Analysis

  • max time kernel
    144s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/05/2025, 06:07

General

  • Target

    905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe

  • Size

    21KB

  • MD5

    6fe3fb85216045fdf8186429c27458a7

  • SHA1

    ef2c68d0b3edf3def5d90f1525fe87c2142e5710

  • SHA256

    905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550

  • SHA512

    d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c

  • SSDEEP

    384:nPD9On5gIdjbvRPJnMacNj6FIlKrZbJsV5reQ+ys:b9On2nV6FIlKr1

Malware Config

Signatures

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

  • Revengerat family
  • RevengeRat Executable 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Drops file in System32 directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
    "C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:6024
    • C:\Windows\system32\MSSCS.exe
      "C:\Windows\system32\MSSCS.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4468
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -ExecutionPolicy Bypass -Command [System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms'); [System.Windows.Forms.MessageBox]::Show('Isto abriu lol','Rekt!',0,64)
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5864
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3vbq2ace.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3464
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE441.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBBC77582DCCC4AB2A635A8853E824AFC.TMP"
          4⤵
          PID:4628
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\z3fln8ua.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:948
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE4BE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc31BF47F7E756474AB8EB22AB63EF947A.TMP"
          4⤵
          PID:1104
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fgvswrre.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3540
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE55A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB51B4A37667408898608FE1C283C7A.TMP"
          4⤵
          PID:2572
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vdf_5rgi.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2228
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE5D7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBB52C5D2BF3542AA97E25AF0636FAB4E.TMP"
          4⤵
          PID:3928
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\eguxzwbt.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:6120
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE654.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB918735E2CDC4B4880DA94F796957CB1.TMP"
          4⤵
          PID:5248
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yrfghilc.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1080
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE6C1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc18BD533ACF2A4AE2A5CD96112EADB8A0.TMP"
          4⤵
          PID:4048
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gp1z42uw.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1188
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE72F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc64337EDC8DFB47AA8196DCFE9A32BB38.TMP"
          4⤵
          PID:1308
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0w7x9bkr.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3212
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE78C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6C05117797CE49B0B431C4808135E962.TMP"
          4⤵
          PID:2364
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qzms3rxd.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:436
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE7FA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc41E0B6F59E6D4A2E92A4A26F5B48D277.TMP"
          4⤵
          PID:5092

Network

MITRE ATT&CK Enterprise v16

Downloads

  • C:\Users\Admin\AppData\Local\Temp\0w7x9bkr.0.vb
    Filesize: 271B
    MD5: 325f27ef75bebe8b3f80680add1943d3
    SHA1: 1c48e211258f8887946afb063e9315b7609b4ee3
    SHA256: 034c75813491d628a1a740b45888fc0c301b915456aaa7ba6433b4f1368cda35
    SHA512: e2165b425558872897990953c26e48776f45751a53da035f1ad86ac062ec23a2923b984d84f992de5c0170f6e192feb155ffff25f51bc76ab273b996daacb804

  • C:\Users\Admin\AppData\Local\Temp\0w7x9bkr.cmdline
    Filesize: 171B
    MD5: c54f4ca889cbf54feb54a22d76c0f003
    SHA1: 614488ec9931579fe5c3128e9306a69fa0fc39a7
    SHA256: f98b1276bc265c05ea716f1d1a7704bee9d995a137c0c852883f8e3596d4bb08
    SHA512: 8ac497ee7d425321f86510b4da422c8167ddb33d0c4dd60c0cb87b9e1ceea10a5bbc47721a0ea4f028b76287900735e9f365edcfbddb63089645d5459583f502

  • C:\Users\Admin\AppData\Local\Temp\3vbq2ace.0.vb
    Filesize: 256B
    MD5: 076803692ac8c38d8ee02672a9d49778
    SHA1: 45d2287f33f3358661c3d6a884d2a526fc6a0a46
    SHA256: 5b3ab23bcadaeb54a41bdb1636bcaf7772af028d375f42baeb967de6579ef2a3
    SHA512: cc9126384a287ccb99d10d5c2d3034cdbc8a45e94f1cec48dd95f2aa08ebbe3053ffd6d6effa31f2d84164edbb6136398cd02c08b05f027a6a777dffd1daea5d

