Analysis

  • max time kernel
    143s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250502-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/05/2025, 06:04

General

  • Target

    905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe

  • Size

    21KB

  • MD5

    6fe3fb85216045fdf8186429c27458a7

  • SHA1

    ef2c68d0b3edf3def5d90f1525fe87c2142e5710

  • SHA256

    905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550

  • SHA512

    d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c

  • SSDEEP

    384:nPD9On5gIdjbvRPJnMacNj6FIlKrZbJsV5reQ+ys:b9On2nV6FIlKr1

Malware Config

Signatures

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

  • Revengerat family
  • RevengeRat Executable 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Drops file in System32 directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
    "C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2408
    • C:\Windows\system32\MSSCS.exe
      "C:\Windows\system32\MSSCS.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2148
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -ExecutionPolicy Bypass -Command [System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms'); [System.Windows.Forms.MessageBox]::Show('Isto abriu lol','Rekt!',0,64)
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3096
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\napg1qdv.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2952
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDB48.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc475A696E7C5B4D9297BE1EE775EC41C.TMP"
          4⤵
            PID:1860
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
          "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ekmnfdva.cmdline"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4444
          • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDC22.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc642A3F333897419CBD76C77A55B2DEF6.TMP"
            4⤵
              PID:1908
          • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
            "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sw5v8xhx.cmdline"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2668
            • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDCCE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc303AB2B045BA46D7BAEACB48AE0CFDC.TMP"
              4⤵
                PID:1656
            • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
              "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fdqc5dxy.cmdline"
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:5492
              • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
                C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDD3C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDBE9E209C9CD452CBED2F781DD3658C1.TMP"
                4⤵
                  PID:4532
              • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
                "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ly7u_fon.cmdline"
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:932
                • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
                  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDDB9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6FB07291B28940089492623B7439AF6.TMP"
                  4⤵
                    PID:3824
                • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
                  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\myelffsp.cmdline"
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:396
                  • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
                    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDE26.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3B96A6071B8C4AD5ADEC4ABFC77F3EF1.TMP"
                    4⤵
                      PID:3964
                  • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
                    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cvuc6pqu.cmdline"
                    3⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1108
                    • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
                      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDE84.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA89DD029A6964C898BBEA9351FA9EF.TMP"
                      4⤵
                        PID:924
                    • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
                      "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\unkzqub8.cmdline"
                      3⤵
                      • Suspicious use of WriteProcessMemory
                      PID:1564
                      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
                        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDEE2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBE80A5DE22424825973CB5BA2D952485.TMP"
                        4⤵
                          PID:3244
                      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
                        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ctg3z08o.cmdline"
                        3⤵
                        • Suspicious use of WriteProcessMemory
                        PID:5840
                        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
                          C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDF3F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc12712F13952D469C9B4849B81E58D25A.TMP"
                          4⤵
                            PID:5628

                    Network

                          MITRE ATT&CK Enterprise v16

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Users\Admin\AppData\Local\Temp\RESDB48.tmp

                            Filesize

                            1KB

                            MD5

                            390f39dfe20df011d3812fb08229cca7

                            SHA1

                            01c433fede22f6dc39519ccedc0ee3434815fcd5

                            SHA256

                            76de6862a364b344cd827a9405a994b91f68293d590611f4537e26101be09afc

                            SHA512

                            0b6c151307048aeb1e27fab266b432f74ef4602436b422be07dd0ec1f6caf4a52c1968105c78012eba7315c7e9cb7988628043c2ea5d9de4a84f2fdfff8e7db7

                          • C:\Users\Admin\AppData\Local\Temp\RESDC22.tmp

                            Filesize

                            1KB

                            MD5

                            f6c13957f5098ecbdc76c00810f7632f

                            SHA1

                            3e7e1a2c2a6066df47e3dc6a92dd4e68a58afe27

                            SHA256

                            08cf9de4ae930f28acf7125df2d1b815a6d8b4a5c02fa6df39b39aa3336ce4fa

                            SHA512

                            c59ca0a48eb351f4a17edf2c060271ccbbb99488b0c142bdc2144466dd56193e6eec3ab22a50f0f1306e97d85a53de8536bf5c173d7dba08b545afeb458b8a97

