Analysis

  • max time kernel
    143s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250502-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/05/2025, 05:14

General

  • Target

    905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe

  • Size

    21KB

  • MD5

    6fe3fb85216045fdf8186429c27458a7

  • SHA1

    ef2c68d0b3edf3def5d90f1525fe87c2142e5710

  • SHA256

    905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550

  • SHA512

    d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c

  • SSDEEP

    384:nPD9On5gIdjbvRPJnMacNj6FIlKrZbJsV5reQ+ys:b9On2nV6FIlKr1

Malware Config

Signatures

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

  • Revengerat family
  • RevengeRat Executable 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Drops file in System32 directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
    "C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:216
    • C:\Windows\system32\MSSCS.exe
      "C:\Windows\system32\MSSCS.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5880
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -ExecutionPolicy Bypass -Command [System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms'); [System.Windows.Forms.MessageBox]::Show('Isto abriu lol','Rekt!',0,64)
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5008
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\n7driscl.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2732
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAF85.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAA3B4E61ACC54EA6A8215239FDCCAD24.TMP"
          4⤵
            PID:5316
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
          "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hcx1jc0e.cmdline"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1016
          • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB011.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9686B7B9237D497792C3B37ADE433A3.TMP"
            4⤵
              PID:5704
          • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
            "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mda14yq9.cmdline"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2060
            • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB09E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC1A634AAEE64733A7D2616ADCEA42DB.TMP"
              4⤵
                PID:5036
            • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
              "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ewdez6oe.cmdline"
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:4540
              • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
                C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB12A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1C06ABF1823047A89F81295B73CEEF90.TMP"
                4⤵
                  PID:4440
              • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
                "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pnctuzrf.cmdline"
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:3364
                • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
                  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB1B7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3DDF9FD731094C4580C9F0F8DA6E2EE.TMP"
                  4⤵
                    PID:5144
                • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
                  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1a5gq1nb.cmdline"
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:5872
                  • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
                    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB215.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF952F44CD777405DA39E1AAF27D9F31.TMP"
                    4⤵
                      PID:5772
                  • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
                    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zy2vx0do.cmdline"
                    3⤵
                    • Suspicious use of WriteProcessMemory
                    PID:3344
                    • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
                      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB282.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3D402BCCC12446DCA4A5695C606DBCEE.TMP"
                      4⤵
                        PID:6084
                    • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
                      "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pvwl7-gh.cmdline"
                      3⤵
                      • Suspicious use of WriteProcessMemory
                      PID:2384
                      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
                        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB2E0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC56488704E0546279D3F5E551F909C.TMP"
                        4⤵
                          PID:5748
                      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
                        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\isrtin9t.cmdline"
                        3⤵
                        • Suspicious use of WriteProcessMemory
                        PID:2956
                        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
                          C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB35D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE1C6A3B7BFD140EF8328704245861437.TMP"
                          4⤵
                            PID:3124

                    Network

                          MITRE ATT&CK Enterprise v16

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Users\Admin\AppData\Local\Temp\1a5gq1nb.0.vb

                            Filesize

                            264B

                            MD5

                            5ce3977a153152978fa71f8aa96909e9

                            SHA1

                            52af143c553c92afc257f0e0d556908eaa8919cb

                            SHA256

                            e07a7bd0c2901d3a349ab55e936b34de2d0abb5f2dc555cc128773b8045d3eed

                            SHA512

                            eaee02ceade0211be70a4710b28fdf043d5c540928e2095ead924a44c2edfca8fc6499395d1b7f5deee96394fb5309362fb87e45ee195094ec39d5fa11909d77

                          • C:\Users\Admin\AppData\Local\Temp\1a5gq1nb.cmdline

                            Filesize

                            164B

                            MD5

                            21a3b7b5da6d01122a66c2437540ef6c

                            SHA1

                            2dfabd7e772d5f6be0ecfbac0677236b873951ca

                            SHA256

                            5827d428638129d82440b3ee3a2eacf8df0751b5022b55948ad72dd79167a622

                            SHA512

                            1275ce770dd2ed7dd86b336d845e23ad222bcec3d078f0467aba04699961de33829c72cfb0d842d8cfc6b58375160044e396ecc2237e201b19705b4c9dfeb617