  • C:\Users\Admin\AppData\Local\Temp\3vbq2ace.cmdline
    Filesize: 156B
    MD5: e56679b1e00c6147e388a751a489fbaf
    SHA1: c3b3bc73b7390078c8946f1258b5d7e385dc841d
    SHA256: 84185532ac37e04b214d7143319b467f67ab422cb864bc451afb14d68cf7b0fa
    SHA512: 8815319cff85c9b0a8fd9c511f7db7d3be7d46281e50c2bc482b123e0be2ccb076d2f173825863ba9883d029616f30d683267003fc60d91aea586cc8dd5c60c8

  • C:\Users\Admin\AppData\Local\Temp\RESE441.tmp
    Filesize: 1KB
    MD5: 8b397e776c7e5a661f1a9b614be6514c
    SHA1: e4aabe2ee81515bf9ef2d086c38fc0bd69c163cb
    SHA256: 4d894d22484f7abc5d984ddbb9dc6dd695bf2e77116793d6b6e92a2b2c16a5d6
    SHA512: b25e81f42f71fb4704e04c2efbf4f4f815f0495215acb5b0021cdea3ee3812b2c0ff64a552a73c096c8c38342d5c696c4d063ef2eaca068750712e4c37797345

  • C:\Users\Admin\AppData\Local\Temp\RESE4BE.tmp
    Filesize: 1KB
    MD5: 5934eeb65c19dc186c69820dfdbf371c
    SHA1: e5ef32fa743931e6c819724b5a22578f86311aa6
    SHA256: 51945b0a9f2ba57346333ba1f8495501149f9f811a74f8c2f1cf22a84720c677
    SHA512: 1f966be8f082cc070811967ef410c391b5889410e0dd97154d858bbe0fc62288f39ac01f25488b7f80454021b337359d71a889e20fbc4b804cdf5fa59c9d6359

  • C:\Users\Admin\AppData\Local\Temp\RESE55A.tmp
    Filesize: 1KB
    MD5: 3dbc48673a2725ad2445da552932da5e
    SHA1: 26586cf4876bedb4e53f0836e7adb11247734b14
    SHA256: 27b9620e6f3586c5295b47cdcd96195f8e7a3da0483d13ec04cf64e7363e9d0f
    SHA512: 794f178d46fa1cb0ad368af78c723c456f0645c52af70edc6b8ec53d3a2e47eda3e0b41f57a9e948d85a8cde7263f529adfc89c7ff63ba89e5cb26d4534daad4

  • C:\Users\Admin\AppData\Local\Temp\RESE5D7.tmp
    Filesize: 1KB
    MD5: ccfeeb6e40a4f5414b05572ee3a11d9f
    SHA1: e1fa0ca7f31f34e0de08e1c5286c74eaaea38173
    SHA256: 1f900de9ed6b4148f525e65a4bc35a753ef504cb878965db0a3afe8de31a3584
    SHA512: f4763dbab3d5d3c3a50a6ac894e11cb5815078639abaa499234ac03bce319587369d53491544cf2f45ac97d5f5f419741b9fd2c0d05adbc6fc51c94e0db84801

  • C:\Users\Admin\AppData\Local\Temp\RESE654.tmp
    Filesize: 1KB
    MD5: 7ee9f17469b31c9129a6f37a693fd905
    SHA1: ea318b6a6bd357533192191beabb4357b3d68daf
    SHA256: 3d4a0737e373761611f4149b8540300cb40977dee4a35d66ac87ef4799f30e4e
    SHA512: 120d98907039971c68421265d31468c903df10b0b355e7d35cfe1d2d0adf5a1287fe45bf3bf4933a5a2d94995a7874e46a4e84c400de1b721283e4dd69ff4db9

