Analysis

  • max time kernel
    143s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/05/2025, 06:21

General

  • Target

    905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe

  • Size

    21KB

  • MD5

    6fe3fb85216045fdf8186429c27458a7

  • SHA1

    ef2c68d0b3edf3def5d90f1525fe87c2142e5710

  • SHA256

    905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550

  • SHA512

    d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c

  • SSDEEP

    384:nPD9On5gIdjbvRPJnMacNj6FIlKrZbJsV5reQ+ys:b9On2nV6FIlKr1

Malware Config

Signatures

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

  • Revengerat family
  • RevengeRat Executable 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Drops file in System32 directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
    "C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1380
    • C:\Windows\system32\MSSCS.exe
      "C:\Windows\system32\MSSCS.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2512
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -ExecutionPolicy Bypass -Command [System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms'); [System.Windows.Forms.MessageBox]::Show('Isto abriu lol','Rekt!',0,64)
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5064
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uva5wcej.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1124
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC80E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5DAA13CDE56242D08E5D1921717AE52.TMP"
          4⤵
          PID:3348
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\z3cs1dmw.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3416
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC8BA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF1099F95AA4A4BABB4B893BB319F258F.TMP"
          4⤵
          PID:4980
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rfixd7xr.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2860
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC956.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFD2235FEB4604F8394465F53F945618E.TMP"
          4⤵
          PID:444
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-jqsddbt.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1200
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC9C3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc805B7635192D473BBFB05F8D85C9F3A1.TMP"
          4⤵
          PID:1456
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\slxufsu3.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4364
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCA40.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5CCBF4AC1E444F54AF158A32E5BBEA27.TMP"
          4⤵
          PID:3800
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4hgo9vv4.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4908
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCAAE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD360C3C11F94439DB11A1ECBC06780B4.TMP"
          4⤵
          PID:4168
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\w8eipuiw.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:596
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCB1B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc95C26424A414C66978959638FB5C94.TMP"
          4⤵
          PID:3904
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3xosutzi.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1228
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCB88.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9CCCE43BF6AD40CF83F7B999B4B32E9.TMP"
          4⤵
          PID:2052
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fjx9-im0.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4180
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCBF6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5AD7065F4490F90556C26D1FB1529.TMP"
          4⤵
          PID:3092

Network

MITRE ATT&CK Enterprise v16

Downloads