                          • C:\Users\Admin\AppData\Local\Temp\RESAF85.tmp

                            Filesize

                            1KB

                            MD5

                            93e74d0f7772b7f8f4467a6b1b38c85a

                            SHA1

                            69af84cab9028497a250058ef0fe1afd48f26f97

                            SHA256

                            2eff9d194571bafeca41c721ac53c55e458f69009a95b4ea955afe0e885d6ed8

                            SHA512

                            009541a3cbf817061e02c2e0fe08723655a085f717ab792a7b2609c84ad2bc8c996b6a0a756f37552bee9e2177dd1823148018d8a2ca65bb5f1e1261c490b881

                          • C:\Users\Admin\AppData\Local\Temp\RESB011.tmp

                            Filesize

                            1KB

                            MD5

                            aa503dee491e3ba9132789a336793172

                            SHA1

                            b73aa23d0d6b056a286d3e3949396bf77ffcad7b

                            SHA256

                            cc9ac0622454cc3e230c4759cb8f83b17903cd45a7a52a9f7833f85cfc6aa6f1

                            SHA512

                            8c0ba0f3177a034b6ddaa1ab484d6d9935ecd71f282e933eccde116af0562513faa1d6c608b643fb91228d8d8d21840efbae9eececf03e101b1cedb69bdc43e6

                          • C:\Users\Admin\AppData\Local\Temp\RESB09E.tmp

                            Filesize

                            1KB

                            MD5

                            90614d26e7a1ebc2a2e3a8d88fd43917

                            SHA1

                            fb94073753a476fc5ed245b97804c58c05fea329

                            SHA256

                            f7b6bd45a4625c71379672dcadcf54150b00d015f7cae02c3b420efe44a02c7d

                            SHA512

                            ec38e185a2b0fa72af12f3bc1e6b9439205b36cb66c24cc34d4bbe3a81bfe6881af8126e6abadbf3d3ef9100e1dea3424ab5226c2695d31f71be773961fe4c10

                          • C:\Users\Admin\AppData\Local\Temp\RESB12A.tmp

                            Filesize

                            1KB

                            MD5

                            824e2583a7104e1cfd10685f145810bd

                            SHA1

                            a4573edb43f39ba762ab7377196efa2167503068

                            SHA256

                            61aa8fee0761a098a7f74678897e8cd1783ec236d7e29ea3f5ddfd2079588bd9

                            SHA512

                            e9f9aea80f130a9cedeed0819c35c62c025d6ebc348555ad4346bb17e190e22008370726d3ceaa86b6900d21d486c6124dbe39aa6f240431eb4fdcc40006ff93

                          • C:\Users\Admin\AppData\Local\Temp\RESB1B7.tmp

                            Filesize

                            1KB

                            MD5

                            b7b3c892c83cb7e4a9b7b28ace55a18b

                            SHA1

                            6361450217d665fe5c28d18b4a09b8135e95d6b3

                            SHA256

                            88597ae99cb91f5a3198323c92759ff4def542655cb4dbcb91d78d2fcd7bfc56

                            SHA512

                            e869437bbac7efdf60c0796ec0a5c0212ae6fde7d6ba93691d3305e563c945c0194e3c625127ba459562aaaa7c015dce6f27a90348c5092a807fd372ce15ae72

                          • C:\Users\Admin\AppData\Local\Temp\RESB215.tmp

                            Filesize

                            1KB

                            MD5

                            88d3aa354d573f5f7b2d3e59c75a6e37

                            SHA1

                            15a4b23dce600b627898059dbd271629a33411c7

                            SHA256

                            b4c2fe91592eb35ef27ee50e396f0e0cfc8a9463b8a767f493768bfb4d8e5e1c

                            SHA512

                            4310bc6bf9d12be7498fb04819f55f0fcce1b11a35f64761214aff634a753bcb8f7997a2ecd60fac3747319925a8d1b7cf1f7ecc4c39e8e87364c057d161dc8e

