Analysis

  • max time kernel
    143s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250502-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/05/2025, 06:14

General

  • Target

    905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe

  • Size

    21KB

  • MD5

    6fe3fb85216045fdf8186429c27458a7

  • SHA1

    ef2c68d0b3edf3def5d90f1525fe87c2142e5710

  • SHA256

    905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550

  • SHA512

    d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c

  • SSDEEP

    384:nPD9On5gIdjbvRPJnMacNj6FIlKrZbJsV5reQ+ys:b9On2nV6FIlKr1

Malware Config

Signatures

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

  • Revengerat family
  • RevengeRat Executable 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Drops file in System32 directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
    "C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3348
    • C:\Windows\system32\MSSCS.exe
      "C:\Windows\system32\MSSCS.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5872
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -ExecutionPolicy Bypass -Command [System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms'); [System.Windows.Forms.MessageBox]::Show('Isto abriu lol','Rekt!',0,64)
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5052
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mibtxptw.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:812
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES98A1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC2DAFB0FB2E9431E8C938CA19A2DF3A.TMP"
          4⤵
            PID:5224
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
          "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\v8kxxh6x.cmdline"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:5408
          • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES998C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc899F4E1BE6D144D5B92C834F5BFB9C6.TMP"
            4⤵
              PID:2276
          • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
            "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tkluugty.cmdline"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:944
            • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9A18.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5369EECE5CAA4E87A04272D24BC1E38.TMP"
              4⤵
                PID:3788
            • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
              "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hmgjdftn.cmdline"
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:3808
              • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
                C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9A76.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc71E9308D8280485BAE6CA052BA1C925C.TMP"
                4⤵
                  PID:2448
              • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
                "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tb7n2e44.cmdline"
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:5592
                • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
                  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9AD4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6696A7EA72894847895A8CAB2F6CE6D.TMP"
                  4⤵
                    PID:752
                • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
                  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jfx685zd.cmdline"
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1392
                  • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
                    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9B31.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE5F3DC1D935D4B3DAD3DFCE73743D89F.TMP"
                    4⤵
                      PID:5516
                  • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
                    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xz7ujic6.cmdline"
                    3⤵
                    • Suspicious use of WriteProcessMemory
                    PID:5968
                    • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
                      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9B9F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB4D574FA1FA64E92B9E12D7272D385BB.TMP"
                      4⤵
                        PID:4264
                    • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
                      "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\d8pfmjha.cmdline"
                      3⤵
                      • Suspicious use of WriteProcessMemory
                      PID:3336
                      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
                        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9BFD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc37902A07AC3A4EA5B7A4D4ADE322C7.TMP"
                        4⤵
                          PID:316
                      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
                        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tc3i5vdp.cmdline"
                        3⤵
                        • Suspicious use of WriteProcessMemory
                        PID:2672
                        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
                          C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9C5A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc540E0AEE1B774701BEE527A6AFDC4F5E.TMP"
                          4⤵
                            PID:5600

                    Network

                          MITRE ATT&CK Enterprise v16

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Users\Admin\AppData\Local\Temp\RES98A1.tmp

                            Filesize

                            1KB

                            MD5

                            d7ce60a71d7f27c48d727b29001922e1

                            SHA1

                            32501c078e001c6d465801f6d199155773eec80d

                            SHA256

                            767350897021e64d3a8feee70ecd897f7f3b173bd3d484c477d8c92b06a6b7ba

                            SHA512

                            86a87e6fc2b48dbf2a7a1460e2b87c2ff84337b522724fe1a4b21c98858d31f799501a593c7c572466db2fe80d935294ebeb420eb84015a386ed04ca5631f2df

                          • C:\Users\Admin\AppData\Local\Temp\RES998C.tmp

                            Filesize

                            1KB

                            MD5

                            4976711768de7f04317c6ec0f11f746d

                            SHA1

                            d6e65ed8ad388017dccc13695a95a9989fb65a01

                            SHA256

                            b6a7a7549c6403b2837262bcce8c8685e5f8bbb2b98388c100c87f7e8d7cef10

                            SHA512

                            c20ed127d7300cfba2c4a9a8e89dfa55ca3e8c4fe5c6d752b83e7b1d7d9709a9c68974dc5adb7b2d3f2cc6fc4f80755c0b7c90eb2ede31c68a2c67a403e3256e