                          • C:\Users\Admin\AppData\Local\Temp\RESDCCE.tmp

                            Filesize

                            1KB

                            MD5

                            50ca5cd83cacfee627f210a2feb71f40

                            SHA1

                            749849cf613fb9b701861cf654ba14d89d7030a0

                            SHA256

                            36da48570a4dba2dc6c02e29cc8d6e2675dd1ce11b2decb43257aee1dd0faeaa

                            SHA512

                            40dec775484aae2daea293d1c86e7e0d7931a4871f3f95e426d17ec4a79362fff0fbafe35cd7d47b5e346849cd9a415019e966d5712c00d10aabc78c7025b116

                          • C:\Users\Admin\AppData\Local\Temp\RESDD3C.tmp

                            Filesize

                            1KB

                            MD5

                            d287d45e4f5681025caa2fd3ed9496da

                            SHA1

                            32928c5fcda405e28bfb483df40834a4458f9ac9

                            SHA256

                            f01b2230c8155586fff9ebb14e7d503dddb1363172c0d1dd5c1d8b4e875a588c

                            SHA512

                            c066067e0ff58289cb11044939411b45ced23e669a447352864598bafa06a52601465bd4c88dcfc2153d834acc23d12e618593b7fcd6cbf677931ee5fa0c6bb4

                          • C:\Users\Admin\AppData\Local\Temp\RESDDB9.tmp

                            Filesize

                            1KB

                            MD5

                            363f9de5d731269a92f664633658ca60

                            SHA1

                            255fd854952781872105fab686c07505d08e4f49

                            SHA256

                            46ef0f147b3370b624d70949aa2cc41d0b236e563f90426cc8549a52a419cff3

                            SHA512

                            df3cc5bffb0824f4a784b3963e24bed83ac15cf6918de014a4c22c92b2057aa9a64344afc6a7931bb0de5c3ba99e260e0228555c93bf96313b495394a5240d23

                          • C:\Users\Admin\AppData\Local\Temp\RESDE26.tmp

                            Filesize

                            1KB

                            MD5

                            9ddede28449b003e83edde64744e9aea

                            SHA1

                            f3e8490daffad4ae338822d9fa23abe3af9ff5aa

                            SHA256

                            abfa2c82b6c0985bbc118fcf7aa81d9a82f2ddd36dc2089f23a898f72a240874

                            SHA512

                            7e31c0d8f40b7e506c05955632edd9cc444c7f97a86cfccd485197ed313cb449888b6343865c2d88c26e7e6ea53e541d6188a54554c6d9c573e7a2c0acc7a9ac

                          • C:\Users\Admin\AppData\Local\Temp\RESDE84.tmp

                            Filesize

                            1KB

                            MD5

                            0fe8e50a69ae8f5dad21b2eef8c26279

                            SHA1

                            3e54983a7ab162774f795a51adba57db360aec65

                            SHA256

                            63d3a5e251372865e6011302cd89c49869b8f87e4253579db49fa267793c9ed8

                            SHA512

                            0ddf4c9fa8d754d24357f85ff284362a508770f36a0112cd06cd1c86b7be38102f4ed290404f7ffe245b7619156afd186bacb46d767674015f17cf94923c716b

                          • C:\Users\Admin\AppData\Local\Temp\RESDEE2.tmp

                            Filesize

                            1KB

                            MD5

                            426c475fb974bfbccf7805fa507b1f4e

                            SHA1

                            fa4c8a8e607f2d48b604969c802e0dab987e2bec

                            SHA256

                            b9d4c2069d8fe65d8f6139e596ef1fecf597a6fdc2cdee7a98d6fd31415cfe38

                            SHA512

                            2a6e1ad06a01b0c76bd0383355631bc14294584f6f90eafa8bf56fc135e333f768638b60560fdded64147d47c6f90c28fb810353264882189c0014e70115ecd3