                          • C:\Users\Admin\AppData\Local\Temp\RESB282.tmp

                            Filesize

                            1KB

                            MD5

                            23587f0771bc601ef8cf5a28cab2db6f

                            SHA1

                            3a7300cd7f227e03248127593fbad779cb4410a5

                            SHA256

                            ae8217588eee37814d7d4e10aa3702154183c0829b2f23bc1ad665e0ed48e443

                            SHA512

                            56254775d8ed5544419862d5e03f866efc76bfb51ed5652600db12908008e6b42fe061946c859288ae6bde95e42d5ee38a2d1581bd33eea353737bb948db02a1

                          • C:\Users\Admin\AppData\Local\Temp\RESB2E0.tmp

                            Filesize

                            1KB

                            MD5

                            07ce909360d7fde018509b68ddda2a22

                            SHA1

                            e51ec638121373582166d2e27a1358fda711f111

                            SHA256

                            08ea782190b25f939e30a27951d5d6807b92f53374cdd7769e204cb4198dd912

                            SHA512

                            f0b72da6b120cb5ca4b933067f84cbf10c4b41e5d836ef2f27bad7f6adbc7642bb24412e0780a96048072c05e07557dc21f5f00f49b7bf5c2b62f4b1e944e378

                          • C:\Users\Admin\AppData\Local\Temp\RESB35D.tmp

                            Filesize

                            1KB

                            MD5

                            7abc998d8c753793743517a9dfe20b06

                            SHA1

                            03563ba3f79e537351dd5db2ed56bf2295d0b1f3

                            SHA256

                            34fa5cbb300056ceffc221396cc4172f3e56b8141233c541bf7afcb5a74f1c58

                            SHA512

                            304025c21272cd9417c8fa1f17aa58b9cff93538ccc0cb6cc75cf4a110b4cdbdd778625ada8edd59005b43b9ea0431d25467a77c61df62928d31292728aac2e7

                          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pca51eja.bzf.ps1

                            Filesize

                            60B

                            MD5

                            d17fe0a3f47be24a6453e9ef58c94641

                            SHA1

                            6ab83620379fc69f80c0242105ddffd7d98d5d9d

                            SHA256

                            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                            SHA512

                            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                          • C:\Users\Admin\AppData\Local\Temp\ewdez6oe.0.vb

                            Filesize

                            272B

                            MD5

                            2b3aac520562a93ebef6a5905d4765c9

                            SHA1

                            10ab45c5d73934b16fac5e30bf22f17d3e0810c8

                            SHA256

                            b9f0edf067faaaa7da2d47e3d22b957cd302eb25e01e08ea79c664868f328f89

                            SHA512

                            9514934ed12d93ea3ad4e6873cf294bafa114bc7a784a93b14dd2410d07fae3a2c00308035a5c129c57e283de8b94ed36fd9f9de35b08eb79a82a0c732e50446

                          • C:\Users\Admin\AppData\Local\Temp\ewdez6oe.cmdline

                            Filesize

                            172B

                            MD5

                            fea7a70c07ddb1c7d0021df07454802d

                            SHA1

                            6f85057f541fd104156951d68c0fe7951674a9f7

                            SHA256

                            7476ef577724a5453920c69da2e857b6380d73b60ef75dae7a89b4637ff38914

                            SHA512

                            05d96f8bbcb42364192f6f3178c5b0e17dfeeff9b8c674cfa432bd75c0c1b1411dbd861a12c31eaf620f0c7a19d2cbc425244a48104c8dbcb2ef3fe40cf47f38

                          • C:\Users\Admin\AppData\Local\Temp\hcx1jc0e.0.vb

                            Filesize

                            262B

                            MD5

                            88cc385da858aaa7057b54eaeb0df718

                            SHA1

                            b108224d4686b5ca3faaeb1c728dfba8740a6eca

                            SHA256

                            08a30db98d970e3b6819d5ecff6eab2211ce93f4cd000c09db96ffb294d05020

                            SHA512

                            4787835240c3e2364172ac2e7649ec8fecb907c7006c38734e59aa65509f360b4596d5db8de20e0c7388a022e1c2f4f9ba75acabba798bea1d40f688539b7df7