                          • C:\Users\Admin\AppData\Local\Temp\RES9A18.tmp

                            Filesize

                            1KB

                            MD5

                            eee5d523a56986121df671ebb574d293

                            SHA1

                            0ab80e30f2585453b2b96ccfac5e15c2eb2fa330

                            SHA256

                            cf8a56b60b5ab2f44f728f9e2b622049103ecb2773e1bebbad170b24d49c233b

                            SHA512

                            675d284dd688cb21ad11bde069988324cb41957427ce7b11661c0afe0510f6956d5168b4c44ae86f256c7bf808258e705f943a474a074c4b66170b3a142983f0

                          • C:\Users\Admin\AppData\Local\Temp\RES9A76.tmp

                            Filesize

                            1KB

                            MD5

                            0a34f358c67425cb8829185cea465c8a

                            SHA1

                            0ff7695f16743875fda3a5e1ae8efc6911f65f8f

                            SHA256

                            110122b969c795fde601ec6b0198a985bb523d3914ee4edc57a311546a6ea835

                            SHA512

                            5a4de46f12e676e0f4556db022d2f8ec28163540522b54f01ebff4cfa8f1d97644e77e8aff166b1b39ee6ddad40605b1789aed801ddb6358e55c051c14134d9b

                          • C:\Users\Admin\AppData\Local\Temp\RES9AD4.tmp

                            Filesize

                            1KB

                            MD5

                            22ab31001997c90a09a55adbb80b66f3

                            SHA1

                            c06e6e9f34be25baeed0c73a183c8668d38e0395

                            SHA256

                            e1583417d4297b7dd07a72a46969b55b89c1f93a701dd051af18813b398557d5

                            SHA512

                            85d6f8a31b9c70fb0006300202c5fa755237ae0d531c6d6eca902fb3d2bb64700ef48246f85f320c2d6ea66718aedf8101dd0d7857cedfdd3292908c485c11d0

                          • C:\Users\Admin\AppData\Local\Temp\RES9B31.tmp

                            Filesize

                            1KB

                            MD5

                            f0d729bba8d4757313b9d8aa573a4713

                            SHA1

                            691a1cd77e30e48035beac73b467022123585c80

                            SHA256

                            1a43bee1867d2059be276bff0099ce2f01886d89000657d0a0146758783956d5

                            SHA512

                            2dd877295e5d2842f63ef6fa06314123f44b36ce22f283d15f56464f344d5c7dfeb651d7a0d60e11e9fa8e07b17e14de8e14f822aea9d8a439f7e52918527888

                          • C:\Users\Admin\AppData\Local\Temp\RES9B9F.tmp

                            Filesize

                            1KB

                            MD5

                            98c6a94be54639bddd9f0c51fe62b2aa

                            SHA1

                            11df3cde81d72b098268726ad4f3fb2df432344c

                            SHA256

                            aa2988c9dc21dd672cbed0b69cf92419c907c575291f39d394879b229a83b59d

                            SHA512

                            a3f0766cc2eaeb0389fbdc2b4a2b4e2abad1c38ee0eb3466778cbcbde15c43a1c90621067a8f8f7c548cfe73e0747eb4b906f397bf8255de0403bc521087d0da

                          • C:\Users\Admin\AppData\Local\Temp\RES9BFD.tmp

                            Filesize

                            1KB

                            MD5

                            b78423caf7065196b54022725780a74f

                            SHA1

                            ab71eb8a24fd4db6d84da0dd2dabfa6c6d595246

                            SHA256

                            564041697b88089182b7e8f8ca866209ec320064852683d7565f9c1d33cecd55

                            SHA512

                            0cc6d7a541083a0dd0313f787d92325922040479da0926e490c0632eb80c9ca4e6db6804ab922611c41e9ec508dfc488c40899daa4552e0d9272d66fcc16d9a2

