Resubmissions

09/05/2025, 14:24

250509-rqz93svyhv 10

Analysis

  • max time kernel
    144s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250502-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/05/2025, 06:42

General

  • Target

    905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe

  • Size

    21KB

  • MD5

    6fe3fb85216045fdf8186429c27458a7

  • SHA1

    ef2c68d0b3edf3def5d90f1525fe87c2142e5710

  • SHA256

    905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550

  • SHA512

    d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c

  • SSDEEP

    384:nPD9On5gIdjbvRPJnMacNj6FIlKrZbJsV5reQ+ys:b9On2nV6FIlKr1

Malware Config

Signatures

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

  • Revengerat family
  • RevengeRat Executable 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Drops file in System32 directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
    "C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5488
    • C:\Windows\system32\MSSCS.exe
      "C:\Windows\system32\MSSCS.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5772
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -ExecutionPolicy Bypass -Command [System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms'); [System.Windows.Forms.MessageBox]::Show('Isto abriu lol','Rekt!',0,64)
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4980
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ajxphwip.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:436
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1841.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1CF6CC96E2474445B35148A75D753F27.TMP"
          4⤵
            PID:5332
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
          "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1uruakb2.cmdline"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1652
          • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES18ED.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1D4E79645734B24B5A2FCF0A5B3B66E.TMP"
            4⤵
              PID:3092
          • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
            "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ixpz-4i1.cmdline"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2036
            • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1989.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc33D7727EDC0441AEA096F147A159BBD3.TMP"
              4⤵
                PID:2312
            • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
              "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\szoscdqw.cmdline"
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:3388
              • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
                C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1A16.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE967636FCF4B48E2A9EFCC127921C57F.TMP"
                4⤵
                  PID:4464
              • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
                "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cyz8qkm1.cmdline"
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:1796
                • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
                  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1AA2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc17F8440283264901BF488FE8BDCCA3FA.TMP"
                  4⤵
                    PID:5680
                • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
                  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\aok07ttk.cmdline"
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:3372
                  • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
                    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1B00.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc68B21D154B1247C897334FDDD197C1BC.TMP"
                    4⤵
                      PID:848
                  • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
                    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hqlb6z89.cmdline"
                    3⤵
                    • Suspicious use of WriteProcessMemory
                    PID:4384
                    • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
                      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1B5E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc44B492DF37C946CEB97AABED32229E.TMP"
                      4⤵
                        PID:1584
                    • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
                      "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tqh5cfwi.cmdline"
                      3⤵
                      • Suspicious use of WriteProcessMemory
                      PID:5400
                      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
                        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1BBC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc67478A68884149D0B9D52E7D8C952E6.TMP"
                        4⤵
                          PID:752
                      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
                        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zqzm9hqp.cmdline"
                        3⤵
                        • Suspicious use of WriteProcessMemory
                        PID:5152
                        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
                          C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1C19.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc85F704ED14F546CEBA369682583598DE.TMP"
                          4⤵
                            PID:4256

                    Network

                          MITRE ATT&CK Enterprise v16

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Users\Admin\AppData\Local\Temp\1uruakb2.0.vb

                            Filesize

                            262B

                            MD5

                            88cc385da858aaa7057b54eaeb0df718

                            SHA1

                            b108224d4686b5ca3faaeb1c728dfba8740a6eca

                            SHA256

                            08a30db98d970e3b6819d5ecff6eab2211ce93f4cd000c09db96ffb294d05020

                            SHA512

                            4787835240c3e2364172ac2e7649ec8fecb907c7006c38734e59aa65509f360b4596d5db8de20e0c7388a022e1c2f4f9ba75acabba798bea1d40f688539b7df7

                          • C:\Users\Admin\AppData\Local\Temp\1uruakb2.cmdline

                            Filesize

                            162B

                            MD5

                            39295a2bd7b773ac454c6d188c1c2bfa

                            SHA1

                            69811fc467f5335426d1408c9933ec249e3c5fb1

                            SHA256

                            18dd877fa834419801ea84916b4b79f9fdf184159f41f4895b6beccae9885f82

                            SHA512

                            4f6de044a80bd57c0b6605a12a969359d98ede7ee84083ffb95158f5435fd8a57149fa844360d74efe549fcf12f4b3ab7811da133eb8043fe18b4d9827706f5a

