Analysis

  • max time kernel
    144s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250502-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/05/2025, 20:22

General

  • Target

    905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe

  • Size

    21KB

  • MD5

    6fe3fb85216045fdf8186429c27458a7

  • SHA1

    ef2c68d0b3edf3def5d90f1525fe87c2142e5710

  • SHA256

    905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550

  • SHA512

    d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c

  • SSDEEP

    384:nPD9On5gIdjbvRPJnMacNj6FIlKrZbJsV5reQ+ys:b9On2nV6FIlKr1

Malware Config

Signatures

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

  • Revengerat family
  • RevengeRat Executable 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Drops file in System32 directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
    "C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4240
    • C:\Windows\system32\MSSCS.exe
      "C:\Windows\system32\MSSCS.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1012
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -ExecutionPolicy Bypass -Command [System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms'); [System.Windows.Forms.MessageBox]::Show('Isto abriu lol','Rekt!',0,64)
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2872
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\v83in2kh.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2892
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCEA5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc715C525E635E46A09FC5818C2658C296.TMP"
          4⤵
            PID:2876
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
          "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\8hixg9ba.cmdline"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4004
          • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCF70.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc11C1558D96344E50A062404AFCA78A38.TMP"
            4⤵
              PID:4524
          • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
            "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\f_csagjx.cmdline"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2088
            • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD02C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE2BE138ECF424D6DA3FF6C3C23D1C741.TMP"
              4⤵
                PID:5252
            • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
              "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\smtivzbu.cmdline"
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:5588
              • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
                C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD08A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE229B2AA6D744CD4BC6F4BDDFACE2033.TMP"
                4⤵
                  PID:860
              • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
                "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\myi1pa3t.cmdline"
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:5304
                • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
                  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD0F7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB2DF9E5C7816456A9C4C4ABC3CF5FB17.TMP"
                  4⤵
                    PID:4444
                • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
                  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ta9ke5bw.cmdline"
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:3556
                  • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
                    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD155.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5ABD3041C9194A95B65A61814614A3D.TMP"
                    4⤵
                      PID:1460
                  • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
                    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zpqbxuyj.cmdline"
                    3⤵
                    • Suspicious use of WriteProcessMemory
                    PID:4388
                    • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
                      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD1B3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB2BED3429F6F499A8182F486E1689968.TMP"
                      4⤵
                        PID:1628
                    • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
                      "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ocgtfkpg.cmdline"
                      3⤵
                      • Suspicious use of WriteProcessMemory
                      PID:5696
                      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
                        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD210.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC3C41C1CEAC547C3BA862DBA449516C.TMP"
                        4⤵
                          PID:4840
                      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
                        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\a8zzfp8b.cmdline"
                        3⤵
                        • Suspicious use of WriteProcessMemory
                        PID:5352
                        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
                          C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD26E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC520076EF99649BCB2B54352B188F978.TMP"
                          4⤵
                            PID:4720

                    Network

                          MITRE ATT&CK Enterprise v16

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Users\Admin\AppData\Local\Temp\8hixg9ba.0.vb

                            Filesize

                            262B

                            MD5

                            88cc385da858aaa7057b54eaeb0df718

                            SHA1

                            b108224d4686b5ca3faaeb1c728dfba8740a6eca

                            SHA256

                            08a30db98d970e3b6819d5ecff6eab2211ce93f4cd000c09db96ffb294d05020

                            SHA512

                            4787835240c3e2364172ac2e7649ec8fecb907c7006c38734e59aa65509f360b4596d5db8de20e0c7388a022e1c2f4f9ba75acabba798bea1d40f688539b7df7

                          • C:\Users\Admin\AppData\Local\Temp\8hixg9ba.cmdline

                            Filesize

                            162B

                            MD5

                            e7f8604cb6cc8c9d440f88eb0655d4b4

                            SHA1

                            752451283fec405081c6b7cc4ab4a610bc82294b

                            SHA256

                            3b1d9a4fef54c3715ea73cef95242916076be8115e366c6d85248e27f5fd3ab2

                            SHA512

                            ab8178d24dee122fa71b7fab28f637e673410b402af223e8114eb81ff5df7b0000afc674339d728dc3a18605853e4a33f405ad5f25134b5f912c48be818a1876