                          • C:\Users\Admin\AppData\Local\Temp\hcx1jc0e.cmdline

                            Filesize

                            162B

                            MD5

                            9b3369ba5e852996c73e9ceaba1804c6

                            SHA1

                            72168b38de78909a9eca5b0cccd5cb6206c7fe6e

                            SHA256

                            55d1320a0b537eea817791a70784b610f8397fd4aa07c81672b57ef84d0d8403

                            SHA512

                            845073524d7e3bb975161efaecbf0d13fd05141d42340432af5e5b86abe34a493fcae98857ca7eb285d508ce81017364b4d9893974d8b1ae69e54ea4c0229ee5

                          • C:\Users\Admin\AppData\Local\Temp\isrtin9t.0.vb

                            Filesize

                            273B

                            MD5

                            3c3d3136aa9f1b87290839a1d26ad07a

                            SHA1

                            005a23a138be5d7a98bdd4a6cc7fab8bdca962f4

                            SHA256

                            5b745f85a39312bfa585edbd7e3465371578b42fa639eded4cdad8c9f96b87fd

                            SHA512

                            fbb085ffcd77ac96c245067fd96a0c20492d55331161f292975b0c11386424a96534a500133217f84d44455e16139d01230455bce5db3d472271620c29381f60

                          • C:\Users\Admin\AppData\Local\Temp\isrtin9t.cmdline

                            Filesize

                            173B

                            MD5

                            f1bd43394cad10a286530c99c5370007

                            SHA1

                            22bfdccfa66285a59b3f227f2dbe08b7203d8dce

                            SHA256

                            bdaf21ebb947c9be2657e6c80a418477449d202cabef9db11030d3ba5b8b4577

                            SHA512

                            eafe05261f34375304ab1fee85d54eec7a94d1ac289ceca0c4aa635ee333a739d9877d0e53ac49f7c7a5412b4ac765a45adaded3a5ea0bf8c01cb7f03f7cb725

                          • C:\Users\Admin\AppData\Local\Temp\mda14yq9.0.vb

                            Filesize

                            271B

                            MD5

                            ac972015bef75b540eb33503d6e28cc2

                            SHA1

                            5c1d09fcf4c719711532dcfd0544dfc6f2b90260

                            SHA256

                            fa445cc76cde3461a5f1f1281fefcb0c7db69b2685f8a67a06a0f33a067e74e7

                            SHA512

                            36b2e1f7b7a6f2c60788f88d95bfdc53b7d261c203eb637a36fbd07d81bc46edc87e528f1987df73963cb75ca2f19c3a4b3df9ade52d5768ecec23753099cc83

                          • C:\Users\Admin\AppData\Local\Temp\mda14yq9.cmdline

                            Filesize

                            171B

                            MD5

                            94de37332893a1a5e5fcc7b24291a7a5

                            SHA1

                            4eb80d8239777302dcbf8ed03503e5a49ccf92d3

                            SHA256

                            b129c1381c1059a95e08cf547733c741c3db92e1bfb9a4c3c723c0cf79f54d1e

                            SHA512

                            393d50d262fbb417f05c260ed47c6c95c3f37866fd985ed2bfb7ed01a0d6352d4de54fcfe11124b1e0bbbe28562fb9f8c4d96977167440b5ac08f7598c074f96

                          • C:\Users\Admin\AppData\Local\Temp\n7driscl.0.vb

                            Filesize

                            256B

                            MD5

                            076803692ac8c38d8ee02672a9d49778

                            SHA1

                            45d2287f33f3358661c3d6a884d2a526fc6a0a46

                            SHA256

                            5b3ab23bcadaeb54a41bdb1636bcaf7772af028d375f42baeb967de6579ef2a3

                            SHA512

                            cc9126384a287ccb99d10d5c2d3034cdbc8a45e94f1cec48dd95f2aa08ebbe3053ffd6d6effa31f2d84164edbb6136398cd02c08b05f027a6a777dffd1daea5d

                          • C:\Users\Admin\AppData\Local\Temp\n7driscl.cmdline

                            Filesize

                            156B

                            MD5

                            222b7b682e6a8f911372995718bde697

                            SHA1

                            76842f7dc6a7c6ad6c782d57c4eda99e961f1827

                            SHA256

                            afc9ab90347e8d5c1c39fe04ab5e13c8b6185fe6f14f60ea226f299fb4923073

                            SHA512

                            696f9271878929f2a40a491920c93ee334ced89c680763ffe99daed2cab44ede581067183673372e39329f18d8a03a0a617a5942b7db4a6c85edef39c7e0a078