                          • C:\Users\Admin\AppData\Local\Temp\RES1841.tmp

                            Filesize

                            1KB

                            MD5

                            39866f3a67d250c1acf7029fc53f7671

                            SHA1

                            7fc427a4a22c8049edd218b361fc129a15014144

                            SHA256

                            04124969032facf19ad9ffdecb0f263b23761b2f72c85e3afe618d617c5f2a33

                            SHA512

                            66e95d00a2ee03f2f1a46db9c5e0a3cacea32ad837b065ebaa5bc8007f97f9d24dd033a26824a09f9e1e50cd92f1e7327e7c948b7b6da1dbc65cf3234261bf65

                          • C:\Users\Admin\AppData\Local\Temp\RES18ED.tmp

                            Filesize

                            1KB

                            MD5

                            ea6190ec89e5cc0a3f7a40111f0265bf

                            SHA1

                            38a07dbd3f0204d657240312489a1bef230a4954

                            SHA256

                            9b60bdde5928b799df7edbc1c44a7f66d410508f9ecf8224001a3c035dd7c00b

                            SHA512

                            6c6c47bd68a8cb614eac7671df90fdb66b48c10990a0cc39000ff3cef8137b9a623ba7caa3af01be1f46fbdd922481173c22ab93405691045e260cb228b9243b

                          • C:\Users\Admin\AppData\Local\Temp\RES1989.tmp

                            Filesize

                            1KB

                            MD5

                            b253af8bd5c581c61e13f3948e20d862

                            SHA1

                            1e5a51c331a08e5fd040a0f4e08d18e1d507946c

                            SHA256

                            deb31013c3701475c3c59c6c0d3eeec2f27cb6483daf59ad24f476f758ec0023

                            SHA512

                            d63f6bbd67248f9a63a3f9b5c6ca09cf9cd7c28ebd37a9f8af53fad85922576b50aa0d931d71a9f0d4216a68fe05ae6829cb3086d76a9d8b4f0a81fc4d36bbd0

                          • C:\Users\Admin\AppData\Local\Temp\RES1A16.tmp

                            Filesize

                            1KB

                            MD5

                            8cc5c94e36eee71e1487fc621395e622

                            SHA1

                            8bc9e14deae9669937bdd5b462cb10efb6a02838

                            SHA256

                            69909089826795c5f616e1a4c413ea5b1005b76836b9150dba6eb6e3d5ffe29a

                            SHA512

                            dceb59e225f2a68fbeea30175d233586ec63413e7671fafa20c346de17cdfc5ec30887c11ec314f8d20c8dafe23be68e399c98b9893601d5a907eeb796e6677d

                          • C:\Users\Admin\AppData\Local\Temp\RES1AA2.tmp

                            Filesize

                            1KB

                            MD5

                            9078e40f42f6de621149131563127f38

                            SHA1

                            42577c36491ded03fee98d136538b4a630d9bb8a

                            SHA256

                            d914c8d4f5adc9caf33513de0f8606ca7af8ca2c727beb52c230bd58bcbe603f

                            SHA512

                            e798713d4b4e02f3f481fa61676017003438e534b3fa79b6312d2dd8d2f7caf1d00d2c76240e5448e3349e970001614895fc68611d1fc0944953a03ba319cafd

                          • C:\Users\Admin\AppData\Local\Temp\RES1B00.tmp

                            Filesize

                            1KB

                            MD5

                            ed74bc00861aa45f8e685378e6697ce1

                            SHA1

                            4fe45161571b6aec252d9f3be008e688585e44f6

                            SHA256

                            4ccd9ffc72a80fec9f5b3e2365209ed87bfbf2b51427d5a3b085f368e5463de6

                            SHA512

                            547a0c43cf8af8652370277c1db2ee8a3afc3faf8a9aee19b2794b121de3a6f9f02cc085bb62769358bf53dec15f33e7ac03a74ae671a3b0c16c2ec97d1f6216