                          • C:\Users\Admin\AppData\Local\Temp\RESCEA5.tmp

                            Filesize

                            1KB

                            MD5

                            ead5ab68d69b499ccf6505211d8c401e

                            SHA1

                            05fa5d8ca1983f33b00dd7aaa92081a8c44c8038

                            SHA256

                            d5d34aa68c80d51d4d009d366f7c8e16a7b9e27d893c362e3bd6230f6b5ddb3e

                            SHA512

                            25798309de46fe553415fe9cab28dffbdd3ff169c9afef558097059a8255c96f923e988b366ec8d963b94d7846c952cf5c71b98a1d294753bc3a3f6a76fa0da4

                          • C:\Users\Admin\AppData\Local\Temp\RESCF70.tmp

                            Filesize

                            1KB

                            MD5

                            ff645cf4a8719fc97d6845b1d1526176

                            SHA1

                            8827ed13d839b99d7447d6a5fb25dbe25265e087

                            SHA256

                            ffeedfc402a147319686e0352c7ed352224277faf7b6c2a0263d01f593751eaa

                            SHA512

                            60420d36cb85b5dde9271c8c3e0eda8f14ecbb372c0c1ef7748ffd7543e275dcb0747db499f34c1ce95f0041b6ab01fc1bdfc3254db2cea3cb0587198dde0fc8

                          • C:\Users\Admin\AppData\Local\Temp\RESD02C.tmp

                            Filesize

                            1KB

                            MD5

                            bb9ece38ac0bfc4510e84c3056c63f8d

                            SHA1

                            ac10a3ea633078e8efbf6ce38d5ba9f155cef5d5

                            SHA256

                            914c8e191c1978dc96a0c00b7ad7e2dd392aab6e25531c7d4b4622a275eb7e82

                            SHA512

                            77cbb6dcb2f9c9e95abd0360e1bc442d6aa450f4876cd72bf41f5b36dea9d5ed87ac122e8d014d7ed48e8ded57ab79478c8a10a43ee9e4aadf68df1d47a83c30

                          • C:\Users\Admin\AppData\Local\Temp\RESD08A.tmp

                            Filesize

                            1KB

                            MD5

                            c3dead95db859c5e4dab580ae67b4df0

                            SHA1

                            0a67dd3ce2242bd7b09f60c66bf8b23e2fae0da8

                            SHA256

                            2493f3f2493aecff1e1f55efcb8ec843a07e057559dbd47cd109709e4b3c301d

                            SHA512

                            31ed22de37827245e0fc16fc90416782d5ca567760430132fb7f89d0bcf4e41c49f93d7ba7dcc21f055b9f84295bbb2c6426ec18e4bc8b9630540ea612649aba

                          • C:\Users\Admin\AppData\Local\Temp\RESD0F7.tmp

                            Filesize

                            1KB

                            MD5

                            9f2d035671f3169bc5b05c218fc53612

                            SHA1

                            ce79ce54535eef640b763a79e8e6d7ce6bdbbd77

                            SHA256

                            9596cde585f8d5da11c7f6c346c5f195e321506e064c335caea62646e22d9e9f

                            SHA512

                            77864883e1692d5e823af27ae500df4f9159cd4bd4b90153df315fce7aabd43bd3e9a5e7e8b47d1742e35582366e22584855a17e30c9ffc895c3a73f50f9e4c8

                          • C:\Users\Admin\AppData\Local\Temp\RESD155.tmp

                            Filesize

                            1KB

                            MD5

                            0768176bd9ef90eea4171ca935feb0a9

                            SHA1

                            c45be668f924e2dc1262c786ed4ace5ddaa40d99

                            SHA256

                            cf275d30f20d71f59be816f7c3c28f64d3e0bfbb480826d9d26abd6b4eaf9fee

                            SHA512

                            0fbfd676b628f1347d581a946738453c8551147cd7673206ac22f1bdab1e1d0655fa427cb0899751b633e02f091de3cb4f2a794ec9d736d7bc1e56ea2a509f72

