Analysis Overview
SHA256
faaf7582d93e929167cf114573d910f51bfea4afaa8bf0314add2bda61806f05
Threat Level: Known bad
The file JaffaCakes118_0515e47f61a95f9847545a75b876a2d5 was found to be: Known bad.
Malicious Activity Summary
RevengeRAT
Revengerat family
RevengeRat Executable
Loads dropped DLL
Uses the VBS compiler for execution
Drops startup file
Executes dropped EXE
Checks computer location settings
Adds Run key to start application
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Scheduled Task/Job: Scheduled Task
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-06 00:56
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-06 00:56
Reported
2025-01-06 00:59
Platform
win7-20241010-en
Max time kernel
148s
Max time network
124s
Command Line
Signatures
RevengeRAT
Revengerat family
RevengeRat Executable
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IExploer.exe | C:\Users\Admin\AppData\Roaming\IExploer.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IExploer.exe | C:\Users\Admin\AppData\Roaming\IExploer.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\IExploer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\IExploer.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0515e47f61a95f9847545a75b876a2d5.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\IExploer = "C:\\Users\\Admin\\AppData\\Roaming\\IExploer.exe" | C:\Users\Admin\AppData\Roaming\IExploer.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\IExploer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0515e47f61a95f9847545a75b876a2d5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\IExploer.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0515e47f61a95f9847545a75b876a2d5.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\IExploer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0515e47f61a95f9847545a75b876a2d5.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0515e47f61a95f9847545a75b876a2d5.exe"
C:\Users\Admin\AppData\Roaming\IExploer.exe
"C:\Users\Admin\AppData\Roaming\IExploer.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "IExploer" /tr "C:\Users\Admin\AppData\Roaming\IExploer.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\irxo0jva\irxo0jva.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES89A9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDA9F63C8D0904BA6B8B9F4FBD94E15A.TMP"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yy0v2dq5\yy0v2dq5.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8B01.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5B494F4D3D2845588BB3C88851F19C73.TMP"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\avssadbn\avssadbn.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8C77.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7C23E33CA8D94CC7886EA89793E3A5D.TMP"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xcval2xa\xcval2xa.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8DAF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc54854D16818843408A1BBCBAFBB964BB.TMP"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ygvhnmc1\ygvhnmc1.