Analysis

  • max time kernel
    143s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250502-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/05/2025, 06:28

General

  • Target

    905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe

  • Size

    21KB

  • MD5

    6fe3fb85216045fdf8186429c27458a7

  • SHA1

    ef2c68d0b3edf3def5d90f1525fe87c2142e5710

  • SHA256

    905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550

  • SHA512

    d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c

  • SSDEEP

    384:nPD9On5gIdjbvRPJnMacNj6FIlKrZbJsV5reQ+ys:b9On2nV6FIlKr1

Malware Config

Signatures

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

  • Revengerat family
  • RevengeRat Executable 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Drops file in System32 directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
    "C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1276
    • C:\Windows\system32\MSSCS.exe
      "C:\Windows\system32\MSSCS.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3424
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -ExecutionPolicy Bypass -Command [System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms'); [System.Windows.Forms.MessageBox]::Show('Isto abriu lol','Rekt!',0,64)
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3532
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9-mwph6h.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4216
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD2EB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc672978B5F62841BCB418395FBAC7DA5.TMP"
          4⤵
            PID:1548
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
          "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7a8kcx3s.cmdline"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:5032
          • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD3C6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBED128A3CE494F86B9A6D6D487F758C3.TMP"
            4⤵
              PID:1780
          • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
            "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\b6zqyuwr.cmdline"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:4900
            • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD452.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8108A70AE78A46A5BC1C46126C6A722.TMP"
              4⤵
                PID:4212
            • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
              "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\76psppsg.cmdline"
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:2912
              • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
                C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD50E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDEF099D2E4BF42239F2065DE5F8AD61F.TMP"
                4⤵
                  PID:1576
              • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
                "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0xlglw6f.cmdline"
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:4000
                • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
                  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD5F8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3AB0BEEF7E34283ABDF6A955B8D283.TMP"
                  4⤵
                    PID:3520
                • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
                  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uzk_lz5k.cmdline"
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2744
                  • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
                    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD685.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7C2705ED8F9942D58B25CC468D5A3E2.TMP"
                    4⤵
                      PID:4652
                  • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
                    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rga4rewu.cmdline"
                    3⤵
                    • Suspicious use of WriteProcessMemory
                    PID:4336
                    • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
                      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD702.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc56F6DE3653544F79B481B79E7B397AF9.TMP"
                      4⤵
                        PID:3136
                    • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
                      "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\c5jumcxg.cmdline"
                      3⤵
                      • Suspicious use of WriteProcessMemory
                      PID:3384
                      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
                        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD76F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc16ECAE9B34C94F9287145FDE276D3B5.TMP"
                        4⤵
                          PID:4488
                      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
                        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xxwmha7y.cmdline"
                        3⤵
                        • Suspicious use of WriteProcessMemory
                        PID:1956
                        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
                          C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD7DD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC57E8D9967CE4855A8DFE378F4275B78.TMP"
                          4⤵
                            PID:1828

                    Network

                          MITRE ATT&CK Enterprise v16

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Users\Admin\AppData\Local\Temp\0xlglw6f.0.vb

                            Filesize

                            271B

                            MD5

                            325f27ef75bebe8b3f80680add1943d3

                            SHA1

                            1c48e211258f8887946afb063e9315b7609b4ee3

                            SHA256

                            034c75813491d628a1a740b45888fc0c301b915456aaa7ba6433b4f1368cda35

                            SHA512

                            e2165b425558872897990953c26e48776f45751a53da035f1ad86ac062ec23a2923b984d84f992de5c0170f6e192feb155ffff25f51bc76ab273b996daacb804

                          • C:\Users\Admin\AppData\Local\Temp\0xlglw6f.cmdline

                            Filesize

                            171B

                            MD5

                            ba797279d5a71b82704c7f402b1a82b3

                            SHA1

                            c68aa42c0979f66a4b969e44a10706c57cfec032

                            SHA256

                            22083f396c14ad4a8fcee5b35ab6de0f3392f3cf0eaeb6a5019c64895ff790a6

                            SHA512

                            07e40ea5bf4e727a3e0ae07ad4ffc0f7f0c01b17f6ee6dc3e9463429e652a8013b58a9ba597cda6e6fde06dd71590229dcd4c9b1066b87e5a322d171a3ffdcf4