                          • C:\Users\Admin\AppData\Local\Temp\RESDF3F.tmp

                            Filesize

                            1KB

                            MD5

                            1683b931ba4869c03b84ffd53ff495e4

                            SHA1

                            af629f7c2c85b972621d63c1408928f126823337

                            SHA256

                            8209803f004042ad79b7100be27d98bd12e987ca51034acbb0f0a34fa1cda3c3

                            SHA512

                            8b6dcd4f9de50a618ee53cb93f15870ffd779e55e5a7c066e67cf4c68208fe6a00d00436843fac5a718b368e4c4d361782f3cff6c169e7fe83087e23ed9af83c

                          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_udp1zc2r.flz.ps1

                            Filesize

                            60B

                            MD5

                            d17fe0a3f47be24a6453e9ef58c94641

                            SHA1

                            6ab83620379fc69f80c0242105ddffd7d98d5d9d

                            SHA256

                            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                            SHA512

                            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                          • C:\Users\Admin\AppData\Local\Temp\ctg3z08o.0.vb

                            Filesize

                            273B

                            MD5

                            3c3d3136aa9f1b87290839a1d26ad07a

                            SHA1

                            005a23a138be5d7a98bdd4a6cc7fab8bdca962f4

                            SHA256

                            5b745f85a39312bfa585edbd7e3465371578b42fa639eded4cdad8c9f96b87fd

                            SHA512

                            fbb085ffcd77ac96c245067fd96a0c20492d55331161f292975b0c11386424a96534a500133217f84d44455e16139d01230455bce5db3d472271620c29381f60

                          • C:\Users\Admin\AppData\Local\Temp\ctg3z08o.cmdline

                            Filesize

                            173B

                            MD5

                            57f41422c223059ab6a20a0fe1649c73

                            SHA1

                            7b93ca81e326794b792ca5bc8a759cf69e9b6f4f

                            SHA256

                            e4cec7905a5f1b8ba4c866558498362c5f6703802f3130052360c68d297012b7

                            SHA512

                            fda048331d10071d575529dc07888982232d8ddd43811f0f535b214de44146eb600b4aa9b31bde9636b3038dd592db848e5cbbe067d02a953c5a6ec0ae267ee4

                          • C:\Users\Admin\AppData\Local\Temp\cvuc6pqu.0.vb

                            Filesize

                            270B

                            MD5

                            658573fde2bebc77c740da7ddaa4634b

                            SHA1

                            073da76c50b4033fcfdfb37ba6176afd77b0ea55

                            SHA256

                            c07206283d62100d426ba62a81e97bd433966f8b52b5a8dd1451e29a804a1607

                            SHA512

                            f93c7f4378be5eca51161d1541d772a34c07884c9d829608c6fa21563df5691920394afe9da1174ad5c13f773a588b186d1d38a9d375a28562eb58ca4a8b8fbf

                          • C:\Users\Admin\AppData\Local\Temp\cvuc6pqu.cmdline

                            Filesize

                            170B

                            MD5

                            15b5d537f337f25db830625bd52aaf52

                            SHA1

                            3f8f7054e8473202d6fe61f49824e1a98dc6624a

                            SHA256

                            e08d461799429428e43f2363b90e1f506e02e0f2c5b38445f93ad277d004ab59

                            SHA512

                            e7bb79d34963184ec752d783f142cf06b74dc3ea243cc7434ddca1f04bee672893f8e75eb03378cfc1fa310bbc81802051cc453b4b66d7b14d8358b0dbc1f907

                          • C:\Users\Admin\AppData\Local\Temp\ekmnfdva.0.vb

                            Filesize

                            262B

                            MD5

                            88cc385da858aaa7057b54eaeb0df718

                            SHA1

                            b108224d4686b5ca3faaeb1c728dfba8740a6eca

                            SHA256

                            08a30db98d970e3b6819d5ecff6eab2211ce93f4cd000c09db96ffb294d05020

                            SHA512

                            4787835240c3e2364172ac2e7649ec8fecb907c7006c38734e59aa65509f360b4596d5db8de20e0c7388a022e1c2f4f9ba75acabba798bea1d40f688539b7df7