                          • C:\Users\Admin\AppData\Local\Temp\RESD1B3.tmp

                            Filesize

                            1KB

                            MD5

                            7880057f2f3d9ee23fedde5412328323

                            SHA1

                            690fad2bd358ac420a229a6ecb707cd1f720cac6

                            SHA256

                            e3e631b606006cbb8f67fe6aa1c88165736616e33cd0da45a2f0303653679ac5

                            SHA512

                            803bfb02eaebedd623ac5fa5c608f57caa0aba890ad9a4486b703ae8bcaea90411465efff01c53524a1d71300053ea17192c4f231471cb984a9b2fd5a00de436

                          • C:\Users\Admin\AppData\Local\Temp\RESD210.tmp

                            Filesize

                            1KB

                            MD5

                            510c8f652c126c59d7fa0a9714340c38

                            SHA1

                            30041ee315b6f4ceea5f7ef8c4f519fce0a41464

                            SHA256

                            21dbbee3299e3a1f8fc4fb0146e426a14400163e6b53b758f54f33a5d7e32a38

                            SHA512

                            8e8c7cf48471143e770f37f0c9c918484933557f7c2e214667e0ef1e9eb5fc38aacf7586a516a377005ff1eb255dd5070db6dc076b6a5aeb9ccd969f1a9fb79b

                          • C:\Users\Admin\AppData\Local\Temp\RESD26E.tmp

                            Filesize

                            1KB

                            MD5

                            7ad8adb41986b463a1dfd296e332d2b2

                            SHA1

                            911fa1ba7fb494053f40b08e5861f7318ec4030f

                            SHA256

                            3c2268ebdfb4087b07ed694d6605a48a6c4b510ab274f2eb20f1d2efdb7e770b

                            SHA512

                            71ea30a1fc4a26dd5da2d9543316bb9772bdbaad833c6ab1623891871a72b6cc0e6b9fe43f38f2df1fd66b80650efb1de2e4a45158eb39f79ae9ab808dc3f520

                          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_esf1horl.qce.ps1

                            Filesize

                            60B

                            MD5

                            d17fe0a3f47be24a6453e9ef58c94641

                            SHA1

                            6ab83620379fc69f80c0242105ddffd7d98d5d9d

                            SHA256

                            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                            SHA512

                            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                          • C:\Users\Admin\AppData\Local\Temp\a8zzfp8b.0.vb

                            Filesize

                            273B

                            MD5

                            3c3d3136aa9f1b87290839a1d26ad07a

                            SHA1

                            005a23a138be5d7a98bdd4a6cc7fab8bdca962f4

                            SHA256

                            5b745f85a39312bfa585edbd7e3465371578b42fa639eded4cdad8c9f96b87fd

                            SHA512

                            fbb085ffcd77ac96c245067fd96a0c20492d55331161f292975b0c11386424a96534a500133217f84d44455e16139d01230455bce5db3d472271620c29381f60

                          • C:\Users\Admin\AppData\Local\Temp\a8zzfp8b.cmdline

                            Filesize

                            173B

                            MD5

                            faaa745d03e2d737983b25c4f997fdb2

                            SHA1

                            d6bd4591830508d5ad656c6f89a515c9922667a4

                            SHA256

                            6ba0c68f6661739ff10b76487546af686806062e3ccb8cb1eb27ee7dc95fd332

                            SHA512

                            8d8921e028fbb998cca3b6cdcaa37178151b1b164182c02bd85bab66150d735cea63772141af018248b475c44eac9cf2bfb33613ad283109d163d5648b866824

                          • C:\Users\Admin\AppData\Local\Temp\f_csagjx.0.vb

                            Filesize

                            271B

                            MD5

                            ac972015bef75b540eb33503d6e28cc2

                            SHA1

                            5c1d09fcf4c719711532dcfd0544dfc6f2b90260

                            SHA256

                            fa445cc76cde3461a5f1f1281fefcb0c7db69b2685f8a67a06a0f33a067e74e7

                            SHA512

                            36b2e1f7b7a6f2c60788f88d95bfdc53b7d261c203eb637a36fbd07d81bc46edc87e528f1987df73963cb75ca2f19c3a4b3df9ade52d5768ecec23753099cc83