  • C:\Users\Admin\AppData\Local\Temp\RESE6C1.tmp
    Filesize: 1KB
    MD5: b47abf249b66fa58ea1f0313ae2bb066
    SHA1: 58a21259e8966a5caba3eb5a355fada115901d96
    SHA256: 0cd3fc2a98b5a02c0a904af2e6b7ac35ca8e4ba16ecfbcdf7b0b5de9a12f2145
    SHA512: 218620ee48941fad53a4ce68ad9619ec5ba5c62f85ba26275451835295a6c62f73e6f99502ec4905acde570f141e414abade774de5e234ccc0ac4ff339dd800b

  • C:\Users\Admin\AppData\Local\Temp\RESE72F.tmp
    Filesize: 1KB
    MD5: ff9ba005bad27cce1da0430bc72bc16f
    SHA1: 2c0bcabc319e388b62824c3805f6339f26424e02
    SHA256: 0531693c222d3fe3b3641f399d3930628fe2099f6d906970dc383cc6eae7d9e1
    SHA512: 8d3cc50bf17d941c8370ebfb6b00c1f2aae7071a989625cd8bcbd332d28021f3a0f9e44692d4c9b5b22616b7e50e6c2fa79e6e2fbc7a0531689bbc7f914f0dc0

  • C:\Users\Admin\AppData\Local\Temp\RESE78C.tmp
    Filesize: 1KB
    MD5: dfb4d2271ee33a9810eca647944f9646
    SHA1: bc6df23d10151a240dcfdb1ace6f4e2868011f92
    SHA256: 063c071d61bebff680ecb4041e0ae3e55942ed76c437dc18521819985eacd090
    SHA512: 1c8c66b18993f26c402d76668931007120d7829206d02008e4f3efd062a2ee52a31a0f79e61267d754a3ea8d0c8fa7037cc8f9cc095a63e0401cd16055c7e2ad

  • C:\Users\Admin\AppData\Local\Temp\RESE7FA.tmp
    Filesize: 1KB
    MD5: c00db300b8886cae9939412817890139
    SHA1: fc0e89b8601c77cf4c20fc0839385bf5f08971b2
    SHA256: 2814db89c2362284af45cd016c357a4d16ac88686f4c37ad9ee5664414c71588
    SHA512: 75404fbe05d08612dbf39dab261aa9444bbc2f1840134c815825f53c7158b211dd0a5170fd1b5ffc7420b43d9cb670dda42a3bc9ffd549bbf71d69a0c4b910e2

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nj3xnesj.o4v.ps1
    Filesize: 60B
    MD5: d17fe0a3f47be24a6453e9ef58c94641
    SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Local\Temp\eguxzwbt.0.vb
    Filesize: 274B
    MD5: 539683c4ca4ee4dc46b412c5651f20f5
    SHA1: 564f25837ce382f1534b088cf2ca1b8c4b078aed
    SHA256: ec2210924d5c1af6377ef4bdf76d6ca773aaa1ae0438b0850f44d8c4e16ef92e
    SHA512: df7c1a55e53f9b9bf23d27762d2d1163c78808e9b4d95e98c84c55ca4ecb7009ed58574ae6ddede31459f300483a1dc42987295a04f6c8702f297d3f1942f4ac

  • C:\Users\Admin\AppData\Local\Temp\eguxzwbt.cmdline
    Filesize: 174B
    MD5: a8b60a30f3fe1572aee5dc68df9e9b4a
    SHA1: f4fee811af0e2ad2f70785e6c8e71438138dc2d8
    SHA256: 20452d9b3428b1ba0bc2c676df7d177680bf3482f376a947b4a13b9144ba364e
    SHA512: 23e076b1f5c7870d1ce7a5dc038b01f55c9cf073bc7213e2e1bc21dbaa7300bc2439da0499f8efa027e16543634241d33e0b5f9c1c9a0f5f10825f38bd07c809