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8F06.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc55EB9E97E90E47788EF770228FCF2F1F.TMP"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1pt1rwxy\1pt1rwxy.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES902F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6D7AF3E83F8C47BEA72FCE5BE976725.TMP"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lf1isl0k\lf1isl0k.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES91A5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCC7BD2EDAB434262B5E8C5A3F9453712.TMP"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\araz30og\araz30og.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES92CD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD78598B75FFA49DFBE7842D3C325E3F9.TMP"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hiyuhymu\hiyuhymu.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES93F6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEBFE942D3BB457F90C9945C9242C4BF.TMP"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\egwonkqf\egwonkqf.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES951E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCA41FB607E174BCE88B757CB3C30E6FF.TMP"
C:\Windows\system32\taskeng.exe
taskeng.exe {7D3DBFE6-5A9A-4375-BA4B-897514DD4680} S-1-5-21-3692679935-4019334568-335155002-1000:BCXRJFKE\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\IExploer.exe
C:\Users\Admin\AppData\Roaming\IExploer.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | morello238.ddns.net | udp |
Files
memory/2188-0-0x000000007479E000-0x000000007479F000-memory.dmp
memory/2188-1-0x00000000010D0000-0x00000000010F4000-memory.dmp
memory/2188-2-0x0000000000510000-0x0000000000516000-memory.dmp
memory/2188-3-0x0000000074790000-0x0000000074E7E000-memory.dmp
memory/2188-4-0x000000007479E000-0x000000007479F000-memory.dmp
memory/2188-5-0x0000000074790000-0x0000000074E7E000-memory.dmp
memory/2188-6-0x0000000000560000-0x0000000000576000-memory.dmp
\Users\Admin\AppData\Roaming\IExploer.exe
| MD5 | 0515e47f61a95f9847545a75b876a2d5 |
| SHA1 | 5ac29a22ca50833014fe050a9287d0ceb47604b3 |
| SHA256 | faaf7582d93e929167cf114573d910f51bfea4afaa8bf0314add2bda61806f05 |
| SHA512 | 765cc4b27bfa50923f32fe16038ffc603aec6df04b4a3687b4f28102198a432af33a26e1d864340592f1e206db8f18f7f3a9923d62df7e09d6a8a0f66cf14483 |
memory/2936-14-0x0000000074790000-0x0000000074E7E000-memory.dmp
memory/2188-15-0x0000000074790000-0x0000000074E7E000-memory.dmp
memory/2936-16-0x0000000000B60000-0x0000000000B84000-memory.dmp
memory/2936-17-0x0000000074790000-0x0000000074E7E000-memory.dmp
memory/2936-18-0x0000000074790000-0x0000000074E7E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\irxo0jva\irxo0jva.cmdline
| MD5 | abfea2ee7daa69f567801dc9853aa2a4 |
| SHA1 | 7d492c6fa7ad7ccfb5ba2e7d9c30b46e7efe3f1c |
| SHA256 | 845041b18081c8c56395c915cfebaf8bc622b7620b6372f3662f05affba75a84 |
