Analysis Overview
SHA256
607c83c609fbe308f30c0cbd197c8fc8c33ef4c85a21794463091a962609fd4b
Threat Level: Known bad
The file JaffaCakes118_04fd5497a83ad255eb92eda4d75b9d3c was found to be: Known bad.
Malicious Activity Summary
RevengeRat Executable
RevengeRAT
Revengerat family
RevengeRat Executable
Drops startup file
Uses the VBS compiler for execution
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Adds Run key to start application
Suspicious use of SetThreadContext
Program crash
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Scheduled Task/Job: Scheduled Task
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-06 00:54
Signatures
RevengeRat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Revengerat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-06 00:54
Reported
2025-01-06 00:56
Platform
win7-20240729-en
Max time kernel
146s
Max time network
150s
Command Line
Signatures
RevengeRAT
Revengerat family
RevengeRat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.vbs | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.js | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.lnk | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.URL | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Client.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client = "C:\\Users\\Admin\\AppData\\Roaming\\Client.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2368 set thread context of 2332 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04fd5497a83ad255eb92eda4d75b9d3c.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
| PID 2332 set thread context of 3032 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
| PID 404 set thread context of 2924 | N/A | C:\Users\Admin\AppData\Roaming\Client.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
| PID 2924 set thread context of 1592 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Client.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04fd5497a83ad255eb92eda4d75b9d3c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04fd5497a83ad255eb92eda4d75b9d3c.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04fd5497a83ad255eb92eda4d75b9d3c.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04fd5497a83ad255eb92eda4d75b9d3c.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
C:\Users\Admin\AppData\Roaming\Client.exe
"C:\Users\Admin\AppData\Roaming\Client.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\msojwz9e.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2EAF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2EAE.tmp"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Client" /tr "C:\Users\Admin\AppData\Roaming\Client.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kdot8g4p.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2F1D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2F1C.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jttbyuxb.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2F6B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2F6A.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1nhs1e-k.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2FB9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2FB8.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bxzskfjm.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2FF7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2FF6.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-gtpnzii.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3035.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3034.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wi5kand0.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3083.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3082.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tufgjhrs.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES30D1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc30D0.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\e4ac3z5o.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES311F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc311E.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\p6btdol0.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES315E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc315D.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lkj0ymyg.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES31AC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc31AB.tmp"
Network
| Country | Destination | Domain | Proto |
| KR | 58.79.228.45:333 | | tcp |
| KR | 58.79.228.45:333 | | tcp |
| KR | 58.79.228.45:333 | | tcp |
| KR | 58.79.228.45:333 | | tcp |
| KR | 58.79.228.45:333 | | tcp |
| KR | 58.79.228.45:333 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\ifRtNHuiG.txt
| MD5 | f126f07b11f143f551f661d1dd5fe439 |
| SHA1 | 43fcef8857cbdf5f8c9117214b4f9a829cc74527 |
| SHA256 | f2dff827bf3db172542186cb4dad5688465092a82ea27d65a6661cea9564082d |
| SHA512 | ec24c54db085ecb08ee1d5702bb6590540b970d1c881cf52a85db59cdfa350e47baa87043b85871604c9fb45c27be48d0bd57e18b299793c676e5a7716158bc8 |
\Users\Admin\AppData\Roaming\Client.exe
| MD5 | 04fd5497a83ad255eb92eda4d75b9d3c |
| SHA1 | 9749bcf4d4721446c7c7a594d1d41c5e0aa3c358 |
| SHA256 | 607c83c609fbe308f30c0cbd197c8fc8c33ef4c85a21794463091a962609fd4b |
| SHA512 | eec5fea358b8c4e42d0d4e146e2766a924c8cf1e073ac812dabc7c9678a06ea65cc8db2c16783f336b7b7e2a9e84fbcaa60c552fa51761c1736940490174905b |
C:\Users\Admin\AppData\Local\Temp\ifRtNHuiG.txt
| MD5 | ddacb8d91a476532677016ca8fa15154 |
| SHA1 | 3e0ea6c24c766b6f05e1a36f47414bfa9f2cffb7 |
| SHA256 | fc66ce5a321ced54b4372b6b3933176680cfe42de956743e445b24ae53d24a65 |
| SHA512 | e61447050e38b910c9b95f0f203efc6be7c357183482c0de56979c29c1896b997e8b6c872558d13227e13b3aae1ce0934c861f3a718201b68539329d312980f9 |
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-06 00:54
Reported
2025-01-06 00:56
Platform
win10v2004-20241007-en
Max time kernel
95s
Max time network
146s
Command Line
Signatures
RevengeRAT
Revengerat family
RevengeRat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Client.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3640 set thread context of 1872 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04fd5497a83ad255eb92eda4d75b9d3c.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
| PID 1872 set thread context of 3428 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
| PID 3916 set thread context of 4200 | N/A | C:\Users\Admin\AppData\Roaming\Client.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Client.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04fd5497a83ad255eb92eda4d75b9d3c.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04fd5497a83ad255eb92eda4d75b9d3c.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04fd5497a83ad255eb92eda4d75b9d3c.exe | "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04fd5497a83ad255eb92eda4d75b9d3c.exe" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" |
| C:\Users\Admin\AppData\Roaming\Client.exe | "C:\Users\Admin\AppData\Roaming\Client.exe" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4200 -ip 4200 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4200 -s 552 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 181.129.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| KR | 58.79.228.45:333 | | tcp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| KR | 58.79.228.45:333 | | tcp |
| US | 8.8.8.8:53 | 22.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 60.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\ifRtNHuiG.txt
| MD5 | f126f07b11f143f551f661d1dd5fe439 |
| SHA1 | 43fcef8857cbdf5f8c9117214b4f9a829cc74527 |
| SHA256 | f2dff827bf3db172542186cb4dad5688465092a82ea27d65a6661cea9564082d |
| SHA512 | ec24c54db085ecb08ee1d5702bb6590540b970d1c881cf52a85db59cdfa350e47baa87043b85871604c9fb45c27be48d0bd57e18b299793c676e5a7716158bc8 |
C:\Users\Admin\AppData\Roaming\Client.exe
| MD5 | 04fd5497a83ad255eb92eda4d75b9d3c |
| SHA1 | 9749bcf4d4721446c7c7a594d1d41c5e0aa3c358 |
| SHA256 | 607c83c609fbe308f30c0cbd197c8fc8c33ef4c85a21794463091a962609fd4b |
| SHA512 | eec5fea358b8c4e42d0d4e146e2766a924c8cf1e073ac812dabc7c9678a06ea65cc8db2c16783f336b7b7e2a9e84fbcaa60c552fa51761c1736940490174905b |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RegAsm.exe.log
| MD5 | b3ac9d09e3a47d5fd00c37e075a70ecb |
| SHA1 | ad14e6d0e07b00bd10d77a06d68841b20675680b |
| SHA256 | 7a23c6e7ccd8811ecdf038d3a89d5c7d68ed37324bae2d4954125d9128fa9432 |
| SHA512 | 09b609ee1061205aa45b3c954efc6c1a03c8fd6b3011ff88cf2c060e19b1d7fd51ee0cb9d02a39310125f3a66aa0146261bdee3d804f472034df711bc942e316 |