Analysis

  • max time kernel
    143s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20/05/2025, 20:42

General

  • Target

    905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe

  • Size

    21KB

  • MD5

    6fe3fb85216045fdf8186429c27458a7

  • SHA1

    ef2c68d0b3edf3def5d90f1525fe87c2142e5710

  • SHA256

    905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550

  • SHA512

    d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c

  • SSDEEP

    384:nPD9On5gIdjbvRPJnMacNj6FIlKrZbJsV5reQ+ys:b9On2nV6FIlKr1

Malware Config

Signatures

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

  • Revengerat family
  • RevengeRat Executable 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Drops file in System32 directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
    "C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3448
    • C:\Windows\system32\MSSCS.exe
      "C:\Windows\system32\MSSCS.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5780
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -ExecutionPolicy Bypass -Command [System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms'); [System.Windows.Forms.MessageBox]::Show('Isto abriu lol','Rekt!',0,64)
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3424
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\n-a4-jse.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:588
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE848.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc411E17785F7942128582CB6E91291EC0.TMP"
          4⤵
            PID:3344
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
          "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qgnpdi8v.cmdline"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:5320
          • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE961.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5C8E3B4D5152454C9FDC0B815AA504C.TMP"
            4⤵
              PID:2300
          • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
            "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zcpzxlo6.cmdline"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:5528
            • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEA4B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc775F34FF44FF410D9D3EB6869C1B0B1.TMP"
              4⤵
                PID:5664
            • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
              "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\o85epngr.cmdline"
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:5560
              • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
                C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEB17.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF2F4CDE42353458A8B694E2F9B6C88A.TMP"
                4⤵
                  PID:5484
              • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
                "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4g000ip6.cmdline"
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:4436
                • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
                  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEBC2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE8F0439336BA43DB90D9EBA46CC9BCB7.TMP"
                  4⤵
                    PID:4564
                • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
                  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bfa5hxj2.cmdline"
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:4484
                  • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
                    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEC30.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD8A870D6C92E4F12AC5F40A0F2F9EECA.TMP"
                    4⤵
                      PID:2672
                  • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
                    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ro6u_asl.cmdline"
                    3⤵
                    • Suspicious use of WriteProcessMemory
                    PID:4424
                    • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
                      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESECAD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF85E97AE40BB4775933C119198EF573C.TMP"
                      4⤵
                        PID:4396
                    • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
                      "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\c4qjlxpz.cmdline"
                      3⤵
                      • Suspicious use of WriteProcessMemory
                      PID:5132
                      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
                        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESED1A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc525385001370442BBF7780A6B7C2FAEC.TMP"
                        4⤵
                          PID:3808
                      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
                        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dfn11djw.cmdline"
                        3⤵
                        • Suspicious use of WriteProcessMemory
                        PID:3172
                        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
                          C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESED97.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc53B02C802149468A8A40A41CAD6B83F.TMP"
                          4⤵
                            PID:5964

Network

MITRE ATT&CK Enterprise v16

Downloads