                          • C:\Users\Admin\AppData\Local\Temp\76psppsg.0.vb

                            Filesize

                            272B

                            MD5

                            2b3aac520562a93ebef6a5905d4765c9

                            SHA1

                            10ab45c5d73934b16fac5e30bf22f17d3e0810c8

                            SHA256

                            b9f0edf067faaaa7da2d47e3d22b957cd302eb25e01e08ea79c664868f328f89

                            SHA512

                            9514934ed12d93ea3ad4e6873cf294bafa114bc7a784a93b14dd2410d07fae3a2c00308035a5c129c57e283de8b94ed36fd9f9de35b08eb79a82a0c732e50446

                          • C:\Users\Admin\AppData\Local\Temp\76psppsg.cmdline

                            Filesize

                            172B

                            MD5

                            5ddd4322ab1cdce68c5b9bebe4f737a8

                            SHA1

                            ee82205e2fd0669b79b4192786e4f515f7477077

                            SHA256

                            318507f8c9e872246ec9bf3062680c44f617d59d64ab68221ca94c65c732a9d2

                            SHA512

                            09a08d32ff8a2433ac03dbdf2ddb8e9f40dd96689d8732f3c03ecea049c62ad63f446989502fbc5bba23657e890bd8925d34fd934631c5e6852043ae37720a5e

                          • C:\Users\Admin\AppData\Local\Temp\7a8kcx3s.0.vb

                            Filesize

                            262B

                            MD5

                            88cc385da858aaa7057b54eaeb0df718

                            SHA1

                            b108224d4686b5ca3faaeb1c728dfba8740a6eca

                            SHA256

                            08a30db98d970e3b6819d5ecff6eab2211ce93f4cd000c09db96ffb294d05020

                            SHA512

                            4787835240c3e2364172ac2e7649ec8fecb907c7006c38734e59aa65509f360b4596d5db8de20e0c7388a022e1c2f4f9ba75acabba798bea1d40f688539b7df7

                          • C:\Users\Admin\AppData\Local\Temp\7a8kcx3s.cmdline

                            Filesize

                            162B

                            MD5

                            9b01423bbadd7fe5f73ff330f9e49338

                            SHA1

                            87e32c4016c64f99cf3b8fb12f558d804762ba1a

                            SHA256

                            06fb1e359468d160e6abb9d1a24900364249c1509dae54088a391cce411bfc6d

                            SHA512

                            2cfcf51f8e637298c2774615c7d18db086cb3cd4bf5dc6a1d21cde6468326725016aed394a2be3e20c7c496befe04af5a3f867407aeb11163ea6be20d0d37eff

                          • C:\Users\Admin\AppData\Local\Temp\9-mwph6h.0.vb

                            Filesize

                            256B

                            MD5

                            076803692ac8c38d8ee02672a9d49778

                            SHA1

                            45d2287f33f3358661c3d6a884d2a526fc6a0a46

                            SHA256

                            5b3ab23bcadaeb54a41bdb1636bcaf7772af028d375f42baeb967de6579ef2a3

                            SHA512

                            cc9126384a287ccb99d10d5c2d3034cdbc8a45e94f1cec48dd95f2aa08ebbe3053ffd6d6effa31f2d84164edbb6136398cd02c08b05f027a6a777dffd1daea5d

                          • C:\Users\Admin\AppData\Local\Temp\9-mwph6h.cmdline

                            Filesize

                            156B

                            MD5

                            219d713d9843d7fd9c7dc9ea1f6a281a

                            SHA1

                            a48632561cf927c3c51dc699b7f446fa95ecfece

                            SHA256

                            723bda971d5a16d4a08edc94f82bf548a64b7202daea899251ca82030b7d06a7

                            SHA512

                            1ac7deabba5438cbba1eef54595e9234516d525f590830de626599f87638c0777120cc90b5c8234485e4e06b9d29b64af6b66a82407bd0c02eec58bd75915290