                          • C:\Users\Admin\AppData\Local\Temp\RES9C5A.tmp

                            Filesize

                            1KB

                            MD5

                            ce01744ca663032bcd691cc996a171c0

                            SHA1

                            80a0fe361b2395f295f1120efad68548e02b3723

                            SHA256

                            acd16cf5aeb8c3efb2586b267660f52bb5abcd29429452ba305a60f49b4ee360

                            SHA512

                            e3f2726e125c11ff6d767c0224093d3e5b4ef72ffec32c187fb8146c78858ae73e0683e69f5d1126073b5eec78530666854a9cf9fedcf7b02ca681563dd54c97

                          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_axgn3p03.rjp.ps1

                            Filesize

                            60B

                            MD5

                            d17fe0a3f47be24a6453e9ef58c94641

                            SHA1

                            6ab83620379fc69f80c0242105ddffd7d98d5d9d

                            SHA256

                            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                            SHA512

                            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                          • C:\Users\Admin\AppData\Local\Temp\d8pfmjha.0.vb

                            Filesize

                            270B

                            MD5

                            658573fde2bebc77c740da7ddaa4634b

                            SHA1

                            073da76c50b4033fcfdfb37ba6176afd77b0ea55

                            SHA256

                            c07206283d62100d426ba62a81e97bd433966f8b52b5a8dd1451e29a804a1607

                            SHA512

                            f93c7f4378be5eca51161d1541d772a34c07884c9d829608c6fa21563df5691920394afe9da1174ad5c13f773a588b186d1d38a9d375a28562eb58ca4a8b8fbf

                          • C:\Users\Admin\AppData\Local\Temp\d8pfmjha.cmdline

                            Filesize

                            170B

                            MD5

                            46e326d1ebc8be5093f1003cfed79e9f

                            SHA1

                            89ee3ebb3c8265c0e077d504c67f209e8dfe956e

                            SHA256

                            281bf8b8ccd61c7f9721816e2ce6c1b6b05fdfbd81845d5448b2954267b3920f

                            SHA512

                            7193bbccad957f7bc51a534a39bb8d182bff23c17bcfb20b3d576477832dc5a13b8c66031178410a2fb317430e209c9c602c820c79b73f67b5c0cc6672a438e0

                          • C:\Users\Admin\AppData\Local\Temp\hmgjdftn.0.vb

                            Filesize

                            272B

                            MD5

                            2b3aac520562a93ebef6a5905d4765c9

                            SHA1

                            10ab45c5d73934b16fac5e30bf22f17d3e0810c8

                            SHA256

                            b9f0edf067faaaa7da2d47e3d22b957cd302eb25e01e08ea79c664868f328f89

                            SHA512

                            9514934ed12d93ea3ad4e6873cf294bafa114bc7a784a93b14dd2410d07fae3a2c00308035a5c129c57e283de8b94ed36fd9f9de35b08eb79a82a0c732e50446

                          • C:\Users\Admin\AppData\Local\Temp\hmgjdftn.cmdline

                            Filesize

                            172B

                            MD5

                            9d38bcaf10017d71a6c728f8f123d401

                            SHA1

                            824ba3e17ad5dd8e23346d76d953a2f362585053

                            SHA256

                            3fe1a548e87c6b4c8bbdd9423e65855d2585103a1a1cee418ce1c129c0cae716

                            SHA512

                            2a96c81963f93c7f7aa8fb34ce704ea96941e3d3d3544364e454b3ca904252219e0a2576559566ba9c5905829db0198c559c6a36470d97a13854ed0a1251225b

                          • C:\Users\Admin\AppData\Local\Temp\jfx685zd.0.vb

                            Filesize

                            274B

                            MD5

                            539683c4ca4ee4dc46b412c5651f20f5

                            SHA1

                            564f25837ce382f1534b088cf2ca1b8c4b078aed

                            SHA256

                            ec2210924d5c1af6377ef4bdf76d6ca773aaa1ae0438b0850f44d8c4e16ef92e

                            SHA512

                            df7c1a55e53f9b9bf23d27762d2d1163c78808e9b4d95e98c84c55ca4ecb7009ed58574ae6ddede31459f300483a1dc42987295a04f6c8702f297d3f1942f4ac