| SHA512 | 385b17d576c1e22276a01bc0217e756b64961d8a598e5a9ab8aede1605039ffff2216bc7b8dc86338b8e05e1106260d26a2df34d0923173e610380f616f03a83 |
C:\Users\Admin\AppData\Local\Temp\irxo0jva\irxo0jva.0.vb
| MD5 | 48761fd7996409ad7ba9d662c66b11a1 |
| SHA1 | 85e4ef1d815bd99b31ee2d3080cbe27ad39d3c5e |
| SHA256 | b34b5f89b536c1c01ca4604fc6b6c03b31f3431be9af583c005a59c080bc4b6f |
| SHA512 | d97c993ecd2afa300ae0c1672984d6bc1772a89208737281182bbeba4694d989f5e2486c9972abe6ee8b01c5e9dbdd9146d7b6531a82786b4b05612ba1d0d2a5 |
C:\Users\Admin\AppData\Local\Temp\vbcDA9F63C8D0904BA6B8B9F4FBD94E15A.TMP
| MD5 | efa86d1097e3356b4f7173a380c71c68 |
| SHA1 | f5940b67a6a5f561ff6454929eff2fb03df8b382 |
| SHA256 | 8ccd957c9cf2aa677ee3e872feaa327cba85201d1066ba2c702d0b103bff1b67 |
| SHA512 | c409a703465f22a2094381be7a5ec066a487cb42c043fefe15f0654f6820e6fc7047786d257da754f20b9cdc4a9f5bb07d6691492d8d30800c6bad607a15b354 |
C:\Users\Admin\AppData\Local\Temp\RES89A9.tmp
| MD5 | f1a9d50a3fc7bb782b880388f240fd7b |
| SHA1 | 812f8c9c03283e2d88430529462f4263b647edf9 |
| SHA256 | 33c1d7f8c80fbd4fa46a82c0470085d49209b60b17c53858cabda1535445ace5 |
| SHA512 | 69b70e2041d0e5218c1a7f41c81ec72dbb2e42d27d724268f37de5fe42e68208ee8c71f152d586b12113677e568085601566bc41f3b5ee4122338b185fb5a739 |
C:\Users\Admin\AppData\Local\Temp\yy0v2dq5\yy0v2dq5.cmdline
| MD5 | a674792855b046e9069b30859d0e4964 |
| SHA1 | eb00d02f97bc90645378d75bd04f8b421e304ee9 |
| SHA256 | 52885699740cfa5ccf75284ac00031ab9bd6de3b1fc251c225fd51395609368d |
| SHA512 | f427fba608dba5c892baf9d9645410097032d56f558887b9350ca1819a9d9fb78ee704327fe8c063ae34be3394cba22996c3ee6aa5d4e8a3ef478e78ee93a34d |
C:\Users\Admin\AppData\Local\Temp\yy0v2dq5\yy0v2dq5.0.vb
| MD5 | 3a3abdd0e264cd5f5e3306eec6d3f5f1 |
| SHA1 | e25cdd3241b49aeeed8ae14ce0ce3dbdbe69896f |
| SHA256 | 27756bcb336b00548dc71f5dda931f9dc077377c2087ef3d282cd70d13d1c381 |
| SHA512 | d75b50dc0429ea4747a2408faedee8631355230fcf5207b69db0fceeaedf2bcde304b95c3d0a1fdc9f1148dd280a725b8a7de028a928098215c4dc8b8abb2ae4 |
C:\Users\Admin\AppData\Local\Temp\vbc5B494F4D3D2845588BB3C88851F19C73.TMP
| MD5 | 6592f9186211221a0a3afcf34a2dfa00 |
| SHA1 | bf3748b4ab03bdc65c242ad924653666cda3c5d9 |
| SHA256 | eac2c432a96e0d19ef3a1950bc067babe642d11af2a3c2a14bc3050e508c1b3f |
| SHA512 | f7b072428258b7cf5d674c9df15bcb28df9369fde271e79bb2752e0266cabbc3b4bce8aa36e56f3ae99ebc2e658ca7d764628c82668adafc3d0889bd6d71dfca |
C:\Users\Admin\AppData\Local\Temp\RES8B01.tmp
| MD5 | d3776ba23e54abcbad11ffdd68f93719 |
| SHA1 | 2f3e66202d2a49026929a0be052a23ab81709660 |
| SHA256 | 62fbc92e446ce5e10ae2e07c717cb265b67994a284707c6b290bf86ab6417c1a |
| SHA512 | 41d27c802ec285ca754da9f1e9ac77d5bdfcf2c9f608c7e71f256703d8a72a1e3c672b949e9f257bde6328a7816a5bd3aea8fe654dbaa3aea0a0308045cd52f8 |
C:\Users\Admin\AppData\Local\Temp\avssadbn\avssadbn.cmdline
| MD5 | 74de7b3ec64ab7bbb889e0b6a590f9c3 |
| SHA1 | 38a7f000f31f0878db64e09c5a1e72458ad677ab |
| SHA256 | a90ada313823e73774446e7ae90d835f58f619302234cd707a4e1eff10c3bb94 |
| SHA512 | d318d7ecfcceacb1e8dcd98dbeb71f22c57985424761b963a73e92c87bb91cc63010356cf3dbadca1fc843617a03b9263b1159af3b8c462c6a80317ff3b2d085 |