                          • C:\Users\Admin\AppData\Local\Temp\RESD2EB.tmp

                            Filesize

                            1KB

                            MD5

                            c15902cab2314f23329d8fdf358c85a0

                            SHA1

                            cc05a81c10079645bb380e54996e9aa38b858797

                            SHA256

                            f8a926355eedc3924427e1735269bbf798388e1ed6621edfcabd1189ac3a1820

                            SHA512

                            d207e67043980e1c8c2ce5f90fe75a6efa277d268a91610443c9a2ea4ce5ec3f035e457d282048fcf050ea5b641ec18f1c3c8d8e29a4941b454b3d046205c408

                          • C:\Users\Admin\AppData\Local\Temp\RESD3C6.tmp

                            Filesize

                            1KB

                            MD5

                            595348c76e61339ee04ffd5d2924c970

                            SHA1

                            b879f8edf6821b521e907266f55bc1edfaf75542

                            SHA256

                            97ded8c2200eeee693da4c9232ef5bb5e8abfb632a078e97812185581d2bbdd0

                            SHA512

                            9b6eb435ca6fcdbb7596ca9435a0d3f553be43dada559bf09028033a177b9c92e3abeb9079fe24fc8ebd44c8291db2b13dd20783f4b658221550f4fdab16f261

                          • C:\Users\Admin\AppData\Local\Temp\RESD452.tmp

                            Filesize

                            1KB

                            MD5

                            ba6d32a8bf3358af6f333266398424db

                            SHA1

                            72dce69604c9d30d569f49bc27479f052409592e

                            SHA256

                            f0ffb9f1a255b042f6151e149be4b97993699586058ccf0e570ee63345f0520b

                            SHA512

                            26cc26f9b936e8e1cb96f1aab4dd848fa9f7ee6a2628bb3149250ddd1ae079ae513a5ab909b80e891ccd0390815eb62bebaf61dbbc06f2782ec60d1fad258dd3

                          • C:\Users\Admin\AppData\Local\Temp\RESD50E.tmp

                            Filesize

                            1KB

                            MD5

                            e692c4219f5bc60cd77a7a153b71304c

                            SHA1

                            1e25c72e9fab946e1c6a0bb0d147b6e2df1d0866

                            SHA256

                            b094e6c4569642347578d663681e16fe598c3ad1e2da8539e106eb3580474b02

                            SHA512

                            11f37a22e3a2a9d2213abce4673c1d82c8705dcd8f6bd609e826c6082910529ae885203afdaa745e9bc431f69531f8a0c87e8cca462d25c9040164d4ed529912

                          • C:\Users\Admin\AppData\Local\Temp\RESD5F8.tmp

                            Filesize

                            1KB

                            MD5

                            4e8a530a10176646a0da7a9a683e4938

                            SHA1

                            dc80bbd50e29edda110328b97b973127a3c00123

                            SHA256

                            c9043ffa314f8f70bbe6c28482952b685aad5be94729ff9943909ae5b2206cf2

                            SHA512

                            38919f3f9682950e458616eda92ddf248f08525d8bbbd113d89c5fb8ab4827b7ded27ab3847031e9f2c3d97eb011f85437af82567e93aa7650840824f95b2fab

                          • C:\Users\Admin\AppData\Local\Temp\RESD685.tmp

                            Filesize

                            1KB

                            MD5

                            6b555acd4799119d79ca31272b9aab3c

                            SHA1

                            92f3edb4bb9ea826dde3f596aa297456c889336c

                            SHA256

                            397f6637ecfdcbb81940d1e85a8e3887f6e06dcb9899f52b7eb3eb92b53e777a

                            SHA512

                            4f310dc4ce215041ad2405a1379464f2e0c7c80ffc8cd124fe029b6f47fc49ec77d714372f446a7882abe26c6d21400becf13c275a0bba15b6ea2d74cebff2c9

                          • C:\Users\Admin\AppData\Local\Temp\RESD702.tmp

                            Filesize

                            1KB

                            MD5

                            23b86265fbc04a37fc44b7e460dc29c1

                            SHA1

                            87f5cc8af88aed3e92bcf9f69aff3b62c14c456f

                            SHA256

                            ac9d66f575bf66ac52a0afeffbbd7dd80faca6916f20fc43f528b60d3f4de39b

                            SHA512

                            9db1a86db23927ba3a32dcac6bab7ecd841c351a6df8f47e570784d0c369d29a54611b10f72501f94a59c41d13cda8e9d5b5ac22ee8ac5775e21bf288c12d9ff