                          • C:\Users\Admin\AppData\Local\Temp\jfx685zd.cmdline

                            Filesize

                            174B

                            MD5

                            71ddd79880f70f4e7c693efe09f0eafe

                            SHA1

                            324ece48ba4537eeb7371943c68d36eacaedc2fc

                            SHA256

                            56c94568b9569a3704773937cf29d01a57263ecec6c3a2d7b99265d193d83b47

                            SHA512

                            ee9fca166f2e5466ec37abe2860eda22d23c1853d34b07b774a23e9117d2d0bb9b436fa450d5ff654bdac8433e8d7299ed51054bd0c6c9a3274e45d9c8e6e1a0

                          • C:\Users\Admin\AppData\Local\Temp\mibtxptw.0.vb

                            Filesize

                            256B

                            MD5

                            076803692ac8c38d8ee02672a9d49778

                            SHA1

                            45d2287f33f3358661c3d6a884d2a526fc6a0a46

                            SHA256

                            5b3ab23bcadaeb54a41bdb1636bcaf7772af028d375f42baeb967de6579ef2a3

                            SHA512

                            cc9126384a287ccb99d10d5c2d3034cdbc8a45e94f1cec48dd95f2aa08ebbe3053ffd6d6effa31f2d84164edbb6136398cd02c08b05f027a6a777dffd1daea5d

                          • C:\Users\Admin\AppData\Local\Temp\mibtxptw.cmdline

                            Filesize

                            156B

                            MD5

                            cfb52667c6546780b7513ec09daa18e4

                            SHA1

                            0e1dee3440fd68aabd155a41cf954f6774880da2

                            SHA256

                            6f5fadc0bb046af57849dc79dc02a9a62372b46af8316b2293da867e0e934117

                            SHA512

                            7cd0f080b3a4ae67a04f9cc7cbd26ccb9738b254d2c738eb3fba7f38ef207688eeb11a1485e5613d9d54f809757512d3a4946554f98e3937fe6bbe526197630b

                          • C:\Users\Admin\AppData\Local\Temp\tb7n2e44.0.vb

                            Filesize

                            271B

                            MD5

                            325f27ef75bebe8b3f80680add1943d3

                            SHA1

                            1c48e211258f8887946afb063e9315b7609b4ee3

                            SHA256

                            034c75813491d628a1a740b45888fc0c301b915456aaa7ba6433b4f1368cda35

                            SHA512

                            e2165b425558872897990953c26e48776f45751a53da035f1ad86ac062ec23a2923b984d84f992de5c0170f6e192feb155ffff25f51bc76ab273b996daacb804

                          • C:\Users\Admin\AppData\Local\Temp\tb7n2e44.cmdline

                            Filesize

                            171B

                            MD5

                            db502450799246ba223ca488d81f5d29

                            SHA1

                            d6a354072ad69689b02dcf95087ced4dfd786843

                            SHA256

                            606349947a50bb2f7daa16317cdf37ee6673fc3001be6d7ee35bf2582fa8532c

                            SHA512

                            49d29d9df273e8e5a89d691f8b169473b82ea1830a7e180bf37b9c5da78bfc823f467f15e5bb58d31e80b0999009b598497e68a7d0f285df115eecfe9f60b128

                          • C:\Users\Admin\AppData\Local\Temp\tc3i5vdp.0.vb

                            Filesize

                            273B

                            MD5

                            3c3d3136aa9f1b87290839a1d26ad07a

                            SHA1

                            005a23a138be5d7a98bdd4a6cc7fab8bdca962f4

                            SHA256

                            5b745f85a39312bfa585edbd7e3465371578b42fa639eded4cdad8c9f96b87fd

                            SHA512

                            fbb085ffcd77ac96c245067fd96a0c20492d55331161f292975b0c11386424a96534a500133217f84d44455e16139d01230455bce5db3d472271620c29381f60

                          • C:\Users\Admin\AppData\Local\Temp\tc3i5vdp.cmdline

                            Filesize

                            173B

                            MD5

                            57c6cd8e4f5d8570fb12ee3225beda63

                            SHA1

                            95c9a397a74694139e4074688e480f111ea5507d

                            SHA256

                            6a883f3004eef36c65e1d5337c815544b64b4193f8ca7011fe1ee955d51bc883

                            SHA512

                            cb66a7bfac6adf57ad2f60ec462f41848cb0444db2a8fbd7364fd1384a98f70efa197e24736f501ae2c7a5606d086b2fc5995770a7b80267c828c37b81746bb6

