8b94ed36fd9f9de35b08eb79a82a0c732e50446

                          • C:\Users\Admin\AppData\Local\Temp\liy_xgy4.cmdline

                            Filesize

                            172B

                            MD5

                            9ac443749eb7b5be4c18391a35d6a5c9

                            SHA1

                            385164dcf8bdea1266e470c4afd4cca6faf9f732

                            SHA256

                            832d1ae363f2fd38a429bbea7f3e5ba4d51c8809d634b01f77e1399b5c27c767

                            SHA512

                            6c5b80a38ea767357cec1989b6f94436ea85547b0c9135cfe04ca019d476203207d615e2d1d5918bf4f9ab267c1fcb1135e166604fda931aae6c74ba19ea7405

                          • C:\Users\Admin\AppData\Local\Temp\qh0h2jip.0.vb

                            Filesize

                            273B

                            MD5

                            3c3d3136aa9f1b87290839a1d26ad07a

                            SHA1

                            005a23a138be5d7a98bdd4a6cc7fab8bdca962f4

                            SHA256

                            5b745f85a39312bfa585edbd7e3465371578b42fa639eded4cdad8c9f96b87fd

                            SHA512

                            fbb085ffcd77ac96c245067fd96a0c20492d55331161f292975b0c11386424a96534a500133217f84d44455e16139d01230455bce5db3d472271620c29381f60

                          • C:\Users\Admin\AppData\Local\Temp\qh0h2jip.cmdline

                            Filesize

                            173B

                            MD5

                            9f950890fe2b4ad7c169ffd3182a2a33

                            SHA1

                            205929d232a087760566f331e8d1784cbcf94811

                            SHA256

                            bab9142da6a9d87b129b470a78ecb950cac5ba6c90d3dc2db4a3d8a461891483

                            SHA512

                            6f87b42ca4311c0b6f675fdbd8a23cbf548496cbdc817550c8e890b1173b4966eb34572f3d224b42b6710d152e80a90b2af425af0a0f8f0967ab9a43c01492bb

                          • C:\Users\Admin\AppData\Local\Temp\rju4dzrb.0.vb

                            Filesize

                            271B

                            MD5

                            325f27ef75bebe8b3f80680add1943d3

                            SHA1

                            1c48e211258f8887946afb063e9315b7609b4ee3

                            SHA256

                            034c75813491d628a1a740b45888fc0c301b915456aaa7ba6433b4f1368cda35

                            SHA512

                            e2165b425558872897990953c26e48776f45751a53da035f1ad86ac062ec23a2923b984d84f992de5c0170f6e192feb155ffff25f51bc76ab273b996daacb804

                          • C:\Users\Admin\AppData\Local\Temp\rju4dzrb.cmdline

                            Filesize

                            171B

                            MD5

                            d9bc14af5b5228b5f8828ab36446ff77

                            SHA1

                            f03d0b6637f66c161383f0e13ed5176a916a22ba

                            SHA256

                            93d28aa0db80fd457f1db22f15c499af4608754a2dbbb87bc8a93c034b4bb05b

                            SHA512

                            1e84656bdcf708adb3894af0c0443f70a406acbe29634898ec69c3b9b7dc39c59bf80c1b8a384c1fd1828a262febcde8b6e2ba62709f86c9662859ec6b06f0c9

                          • C:\Users\Admin\AppData\Local\Temp\vbc732A545F924041B38D38D7A828C9D8C.TMP

                            Filesize

                            644B

                            MD5

                            dac60af34e6b37e2ce48ac2551aee4e7

                            SHA1

                            968c21d77c1f80b3e962d928c35893dbc8f12c09

                            SHA256

                            2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6

                            SHA512

                            1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

                          • C:\Users\Admin\AppData\Local\Temp\vbc93BAD35C841C4E63B4E3EDF5D06D1FD7.TMP

                            Filesize

                            684B

                            MD5

                            7a707b422baa7ca0bc8883cbe68961e7

                            SHA1

                            addf3158670a318c3e8e6fdd6d560244b9e8860e

                            SHA256

                            453ad1da51152e3512760bbd206304bf48f9c880f63b6a0726009e2d1371c71c

                            SHA512

                            81147c1c4c5859249f4e25d754103f3843416e3d0610ac81ee2ef5e5f50622ea37f0c68eeb7fa404f8a1779dc52af02d2142874e39c212c66fa458e0d62926a9