                          • C:\Users\Admin\AppData\Local\Temp\RESD76F.tmp

                            Filesize

                            1KB

                            MD5

                            9606acf52c0a4767b07b989c3878db0a

                            SHA1

                            b223d6b7ec37166e5d60978d3fda5f78feeb34c1

                            SHA256

                            bc81fc509d263ecf3ae8ed7f386c79f02e9b1b08922d2d99cc1ffb6cda21b4f2

                            SHA512

                            e7d67763bbab7e51533600de9935866a34ea4330ebb2f5b6e035dbb43b5ce881a12c621110114583b21a1efcb6818f81ed858a885ddec00e82ac160ae6ab924d

                          • C:\Users\Admin\AppData\Local\Temp\RESD7DD.tmp

                            Filesize

                            1KB

                            MD5

                            b7fed87539cf3aff98dad1ed5b1e70ea

                            SHA1

                            35d9f8704d14fc9a3cdeae074563c22285b276af

                            SHA256

                            4a01dbecd0de1a7952ce451b9eada345a35e0bd02ef2692a2266870c08a03a31

                            SHA512

                            cb91276450952e482275c1a8013ff309a7def95c5eee573cf6a81e7347e0a4d0d39bc8a9a1d275ec70c30527a36b06cbb6b46434a4ec159dcba971f2d8b68f74

                          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fmizy2g3.wnn.ps1

                            Filesize

                            60B

                            MD5

                            d17fe0a3f47be24a6453e9ef58c94641

                            SHA1

                            6ab83620379fc69f80c0242105ddffd7d98d5d9d

                            SHA256

                            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                            SHA512

                            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                          • C:\Users\Admin\AppData\Local\Temp\b6zqyuwr.0.vb

                            Filesize

                            271B

                            MD5

                            ac972015bef75b540eb33503d6e28cc2

                            SHA1

                            5c1d09fcf4c719711532dcfd0544dfc6f2b90260

                            SHA256

                            fa445cc76cde3461a5f1f1281fefcb0c7db69b2685f8a67a06a0f33a067e74e7

                            SHA512

                            36b2e1f7b7a6f2c60788f88d95bfdc53b7d261c203eb637a36fbd07d81bc46edc87e528f1987df73963cb75ca2f19c3a4b3df9ade52d5768ecec23753099cc83

                          • C:\Users\Admin\AppData\Local\Temp\b6zqyuwr.cmdline

                            Filesize

                            171B

                            MD5

                            75f7c0508eb1c5569c3c1532fb5bca42

                            SHA1

                            0cc1a092367482ba20aed253d730585d8e668094

                            SHA256

                            7dc650d46b8b04577044da41fe5a80d67fec7a684017ccc2b9f163ac25153c03

                            SHA512

                            eccfa4c3219783b4db42955b80a864786a0413dcd63de9a1a5e75f13c7ece17656dd4fe1a49fbd459e341aa9e3d9d6ebf11254817d3031cbd21d1a3a572e7b08

                          • C:\Users\Admin\AppData\Local\Temp\c5jumcxg.0.vb

                            Filesize

                            270B

                            MD5

                            658573fde2bebc77c740da7ddaa4634b

                            SHA1

                            073da76c50b4033fcfdfb37ba6176afd77b0ea55

                            SHA256

                            c07206283d62100d426ba62a81e97bd433966f8b52b5a8dd1451e29a804a1607

                            SHA512

                            f93c7f4378be5eca51161d1541d772a34c07884c9d829608c6fa21563df5691920394afe9da1174ad5c13f773a588b186d1d38a9d375a28562eb58ca4a8b8fbf

                          • C:\Users\Admin\AppData\Local\Temp\c5jumcxg.cmdline

                            Filesize

                            170B

                            MD5

                            b4c12ffecc83a98a0e2b79c912ce5d55

                            SHA1

                            cb0f15011524871857eed9a9458facb59ee9e75f

                            SHA256

                            5430c0d25bcd02e13989e3869344734602545bf337f248fbd19d8761ccbd5500

                            SHA512

                            f90eabd1243cb7f050de43cc6d4e945c1a2240196f73a8589c21e643c9e7ef8f7b49deea3887ba6b3f5770ad2788d60dc7e5f3a357f23a7e22c9491638900b2b