                          • C:\Users\Admin\AppData\Local\Temp\RES1B5E.tmp

                            Filesize

                            1KB

                            MD5

                            50d039a8cc86065417a7018f1c49b56c

                            SHA1

                            ca9b0cdd5c15888d5fb821da8c013d20dde79c6b

                            SHA256

                            29f0f66e06c38ec3b48c84227c1900cbe1cf1621570044325f94fa63732ac0a2

                            SHA512

                            aa2c06930d5d625856ac5b18a452ba4dd6b2f0b8f37ab0f46a9af9423de2d2a3289068a643d5780693ed928351db043d80bf2d1753b184850b3440388f371f5e

                          • C:\Users\Admin\AppData\Local\Temp\RES1BBC.tmp

                            Filesize

                            1KB

                            MD5

                            1a25782b51adf7d36a9950a74712bacc

                            SHA1

                            82420ac0c95a843bc728f2c5b5b8513f74c0ef27

                            SHA256

                            a8fb6009e5749b925cf0f1a3917138bdcb7aa074022af8961b2cf4a14dde6c7c

                            SHA512

                            8cd19c1337753a856facbe58102e425ca94067213eea5fff05864fe7ae6ccc8f4660f2377243e155f123d6cfe5a0eba127eaadb6c47a4fa7de200c5deb8c0189

                          • C:\Users\Admin\AppData\Local\Temp\RES1C19.tmp

                            Filesize

                            1KB

                            MD5

                            8a8bdd54f730b57dd1e86f6493ce57c7

                            SHA1

                            998b4aa79a53237ee6c396c4af15f1583e98cdd0

                            SHA256

                            3c66613b9a15faf7fe24b9b01c60f12ce476f61d04d71d751c684ecbc08a5f24

                            SHA512

                            c7de1bb96b5ffc6da130bcd1512a993f1f4b2574849295cbc47543c4d68b708f7928f0c542217ebc0bde1722846bf15d7a44f603fba10745a215bbc30b140c8f

                          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bfnz2zgk.uh1.ps1

                            Filesize

                            60B

                            MD5

                            d17fe0a3f47be24a6453e9ef58c94641

                            SHA1

                            6ab83620379fc69f80c0242105ddffd7d98d5d9d

                            SHA256

                            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                            SHA512

                            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                          • C:\Users\Admin\AppData\Local\Temp\ajxphwip.0.vb

                            Filesize

                            256B

                            MD5

                            076803692ac8c38d8ee02672a9d49778

                            SHA1

                            45d2287f33f3358661c3d6a884d2a526fc6a0a46

                            SHA256

                            5b3ab23bcadaeb54a41bdb1636bcaf7772af028d375f42baeb967de6579ef2a3

                            SHA512

                            cc9126384a287ccb99d10d5c2d3034cdbc8a45e94f1cec48dd95f2aa08ebbe3053ffd6d6effa31f2d84164edbb6136398cd02c08b05f027a6a777dffd1daea5d

                          • C:\Users\Admin\AppData\Local\Temp\ajxphwip.cmdline

                            Filesize

                            156B

                            MD5

                            49d47c35ab6b453509a91ec4268e0689

                            SHA1

                            cd7da389330d23e6c066f32c591eb353ba050256

                            SHA256

                            f263aff67846fff98d5240f795094f46b61da2186f5aa621624ab27241e3297c

                            SHA512

                            00cdcdb3a5117f8cb875844eaaafd905d0940475d10966898b0284d1d3fb991b20eae390893769e6fd8d5e903f7ac43d9a9af53618d6192afaa4ceba4dd9ccfd

                          • C:\Users\Admin\AppData\Local\Temp\aok07ttk.0.vb

                            Filesize

                            274B

                            MD5

                            539683c4ca4ee4dc46b412c5651f20f5

                            SHA1

                            564f25837ce382f1534b088cf2ca1b8c4b078aed

                            SHA256

                            ec2210924d5c1af6377ef4bdf76d6ca773aaa1ae0438b0850f44d8c4e16ef92e

                            SHA512

                            df7c1a55e53f9b9bf23d27762d2d1163c78808e9b4d95e98c84c55ca4ecb7009ed58574ae6ddede31459f300483a1dc42987295a04f6c8702f297d3f1942f4ac