C:\Users\Admin\AppData\Local\Temp\avssadbn\avssadbn.0.vb
| MD5 | 861244d3b1a1da81ccf752f647194f17 |
| SHA1 | 45488514e900d5a1114c5f01cc0c64ce4d815bfd |
| SHA256 | 91fe1cb5a0659fc6e916b23796f355a69381657ebb2775b846df5cc5ce74a2a1 |
| SHA512 | 0b307e1222e69ca8948d1a64dd1ff2b41d654e4333fb5f49a324fb3a94395699a1b91e404f9c724e93aca00c13dbc1a61e2bc965f9478d4104b13c9b13d216e5 |
C:\Users\Admin\AppData\Local\Temp\vbc7C23E33CA8D94CC7886EA89793E3A5D.TMP
| MD5 | 4ffaef2181115a3647790b920aa31b31 |
| SHA1 | 7f15eee57c8482252db8286ab782978747471899 |
| SHA256 | d52cc5df93cac8616b0ecebdf21c6e11bf14e0308f97d6406f4e1c76d0738843 |
| SHA512 | 501991abd0d0f5780084b9584292183d55bf2c5587de4a7182e1f0979a68f051ef2e1a94753d9da0add2f4f04107320d664952f018c516f3354fdda4e11ec436 |
C:\Users\Admin\AppData\Local\Temp\RES8C77.tmp
| MD5 | c74638ecbad37dc281d6265c1d2ed875 |
| SHA1 | 6a94237a72c5c41046f0d0ffde05c82915999854 |
| SHA256 | 34a8931a6a3fd35aa94d96bad94a44d7fc01ae65c93b5f1a40240f325fd72caf |
| SHA512 | fb9959f782751bb626a92512eee70368deb4d5a5df8e726db383fe4373827e940e5fada70b671a845f00f6b0cc6dfebe377a41aec7af26dc3ad31941e71d27a9 |
C:\Users\Admin\AppData\Local\Temp\xcval2xa\xcval2xa.cmdline
| MD5 | 8e30e1f8a305b91cec6738847387fccb |
| SHA1 | 2a3536db80e35274b6c0c7487352b4840a35d6c2 |
| SHA256 | 41d606cfae44f330d2c03c46eafae53d7bba652f1b767b6d1cc523926d9b87a8 |
| SHA512 | f34717c8f490cb9a6b29c7067523eef6eee1c62fa9ee877707cba42995ae1f050a2391dd155a153b2ba30bae41d7f163cb306c2df888a9c5cd7a9243da8ea05b |
C:\Users\Admin\AppData\Local\Temp\xcval2xa\xcval2xa.0.vb
| MD5 | e89b3dbd703ab059fea51cdfc444a7a0 |
| SHA1 | 121964fae53714459d4e78a69e1894f406b15f0b |
| SHA256 | 15d3532ee6c62319b7f46dd0790d6e4f29f7e6b8831cd2b52714a0cd72a52b7d |
| SHA512 | b71ef2acd232f77bc376c80fa3fe15b00b0fdf3e67638c49b8ac2ef42b44668cccf58408e2990da0f2e349d03b9dfa02f1d56bde9a4d1819e8daec148cf9d2c3 |
C:\Users\Admin\AppData\Local\Temp\vbc54854D16818843408A1BBCBAFBB964BB.TMP
| MD5 | c3e495da66a1b628c1f3d67d511f5f30 |
| SHA1 | d487b081326a052a7b7057b1f039bbe262280479 |
| SHA256 | 81cbcb4840551143dbb1f8215d7c54f87f0397173b35d6a101564a784827dffd |
| SHA512 | c596c316e8519a33e4360f87c40a812f904145a12c1d4c3c59f95b08a353eda781e40da8e95b0e971c24faa7d15b19170a67027cf8732246a6978cc6571b29ae |
C:\Users\Admin\AppData\Local\Temp\RES8DAF.tmp
| MD5 | 2e890aefe579a3e954699619e371ae9a |
| SHA1 | 62a72f1a95edad835a9ed69f758cf957d72c0ba4 |
| SHA256 | 825afe9e33f543d66b05adb00e61db05ba7b0a7cc84aecd7b3ada8b36ccfb6c6 |
| SHA512 | ae174fdd1e86b466d248f72377774eec378e817382a75320d646706e5968eef68b797a42eebd361436fd7b98af9ce3f3223b838586b79d9daa3cbf3728f6e45b |
C:\Users\Admin\AppData\Local\Temp\ygvhnmc1\ygvhnmc1.cmdline
| MD5 | 46a7f6923ef6280df0ff5d293616d03c |
| SHA1 | 4762d981167c4a6e82d4ffca8841061e65f670f8 |
| SHA256 | 2af77917ce704b3f11f8e9ebfee39db2d1c2347ab25266e1f25e9b963fed642a |
| SHA512 | a62e130d7ad20def1e6899b9b0534dcec568175244c1a610f5d8e4d77a675032ab5959f3c6d0aa64f3a64f327228eaef0deb3fcf4fc252829280c27947dca25e |