                          • C:\Users\Admin\AppData\Local\Temp\f_csagjx.cmdline

                            Filesize

                            171B

                            MD5

                            8f11f49f3c90bfdc09c0b90c3f0ff050

                            SHA1

                            ad7d5c12916a5dccc991d542815a2f82c66d3c79

                            SHA256

                            4a76e32ddc114a27b4b8923ad0551d09b2b349597643c1d47a5597d12ce80318

                            SHA512

                            d8363805bdd1f30dab9bececf6cf0a8357cc4022622c90222ceb264f2d3527bcea8696d133a28f586b8d7a59fa9a423acffc973f84b48da46d89474028464c86

                          • C:\Users\Admin\AppData\Local\Temp\myi1pa3t.0.vb

                            Filesize

                            274B

                            MD5

                            539683c4ca4ee4dc46b412c5651f20f5

                            SHA1

                            564f25837ce382f1534b088cf2ca1b8c4b078aed

                            SHA256

                            ec2210924d5c1af6377ef4bdf76d6ca773aaa1ae0438b0850f44d8c4e16ef92e

                            SHA512

                            df7c1a55e53f9b9bf23d27762d2d1163c78808e9b4d95e98c84c55ca4ecb7009ed58574ae6ddede31459f300483a1dc42987295a04f6c8702f297d3f1942f4ac

                          • C:\Users\Admin\AppData\Local\Temp\myi1pa3t.cmdline

                            Filesize

                            174B

                            MD5

                            47579a315e69727edfd6d2dfd458b34c

                            SHA1

                            95d21c95a37395f3887eda03604533fb4ba23312

                            SHA256

                            2050686a9d69e7acc973a2b584cc516c235ca55d08ab20e657c5c5d17e52a510

                            SHA512

                            f54f7b0099b03fece3d64bee99096bfafca13c406964f874476aa47a89878e89450f46f9abbefb87384c6001543bd0fc863bca90c7875c1c6f36ffbf7634e005

                          • C:\Users\Admin\AppData\Local\Temp\ocgtfkpg.0.vb

                            Filesize

                            271B

                            MD5

                            325f27ef75bebe8b3f80680add1943d3

                            SHA1

                            1c48e211258f8887946afb063e9315b7609b4ee3

                            SHA256

                            034c75813491d628a1a740b45888fc0c301b915456aaa7ba6433b4f1368cda35

                            SHA512

                            e2165b425558872897990953c26e48776f45751a53da035f1ad86ac062ec23a2923b984d84f992de5c0170f6e192feb155ffff25f51bc76ab273b996daacb804

                          • C:\Users\Admin\AppData\Local\Temp\ocgtfkpg.cmdline

                            Filesize

                            171B

                            MD5

                            47363a5dba11b8541940f4f043bc0341

                            SHA1

                            2c56e809354dfbfce9f61a7fd8f7638a0bd21009

                            SHA256

                            f9ffea3c055ae48a200c391a6d802b630509d9d0a81735604974c957b09761e5

                            SHA512

                            b9a7b0275aeac49857fd95a116247f19e16661b33d83351381c9bd1c10953d87b2e890a187bbe6d8cd11287aab5959039c105bc0ae99fdcf568b73a6e8f3dbc4

                          • C:\Users\Admin\AppData\Local\Temp\smtivzbu.0.vb

                            Filesize

                            272B

                            MD5

                            2b3aac520562a93ebef6a5905d4765c9

                            SHA1

                            10ab45c5d73934b16fac5e30bf22f17d3e0810c8

                            SHA256

                            b9f0edf067faaaa7da2d47e3d22b957cd302eb25e01e08ea79c664868f328f89

                            SHA512

                            9514934ed12d93ea3ad4e6873cf294bafa114bc7a784a93b14dd2410d07fae3a2c00308035a5c129c57e283de8b94ed36fd9f9de35b08eb79a82a0c732e50446

                          • C:\Users\Admin\AppData\Local\Temp\smtivzbu.cmdline

                            Filesize

                            172B

                            MD5

                            11a969c4daff27adf6c628a0f2ccdf01

                            SHA1

                            bd1da7f5f52479e8ce11bf0da71b3812f4d5450e

                            SHA256

                            7a1a21d4cfe76dd8daf77eb9f2f682850962e9f91eac4930458cda0da299850a

                            SHA512

                            dcdba75522b59917ac1f2cbf6ad5c7d856287cc90b9537cad7548c4e4a52ef903fe1f196b008307e2b9edf600977a928bebba4aa5aa0b37a63d0c983f63c4135