                          • C:\Users\Admin\AppData\Local\Temp\aok07ttk.cmdline

                            Filesize

                            174B

                            MD5

                            7cc8e350fa9a5ebad36aa419d1e62bc1

                            SHA1

                            2500652e59a0626f28df828b375881b5ad66c08e

                            SHA256

                            51fb503e009c1accdb8ba82bb40e55d25de5bfac31c6a338e6beed400edfb0bd

                            SHA512

                            7a7ad8516e6551ec6ea3338d1d47f1feb525fedf5902f9fab6b30055dfae2f75fc60914fda7d654b08c496cb7d4979a5d96fa19e28cb3c091af3de23fdc8cdc4

                          • C:\Users\Admin\AppData\Local\Temp\cyz8qkm1.0.vb

                            Filesize

                            271B

                            MD5

                            325f27ef75bebe8b3f80680add1943d3

                            SHA1

                            1c48e211258f8887946afb063e9315b7609b4ee3

                            SHA256

                            034c75813491d628a1a740b45888fc0c301b915456aaa7ba6433b4f1368cda35

                            SHA512

                            e2165b425558872897990953c26e48776f45751a53da035f1ad86ac062ec23a2923b984d84f992de5c0170f6e192feb155ffff25f51bc76ab273b996daacb804

                          • C:\Users\Admin\AppData\Local\Temp\cyz8qkm1.cmdline

                            Filesize

                            171B

                            MD5

                            3cc471ac7cb349d684ca6e6e52318641

                            SHA1

                            323c14e769d282128d700f5256e4579baf3fb32f

                            SHA256

                            1d34286f32ffc0d6400ffe07377e18d0db2fc55a3df43baa47550260e99bd90b

                            SHA512

                            68cb5e14435e4303b5cc20dfbb54259b5ca033a6a287d6d66455a7f04f4a0f017ecfd027f080e4e111b28c88fe8e1e616d7516f0979972907430de8c868b2164

                          • C:\Users\Admin\AppData\Local\Temp\hqlb6z89.0.vb

                            Filesize

                            264B

                            MD5

                            5ce3977a153152978fa71f8aa96909e9

                            SHA1

                            52af143c553c92afc257f0e0d556908eaa8919cb

                            SHA256

                            e07a7bd0c2901d3a349ab55e936b34de2d0abb5f2dc555cc128773b8045d3eed

                            SHA512

                            eaee02ceade0211be70a4710b28fdf043d5c540928e2095ead924a44c2edfca8fc6499395d1b7f5deee96394fb5309362fb87e45ee195094ec39d5fa11909d77

                          • C:\Users\Admin\AppData\Local\Temp\hqlb6z89.cmdline

                            Filesize

                            164B

                            MD5

                            bb2c4fc02f2424d7b9dc564f7431f452

                            SHA1

                            c15619b0c6f0b0c3c482ea4a3d3fe981037db065

                            SHA256

                            b45a927deb93bd6e631b1f9ec0c2595c873c1fdaf3b6cacf9f39c73dbbe71666

                            SHA512

                            acc2dba42f22412320782a5cca8abc9630744ee84a5e88150ac6bd77af637b116d2ec92ff4ef45d7c49f1779fb6e1d8aad7924948f9b9548bcb655ca9a786d88

                          • C:\Users\Admin\AppData\Local\Temp\ixpz-4i1.0.vb

                            Filesize

                            271B

                            MD5

                            ac972015bef75b540eb33503d6e28cc2

                            SHA1

                            5c1d09fcf4c719711532dcfd0544dfc6f2b90260

                            SHA256

                            fa445cc76cde3461a5f1f1281fefcb0c7db69b2685f8a67a06a0f33a067e74e7

                            SHA512

                            36b2e1f7b7a6f2c60788f88d95bfdc53b7d261c203eb637a36fbd07d81bc46edc87e528f1987df73963cb75ca2f19c3a4b3df9ade52d5768ecec23753099cc83

                          • C:\Users\Admin\AppData\Local\Temp\ixpz-4i1.cmdline

                            Filesize

                            171B

                            MD5

                            f2b44206c34df189432371168d18c08e

                            SHA1

                            f136435428f8a1092ac78aa9fb1ebc59801630a1

                            SHA256

                            ffb942ea1574ea593592a128bc71aa041379cd9844f3bd3cc11a32ac240d83ce

                            SHA512

                            0d00c275d3151a7d0291d6b32a0e4962e30356dfcade146897fcfa0c85e64386d7624025eed191dff75e25b9e2ea2e18bf6486652cb02b2ee0f7a570f9c33dd9