  • C:\Users\Admin\AppData\Local\Temp\fgvswrre.0.vb
    Filesize: 271B
    MD5: ac972015bef75b540eb33503d6e28cc2
    SHA1: 5c1d09fcf4c719711532dcfd0544dfc6f2b90260
    SHA256: fa445cc76cde3461a5f1f1281fefcb0c7db69b2685f8a67a06a0f33a067e74e7
    SHA512: 36b2e1f7b7a6f2c60788f88d95bfdc53b7d261c203eb637a36fbd07d81bc46edc87e528f1987df73963cb75ca2f19c3a4b3df9ade52d5768ecec23753099cc83

  • C:\Users\Admin\AppData\Local\Temp\fgvswrre.cmdline
    Filesize: 171B
    MD5: d3c49364f39bd2775f7cc0890f21be03
    SHA1: 098a5aa6d244ecf81da3fb8e03f9049a1510d2b2
    SHA256: 7952613acb86c2110a0cb5e9abb1463f369a0eb22e99b613776be5aefc466cf1
    SHA512: ce69cbea8d3cbab84c6649ceeddb4e7c6aefc71cbd3f511bc6af1f0a33c78a5d50293cd19467c11e88c86e2663fd945a5adfe429b96a88988e292fc3ac19f2ce

  • C:\Users\Admin\AppData\Local\Temp\gp1z42uw.0.vb
    Filesize: 270B
    MD5: 658573fde2bebc77c740da7ddaa4634b
    SHA1: 073da76c50b4033fcfdfb37ba6176afd77b0ea55
    SHA256: c07206283d62100d426ba62a81e97bd433966f8b52b5a8dd1451e29a804a1607
    SHA512: f93c7f4378be5eca51161d1541d772a34c07884c9d829608c6fa21563df5691920394afe9da1174ad5c13f773a588b186d1d38a9d375a28562eb58ca4a8b8fbf

  • C:\Users\Admin\AppData\Local\Temp\gp1z42uw.cmdline
    Filesize: 170B
    MD5: ff9b2e648a183d9a247a28640d579904
    SHA1: 4c8e08a568affc9f9e8ee893db035d719af7143c
    SHA256: 22f8b1888781448e0d332540690d0ef9e1ee04a8fe2d7f0efae82164f94d6ad1
    SHA512: 0be764b9519928c420e3d994b9100a8a6024d5afff455171f78145f3c3817003628eeeb9065605ef8a06df3734438e6d84a1fe07737fedccb5fb51b515744d5c

  • C:\Users\Admin\AppData\Local\Temp\qzms3rxd.0.vb
    Filesize: 273B
    MD5: 3c3d3136aa9f1b87290839a1d26ad07a
    SHA1: 005a23a138be5d7a98bdd4a6cc7fab8bdca962f4
    SHA256: 5b745f85a39312bfa585edbd7e3465371578b42fa639eded4cdad8c9f96b87fd
    SHA512: fbb085ffcd77ac96c245067fd96a0c20492d55331161f292975b0c11386424a96534a500133217f84d44455e16139d01230455bce5db3d472271620c29381f60

  • C:\Users\Admin\AppData\Local\Temp\qzms3rxd.cmdline
    Filesize: 173B
    MD5: 605022b37d6c5c529c78b0ae4af0abf2
    SHA1: b0917f05f02555d6be23a271481582e91b34efd3
    SHA256: 2533a1404f605a829715c80b6c635d7636c0a76cd3f4c4a589991ab85b668358
    SHA512: 61d7781e242c27aa73e2aaba608f7e41a35a0e17aea63be81cab40e2db6e80f603f6e00ca1334d0eac9f1d017e6c517a567a89e080182873bf76f2c45ff72616

  • C:\Users\Admin\AppData\Local\Temp\vbc31BF47F7E756474AB8EB22AB63EF947A.TMP
    Filesize: 668B
    MD5: 3906bddee0286f09007add3cffcaa5d5
    SHA1: 0e7ec4da19db060ab3c90b19070d39699561aae2
    SHA256: 0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00
    SHA512: 0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