                          • C:\Users\Admin\AppData\Local\Temp\rga4rewu.0.vb

                            Filesize

                            264B

                            MD5

                            5ce3977a153152978fa71f8aa96909e9

                            SHA1

                            52af143c553c92afc257f0e0d556908eaa8919cb

                            SHA256

                            e07a7bd0c2901d3a349ab55e936b34de2d0abb5f2dc555cc128773b8045d3eed

                            SHA512

                            eaee02ceade0211be70a4710b28fdf043d5c540928e2095ead924a44c2edfca8fc6499395d1b7f5deee96394fb5309362fb87e45ee195094ec39d5fa11909d77

                          • C:\Users\Admin\AppData\Local\Temp\rga4rewu.cmdline

                            Filesize

                            164B

                            MD5

                            f1a3aae8b5c2b9d9127ecfbc276499b8

                            SHA1

                            860d3b5a20c2d6cac28ae77169857c871e827b18

                            SHA256

                            4f4d77f659d322bad55314e125283cc5a0d22739647c64697e76c90935879db4

                            SHA512

                            debd849e8f582dbe5c5012774e1abc50b71b784eb89e5e0843d61e1813f321a25cbbed361f79d195cc7e9438ea0a8e954b8ee2d36c2cab88253f2435dfd05fd3

                          • C:\Users\Admin\AppData\Local\Temp\uzk_lz5k.0.vb

                            Filesize

                            274B

                            MD5

                            539683c4ca4ee4dc46b412c5651f20f5

                            SHA1

                            564f25837ce382f1534b088cf2ca1b8c4b078aed

                            SHA256

                            ec2210924d5c1af6377ef4bdf76d6ca773aaa1ae0438b0850f44d8c4e16ef92e

                            SHA512

                            df7c1a55e53f9b9bf23d27762d2d1163c78808e9b4d95e98c84c55ca4ecb7009ed58574ae6ddede31459f300483a1dc42987295a04f6c8702f297d3f1942f4ac

                          • C:\Users\Admin\AppData\Local\Temp\uzk_lz5k.cmdline

                            Filesize

                            174B

                            MD5

                            0852115699bb5b9f0bc39259ed20c0b5

                            SHA1

                            6d5bc836157abd000a8879d160e518b3d91176e3

                            SHA256

                            2c79bb2992775a83e052086d7a06768012e836c7c15a6eac4d444d75a7ff1be1

                            SHA512

                            76e7f12683d00dbd26fbbe753c3447a98a39634dac48ae2a6672fdb28c0ac542b3a7a1a9274bdf23e0ec17061a4395c5fd25980e6067b4d76c558a203c23f296

                          • C:\Users\Admin\AppData\Local\Temp\vbc672978B5F62841BCB418395FBAC7DA5.TMP

                            Filesize

                            644B

                            MD5

                            dac60af34e6b37e2ce48ac2551aee4e7

                            SHA1

                            968c21d77c1f80b3e962d928c35893dbc8f12c09

                            SHA256

                            2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6

                            SHA512

                            1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

                          • C:\Users\Admin\AppData\Local\Temp\vbc7C2705ED8F9942D58B25CC468D5A3E2.TMP

                            Filesize

                            684B

                            MD5

                            8135713eeb0cf1521c80ad8f3e7aad22

                            SHA1

                            1628969dc6256816b2ab9b1c0163fcff0971c154

                            SHA256

                            e14dd88df69dc98be5bedcbc8c43d1e7260b4492899fec24d964000a3b096c7a

                            SHA512

                            a0b7210095767b437a668a6b0bcedf42268e80b9184b9910ed67d665fba9f714d06c06bff7b3da63846791d606807d13311946505776a1b891b39058cfb41bd4

                          • C:\Users\Admin\AppData\Local\Temp\vbcBED128A3CE494F86B9A6D6D487F758C3.TMP

                            Filesize

                            668B

                            MD5

                            3906bddee0286f09007add3cffcaa5d5

                            SHA1

                            0e7ec4da19db060ab3c90b19070d39699561aae2

                            SHA256

                            0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00

                            SHA512

                            0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

                          • C:\Users\Admin\AppData\Local\Temp\vbcC57E8D9967CE4855A8DFE378F4275B78.TMP

                            Filesize

                            684B

                            MD5

                            7a707b422baa7ca0bc8883cbe68961e7

                            SHA1

                            addf3158670a318c3e8e6fdd6d560244b9e8860e

                            SHA256

                            453ad1da51152e3512760bbd206304bf48f9c880f63b6a0726009e2d1371c71c

                            SHA512

                            81147c1c4c5859249f4e25d754103f3843416e3d0610ac81ee2ef5e5f50622ea37f0c68eeb7fa404f8a1779dc52af02d2142874e39c212c66fa458e0d62926a9