                          • C:\Users\Admin\AppData\Local\Temp\szoscdqw.0.vb

                            Filesize

                            272B

                            MD5

                            2b3aac520562a93ebef6a5905d4765c9

                            SHA1

                            10ab45c5d73934b16fac5e30bf22f17d3e0810c8

                            SHA256

                            b9f0edf067faaaa7da2d47e3d22b957cd302eb25e01e08ea79c664868f328f89

                            SHA512

                            9514934ed12d93ea3ad4e6873cf294bafa114bc7a784a93b14dd2410d07fae3a2c00308035a5c129c57e283de8b94ed36fd9f9de35b08eb79a82a0c732e50446

                          • C:\Users\Admin\AppData\Local\Temp\szoscdqw.cmdline

                            Filesize

                            172B

                            MD5

                            40d573d8b4b35c2943307ce3f59726f9

                            SHA1

                            08548ba965fd61b2737f1a711a67410a18fc05f9

                            SHA256

                            f5f927269dbe787e9f5d3d137337edea101683412c870dcb3e36349324c5d7bb

                            SHA512

                            b79d48a3189ffc80a3184dd8c2c2ce04c62290a6aab3ec6097c3f9eab0c8018d8bcab074c18e9be6c9ba147b75e4db1ba36ea1c5ebf572bfae72f36bdf1c9c61

                          • C:\Users\Admin\AppData\Local\Temp\tqh5cfwi.0.vb

                            Filesize

                            270B

                            MD5

                            658573fde2bebc77c740da7ddaa4634b

                            SHA1

                            073da76c50b4033fcfdfb37ba6176afd77b0ea55

                            SHA256

                            c07206283d62100d426ba62a81e97bd433966f8b52b5a8dd1451e29a804a1607

                            SHA512

                            f93c7f4378be5eca51161d1541d772a34c07884c9d829608c6fa21563df5691920394afe9da1174ad5c13f773a588b186d1d38a9d375a28562eb58ca4a8b8fbf

                          • C:\Users\Admin\AppData\Local\Temp\tqh5cfwi.cmdline

                            Filesize

                            170B

                            MD5

                            c00fafd7213b533b041809de91e31d6b

                            SHA1

                            8d9e7ebcaa65c8d3ac36023f0e9f080296d6507e

                            SHA256

                            6253165eca2f2502d0cd062cb603ca4b1eb06af8b23431a0bc8b998fdc8076e7

                            SHA512

                            217c462e6072876faf510e4e7b786d5d2a2d2726899f92f50a5426344446b574fff3e5e55954239ea79a1703d4c5be40bbbacaabc6762492cd5493712be78f43

                          • C:\Users\Admin\AppData\Local\Temp\vbc1CF6CC96E2474445B35148A75D753F27.TMP

                            Filesize

                            644B

                            MD5

                            dac60af34e6b37e2ce48ac2551aee4e7

                            SHA1

                            968c21d77c1f80b3e962d928c35893dbc8f12c09

                            SHA256

                            2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6

                            SHA512

                            1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

                          • C:\Users\Admin\AppData\Local\Temp\vbc1D4E79645734B24B5A2FCF0A5B3B66E.TMP

                            Filesize

                            668B

                            MD5

                            3906bddee0286f09007add3cffcaa5d5

                            SHA1

                            0e7ec4da19db060ab3c90b19070d39699561aae2

                            SHA256

                            0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00

                            SHA512

                            0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

                          • C:\Users\Admin\AppData\Local\Temp\vbc68B21D154B1247C897334FDDD197C1BC.TMP

                            Filesize

                            684B

                            MD5

                            8135713eeb0cf1521c80ad8f3e7aad22

                            SHA1

                            1628969dc6256816b2ab9b1c0163fcff0971c154

                            SHA256

                            e14dd88df69dc98be5bedcbc8c43d1e7260b4492899fec24d964000a3b096c7a

                            SHA512

                            a0b7210095767b437a668a6b0bcedf42268e80b9184b9910ed67d665fba9f714d06c06bff7b3da63846791d606807d13311946505776a1b891b39058cfb41bd4