  • C:\Users\Admin\AppData\Local\Temp\vbc41E0B6F59E6D4A2E92A4A26F5B48D277.TMP
    Filesize: 684B
    MD5: 7a707b422baa7ca0bc8883cbe68961e7
    SHA1: addf3158670a318c3e8e6fdd6d560244b9e8860e
    SHA256: 453ad1da51152e3512760bbd206304bf48f9c880f63b6a0726009e2d1371c71c
    SHA512: 81147c1c4c5859249f4e25d754103f3843416e3d0610ac81ee2ef5e5f50622ea37f0c68eeb7fa404f8a1779dc52af02d2142874e39c212c66fa458e0d62926a9

  • C:\Users\Admin\AppData\Local\Temp\vbcB918735E2CDC4B4880DA94F796957CB1.TMP
    Filesize: 684B
    MD5: 8135713eeb0cf1521c80ad8f3e7aad22
    SHA1: 1628969dc6256816b2ab9b1c0163fcff0971c154
    SHA256: e14dd88df69dc98be5bedcbc8c43d1e7260b4492899fec24d964000a3b096c7a
    SHA512: a0b7210095767b437a668a6b0bcedf42268e80b9184b9910ed67d665fba9f714d06c06bff7b3da63846791d606807d13311946505776a1b891b39058cfb41bd4

  • C:\Users\Admin\AppData\Local\Temp\vbcBB52C5D2BF3542AA97E25AF0636FAB4E.TMP
    Filesize: 676B
    MD5: 85c61c03055878407f9433e0cc278eb7
    SHA1: 15a60f1519aefb81cb63c5993400dd7d31b1202f
    SHA256: f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b
    SHA512: 7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

  • C:\Users\Admin\AppData\Local\Temp\vbcBBC77582DCCC4AB2A635A8853E824AFC.TMP
    Filesize: 644B
    MD5: dac60af34e6b37e2ce48ac2551aee4e7
    SHA1: 968c21d77c1f80b3e962d928c35893dbc8f12c09
    SHA256: 2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6
    SHA512: 1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

  • C:\Users\Admin\AppData\Local\Temp\vdf_5rgi.0.vb
    Filesize: 272B
    MD5: 2b3aac520562a93ebef6a5905d4765c9
    SHA1: 10ab45c5d73934b16fac5e30bf22f17d3e0810c8
    SHA256: b9f0edf067faaaa7da2d47e3d22b957cd302eb25e01e08ea79c664868f328f89
    SHA512: 9514934ed12d93ea3ad4e6873cf294bafa114bc7a784a93b14dd2410d07fae3a2c00308035a5c129c57e283de8b94ed36fd9f9de35b08eb79a82a0c732e50446

  • C:\Users\Admin\AppData\Local\Temp\vdf_5rgi.cmdline
    Filesize: 172B
    MD5: 83f53bc162bedec514ba6bbac7e01682
    SHA1: 0ef6ae8667429696b62fb9b365c14c70471fc5ee
    SHA256: 5b7651995f2725c82fc5152811834821c708a89609821e3c99aa5e0815a6e07f
    SHA512: 4051550572cf2aa9e4df5fe13df26e5e196d9af0320db7511339eb3b31e14d9e51412403f06c91ad352e01752e7a25351339ffdc282d53d203a8df80a930c3f7

  • C:\Users\Admin\AppData\Local\Temp\yrfghilc.0.vb
    Filesize: 264B
    MD5: 5ce3977a153152978fa71f8aa96909e9
    SHA1: 52af143c553c92afc257f0e0d556908eaa8919cb
    SHA256: e07a7bd0c2901d3a349ab55e936b34de2d0abb5f2dc555cc128773b8045d3eed
    SHA512: eaee02ceade0211be70a4710b28fdf043d5c540928e2095ead924a44c2edfca8fc6499395d1b7f5deee96394fb5309362fb87e45ee195094ec39d5fa11909d77