                          • C:\Users\Admin\AppData\Local\Temp\pnctuzrf.0.vb

                            Filesize

                            274B

                            MD5

                            539683c4ca4ee4dc46b412c5651f20f5

                            SHA1

                            564f25837ce382f1534b088cf2ca1b8c4b078aed

                            SHA256

                            ec2210924d5c1af6377ef4bdf76d6ca773aaa1ae0438b0850f44d8c4e16ef92e

                            SHA512

                            df7c1a55e53f9b9bf23d27762d2d1163c78808e9b4d95e98c84c55ca4ecb7009ed58574ae6ddede31459f300483a1dc42987295a04f6c8702f297d3f1942f4ac

                          • C:\Users\Admin\AppData\Local\Temp\pnctuzrf.cmdline

                            Filesize

                            174B

                            MD5

                            bd90736ec0c130685cc9bf91ab8d2de0

                            SHA1

                            357f72b16863c48403e130caeb88bf2038e30d71

                            SHA256

                            a54cca7e9930187a1f9a58b551fe50c1634f80c83591b554238f5592304df289

                            SHA512

                            b5144cfa9d367ca8dac5d591029f6a750144dcd18bf3654c7b3ccec094ffdee5139f37f27b82bd40636f43868d5210e28e4f6f04bca4fa11f18b17f1c96a136a

                          • C:\Users\Admin\AppData\Local\Temp\pvwl7-gh.0.vb

                            Filesize

                            271B

                            MD5

                            325f27ef75bebe8b3f80680add1943d3

                            SHA1

                            1c48e211258f8887946afb063e9315b7609b4ee3

                            SHA256

                            034c75813491d628a1a740b45888fc0c301b915456aaa7ba6433b4f1368cda35

                            SHA512

                            e2165b425558872897990953c26e48776f45751a53da035f1ad86ac062ec23a2923b984d84f992de5c0170f6e192feb155ffff25f51bc76ab273b996daacb804

                          • C:\Users\Admin\AppData\Local\Temp\pvwl7-gh.cmdline

                            Filesize

                            171B

                            MD5

                            1b53054c12644fb72ce7e8a294c3503e

                            SHA1

                            e12b1447598a5cbfede64980c505ae45232711dd

                            SHA256

                            435014cb9a2a3646701d7b76438535af478fa76933e32df8a80ac22a06e2dfc5

                            SHA512

                            bd094c17be50358e07b2a2090c5bb523a1797a245e3674338fc2043c9a591b14d5cd7e90e882816a874d3918563f36d2fea40d1d0820ccfc1025850113dee19a

                          • C:\Users\Admin\AppData\Local\Temp\vbc1C06ABF1823047A89F81295B73CEEF90.TMP

                            Filesize

                            676B

                            MD5

                            85c61c03055878407f9433e0cc278eb7

                            SHA1

                            15a60f1519aefb81cb63c5993400dd7d31b1202f

                            SHA256

                            f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b

                            SHA512

                            7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

                          • C:\Users\Admin\AppData\Local\Temp\vbc3DDF9FD731094C4580C9F0F8DA6E2EE.TMP

                            Filesize

                            684B

                            MD5

                            8135713eeb0cf1521c80ad8f3e7aad22

                            SHA1

                            1628969dc6256816b2ab9b1c0163fcff0971c154

                            SHA256

                            e14dd88df69dc98be5bedcbc8c43d1e7260b4492899fec24d964000a3b096c7a

                            SHA512

                            a0b7210095767b437a668a6b0bcedf42268e80b9184b9910ed67d665fba9f714d06c06bff7b3da63846791d606807d13311946505776a1b891b39058cfb41bd4