                          • C:\Users\Admin\AppData\Local\Temp\ekmnfdva.cmdline

                            Filesize

                            162B

                            MD5

                            583462c48ad0d809d4418b6c37071508

                            SHA1

                            6c37d79140786980835c94bea87b9e8fc290e7fd

                            SHA256

                            569e428c43aff5514e82eb903b113e7f05e8fab126d7441aa3aaccc630331b9b

                            SHA512

                            0f3708013fa53fe3b781bdfdc4b13aff0f22f1085220dd09f3e8e4b1f5ae655c5bdb4825e75581cc96c23ce037a75609ead18fe84bb63ee64cf3ddf779017fec

                          • C:\Users\Admin\AppData\Local\Temp\fdqc5dxy.0.vb

                            Filesize

                            272B

                            MD5

                            2b3aac520562a93ebef6a5905d4765c9

                            SHA1

                            10ab45c5d73934b16fac5e30bf22f17d3e0810c8

                            SHA256

                            b9f0edf067faaaa7da2d47e3d22b957cd302eb25e01e08ea79c664868f328f89

                            SHA512

                            9514934ed12d93ea3ad4e6873cf294bafa114bc7a784a93b14dd2410d07fae3a2c00308035a5c129c57e283de8b94ed36fd9f9de35b08eb79a82a0c732e50446

                          • C:\Users\Admin\AppData\Local\Temp\fdqc5dxy.cmdline

                            Filesize

                            172B

                            MD5

                            aff1699669aadb00afa686fdf262004a

                            SHA1

                            8ce0b55a184b53a5d2e0cba8caf61770de5e0aef

                            SHA256

                            3870606905f5d7d302fae08a04359c032452155959d7e82a7b459074d6e9946e

                            SHA512

                            5fec7a069eee39c2e532e14d9d9e9d9aff6a51ce947c2f7e51d7f10d556362f8830bc08f9c48ce805c300b584089af0236b6b15ad7e56828d7230f81db05ca52

                          • C:\Users\Admin\AppData\Local\Temp\ly7u_fon.0.vb

                            Filesize

                            274B

                            MD5

                            539683c4ca4ee4dc46b412c5651f20f5

                            SHA1

                            564f25837ce382f1534b088cf2ca1b8c4b078aed

                            SHA256

                            ec2210924d5c1af6377ef4bdf76d6ca773aaa1ae0438b0850f44d8c4e16ef92e

                            SHA512

                            df7c1a55e53f9b9bf23d27762d2d1163c78808e9b4d95e98c84c55ca4ecb7009ed58574ae6ddede31459f300483a1dc42987295a04f6c8702f297d3f1942f4ac

                          • C:\Users\Admin\AppData\Local\Temp\ly7u_fon.cmdline

                            Filesize

                            174B

                            MD5

                            f40b955384864a00d18bad398696ccdc

                            SHA1

                            2dc4a8f6ab6353818e63d5282fdd39eceb0cb309

                            SHA256

                            eeaf891561708266ce8420a785809f315d62d24f253b6223fd78eacb038f811e

                            SHA512

                            ec8161fc78f5fbabd154432f2b1189b5e84079483979330ca5327a112f139a27cdc49025bdd9f6bbf4677aa91dd41cc6bba26ed1ba546b476fc06d558190ce68

                          • C:\Users\Admin\AppData\Local\Temp\myelffsp.0.vb

                            Filesize

                            264B

                            MD5

                            5ce3977a153152978fa71f8aa96909e9

                            SHA1

                            52af143c553c92afc257f0e0d556908eaa8919cb

                            SHA256

                            e07a7bd0c2901d3a349ab55e936b34de2d0abb5f2dc555cc128773b8045d3eed

                            SHA512

                            eaee02ceade0211be70a4710b28fdf043d5c540928e2095ead924a44c2edfca8fc6499395d1b7f5deee96394fb5309362fb87e45ee195094ec39d5fa11909d77

                          • C:\Users\Admin\AppData\Local\Temp\myelffsp.cmdline

                            Filesize

                            164B

                            MD5

                            f247b1d3641574e7835273c9926094a1

                            SHA1

                            d9896e49009f1dff1313df2ea85a73e55481f09b

                            SHA256

                            d83a9b0277c31f5212976353911d9195e46c7754e75f29acd79c6e0244a73707

                            SHA512

                            d119138bf34c7e948fe525254b9730f1b61085baaa3527694a90f247f4e819250083102670a820927674d52e528ce38e30e7c02eb76111af3f905fe3b142210b