                          • C:\Users\Admin\AppData\Local\Temp\tkluugty.0.vb

                            Filesize

                            271B

                            MD5

                            ac972015bef75b540eb33503d6e28cc2

                            SHA1

                            5c1d09fcf4c719711532dcfd0544dfc6f2b90260

                            SHA256

                            fa445cc76cde3461a5f1f1281fefcb0c7db69b2685f8a67a06a0f33a067e74e7

                            SHA512

                            36b2e1f7b7a6f2c60788f88d95bfdc53b7d261c203eb637a36fbd07d81bc46edc87e528f1987df73963cb75ca2f19c3a4b3df9ade52d5768ecec23753099cc83

                          • C:\Users\Admin\AppData\Local\Temp\tkluugty.cmdline

                            Filesize

                            171B

                            MD5

                            84b730ebd112dcf991ce958d105e4b58

                            SHA1

                            0e969759c196a1899c2011a7cbe4ee106b9503d5

                            SHA256

                            13d5a5b28c6882f167285705c6ce9df10822ee69dfde92262fa27e7d6ffb291d

                            SHA512

                            2454efb7bfe5144315181e2cb9fb2734e745a81b96a6edb13b57981364593c6850b12c06d27f4e17e5210e2f71bcba1b10062cc63a66e1fd146a39fed1429416

                          • C:\Users\Admin\AppData\Local\Temp\v8kxxh6x.0.vb

                            Filesize

                            262B

                            MD5

                            88cc385da858aaa7057b54eaeb0df718

                            SHA1

                            b108224d4686b5ca3faaeb1c728dfba8740a6eca

                            SHA256

                            08a30db98d970e3b6819d5ecff6eab2211ce93f4cd000c09db96ffb294d05020

                            SHA512

                            4787835240c3e2364172ac2e7649ec8fecb907c7006c38734e59aa65509f360b4596d5db8de20e0c7388a022e1c2f4f9ba75acabba798bea1d40f688539b7df7

                          • C:\Users\Admin\AppData\Local\Temp\v8kxxh6x.cmdline

                            Filesize

                            162B

                            MD5

                            60e2dedbd8f22cfed1ae6244f0d1d902

                            SHA1

                            b339d637a092f639407d0c639743e6e1233f1137

                            SHA256

                            3c9a19b581f483a4bbb1d3d43363d3ef52fec7966e11997acaedbe8bc7f98fff

                            SHA512

                            11d90c55e4cbc9f55c344215cbdcf2c746cd08355fd05eee652dc2ef393e3ccebc680176899fa77a34cc591c59a02ac6b0d3c86d41ff3fc4c8227edcffb091de

                          • C:\Users\Admin\AppData\Local\Temp\vbc540E0AEE1B774701BEE527A6AFDC4F5E.TMP

                            Filesize

                            684B

                            MD5

                            7a707b422baa7ca0bc8883cbe68961e7

                            SHA1

                            addf3158670a318c3e8e6fdd6d560244b9e8860e

                            SHA256

                            453ad1da51152e3512760bbd206304bf48f9c880f63b6a0726009e2d1371c71c

                            SHA512

                            81147c1c4c5859249f4e25d754103f3843416e3d0610ac81ee2ef5e5f50622ea37f0c68eeb7fa404f8a1779dc52af02d2142874e39c212c66fa458e0d62926a9

