Analysis

  • max time kernel
    143s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20/05/2025, 20:32

General

  • Target

    905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe

  • Size

    21KB

  • MD5

    6fe3fb85216045fdf8186429c27458a7

  • SHA1

    ef2c68d0b3edf3def5d90f1525fe87c2142e5710

  • SHA256

    905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550

  • SHA512

    d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c

  • SSDEEP

    384:nPD9On5gIdjbvRPJnMacNj6FIlKrZbJsV5reQ+ys:b9On2nV6FIlKr1

Malware Config

Signatures

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

  • Revengerat family
  • RevengeRat Executable 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Uses the VB.NET compiler (vbc.exe, not VBScript) for execution 1 TTPs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Drops file in System32 directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
    "C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4028
    • C:\Windows\system32\MSSCS.exe
      "C:\Windows\system32\MSSCS.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4092
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -ExecutionPolicy Bypass -Command [System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms'); [System.Windows.Forms.MessageBox]::Show('Isto abriu lol','Rekt!',0,64)
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1108
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xvqi_jfd.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3616
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE6B2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc38986110DC0E499C9F8CD8B3F62EBAC.TMP"
          4⤵
            PID:4800
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
          "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tgoskrrq.cmdline"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:704
          • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE76D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc54A11BA6A0D74278A9DA9E04BB2BF44.TMP"
            4⤵
              PID:3572
          • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
            "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yirrfyba.cmdline"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:1588
            • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE809.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc25B74DA07DD142D2AF23AA5B92A9439C.TMP"
              4⤵
                PID:872
            • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
              "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cdan4ukh.cmdline"
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:1696
              • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
                C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE886.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC0913DF8F04F4683909FAFCFFC722DA.TMP"
                4⤵
                  PID:640
              • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
                "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\r30mubm7.cmdline"
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:4352
                • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
                  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE903.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCAC44D04A7734165B3747C2A71BB42A.TMP"
                  4⤵
                    PID:4308
                • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
                  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-m0dpp-d.cmdline"
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:4064
                  • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
                    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE971.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC954A73EA07046EBB727FEE212EC2A7F.TMP"
                    4⤵
                      PID:3748
                  • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
                    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pevuf8n6.cmdline"
                    3⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2148
                    • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
                      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE9DE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc42B843A1A3BB4286924F79C1FA9CBD14.TMP"
                      4⤵
                        PID:1332
                    • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
                      "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dqtaizwi.cmdline"
                      3⤵
                      • Suspicious use of WriteProcessMemory
                      PID:5016
                      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
                        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEA4B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4AAE10BC146047FDAC92A0A8968D10B9.TMP"
                        4⤵
                          PID:4024
                      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
                        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yemt3bk4.cmdline"
                        3⤵
                        • Suspicious use of WriteProcessMemory
                        PID:4108
                        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
                          C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEAA9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAA8CA859583340D8A7D7F29C8AA76E7B.TMP"
                          4⤵
                            PID:3472
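The tree above shows three behaviours worth a detection rule: the sample copies itself to System32 as MSSCS.exe (the Downloads section lists identical hashes for both files), the copy drives vbc.exe with response files in %TEMP% (the CodeDom compile-at-runtime pattern that produces the .cmdline/.0.vb/RES*.tmp artifacts and the cvtres.exe children), and it launches PowerShell with the execution policy bypassed. The following Python is an added example, not part of the sandbox report: it rebuilds the tree as constructed Sysmon-style process-creation events (PIDs, paths and command lines taken from the report; the MSBuild control case, its `"ab" * 32` hash and the parent PID 0 are invented) and runs the three rules over them, attributing the PowerShell launch by walking the ppid chain back to an already-flagged ancestor.

```python
"""Detection logic for the process tree shown above, run over constructed
Sysmon-style process-creation events (Image, CommandLine, ParentImage and
hash fields). The events are built from the report's tree and PIDs; they are
not sandbox output, and the MSBuild control case is invented for contrast."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str
    sha256: str = ""      # empty when the event source did not hash the image


SAMPLE_SHA256 = "905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
NET20 = r"C:\Windows\Microsoft.NET\Framework64\v2.0.50727"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"


def vbc_event(pid, ppid, stem):
    """One vbc.exe launch of the shape in the tree: /noconfig plus a response file in %TEMP%."""
    return ProcEvent(pid, ppid, NET20 + "\\vbc.exe",
                     f'"{NET20}\\vbc.exe" /noconfig @"{TEMP}\\{stem}.cmdline"')


EVENTS = [
    ProcEvent(4028, 0, f"{TEMP}\\{SAMPLE_SHA256}.exe", f'"{TEMP}\\{SAMPLE_SHA256}.exe"', SAMPLE_SHA256),
    # Dropped copy in System32: the report lists identical hashes for it and the sample.
    ProcEvent(4092, 4028, r"C:\Windows\system32\MSSCS.exe", r'"C:\Windows\system32\MSSCS.exe"', SAMPLE_SHA256),
    ProcEvent(1108, 4092, PS, "powershell -ExecutionPolicy Bypass -Command "
              "[System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms'); "
              "[System.Windows.Forms.MessageBox]::Show('Isto abriu lol','Rekt!',0,64)"),
    vbc_event(3616, 4092, "xvqi_jfd"),
    ProcEvent(4800, 3616, NET20 + "\\cvtres.exe",
              f'{NET20}\\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:{TEMP}\\RESE6B2.tmp"'),
    vbc_event(704, 4092, "tgoskrrq"),
    vbc_event(1588, 4092, "yirrfyba"),
    # Constructed benign control: a build tool compiling a project through its own response file.
    ProcEvent(6000, 0, r"C:\Program Files\dotnet\MSBuild.exe", "MSBuild.exe proj.vbproj", "ab" * 32),
    ProcEvent(6001, 6000, NET20 + "\\vbc.exe",
              f'"{NET20}\\vbc.exe" /noconfig @"C:\\src\\proj\\obj\\Debug\\proj.cmdline"'),
]

COMPILERS = {"vbc.exe", "csc.exe"}
BUILD_TOOLS = {"msbuild.exe", "devenv.exe", "dotnet.exe"}
RESP_FILE = re.compile(r'@"?(?P<path>[^"\s]+\.cmdline)"?', re.I)
USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\AppData|ProgramData|Windows\\Temp)\\", re.I)
SYSTEM32 = re.compile(r"^[A-Z]:\\Windows\\System32\\", re.I)
PS_BYPASS = re.compile(r"-e(?:x\w*|p)\s+bypass", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def has_flagged_ancestor(event, by_pid, flagged):
    """Walk the ppid chain; True if any ancestor already carries a finding."""
    seen, pid = set(), event.ppid
    while pid in by_pid and pid not in seen:
        if pid in flagged:
            return True
        seen.add(pid)
        pid = by_pid[pid].ppid
    return False


def detect(events):
    """Return (pid, rule) findings for the three behaviours the tree exhibits."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        name = basename(e.image)
        # Rule 1: an image under System32 with the same hash as a parent living outside
        # System32 is a self-copy the parent dropped there (needs admin, which the sandbox had).
        if parent and SYSTEM32.match(e.image) and not SYSTEM32.match(parent.image) \
                and e.sha256 and e.sha256 == parent.sha256:
            findings.append((e.pid, "self_copy_to_system32"))
        # Rule 2: vbc/csc driven by a response file in a user-writable directory, from a
        # parent that is not a build tool: CodeDom-style compile-at-runtime of a dropped source.
        if name in COMPILERS:
            m = RESP_FILE.search(e.cmdline)
            if m and USER_WRITABLE.search(m.group("path")) and \
                    not (parent and basename(parent.image) in BUILD_TOOLS):
                findings.append((e.pid, "runtime_compilation_from_temp"))
    # Rule 3 (second pass): PowerShell with the execution policy bypassed, descended
    # from a process that rules 1 or 2 already flagged.
    flagged = {pid for pid, _ in findings}
    for e in events:
        if basename(e.image) == "powershell.exe" and PS_BYPASS.search(e.cmdline) \
                and has_flagged_ancestor(e, by_pid, flagged):
            findings.append((e.pid, "powershell_bypass_under_flagged_ancestor"))
    return findings


if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(f"PID {pid}: {rule}")
```

Rule 2 deliberately keys on where the response file lives rather than on vbc.exe itself, since build tools launch the same compiler with the same `/noconfig @file.cmdline` shape; the MSBuild control event is there to show the rule stays quiet for a project compile under `C:\src`.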

Network

MITRE ATT&CK Enterprise v16

Downloads

                          • C:\Users\Admin\AppData\Local\Temp\-m0dpp-d.0.vb

                            Filesize

                            274B

                            MD5

                            539683c4ca4ee4dc46b412c5651f20f5

                            SHA1

                            564f25837ce382f1534b088cf2ca1b8c4b078aed

                            SHA256

                            ec2210924d5c1af6377ef4bdf76d6ca773aaa1ae0438b0850f44d8c4e16ef92e

                            SHA512

                            df7c1a55e53f9b9bf23d27762d2d1163c78808e9b4d95e98c84c55ca4ecb7009ed58574ae6ddede31459f300483a1dc42987295a04f6c8702f297d3f1942f4ac

                          • C:\Users\Admin\AppData\Local\Temp\-m0dpp-d.cmdline

                            Filesize

                            174B

                            MD5

                            2a193d752603f1575b40743e2e2e14c5

                            SHA1

                            fc8a6de7bf1ab66d759f933b84ef584e7dcb78f9

                            SHA256

                            5c597c98395b9131363793ebc9b957645902c663e16d185da8e778f1b2fa2692

                            SHA512

                            89d26848abd395f42c3a60b946dddb69d3beaa1e182a5eb5a274dd88ae978e97baf3e0f87d0badabf515f1137602d1c9973eea6bec67a760185ef733b8014961

                          • C:\Users\Admin\AppData\Local\Temp\RESE6B2.tmp

                            Filesize

                            1KB

                            MD5

                            e326259d51c28349033173c621fbd194

                            SHA1

                            0dc848a4bb92f995e84f07b3399ec81be9ba9d9b

                            SHA256

                            a5f4bfed305f634ceebf7b5d589502a0d54ebabd8fc22ba44f9e532282faf109

                            SHA512

                            6d0b4e036629945273154d179b21bcd999919eb6d757661cb43a0c15714e605cf7c149ab668bd852b5717d54fdca78c9eef207ec27e1eace5df029dbacc2b615

                          • C:\Users\Admin\AppData\Local\Temp\RESE76D.tmp

                            Filesize

                            1KB

                            MD5

                            771b3ca1952ff3e63974a40646a1b9ba

                            SHA1

                            6d41c84b9c18bf6b03d49636dc448983af0324e5

                            SHA256

                            16edc503bcffc421d1ace7e6fcff377070a8a98e4b231426abcaa8bfc8b2cba4

                            SHA512

                            d097d686ca77445a25e0837724ae8097e4844fa3d43ef34193df752a87326148c9abac175044bac047624d481cab8863214ac91c00c3712053bda4984f179735

                          • C:\Users\Admin\AppData\Local\Temp\RESE809.tmp

                            Filesize

                            1KB

                            MD5

                            b7f5c1e12b9453d44dc935c90b0108bc

                            SHA1

                            e59c9d9c8ec8de173e12849b394e70ee347fc120

                            SHA256

                            1a7516c29843cd7cb31e4633a0df182191ca6f89ba6fc3739c7e93bec5b83e38

                            SHA512

                            c3c2a8d92ece2bb3852a420523ff4fdd63bfd3a3ad8478078767624ef717562449d8558d119b74deee151971b631f89ab0f001ef7d99fd16f2f8a4df07a036f3

                          • C:\Users\Admin\AppData\Local\Temp\RESE886.tmp

                            Filesize

                            1KB

                            MD5

                            809af67eaa0b0d932fd6ec46c3754db7

                            SHA1

                            9a28d64c6ede5c3915add6210a722ca3eb3e80ed

                            SHA256

                            0fa1678a0c2e9e5ffd30f57e80e0dcf8befa3c20f392033eb2afac39baf9bfa7

                            SHA512

                            1f363015824bb2a95730ed861db950b2bf599296478f5602cb51a39f6a182f31b4c3327256563d7c1b02cb2e8d32596d9ceaa949b5bb33040a6002c76776e9e5

                          • C:\Users\Admin\AppData\Local\Temp\RESE903.tmp

                            Filesize

                            1KB

                            MD5

                            4919f608153c4d363dc71a3cf50e0c4b

                            SHA1

                            202ed51845438cd2cb3556d8b925a9ef8d05d76f

                            SHA256

                            8b764af73af47d6754d53e5c0b16ae3f41babbcae0ba4b27816231c0fbacaac2

                            SHA512

                            71447e56b8472213ffd68bd29f31b53174a7e51134c08b9c6455c35e9df14bbac13b901159ee155206ae34e9c88383f6dfac9eb6ff47dbfbd9c99d5f96abbe39

                          • C:\Users\Admin\AppData\Local\Temp\RESE971.tmp

                            Filesize

                            1KB

                            MD5

                            8f4f11481d481f2bf190ce25b756dd1d

                            SHA1

                            6862f3ac268ae84a0e15fedb83a1909d8ea3f6c0

                            SHA256

                            36ef71fc506b32591bf7c1333f6c7aac9cc7c926683886e71e599d29951870ed

                            SHA512

                            83293c21d9ba85a7e4099cfb85f3c7a4120dab66bf54a11222cbb65417726b0807b2ceffb1b13f5e4bebac011b664e6dbc8bca5b2fd49dc0e5b5f091297f34e2

                          • C:\Users\Admin\AppData\Local\Temp\RESE9DE.tmp

                            Filesize

                            1KB

                            MD5

                            17e836f514af0ad566d4a2817dd5d580

                            SHA1

                            70b2a0b9c45016ac7c801e5b195bdac890ad261a

                            SHA256

                            5eb40705d4f6a771bd05a76582e41c6dc76e442c9f5c3232a679201f59fc45ee

                            SHA512

                            4651a6b2088882b46588f2e2da2f65de37edafef9ddf8b5dda7e09c70f703baf5e2578f2380ef62dc2707aed063ee4d2a76d93d2295e43eb8ba6d7fb35251659

                          • C:\Users\Admin\AppData\Local\Temp\RESEA4B.tmp

                            Filesize

                            1KB

                            MD5

                            3a8194827146113e6d30145d01630ad9

                            SHA1

                            334dc23314b8f597df398b49dbf3cae2e744a2b3

                            SHA256

                            d6f82d62b9b92bb25455a618b05c7a6311f65c3c7dc913409c38b2935c9445ae

                            SHA512

                            75b7a46a654961fc6a2577e6743fafffa4ee94027ba76b6a9a8190b53f9f4ffec73d58d36602896a061604d5f512837a59afb2a40907c41cb60f5ee94548d196

                          • C:\Users\Admin\AppData\Local\Temp\RESEAA9.tmp

                            Filesize

                            1KB

                            MD5

                            b3e43e3d960fda75983beff4af07220b

                            SHA1

                            790c4ef325cf9af3addb711c32350bc2acf4c52c

                            SHA256

                            144e850a3a45e6325bde261e61c5e080546527b9e593c45cbf77693d90459a2a

                            SHA512

                            778d49a9035012b98614ca55656dbb2edbf27995a75cf1419b30d5eabe2cd5018a86236be0a4f3ef69147ffd79da274232bcbcf297fdd3a5d720d850f1f7b318

                          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vspxhplq.h0b.ps1

                            Filesize

                            60B

                            MD5

                            d17fe0a3f47be24a6453e9ef58c94641

                            SHA1

                            6ab83620379fc69f80c0242105ddffd7d98d5d9d

                            SHA256

                            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                            SHA512

                            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                          • C:\Users\Admin\AppData\Local\Temp\cdan4ukh.0.vb

                            Filesize

                            272B

                            MD5

                            2b3aac520562a93ebef6a5905d4765c9

                            SHA1

                            10ab45c5d73934b16fac5e30bf22f17d3e0810c8

                            SHA256

                            b9f0edf067faaaa7da2d47e3d22b957cd302eb25e01e08ea79c664868f328f89

                            SHA512

                            9514934ed12d93ea3ad4e6873cf294bafa114bc7a784a93b14dd2410d07fae3a2c00308035a5c129c57e283de8b94ed36fd9f9de35b08eb79a82a0c732e50446

                          • C:\Users\Admin\AppData\Local\Temp\cdan4ukh.cmdline

                            Filesize

                            172B

                            MD5

                            439923565aee99cfbc77ff995fa13f4a

                            SHA1

                            8bd5e324563ad07dc0a20c465400a47438fcf7c5

                            SHA256

                            42fe8b68e24eaa9211ec5f4bfc35bd426aa1b929f2bb735faa2256fc8dc53cff

                            SHA512

                            5b4c5db9595fd7aa0dec2254f7e6cceb3600f8b0c04439c39d7cb6a9aabd2ce90028e32fd7ef8deb17975d7ab03137f4455bd5ff28a7d93469d0c5979670c113

                          • C:\Users\Admin\AppData\Local\Temp\dqtaizwi.0.vb

                            Filesize

                            270B

                            MD5

                            658573fde2bebc77c740da7ddaa4634b

                            SHA1

                            073da76c50b4033fcfdfb37ba6176afd77b0ea55

                            SHA256

                            c07206283d62100d426ba62a81e97bd433966f8b52b5a8dd1451e29a804a1607

                            SHA512

                            f93c7f4378be5eca51161d1541d772a34c07884c9d829608c6fa21563df5691920394afe9da1174ad5c13f773a588b186d1d38a9d375a28562eb58ca4a8b8fbf

                          • C:\Users\Admin\AppData\Local\Temp\dqtaizwi.cmdline

                            Filesize

                            170B

                            MD5

                            a0eade8003f9f8b86464b2ffd2eb32c3

                            SHA1

                            37edb8e9e72c2f88dfa2bdc1e69b4a63f22cd790

                            SHA256

                            398062383e1088ea1f9be0ed2e24d76b80119aafea2705eeab2afc54e98adcb0

                            SHA512

                            92ff60c08222e5a536d93c18172e5a609915df4ce379477dca680eba389f02b347bf05bad24106a0d876cc854807e9a8ac74beda67236e6801dd7239e9108071

                          • C:\Users\Admin\AppData\Local\Temp\pevuf8n6.0.vb

                            Filesize

                            264B

                            MD5

                            5ce3977a153152978fa71f8aa96909e9

                            SHA1

                            52af143c553c92afc257f0e0d556908eaa8919cb

                            SHA256

                            e07a7bd0c2901d3a349ab55e936b34de2d0abb5f2dc555cc128773b8045d3eed

                            SHA512

                            eaee02ceade0211be70a4710b28fdf043d5c540928e2095ead924a44c2edfca8fc6499395d1b7f5deee96394fb5309362fb87e45ee195094ec39d5fa11909d77

                          • C:\Users\Admin\AppData\Local\Temp\pevuf8n6.cmdline

                            Filesize

                            164B

                            MD5

                            73d3a25044532d9a1b944742d29d7419

                            SHA1

                            66999556fa45763a8ce771e168757e5340cd7349

                            SHA256

                            f421ea19ae87154cc1e8acbb5d83a06eaf48b4a76b65f92e3dd939467d99e813

                            SHA512

                            05f943abc8f7cd4f00715fbda35a4323d4aee7f342d1479d7471f4261df847ab629eb69eea4798c92e2c8bdab5f60179ae3e34a2dfa8574e2721986d79719d1b

                          • C:\Users\Admin\AppData\Local\Temp\r30mubm7.0.vb

                            Filesize

                            271B

                            MD5

                            325f27ef75bebe8b3f80680add1943d3

                            SHA1

                            1c48e211258f8887946afb063e9315b7609b4ee3

                            SHA256

                            034c75813491d628a1a740b45888fc0c301b915456aaa7ba6433b4f1368cda35

                            SHA512

                            e2165b425558872897990953c26e48776f45751a53da035f1ad86ac062ec23a2923b984d84f992de5c0170f6e192feb155ffff25f51bc76ab273b996daacb804

                          • C:\Users\Admin\AppData\Local\Temp\r30mubm7.cmdline

                            Filesize

                            171B

                            MD5

                            95f111d3016951b79386498137d54a3b

                            SHA1

                            3ea1025ab137650dad6381eb2c007888955c5a5e

                            SHA256

                            f66dd4c4729ba6c6fb3f98b7d5c8f05379d7d2fab0d88e6c04b3729eb85f53e3

                            SHA512

                            42e920ef0736bf5c357134d4e7966c2f7fc4743b872533c76a6e8225386771e5bca10d06bb63dfc9010373be331df25201a3f91e32ac2d21027c7043f299b73e

                          • C:\Users\Admin\AppData\Local\Temp\tgoskrrq.0.vb

                            Filesize

                            262B

                            MD5

                            88cc385da858aaa7057b54eaeb0df718

                            SHA1

                            b108224d4686b5ca3faaeb1c728dfba8740a6eca

                            SHA256

                            08a30db98d970e3b6819d5ecff6eab2211ce93f4cd000c09db96ffb294d05020

                            SHA512

                            4787835240c3e2364172ac2e7649ec8fecb907c7006c38734e59aa65509f360b4596d5db8de20e0c7388a022e1c2f4f9ba75acabba798bea1d40f688539b7df7

                          • C:\Users\Admin\AppData\Local\Temp\tgoskrrq.cmdline

                            Filesize

                            162B

                            MD5

                            8d354b574a0ea029ca3c4e42845030ca

                            SHA1

                            766b5192cdb19e3ebce37f63f399ecf124da85e5

                            SHA256

                            40b08574003bd8166a28da74a33459731283112485dcc32f91276c31c7fb816a

                            SHA512

                            59edd91cc4db20a399e8f1cf3b3a5b3dbda1309ee98193f8a41d2d82f035ffb077801fc391a21cc57a8b2d3d953ab026c591ccd8f9ba455ad0dbefdb65847de6

                          • C:\Users\Admin\AppData\Local\Temp\vbc38986110DC0E499C9F8CD8B3F62EBAC.TMP

                            Filesize

                            644B

                            MD5

                            dac60af34e6b37e2ce48ac2551aee4e7

                            SHA1

                            968c21d77c1f80b3e962d928c35893dbc8f12c09

                            SHA256

                            2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6

                            SHA512

                            1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

                          • C:\Users\Admin\AppData\Local\Temp\vbc54A11BA6A0D74278A9DA9E04BB2BF44.TMP

                            Filesize

                            668B

                            MD5

                            3906bddee0286f09007add3cffcaa5d5

                            SHA1

                            0e7ec4da19db060ab3c90b19070d39699561aae2

                            SHA256

                            0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00

                            SHA512

                            0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

                          • C:\Users\Admin\AppData\Local\Temp\vbcAA8CA859583340D8A7D7F29C8AA76E7B.TMP

                            Filesize

                            684B

                            MD5

                            7a707b422baa7ca0bc8883cbe68961e7

                            SHA1

                            addf3158670a318c3e8e6fdd6d560244b9e8860e

                            SHA256

                            453ad1da51152e3512760bbd206304bf48f9c880f63b6a0726009e2d1371c71c

                            SHA512

                            81147c1c4c5859249f4e25d754103f3843416e3d0610ac81ee2ef5e5f50622ea37f0c68eeb7fa404f8a1779dc52af02d2142874e39c212c66fa458e0d62926a9

                          • C:\Users\Admin\AppData\Local\Temp\vbcC0913DF8F04F4683909FAFCFFC722DA.TMP

                            Filesize

                            676B

                            MD5

                            85c61c03055878407f9433e0cc278eb7

                            SHA1

                            15a60f1519aefb81cb63c5993400dd7d31b1202f

                            SHA256

                            f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b

                            SHA512

                            7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

                          • C:\Users\Admin\AppData\Local\Temp\vbcC954A73EA07046EBB727FEE212EC2A7F.TMP

                            Filesize

                            684B

                            MD5

                            8135713eeb0cf1521c80ad8f3e7aad22

                            SHA1

                            1628969dc6256816b2ab9b1c0163fcff0971c154

                            SHA256

                            e14dd88df69dc98be5bedcbc8c43d1e7260b4492899fec24d964000a3b096c7a

                            SHA512

                            a0b7210095767b437a668a6b0bcedf42268e80b9184b9910ed67d665fba9f714d06c06bff7b3da63846791d606807d13311946505776a1b891b39058cfb41bd4

                          • C:\Users\Admin\AppData\Local\Temp\xvqi_jfd.0.vb

                            Filesize

                            256B

                            MD5

                            076803692ac8c38d8ee02672a9d49778

                            SHA1

                            45d2287f33f3358661c3d6a884d2a526fc6a0a46

                            SHA256

                            5b3ab23bcadaeb54a41bdb1636bcaf7772af028d375f42baeb967de6579ef2a3

                            SHA512

                            cc9126384a287ccb99d10d5c2d3034cdbc8a45e94f1cec48dd95f2aa08ebbe3053ffd6d6effa31f2d84164edbb6136398cd02c08b05f027a6a777dffd1daea5d

                          • C:\Users\Admin\AppData\Local\Temp\xvqi_jfd.cmdline

                            Filesize

                            156B

                            MD5

                            be111772d53ecf75a7cabe1cbf8e626a

                            SHA1

                            78acb39eef956f50372619c43202fd72c5b3e968

                            SHA256

                            054e2b562a95084d85786240d35ebb8eaa1d398471ff91b9a8490faeccac15e3

                            SHA512

                            6e0731e7e248d83d5cdff1d439c4a5b4690cb9d761ee486e257a88d6cbbd2d9074ec7762546001766b27a8eda6f37142ed3983c05160b694b2edf61a18891401

                          • C:\Users\Admin\AppData\Local\Temp\yemt3bk4.0.vb

                            Filesize

                            273B

                            MD5

                            3c3d3136aa9f1b87290839a1d26ad07a

                            SHA1

                            005a23a138be5d7a98bdd4a6cc7fab8bdca962f4

                            SHA256

                            5b745f85a39312bfa585edbd7e3465371578b42fa639eded4cdad8c9f96b87fd

                            SHA512

                            fbb085ffcd77ac96c245067fd96a0c20492d55331161f292975b0c11386424a96534a500133217f84d44455e16139d01230455bce5db3d472271620c29381f60

                          • C:\Users\Admin\AppData\Local\Temp\yemt3bk4.cmdline

                            Filesize

                            173B

                            MD5

                            5e0ccd0d5cfd4334de89dda1af79e64c

                            SHA1

                            6079532e820c503c4c48e7e15573195ebf484951

                            SHA256

                            081ad088e93bb32c8ae17caf3dfa84d514aa8e954cd405ba39095c472a552dde

                            SHA512

                            ef7122ac1363038376979e639cd7991590a29d563e36845a9ee8c26dbca724ae06542ea9e496700737e8ecc9d38cda7249055fa468a737a0bbf887ea35962261

                          • C:\Users\Admin\AppData\Local\Temp\yirrfyba.0.vb

                            Filesize

                            271B

                            MD5

                            ac972015bef75b540eb33503d6e28cc2

                            SHA1

                            5c1d09fcf4c719711532dcfd0544dfc6f2b90260

                            SHA256

                            fa445cc76cde3461a5f1f1281fefcb0c7db69b2685f8a67a06a0f33a067e74e7

                            SHA512

                            36b2e1f7b7a6f2c60788f88d95bfdc53b7d261c203eb637a36fbd07d81bc46edc87e528f1987df73963cb75ca2f19c3a4b3df9ade52d5768ecec23753099cc83

                          • C:\Users\Admin\AppData\Local\Temp\yirrfyba.cmdline

                            Filesize

                            171B

                            MD5

                            5811eade217cf61777ba89ff3c06da8b

                            SHA1

                            74c71b15e668ffb32e84cb550581dd40c6f8df0c

                            SHA256

                            64d94beae50fa20c2cf51ce0f172da657faa19762b2806ca21ab133afb3a3c0c

                            SHA512

                            49b67f8f5d9e93252c04f8d8bc29b413d415c05c2a18f2be9b09f6f413ddabc188fc44c0ecdeeb411f472875dbda35c87c4c181fd9e311239ea6e6e502dac251

                          • C:\Windows\System32\MSSCS.exe

                            Filesize

                            21KB

                            MD5

                            6fe3fb85216045fdf8186429c27458a7

                            SHA1

                            ef2c68d0b3edf3def5d90f1525fe87c2142e5710

                            SHA256

                            905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550

                            SHA512

                            d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c

                          • memory/1108-32-0x00000216CDA40000-0x00000216CDA62000-memory.dmp

                            Filesize

                            136KB

                          • memory/4028-21-0x00007FFB53AE0000-0x00007FFB54481000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/4028-0-0x00007FFB53D95000-0x00007FFB53D96000-memory.dmp

                            Filesize

                            4KB

                          • memory/4028-5-0x00007FFB53AE0000-0x00007FFB54481000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/4028-2-0x00007FFB53AE0000-0x00007FFB54481000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/4028-6-0x000000001D2B0000-0x000000001D34C000-memory.dmp

                            Filesize

                            624KB

                          • memory/4028-4-0x000000001C9E0000-0x000000001CA42000-memory.dmp

                            Filesize

                            392KB

                          • memory/4028-3-0x000000001C8C0000-0x000000001C966000-memory.dmp

                            Filesize

                            664KB

                          • memory/4028-9-0x00007FFB53AE0000-0x00007FFB54481000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/4028-8-0x00007FFB53AE0000-0x00007FFB54481000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/4028-7-0x00007FFB53D95000-0x00007FFB53D96000-memory.dmp

                            Filesize

                            4KB

                          • memory/4028-1-0x000000001C340000-0x000000001C80E000-memory.dmp

                            Filesize

                            4.8MB

                          • memory/4092-18-0x00007FFB53AE0000-0x00007FFB54481000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/4092-19-0x00007FFB53AE0000-0x00007FFB54481000-memory.dmp

                            Filesize

                            9.6MB

                          • memory/4092-22-0x00007FFB53AE0000-0x00007FFB54481000-memory.dmp

                            Filesize

                            9.6MB
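The file list above gives a practitioner three host-side indicators: a System32 executable named MSSCS.exe whose SHA256 should equal the sample's, 8-character `.cmdline` response files paired with `.0.vb` sources in the user's Temp folder, and whatever was written to the Startup folder (the report flags "Drops startup file" but does not name it). The Python below is an added example, not part of the sandbox report: it sweeps a directory tree that mirrors a Windows volume (a live drive, a mounted image or a sandbox file dump) for those artifacts. The hash is the report's; the `build_fixture()` tree, its stand-in file bytes, the `persist.exe` startup name and the `orphan01.cmdline` negative case are constructed for offline testing, so the sweep must be handed the fixture's own digest to exercise the exact-match branch.

```python
"""Sweep a directory tree that mirrors a Windows volume (a live C:\\ drive, a
mounted forensic image or a sandbox file dump) for the artifacts this report
lists: the System32 drop, the vbc.exe response-file/source pairs in %TEMP%,
and entries in the per-user Startup folder. Hash values come from the report;
build_fixture() constructs a fake tree so the sweep can be exercised offline."""
import hashlib
import re
import tempfile
from pathlib import Path

SAMPLE_SHA256 = "905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550"
# Relative to a user profile; the report does not name the startup file, so every entry is surfaced.
STARTUP_REL = Path("AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup")
TEMP_REL = Path("AppData/Local/Temp")
# vbc.exe response files in the report have 8-character random stems (xvqi_jfd, -m0dpp-d, ...).
CMDLINE_RE = re.compile(r"^[a-z0-9_\-]{8}\.cmdline$", re.I)


def sha256_of(path):
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root, sample_sha256=SAMPLE_SHA256):
    """Return (indicator, detail) pairs; an empty list means none of the artifacts were found.
    Paths use the casing the report shows; on NTFS the lookup is case-insensitive anyway."""
    root = Path(root)
    findings = []
    drop = root / "Windows" / "System32" / "MSSCS.exe"
    if drop.is_file():
        digest = sha256_of(drop)
        tag = "system32_drop_exact_match" if digest == sample_sha256 else "system32_drop_hash_mismatch"
        findings.append((tag, f"{drop} sha256={digest}"))
    users = root / "Users"
    for profile in (users.iterdir() if users.is_dir() else []):
        temp = profile / TEMP_REL
        if temp.is_dir():
            # Only count a response file when its generated source sits beside it.
            pairs = [p for p in temp.iterdir()
                     if CMDLINE_RE.match(p.name) and (temp / (p.stem + ".0.vb")).is_file()]
            if pairs:
                findings.append(("vbc_runtime_compile_artifacts", f"{len(pairs)} pairs in {temp}"))
        startup = profile / STARTUP_REL
        for item in (startup.iterdir() if startup.is_dir() else []):
            hit = item.is_file() and sha256_of(item) == sample_sha256
            findings.append(("startup_entry_sample_hash" if hit else "startup_entry_review", str(item)))
    return findings


def build_fixture(root):
    """Constructed tree, not sandbox output: stand-in bytes replace the real sample,
    so the returned digest is what sweep() must be given to hit the exact-match branch."""
    root = Path(root)
    sys32 = root / "Windows" / "System32"
    sys32.mkdir(parents=True)
    drop = sys32 / "MSSCS.exe"
    drop.write_bytes(b"MZ stand-in for the dropped copy")
    temp = root / "Users" / "Admin" / TEMP_REL
    temp.mkdir(parents=True)
    for stem in ("xvqi_jfd", "tgoskrrq", "-m0dpp-d"):
        (temp / f"{stem}.cmdline").write_text("/noconfig (contents not in the report)\n")
        (temp / f"{stem}.0.vb").write_text("' stand-in source\n")
    (temp / "orphan01.cmdline").write_text("")          # no .0.vb beside it: must not count
    startup = root / "Users" / "Admin" / STARTUP_REL
    startup.mkdir(parents=True)
    (startup / "persist.exe").write_bytes(drop.read_bytes())   # placeholder name, same bytes as the drop
    return sha256_of(drop)


def demo():
    """Run the sweep on the fixture twice: with the fixture's own hash and with the report's."""
    with tempfile.TemporaryDirectory() as d:
        digest = build_fixture(d)
        return {"fixture_hash": sweep(d, digest), "report_hash": sweep(d)}


if __name__ == "__main__":
    for run, found in demo().items():
        print(run)
        for tag, detail in found:
            print(f"  {tag}: {detail}")
```

Against a real host, `sweep(Path("C:/"))` is enough; a name match with a hash mismatch is still worth pulling, since a recompiled or repacked variant would keep the MSSCS.exe drop path while changing every hash in this report.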