                          • C:\Users\Admin\AppData\Local\Temp\ta9ke5bw.0.vb

                            Filesize

                            264B

                            MD5

                            5ce3977a153152978fa71f8aa96909e9

                            SHA1

                            52af143c553c92afc257f0e0d556908eaa8919cb

                            SHA256

                            e07a7bd0c2901d3a349ab55e936b34de2d0abb5f2dc555cc128773b8045d3eed

                            SHA512

                            eaee02ceade0211be70a4710b28fdf043d5c540928e2095ead924a44c2edfca8fc6499395d1b7f5deee96394fb5309362fb87e45ee195094ec39d5fa11909d77

                          • C:\Users\Admin\AppData\Local\Temp\ta9ke5bw.cmdline

                            Filesize

                            164B

                            MD5

                            08bb14b811b5da2fd936df41a149d4ad

                            SHA1

                            a9e262ea6358565843a4a4e1de0e1908e327f64e

                            SHA256

                            a6e2245b87bfca0940a22c516c792e23b7cc5d0ff80b19e7549396a612b964bf

                            SHA512

                            9c6bb8734e5e7ec7d3f4d7e1a9e20ea5003c45a8a432af804acd95b63d66d142f6888626e21b3798fecd19593cb3c8c3d9180b584c90536b6e9ac4bc78980e83

                          • C:\Users\Admin\AppData\Local\Temp\v83in2kh.0.vb

                            Filesize

                            256B

                            MD5

                            076803692ac8c38d8ee02672a9d49778

                            SHA1

                            45d2287f33f3358661c3d6a884d2a526fc6a0a46

                            SHA256

                            5b3ab23bcadaeb54a41bdb1636bcaf7772af028d375f42baeb967de6579ef2a3

                            SHA512

                            cc9126384a287ccb99d10d5c2d3034cdbc8a45e94f1cec48dd95f2aa08ebbe3053ffd6d6effa31f2d84164edbb6136398cd02c08b05f027a6a777dffd1daea5d

                          • C:\Users\Admin\AppData\Local\Temp\v83in2kh.cmdline

                            Filesize

                            156B

                            MD5

                            7ac1c09f48cff59cbe3e73e042bf701a

                            SHA1

                            7b44c162867314f491883959f5090d21d43dfb4c

                            SHA256

                            54ff46ff90fe9389e45f7e45fc569cc09da00331b844861188fa41b6f28d5f57

                            SHA512

                            8c1ab5b4c4140b9933b2846bbbf7321d128b9865f35025f5bcc7dcb1ce78b568639d6ae58ca75e32fc1a69f45ec8c2cf1a07df5f2e9dd8db50591974f49b7ef8

                          • C:\Users\Admin\AppData\Local\Temp\vbc11C1558D96344E50A062404AFCA78A38.TMP

                            Filesize

                            668B

                            MD5

                            3906bddee0286f09007add3cffcaa5d5

                            SHA1

                            0e7ec4da19db060ab3c90b19070d39699561aae2

                            SHA256

                            0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00

                            SHA512

                            0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

                          • C:\Users\Admin\AppData\Local\Temp\vbc715C525E635E46A09FC5818C2658C296.TMP

                            Filesize

                            644B

                            MD5

                            dac60af34e6b37e2ce48ac2551aee4e7

                            SHA1

                            968c21d77c1f80b3e962d928c35893dbc8f12c09

                            SHA256

                            2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6

                            SHA512

                            1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

                          • C:\Users\Admin\AppData\Local\Temp\vbcB2DF9E5C7816456A9C4C4ABC3CF5FB17.TMP

                            Filesize

                            684B

                            MD5

                            8135713eeb0cf1521c80ad8f3e7aad22

                            SHA1

                            1628969dc6256816b2ab9b1c0163fcff0971c154

                            SHA256

                            e14dd88df69dc98be5bedcbc8c43d1e7260b4492899fec24d964000a3b096c7a

                            SHA512

                            a0b7210095767b437a668a6b0bcedf42268e80b9184b9910ed67d665fba9f714d06c06bff7b3da63846791d606807d13311946505776a1b891b39058cfb41bd4

