Analysis

  • max time kernel
    143s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20/05/2025, 22:42

General

  • Target

    905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe

  • Size

    21KB

  • MD5

    6fe3fb85216045fdf8186429c27458a7

  • SHA1

    ef2c68d0b3edf3def5d90f1525fe87c2142e5710

  • SHA256

    905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550

  • SHA512

    d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c

  • SSDEEP

    384:nPD9On5gIdjbvRPJnMacNj6FIlKrZbJsV5reQ+ys:b9On2nV6FIlKr1

Malware Config

Signatures

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

  • Revengerat family
  • RevengeRat Executable 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Drops file in System32 directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
    "C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1088
    • C:\Windows\system32\MSSCS.exe
      "C:\Windows\system32\MSSCS.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1956
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -ExecutionPolicy Bypass -Command [System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms'); [System.Windows.Forms.MessageBox]::Show('Isto abriu lol','Rekt!',0,64)
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:628
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cy2pdnqr.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1544
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9853.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA42873CE4F234774B16B7156E730B546.TMP"
          4⤵
          PID:4100
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2hklv5of.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2708
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES98D0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7B462247F4474E4D965D7C91E8386588.TMP"
          4⤵
          PID:2800
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hukm13d-.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3268
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES995D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc79B5F362222247388F7ECB5405654B9.TMP"
          4⤵
          PID:1912
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\f91tlt3q.cmdline"
        3⤵
        PID:4364
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES99DA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9B83F68E53B649458DABF7FFB4804B5B.TMP"
          4⤵
          PID:1060
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\psgopgfy.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4692
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9A66.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4122CD8CDF4345B2B4BC72D7B3CF4497.TMP"
          4⤵
          PID:3932
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6uqr6xio.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4968
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9AC4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEB097FCA5E4B0F958FF5B772F64C6.TMP"
          4⤵
          PID:3188
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kifvuvya.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4080
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9B31.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1D59ED3D9B444AAB9459A290B55707F.TMP"
          4⤵
          PID:4696
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5cocje7p.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4284
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9B9F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc938FF55ADEBC4883A9D93478F3E9249F.TMP"
          4⤵
          PID:4432
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pwdyjhae.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:5224
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9BFD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc35A490673ECF43B284D6D8436254D828.TMP"
          4⤵
          PID:2896