                          • C:\Users\Admin\AppData\Local\Temp\vbcD329D59D2F6D42AFAD8535CFB2EC5ACD.TMP

                            Filesize

                            684B

                            MD5

                            8135713eeb0cf1521c80ad8f3e7aad22

                            SHA1

                            1628969dc6256816b2ab9b1c0163fcff0971c154

                            SHA256

                            e14dd88df69dc98be5bedcbc8c43d1e7260b4492899fec24d964000a3b096c7a

                            SHA512

                            a0b7210095767b437a668a6b0bcedf42268e80b9184b9910ed67d665fba9f714d06c06bff7b3da63846791d606807d13311946505776a1b891b39058cfb41bd4

                          • C:\Users\Admin\AppData\Local\Temp\vbcE4E7C281185448C8A43147CFBB28F3A5.TMP

                            Filesize

                            668B

                            MD5

                            3906bddee0286f09007add3cffcaa5d5

                            SHA1

                            0e7ec4da19db060ab3c90b19070d39699561aae2

                            SHA256

                            0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00

                            SHA512

                            0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

                          • C:\Users\Admin\AppData\Local\Temp\vbcEDF6394837BA4324A37AD2AAE76AEDC1.TMP

                            Filesize

                            676B

                            MD5

                            85c61c03055878407f9433e0cc278eb7

                            SHA1

                            15a60f1519aefb81cb63c5993400dd7d31b1202f

                            SHA256

                            f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b

                            SHA512

                            7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

                          • C:\Users\Admin\AppData\Local\Temp\xu5pvkll.0.vb

                            Filesize

                            264B

                            MD5

                            5ce3977a153152978fa71f8aa96909e9

                            SHA1

                            52af143c553c92afc257f0e0d556908eaa8919cb

                            SHA256

                            e07a7bd0c2901d3a349ab55e936b34de2d0abb5f2dc555cc128773b8045d3eed

                            SHA512

                            eaee02ceade0211be70a4710b28fdf043d5c540928e2095ead924a44c2edfca8fc6499395d1b7f5deee96394fb5309362fb87e45ee195094ec39d5fa11909d77

                          • C:\Users\Admin\AppData\Local\Temp\xu5pvkll.cmdline

                            Filesize

                            164B

                            MD5

                            7282e010f83ff48a31bfab8e0f8c5ffb

                            SHA1

                            7e980279b38687d96f142d3e0117baeb3019eb3a

                            SHA256

                            80ccfd5ba4d1043425565f501cd7b5fab0f327c2ab31d826e7c65ab890da0e0a

                            SHA512

                            4dd6cf0e856166021db7a7fb91e8f1082c04ff1bf2b0a805b72c693b7464c82fbd5ed0087175787fc22ac558e57b1ac75fabe22d2909ddca50c88bbad1a990c7

                          • C:\Windows\System32\MSSCS.exe

                            Filesize

                            21KB

                            MD5

                            6fe3fb85216045fdf8186429c27458a7

                            SHA1

                            ef2c68d0b3edf3def5d90f1525fe87c2142e5710

                            SHA256

                            905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550

                            SHA512

                            d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c

                          • memory/2940-37-0x0000018D74450000-0x0000018D74472000-memory.dmp

                            Filesize

                            136KB

                          • memory/3408-9-0x00007FFEC97F0000-0x00007FFECA191000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/3408-3-0x000000001C5C0000-0x000000001C666000-memory.dmp

                            Filesize

                            664KB

                          • memory/3408-0-0x00007FFEC9AA5000-0x00007FFEC9AA6000-memory.dmp

                            Filesize

                            4KB

                          • memory/3408-6-0x000000001CFC0000-0x000000001D05C000-memory.dmp

                            Filesize

                            624KB

                          • memory/3408-4-0x000000001C740000-0x000000001C7A2000-memory.dmp

                            Filesize

                            392KB

                          • memory/3408-7-0x00007FFEC9AA5000-0x00007FFEC9AA6000-memory.dmp

                            Filesize

                            4KB

                          • memory/3408-8-0x00007FFEC97F0000-0x00007FFECA191000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/3408-5-0x00007FFEC97F0000-0x00007FFECA191000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/3408-1-0x00007FFEC97F0000-0x00007FFECA191000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/3408-22-0x00007FFEC97F0000-0x00007FFECA191000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/3408-2-0x000000001C0F0000-0x000000001C5BE000-memory.dmp

                            Filesize

                            4.8MB

                          • memory/4212-20-0x00007FFEC97F0000-0x00007FFECA191000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/4212-18-0x00007FFEC97F0000-0x00007FFECA191000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/4212-21-0x00007FFEC97F0000-0x00007FFECA191000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/4212-23-0x00007FFEC97F0000-0x00007FFECA191000-memory.dmp

                            Filesize

                            9.6MB