                          • C:\Users\Admin\AppData\Local\Temp\napg1qdv.0.vb

                            Filesize

                            256B

                            MD5

                            076803692ac8c38d8ee02672a9d49778

                            SHA1

                            45d2287f33f3358661c3d6a884d2a526fc6a0a46

                            SHA256

                            5b3ab23bcadaeb54a41bdb1636bcaf7772af028d375f42baeb967de6579ef2a3

                            SHA512

                            cc9126384a287ccb99d10d5c2d3034cdbc8a45e94f1cec48dd95f2aa08ebbe3053ffd6d6effa31f2d84164edbb6136398cd02c08b05f027a6a777dffd1daea5d

                          • C:\Users\Admin\AppData\Local\Temp\napg1qdv.cmdline

                            Filesize

                            156B

                            MD5

                            52e20fc7983a578462e97534a3cb9b7f

                            SHA1

                            13d654308718eca4c234083744443b7d641db89e

                            SHA256

                            64eeea12fac04bef29d5d2318b459bcf34c904d785bb9803f2e668e37297d46b

                            SHA512

                            1a6252899a17e96a1a1a7fa9f08ddbc95ce51ebf408f7520251712214e8d9c29937a4b9a04d9a0254e740e8a10c128c76dde8201ca71e5efffeef04aee7f818e

                          • C:\Users\Admin\AppData\Local\Temp\sw5v8xhx.0.vb

                            Filesize

                            271B

                            MD5

                            ac972015bef75b540eb33503d6e28cc2

                            SHA1

                            5c1d09fcf4c719711532dcfd0544dfc6f2b90260

                            SHA256

                            fa445cc76cde3461a5f1f1281fefcb0c7db69b2685f8a67a06a0f33a067e74e7

                            SHA512

                            36b2e1f7b7a6f2c60788f88d95bfdc53b7d261c203eb637a36fbd07d81bc46edc87e528f1987df73963cb75ca2f19c3a4b3df9ade52d5768ecec23753099cc83

                          • C:\Users\Admin\AppData\Local\Temp\sw5v8xhx.cmdline

                            Filesize

                            171B

                            MD5

                            ddc8c89759a239fdde89012c39d202f8

                            SHA1

                            24a62eebfb40075827aa8fe68c46fc6c35ba1672

                            SHA256

                            6b84f5c86538b3bd8a871797f3b74ad60c34c36e67592cd89de9c2bc3fb43450

                            SHA512

                            005e83f79786bbd08d54dd553ab1b7ac6b949d1c6d171b24611e6ccb419cdd56a19f068d71b3a57a1ffd491c623442ce8ec7603a9d939cc62045d36e59343305

                          • C:\Users\Admin\AppData\Local\Temp\unkzqub8.0.vb

                            Filesize

                            271B

                            MD5

                            325f27ef75bebe8b3f80680add1943d3

                            SHA1

                            1c48e211258f8887946afb063e9315b7609b4ee3

                            SHA256

                            034c75813491d628a1a740b45888fc0c301b915456aaa7ba6433b4f1368cda35

                            SHA512

                            e2165b425558872897990953c26e48776f45751a53da035f1ad86ac062ec23a2923b984d84f992de5c0170f6e192feb155ffff25f51bc76ab273b996daacb804

                          • C:\Users\Admin\AppData\Local\Temp\unkzqub8.cmdline

                            Filesize

                            171B

                            MD5

                            60e75f6d4702856f3e65695e2a79dd2b

                            SHA1

                            147e019c6824ed23961e1f0debd92b5a44c0a45b

                            SHA256

                            1afd649b318336e8ee1bf5cd45a9454a6cdd4b88459c4ea364f64e4f34604618

                            SHA512

                            c4014d2315d7d5f2fb6463c8be7fe61d751d02a4baf3473cee1d9f2bcc26f0500ac50200f2af5a8208d52e0aa3730890894c22df2842818b5df0b1f87e93a9c0