Network

MITRE ATT&CK Enterprise v16

Downloads

  • C:\Users\Admin\AppData\Local\Temp\2hklv5of.0.vb

    Filesize

    262B

  • C:\Users\Admin\AppData\Local\Temp\2hklv5of.cmdline

    Filesize

    162B

  • C:\Users\Admin\AppData\Local\Temp\5cocje7p.0.vb

    Filesize

    270B

  • C:\Users\Admin\AppData\Local\Temp\5cocje7p.cmdline

    Filesize

    170B

  • C:\Users\Admin\AppData\Local\Temp\6uqr6xio.0.vb

    Filesize

    274B

  • C:\Users\Admin\AppData\Local\Temp\6uqr6xio.cmdline

    Filesize

    174B

  • C:\Users\Admin\AppData\Local\Temp\RES9853.tmp

    Filesize

    1KB

  • C:\Users\Admin\AppData\Local\Temp\RES98D0.tmp

    Filesize

    1KB

  • C:\Users\Admin\AppData\Local\Temp\RES995D.tmp

    Filesize

    1KB

  • C:\Users\Admin\AppData\Local\Temp\RES9A66.tmp

    Filesize

    1KB

  • C:\Users\Admin\AppData\Local\Temp\RES9AC4.tmp

    Filesize

    1KB

  • C:\Users\Admin\AppData\Local\Temp\RES9B31.tmp

    Filesize

    1KB

  • C:\Users\Admin\AppData\Local\Temp\RES9B9F.tmp

    Filesize

    1KB

  • C:\Users\Admin\AppData\Local\Temp\RES9BFD.tmp

    Filesize

    1KB

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_t3p3d4v5.ouv.ps1

    Filesize

    60B

  • C:\Users\Admin\AppData\Local\Temp\cy2pdnqr.0.vb

    Filesize

    256B

  • C:\Users\Admin\AppData\Local\Temp\cy2pdnqr.cmdline

    Filesize

    156B

  • C:\Users\Admin\AppData\Local\Temp\hukm13d-.0.vb

    Filesize

    271B

  • C:\Users\Admin\AppData\Local\Temp\hukm13d-.cmdline

    Filesize

    171B

  • C:\Users\Admin\AppData\Local\Temp\kifvuvya.0.vb

    Filesize

    264B

  • C:\Users\Admin\AppData\Local\Temp\kifvuvya.cmdline

    Filesize

    164B

  • C:\Users\Admin\AppData\Local\Temp\psgopgfy.0.vb

    Filesize

    271B

  • C:\Users\Admin\AppData\Local\Temp\psgopgfy.cmdline

    Filesize

    171B

  • C:\Users\Admin\AppData\Local\Temp\pwdyjhae.0.vb

    Filesize

    273B

  • C:\Users\Admin\AppData\Local\Temp\pwdyjhae.cmdline

    Filesize

    173B

  • C:\Users\Admin\AppData\Local\Temp\vbc35A490673ECF43B284D6D8436254D828.TMP

    Filesize

    684B

  • C:\Users\Admin\AppData\Local\Temp\vbc4122CD8CDF4345B2B4BC72D7B3CF4497.TMP

    Filesize

    676B

  • C:\Users\Admin\AppData\Local\Temp\vbc7B462247F4474E4D965D7C91E8386588.TMP

    Filesize

    668B

  • C:\Users\Admin\AppData\Local\Temp\vbcA42873CE4F234774B16B7156E730B546.TMP

    Filesize

    644B

  • C:\Users\Admin\AppData\Local\Temp\vbcEB097FCA5E4B0F958FF5B772F64C6.TMP

    Filesize

    684B

  • C:\Windows\System32\MSSCS.exe

    Filesize

    21KB

    MD5

    6fe3fb85216045fdf8186429c27458a7

    SHA1

    ef2c68d0b3edf3def5d90f1525fe87c2142e5710

    SHA256

    905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550

    SHA512

    d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c

  • memory/628-35-0x000002C53C280000-0x000002C53C2A2000-memory.dmp

    Filesize

    136KB

  • memory/1088-8-0x00007FFB07125000-0x00007FFB07126000-memory.dmp

    Filesize

    4KB

  • memory/1088-2-0x000000001BD90000-0x000000001C25E000-memory.dmp

    Filesize

    4.8MB

  • memory/1088-3-0x000000001B790000-0x000000001B836000-memory.dmp

    Filesize

    664KB

  • memory/1088-9-0x00007FFB06E70000-0x00007FFB07811000-memory.dmp

    Filesize

    9.6MB

  • memory/1088-21-0x00007FFB06E70000-0x00007FFB07811000-memory.dmp

    Filesize

    9.6MB

  • memory/1088-5-0x00007FFB06E70000-0x00007FFB07811000-memory.dmp

    Filesize

    9.6MB

  • memory/1088-4-0x000000001C320000-0x000000001C382000-memory.dmp

    Filesize

    392KB

  • memory/1088-0-0x00007FFB07125000-0x00007FFB07126000-memory.dmp

    Filesize

    4KB

  • memory/1088-1-0x00007FFB06E70000-0x00007FFB07811000-memory.dmp

    Filesize

    9.6MB

  • memory/1088-7-0x00007FFB06E70000-0x00007FFB07811000-memory.dmp

    Filesize

    9.6MB

  • memory/1088-6-0x000000001CBD0000-0x000000001CC6C000-memory.dmp

    Filesize

    624KB

  • memory/1956-22-0x00007FFB06E70000-0x00007FFB07811000-memory.dmp

    Filesize

    9.6MB

  • memory/1956-20-0x00007FFB06E70000-0x00007FFB07811000-memory.dmp

    Filesize

    9.6MB

  • memory/1956-18-0x00007FFB06E70000-0x00007FFB07811000-memory.dmp

    Filesize

    9.6MB