                          • C:\Users\Admin\AppData\Local\Temp\vbc71E9308D8280485BAE6CA052BA1C925C.TMP

                            Filesize

                            676B

                            MD5

                            85c61c03055878407f9433e0cc278eb7

                            SHA1

                            15a60f1519aefb81cb63c5993400dd7d31b1202f

                            SHA256

                            f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b

                            SHA512

                            7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

                          • C:\Users\Admin\AppData\Local\Temp\vbc899F4E1BE6D144D5B92C834F5BFB9C6.TMP

                            Filesize

                            668B

                            MD5

                            3906bddee0286f09007add3cffcaa5d5

                            SHA1

                            0e7ec4da19db060ab3c90b19070d39699561aae2

                            SHA256

                            0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00

                            SHA512

                            0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

                          • C:\Users\Admin\AppData\Local\Temp\vbcC2DAFB0FB2E9431E8C938CA19A2DF3A.TMP

                            Filesize

                            644B

                            MD5

                            dac60af34e6b37e2ce48ac2551aee4e7

                            SHA1

                            968c21d77c1f80b3e962d928c35893dbc8f12c09

                            SHA256

                            2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6

                            SHA512

                            1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

                          • C:\Users\Admin\AppData\Local\Temp\vbcE5F3DC1D935D4B3DAD3DFCE73743D89F.TMP

                            Filesize

                            684B

                            MD5

                            8135713eeb0cf1521c80ad8f3e7aad22

                            SHA1

                            1628969dc6256816b2ab9b1c0163fcff0971c154

                            SHA256

                            e14dd88df69dc98be5bedcbc8c43d1e7260b4492899fec24d964000a3b096c7a

                            SHA512

                            a0b7210095767b437a668a6b0bcedf42268e80b9184b9910ed67d665fba9f714d06c06bff7b3da63846791d606807d13311946505776a1b891b39058cfb41bd4

                          • C:\Users\Admin\AppData\Local\Temp\xz7ujic6.0.vb

                            Filesize

                            264B

                            MD5

                            5ce3977a153152978fa71f8aa96909e9

                            SHA1

                            52af143c553c92afc257f0e0d556908eaa8919cb

                            SHA256

                            e07a7bd0c2901d3a349ab55e936b34de2d0abb5f2dc555cc128773b8045d3eed

                            SHA512

                            eaee02ceade0211be70a4710b28fdf043d5c540928e2095ead924a44c2edfca8fc6499395d1b7f5deee96394fb5309362fb87e45ee195094ec39d5fa11909d77

                          • C:\Users\Admin\AppData\Local\Temp\xz7ujic6.cmdline

                            Filesize

                            164B

                            MD5

                            1eb0572447cb5dfcee9a0377ef79445d

                            SHA1

                            fc01049d1649151c4e77814ed788dc4630ed0c77

                            SHA256

                            0bcb84c0e426830df7de194a81b9b48fd7cbb2e179dabaad50a695971ced9785

                            SHA512

                            4771fc3679b1a7a08e2214dc9de05e7497104ba9a8e2a9a15a8d31b2eeee24f002b96fb6ce9b0e95508537ae33119c5434b75ab7a60ea1d563106fc06fc112c5

                          • C:\Windows\System32\MSSCS.exe

                            Filesize

                            21KB

                            MD5

                            6fe3fb85216045fdf8186429c27458a7

                            SHA1

                            ef2c68d0b3edf3def5d90f1525fe87c2142e5710

                            SHA256

                            905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550

                            SHA512

                            d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c

                          • memory/3348-9-0x00007FFB06CD0000-0x00007FFB07671000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/3348-4-0x000000001C640000-0x000000001C6A2000-memory.dmp

                            Filesize

                            392KB

                          • memory/3348-1-0x00007FFB06CD0000-0x00007FFB07671000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/3348-22-0x00007FFB06CD0000-0x00007FFB07671000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/3348-0-0x00007FFB06F85000-0x00007FFB06F86000-memory.dmp

                            Filesize

                            4KB

                          • memory/3348-8-0x00007FFB06CD0000-0x00007FFB07671000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/3348-2-0x000000001BF00000-0x000000001C3CE000-memory.dmp

                            Filesize

                            4.8MB

                          • memory/3348-3-0x000000001C480000-0x000000001C526000-memory.dmp

                            Filesize

                            664KB

                          • memory/3348-7-0x00007FFB06F85000-0x00007FFB06F86000-memory.dmp

                            Filesize

                            4KB

                          • memory/3348-6-0x00007FFB06CD0000-0x00007FFB07671000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/3348-5-0x000000001CEC0000-0x000000001CF5C000-memory.dmp

                            Filesize

                            624KB

                          • memory/5052-31-0x0000019006E60000-0x0000019006E82000-memory.dmp

                            Filesize

                            136KB

                          • memory/5872-18-0x00007FFB06CD0000-0x00007FFB07671000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/5872-23-0x00007FFB06CD0000-0x00007FFB07671000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/5872-21-0x00007FFB06CD0000-0x00007FFB07671000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/5872-20-0x00007FFB06CD0000-0x00007FFB07671000-memory.dmp

                            Filesize

                            9.6MB