                          • C:\Users\Admin\AppData\Local\Temp\vbc12712F13952D469C9B4849B81E58D25A.TMP

                            Filesize

                            684B

                            MD5

                            7a707b422baa7ca0bc8883cbe68961e7

                            SHA1

                            addf3158670a318c3e8e6fdd6d560244b9e8860e

                            SHA256

                            453ad1da51152e3512760bbd206304bf48f9c880f63b6a0726009e2d1371c71c

                            SHA512

                            81147c1c4c5859249f4e25d754103f3843416e3d0610ac81ee2ef5e5f50622ea37f0c68eeb7fa404f8a1779dc52af02d2142874e39c212c66fa458e0d62926a9

                          • C:\Users\Admin\AppData\Local\Temp\vbc475A696E7C5B4D9297BE1EE775EC41C.TMP

                            Filesize

                            644B

                            MD5

                            dac60af34e6b37e2ce48ac2551aee4e7

                            SHA1

                            968c21d77c1f80b3e962d928c35893dbc8f12c09

                            SHA256

                            2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6

                            SHA512

                            1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

                          • C:\Users\Admin\AppData\Local\Temp\vbc642A3F333897419CBD76C77A55B2DEF6.TMP

                            Filesize

                            668B

                            MD5

                            3906bddee0286f09007add3cffcaa5d5

                            SHA1

                            0e7ec4da19db060ab3c90b19070d39699561aae2

                            SHA256

                            0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00

                            SHA512

                            0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

                          • C:\Users\Admin\AppData\Local\Temp\vbc6FB07291B28940089492623B7439AF6.TMP

                            Filesize

                            684B

                            MD5

                            8135713eeb0cf1521c80ad8f3e7aad22

                            SHA1

                            1628969dc6256816b2ab9b1c0163fcff0971c154

                            SHA256

                            e14dd88df69dc98be5bedcbc8c43d1e7260b4492899fec24d964000a3b096c7a

                            SHA512

                            a0b7210095767b437a668a6b0bcedf42268e80b9184b9910ed67d665fba9f714d06c06bff7b3da63846791d606807d13311946505776a1b891b39058cfb41bd4

                          • C:\Users\Admin\AppData\Local\Temp\vbcDBE9E209C9CD452CBED2F781DD3658C1.TMP

                            Filesize

                            676B

                            MD5

                            85c61c03055878407f9433e0cc278eb7

                            SHA1

                            15a60f1519aefb81cb63c5993400dd7d31b1202f

                            SHA256

                            f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b

                            SHA512

                            7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

                          • C:\Windows\System32\MSSCS.exe

                            Filesize

                            21KB

                            MD5

                            6fe3fb85216045fdf8186429c27458a7

                            SHA1

                            ef2c68d0b3edf3def5d90f1525fe87c2142e5710

                            SHA256

                            905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550

                            SHA512

                            d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c

                          • memory/2148-19-0x00007FF8206F0000-0x00007FF821091000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/2148-18-0x00007FF8206F0000-0x00007FF821091000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/2148-21-0x00007FF8206F0000-0x00007FF821091000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/2408-5-0x000000001CC10000-0x000000001CCAC000-memory.dmp

                            Filesize

                            624KB

                          • memory/2408-7-0x00007FF8206F0000-0x00007FF821091000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/2408-6-0x00007FF8209A5000-0x00007FF8209A6000-memory.dmp

                            Filesize

                            4KB

                          • memory/2408-8-0x00007FF8206F0000-0x00007FF821091000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/2408-20-0x00007FF8206F0000-0x00007FF821091000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/2408-0-0x00007FF8209A5000-0x00007FF8209A6000-memory.dmp

                            Filesize

                            4KB

                          • memory/2408-4-0x000000001C300000-0x000000001C362000-memory.dmp

                            Filesize

                            392KB

                          • memory/2408-3-0x000000001C180000-0x000000001C226000-memory.dmp

                            Filesize

                            664KB

                          • memory/2408-2-0x000000001BC00000-0x000000001C0CE000-memory.dmp

                            Filesize

                            4.8MB

                          • memory/2408-1-0x00007FF8206F0000-0x00007FF821091000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/3096-31-0x0000019DD7980000-0x0000019DD79A2000-memory.dmp

                            Filesize

                            136KB