                          • C:\Users\Admin\AppData\Local\Temp\vbc9686B7B9237D497792C3B37ADE433A3.TMP

                            Filesize

                            668B

                            MD5

                            3906bddee0286f09007add3cffcaa5d5

                            SHA1

                            0e7ec4da19db060ab3c90b19070d39699561aae2

                            SHA256

                            0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00

                            SHA512

                            0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

                          • C:\Users\Admin\AppData\Local\Temp\vbcAA3B4E61ACC54EA6A8215239FDCCAD24.TMP

                            Filesize

                            644B

                            MD5

                            dac60af34e6b37e2ce48ac2551aee4e7

                            SHA1

                            968c21d77c1f80b3e962d928c35893dbc8f12c09

                            SHA256

                            2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6

                            SHA512

                            1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

                          • C:\Users\Admin\AppData\Local\Temp\vbcE1C6A3B7BFD140EF8328704245861437.TMP

                            Filesize

                            684B

                            MD5

                            7a707b422baa7ca0bc8883cbe68961e7

                            SHA1

                            addf3158670a318c3e8e6fdd6d560244b9e8860e

                            SHA256

                            453ad1da51152e3512760bbd206304bf48f9c880f63b6a0726009e2d1371c71c

                            SHA512

                            81147c1c4c5859249f4e25d754103f3843416e3d0610ac81ee2ef5e5f50622ea37f0c68eeb7fa404f8a1779dc52af02d2142874e39c212c66fa458e0d62926a9

                          • C:\Users\Admin\AppData\Local\Temp\zy2vx0do.0.vb

                            Filesize

                            270B

                            MD5

                            658573fde2bebc77c740da7ddaa4634b

                            SHA1

                            073da76c50b4033fcfdfb37ba6176afd77b0ea55

                            SHA256

                            c07206283d62100d426ba62a81e97bd433966f8b52b5a8dd1451e29a804a1607

                            SHA512

                            f93c7f4378be5eca51161d1541d772a34c07884c9d829608c6fa21563df5691920394afe9da1174ad5c13f773a588b186d1d38a9d375a28562eb58ca4a8b8fbf

                          • C:\Users\Admin\AppData\Local\Temp\zy2vx0do.cmdline

                            Filesize

                            170B

                            MD5

                            225c433c3028f115f7396f5bf2106b19

                            SHA1

                            6a873da20fc166724e5d90edbc01a9984fe91b53

                            SHA256

                            5126a52feabd75a9789969338d6890fa08f43fc54931b2d4ef64491215130ff6

                            SHA512

                            c7a58030c40aa062d62db0f99961abbcbf32a654f27dbfae20793218e429afbe21a2365704ff5254578c9286c5e6d02ab96cc22a9c47e53a79e2eb2b60656683

                          • C:\Windows\System32\MSSCS.exe

                            Filesize

                            21KB

                            MD5

                            6fe3fb85216045fdf8186429c27458a7

                            SHA1

                            ef2c68d0b3edf3def5d90f1525fe87c2142e5710

                            SHA256

                            905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550

                            SHA512

                            d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c

                          • memory/216-0-0x00007FF8D6085000-0x00007FF8D6086000-memory.dmp

                            Filesize

                            4KB

                          • memory/216-7-0x00007FF8D6085000-0x00007FF8D6086000-memory.dmp

                            Filesize

                            4KB

                          • memory/216-6-0x000000001D290000-0x000000001D32C000-memory.dmp

                            Filesize

                            624KB

                          • memory/216-5-0x00007FF8D5DD0000-0x00007FF8D6771000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/216-4-0x000000001CA10000-0x000000001CA72000-memory.dmp

                            Filesize

                            392KB

                          • memory/216-9-0x00007FF8D5DD0000-0x00007FF8D6771000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/216-8-0x00007FF8D5DD0000-0x00007FF8D6771000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/216-3-0x000000001C8A0000-0x000000001C946000-memory.dmp

                            Filesize

                            664KB

                          • memory/216-1-0x000000001C3D0000-0x000000001C89E000-memory.dmp

                            Filesize

                            4.8MB

                          • memory/216-22-0x00007FF8D5DD0000-0x00007FF8D6771000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/216-2-0x00007FF8D5DD0000-0x00007FF8D6771000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/5008-33-0x0000016475750000-0x0000016475772000-memory.dmp

                            Filesize

                            136KB

                          • memory/5880-19-0x00007FF8D5DD0000-0x00007FF8D6771000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/5880-21-0x00007FF8D5DD0000-0x00007FF8D6771000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/5880-23-0x00007FF8D5DD0000-0x00007FF8D6771000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/5880-20-0x00007FF8D5DD0000-0x00007FF8D6771000-memory.dmp

                            Filesize

                            9.6MB