  • C:\Users\Admin\AppData\Local\Temp\yrfghilc.cmdline
    Filesize: 164B
    MD5: fdad5639d2707dea655a9ef1cb3d13e8
    SHA1: 763edd4dd70846c15ab876bfb1d93e3c31fd618f
    SHA256: 652b42c29aefcee0e36ab8eb415f6b4caeab6311c5083765792d135c190a3850
    SHA512: 07bac002756a03e021088d508014756a88f2ab10c33c7b0e4bdfe9d6c1ff0b58867d508206ae57aee094ec52e3dc537337b7bb4341a18a2a8ddfdea3306947a7

  • C:\Users\Admin\AppData\Local\Temp\z3fln8ua.0.vb
    Filesize: 262B
    MD5: 88cc385da858aaa7057b54eaeb0df718
    SHA1: b108224d4686b5ca3faaeb1c728dfba8740a6eca
    SHA256: 08a30db98d970e3b6819d5ecff6eab2211ce93f4cd000c09db96ffb294d05020
    SHA512: 4787835240c3e2364172ac2e7649ec8fecb907c7006c38734e59aa65509f360b4596d5db8de20e0c7388a022e1c2f4f9ba75acabba798bea1d40f688539b7df7

  • C:\Users\Admin\AppData\Local\Temp\z3fln8ua.cmdline
    Filesize: 162B
    MD5: 6b5368e62ea3be1133637f7cd2c56aa6
    SHA1: bc511c432a4a7362bdaa2b7fc87f7c0a9b7446d1
    SHA256: 68ebb464ccff3143c208616751e82c522b53feb8b385ae9826dfa02c1a903f46
    SHA512: 19a4ebca8ce0cb947286d475a261d71d63201034a4f88fd4695ea4deb5b2e77d6379c2877142693c47a71dfe9ab5e86e8269214148454d297f09e910cfd570c4

  • C:\Windows\System32\MSSCS.exe
    Filesize: 21KB
    MD5: 6fe3fb85216045fdf8186429c27458a7
    SHA1: ef2c68d0b3edf3def5d90f1525fe87c2142e5710
    SHA256: 905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550
    SHA512: d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c

  • memory/4468-18-0x00007FFC4D410000-0x00007FFC4DDB1000-memory.dmp
    Filesize: 9.6MB

  • memory/4468-23-0x00007FFC4D410000-0x00007FFC4DDB1000-memory.dmp
    Filesize: 9.6MB

  • memory/4468-20-0x00007FFC4D410000-0x00007FFC4DDB1000-memory.dmp
    Filesize: 9.6MB

  • memory/4468-19-0x00007FFC4D410000-0x00007FFC4DDB1000-memory.dmp
    Filesize: 9.6MB

  • memory/5864-37-0x0000017BA5200000-0x0000017BA5222000-memory.dmp
    Filesize: 136KB

  • memory/6024-0-0x00007FFC4D6C5000-0x00007FFC4D6C6000-memory.dmp
    Filesize: 4KB

  • memory/6024-22-0x00007FFC4D410000-0x00007FFC4DDB1000-memory.dmp
    Filesize: 9.6MB

  • memory/6024-9-0x00007FFC4D410000-0x00007FFC4DDB1000-memory.dmp
    Filesize: 9.6MB

  • memory/6024-8-0x00007FFC4D410000-0x00007FFC4DDB1000-memory.dmp
    Filesize: 9.6MB

  • memory/6024-7-0x00007FFC4D6C5000-0x00007FFC4D6C6000-memory.dmp
    Filesize: 4KB

  • memory/6024-6-0x00007FFC4D410000-0x00007FFC4DDB1000-memory.dmp
    Filesize: 9.6MB

  • memory/6024-5-0x000000001CC20000-0x000000001CCBC000-memory.dmp
    Filesize: 624KB

  • memory/6024-4-0x000000001C570000-0x000000001C5D2000-memory.dmp
    Filesize: 392KB

  • memory/6024-3-0x000000001C3D0000-0x000000001C476000-memory.dmp
    Filesize: 664KB

  • memory/6024-2-0x000000001BF00000-0x000000001C3CE000-memory.dmp
    Filesize: 4.8MB

  • memory/6024-1-0x00007FFC4D410000-0x00007FFC4DDB1000-memory.dmp
    Filesize: 9.6MB