                          • C:\Users\Admin\AppData\Local\Temp\vbc85F704ED14F546CEBA369682583598DE.TMP

                            Filesize

                            684B

                            MD5

                            7a707b422baa7ca0bc8883cbe68961e7

                            SHA1

                            addf3158670a318c3e8e6fdd6d560244b9e8860e

                            SHA256

                            453ad1da51152e3512760bbd206304bf48f9c880f63b6a0726009e2d1371c71c

                            SHA512

                            81147c1c4c5859249f4e25d754103f3843416e3d0610ac81ee2ef5e5f50622ea37f0c68eeb7fa404f8a1779dc52af02d2142874e39c212c66fa458e0d62926a9

                          • C:\Users\Admin\AppData\Local\Temp\vbcE967636FCF4B48E2A9EFCC127921C57F.TMP

                            Filesize

                            676B

                            MD5

                            85c61c03055878407f9433e0cc278eb7

                            SHA1

                            15a60f1519aefb81cb63c5993400dd7d31b1202f

                            SHA256

                            f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b

                            SHA512

                            7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

                          • C:\Users\Admin\AppData\Local\Temp\zqzm9hqp.0.vb

                            Filesize

                            273B

                            MD5

                            3c3d3136aa9f1b87290839a1d26ad07a

                            SHA1

                            005a23a138be5d7a98bdd4a6cc7fab8bdca962f4

                            SHA256

                            5b745f85a39312bfa585edbd7e3465371578b42fa639eded4cdad8c9f96b87fd

                            SHA512

                            fbb085ffcd77ac96c245067fd96a0c20492d55331161f292975b0c11386424a96534a500133217f84d44455e16139d01230455bce5db3d472271620c29381f60

                          • C:\Users\Admin\AppData\Local\Temp\zqzm9hqp.cmdline

                            Filesize

                            173B

                            MD5

                            c61eafc87c13c9b9b959938d1cdb1743

                            SHA1

                            f83dcc477c0ad95cc82dbc5e3f16af1740a76627

                            SHA256

                            7b74e17a4c48f9096a898b5f98100ffb618be421bc18f4d5b81474ecb9314c3c

                            SHA512

                            4b88379c2a71add4ad62c935b6ec37d109527d32671b20e12e19735c3034a590a8823d0351310312cd1a16b1adf065a5684b6b7ba82297f7387bb892a855b091

                          • C:\Windows\System32\MSSCS.exe

                            Filesize

                            21KB

                            MD5

                            6fe3fb85216045fdf8186429c27458a7

                            SHA1

                            ef2c68d0b3edf3def5d90f1525fe87c2142e5710

                            SHA256

                            905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550

                            SHA512

                            d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c

                          • memory/4980-36-0x0000023306DC0000-0x0000023306DE2000-memory.dmp

                            Filesize

                            136KB

                          • memory/5488-9-0x00007FFD1CDB0000-0x00007FFD1D751000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/5488-3-0x00007FFD1CDB0000-0x00007FFD1D751000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/5488-0-0x00007FFD1D065000-0x00007FFD1D066000-memory.dmp

                            Filesize

                            4KB

                          • memory/5488-6-0x000000001CD40000-0x000000001CDDC000-memory.dmp

                            Filesize

                            624KB

                          • memory/5488-4-0x000000001B970000-0x000000001BA16000-memory.dmp

                            Filesize

                            664KB

                          • memory/5488-7-0x00007FFD1CDB0000-0x00007FFD1D751000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/5488-8-0x00007FFD1D065000-0x00007FFD1D066000-memory.dmp

                            Filesize

                            4KB

                          • memory/5488-5-0x000000001C460000-0x000000001C4C2000-memory.dmp

                            Filesize

                            392KB

                          • memory/5488-1-0x00007FFD1CDB0000-0x00007FFD1D751000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/5488-22-0x00007FFD1CDB0000-0x00007FFD1D751000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/5488-2-0x000000001BF90000-0x000000001C45E000-memory.dmp

                            Filesize

                            4.8MB

                          • memory/5772-19-0x00007FFD1CDB0000-0x00007FFD1D751000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/5772-20-0x00007FFD1CDB0000-0x00007FFD1D751000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/5772-18-0x00007FFD1CDB0000-0x00007FFD1D751000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/5772-23-0x00007FFD1CDB0000-0x00007FFD1D751000-memory.dmp

                            Filesize

                            9.6MB