                          • C:\Users\Admin\AppData\Local\Temp\vbcC520076EF99649BCB2B54352B188F978.TMP

                            Filesize

                            684B

                            MD5

                            7a707b422baa7ca0bc8883cbe68961e7

                            SHA1

                            addf3158670a318c3e8e6fdd6d560244b9e8860e

                            SHA256

                            453ad1da51152e3512760bbd206304bf48f9c880f63b6a0726009e2d1371c71c

                            SHA512

                            81147c1c4c5859249f4e25d754103f3843416e3d0610ac81ee2ef5e5f50622ea37f0c68eeb7fa404f8a1779dc52af02d2142874e39c212c66fa458e0d62926a9

                          • C:\Users\Admin\AppData\Local\Temp\vbcE229B2AA6D744CD4BC6F4BDDFACE2033.TMP

                            Filesize

                            676B

                            MD5

                            85c61c03055878407f9433e0cc278eb7

                            SHA1

                            15a60f1519aefb81cb63c5993400dd7d31b1202f

                            SHA256

                            f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b

                            SHA512

                            7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

                          • C:\Users\Admin\AppData\Local\Temp\zpqbxuyj.0.vb

                            Filesize

                            270B

                            MD5

                            658573fde2bebc77c740da7ddaa4634b

                            SHA1

                            073da76c50b4033fcfdfb37ba6176afd77b0ea55

                            SHA256

                            c07206283d62100d426ba62a81e97bd433966f8b52b5a8dd1451e29a804a1607

                            SHA512

                            f93c7f4378be5eca51161d1541d772a34c07884c9d829608c6fa21563df5691920394afe9da1174ad5c13f773a588b186d1d38a9d375a28562eb58ca4a8b8fbf

                          • C:\Users\Admin\AppData\Local\Temp\zpqbxuyj.cmdline

                            Filesize

                            170B

                            MD5

                            bc68766e3fbf5b11861176dcc91782f9

                            SHA1

                            6fa38769012e2f83447d9a9cd3b6c17f9b7569bf

                            SHA256

                            251f37d5203ab345ca82f976adaf9261633937bac66f8f494ad2482383a7dfd3

                            SHA512

                            8e4e5e9947293da7b290147c8daae94983e8011b6a748785a78281c1836835d26674656715ad7d0852d6ae97c6367ab70e2da091332af1540946446839546197

                          • C:\Windows\System32\MSSCS.exe

                            Filesize

                            21KB

                            MD5

                            6fe3fb85216045fdf8186429c27458a7

                            SHA1

                            ef2c68d0b3edf3def5d90f1525fe87c2142e5710

                            SHA256

                            905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550

                            SHA512

                            d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c

                          • memory/1012-23-0x00007FFF59E10000-0x00007FFF5A7B1000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/1012-21-0x00007FFF59E10000-0x00007FFF5A7B1000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/1012-20-0x00007FFF59E10000-0x00007FFF5A7B1000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/1012-18-0x00007FFF59E10000-0x00007FFF5A7B1000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/2872-31-0x0000025D3E6B0000-0x0000025D3E6D2000-memory.dmp

                            Filesize

                            136KB

                          • memory/4240-22-0x00007FFF59E10000-0x00007FFF5A7B1000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/4240-8-0x00007FFF5A0C5000-0x00007FFF5A0C6000-memory.dmp

                            Filesize

                            4KB

                          • memory/4240-9-0x00007FFF59E10000-0x00007FFF5A7B1000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/4240-7-0x00007FFF59E10000-0x00007FFF5A7B1000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/4240-6-0x000000001CFE0000-0x000000001D07C000-memory.dmp

                            Filesize

                            624KB

                          • memory/4240-5-0x00007FFF59E10000-0x00007FFF5A7B1000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/4240-4-0x000000001C6C0000-0x000000001C722000-memory.dmp

                            Filesize

                            392KB

                          • memory/4240-3-0x000000001C550000-0x000000001C5F6000-memory.dmp

                            Filesize

                            664KB

                          • memory/4240-2-0x00007FFF59E10000-0x00007FFF5A7B1000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/4240-0-0x00007FFF5A0C5000-0x00007FFF5A0C6000-memory.dmp

                            Filesize

                            4KB

                          • memory/4240-1-0x000000001C080000-0x000000001C54E000-memory.dmp

                            Filesize

                            4.8MB