                          • C:\Users\Admin\AppData\Local\Temp\vbcDEF099D2E4BF42239F2065DE5F8AD61F.TMP

                            Filesize

                            676B

                            MD5

                            85c61c03055878407f9433e0cc278eb7

                            SHA1

                            15a60f1519aefb81cb63c5993400dd7d31b1202f

                            SHA256

                            f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b

                            SHA512

                            7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

                          • C:\Users\Admin\AppData\Local\Temp\xxwmha7y.0.vb

                            Filesize

                            273B

                            MD5

                            3c3d3136aa9f1b87290839a1d26ad07a

                            SHA1

                            005a23a138be5d7a98bdd4a6cc7fab8bdca962f4

                            SHA256

                            5b745f85a39312bfa585edbd7e3465371578b42fa639eded4cdad8c9f96b87fd

                            SHA512

                            fbb085ffcd77ac96c245067fd96a0c20492d55331161f292975b0c11386424a96534a500133217f84d44455e16139d01230455bce5db3d472271620c29381f60

                          • C:\Users\Admin\AppData\Local\Temp\xxwmha7y.cmdline

                            Filesize

                            173B

                            MD5

                            abfffca0dba5c911094ef387b163d123

                            SHA1

                            a132b17e17f7e9d1d0b4b078f1c667041dcbe206

                            SHA256

                            e082f3243cd09c2587d7a4cbfdf59b829e46cf52ed08619aea8c5fbdde277ba9

                            SHA512

                            74b78f84e9e4cd8231d911c86c9f62f10616131fed48e3d289497bbddca37175a744a00e76d82b526ba27c9565aa6936731f8cc1ee8be5b5f3c25ed121112eac

                          • C:\Windows\System32\MSSCS.exe

                            Filesize

                            21KB

                            MD5

                            6fe3fb85216045fdf8186429c27458a7

                            SHA1

                            ef2c68d0b3edf3def5d90f1525fe87c2142e5710

                            SHA256

                            905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550

                            SHA512

                            d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c

                          • memory/1276-0-0x00007FFF7D3A5000-0x00007FFF7D3A6000-memory.dmp

                            Filesize

                            4KB

                          • memory/1276-3-0x00007FFF7D0F0000-0x00007FFF7DA91000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/1276-2-0x000000001B6F0000-0x000000001BBBE000-memory.dmp

                            Filesize

                            4.8MB

                          • memory/1276-22-0x00007FFF7D0F0000-0x00007FFF7DA91000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/1276-1-0x00007FFF7D0F0000-0x00007FFF7DA91000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/1276-8-0x00007FFF7D0F0000-0x00007FFF7DA91000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/1276-7-0x00007FFF7D3A5000-0x00007FFF7D3A6000-memory.dmp

                            Filesize

                            4KB

                          • memory/1276-6-0x000000001C4F0000-0x000000001C58C000-memory.dmp

                            Filesize

                            624KB

                          • memory/1276-5-0x000000001BC30000-0x000000001BC92000-memory.dmp

                            Filesize

                            392KB

                          • memory/1276-4-0x000000001B0F0000-0x000000001B196000-memory.dmp

                            Filesize

                            664KB

                          • memory/1276-9-0x00007FFF7D0F0000-0x00007FFF7DA91000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/3424-21-0x00007FFF7D0F0000-0x00007FFF7DA91000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/3424-20-0x00007FFF7D0F0000-0x00007FFF7DA91000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/3424-23-0x00007FFF7D0F0000-0x00007FFF7DA91000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/3424-18-0x00007FFF7D0F0000-0x00007FFF7DA91000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/3532-30-0x000001AFC8580000-0x000001AFC85A2000-memory.dmp

                            Filesize

                            136KB