C:\Users\Admin\AppData\Local\Temp\ygvhnmc1\ygvhnmc1.0.vb
| MD5 | 56c0de9c4774ac5f1a5c7958e9787945 |
| SHA1 | cccb25583894e124c2208577b904fcadead6d729 |
| SHA256 | 78adb3f06dbe3b39e5d5e1726696e7545216b6cc991db05d6f9a3493f7dd1edc |
| SHA512 | 3d0cc984bc9e708a7e48db90e7d76113041bd3bf840bd75f5c90e3f2dd3d646085ffd5b8fa5a9c47c7ff3b6c99a87af57b22eeccd631154dced49d32d82fbffc |
C:\Users\Admin\AppData\Local\Temp\RES8F06.tmp
| MD5 | 98ac89254e8e0a6e0c5098a97f5b18a1 |
| SHA1 | e4a99aa9ec20e57ccd270633a9683959811c93b0 |
| SHA256 | 90e9b752497ee11620289907b61ba5232bd041cf974f897bb02e4e571b5c8a4d |
| SHA512 | c461a4c2f1cc7603f01176f8b868640b075fd637fff951bbc8b02e6dec48f4111f689c9f5f463b2218f7759d56836f764f9872343da6e818f52464816fd96b7c |
C:\Users\Admin\AppData\Local\Temp\1pt1rwxy\1pt1rwxy.cmdline
| MD5 | fa98244a4706289d626a1e43d5a55553 |
| SHA1 | 95fd622b22d35c2abe3e93f7c4f53316e6835010 |
| SHA256 | b53ac795a44893f94045879de5182124700a7224b80ca94b68057d847cac2f4d |
| SHA512 | d36c3b3feabc1959795e2b2899db201e54dccc71f9a54d8fcd83737b0a1471fbec2a8fdec5dfcfb0dc7ea242a0c848eda0716a223f201ab55848172bfe7d2277 |
C:\Users\Admin\AppData\Local\Temp\1pt1rwxy\1pt1rwxy.0.vb
| MD5 | 8cb296fa1be7192b0d2decd5c80d4d3c |
| SHA1 | abb0eb97f148a73d043a94ba99a28dd8e5135c92 |
| SHA256 | 0c7d4823361974120582428cf8181029f3fa0ed9ed385d44b8a45ba9e027ae91 |
| SHA512 | 7a0fa788cc1c630fbe64cb0af812fe09b13d56844aaaf8cf47c2673bd63b4aaec26e28a0a11a95f749988c9e0cbec3f0d94a01665b6c11620ec032f570411218 |
C:\Users\Admin\AppData\Local\Temp\vbc6D7AF3E83F8C47BEA72FCE5BE976725.TMP
| MD5 | cee1aae40ed483284d3131b9a76eae59 |
| SHA1 | 616bc1c7ea383b4f78305c4111a9816095f45b12 |
| SHA256 | bc10f0b64e7c4e54e0d840d904c395326907aa9e30b243959e00aea0a51b8d35 |
| SHA512 | 57976c6b66ca77489f168915be4b0b7c3b53747f6a62e60984db5d0aa2ff8428a0c8a78b515191e2c257afd11a4fb17c4bd6f05a49bd429120e588ac040addee |
C:\Users\Admin\AppData\Local\Temp\RES902F.tmp
| MD5 | bed542cc869f90b13e58c78f542ef58e |
| SHA1 | 525ce6ab404a8ec9bdd8638842e025f708f07672 |
| SHA256 | fe6e850d553062e2e731baaef669013dd67540540ae08e62648a914e7ff60b54 |
| SHA512 | 4af2c64ccab6dfa87bfa9fb4d4b390207c6fbd75582ba39983dfa700372169e20827b8aac227f1f13aea83b6228cfc3a5954ab65f74b4b0a11a8c1a4ec537ac4 |
C:\Users\Admin\AppData\Local\Temp\lf1isl0k\lf1isl0k.cmdline
| MD5 | 7f3af5bf0d5f3001634cf9af13ae2ab4 |
| SHA1 | 2752a1833b3e8fd9d6faa8b58943b3a85ac937c7 |
| SHA256 | 6deed1f998630a56b5b4c4b39c497ddcb54a2313867c269a5da31981740d846f |
| SHA512 | d63e3dac51a84c9662e8bc3d47da6c75a1364e4b3c46c6e53ffcb80787e480087550db07ff80be5f07b4dc478477a501aed87e79dcbdeb6092e5791cd5c5b21c |
C:\Users\Admin\AppData\Local\Temp\lf1isl0k\lf1isl0k.0.vb
| MD5 | 0af5b2967e1b54637a99c58cf00b0970 |
| SHA1 | bd01ec69ca515afbd66c34bd0d4bb4aef432f99b |
| SHA256 | 762fc2cd68f81c6dde6c27b318b66a28cc8af38202153694cf5164a9a238f3cd |
| SHA512 | 227c4c47df1ac338a14cc91df57cbab063249e2b0552e0042cbc2cb699c1da2cfedbf1bd9fd7ba5dd4d1deed11f83680f0bd8eae1c499dbe324a52e0b18b94b3 |
C:\Users\Admin\AppData\Local\Temp\vbcCC7BD2EDAB434262B5E8C5A3F9453712.TMP
| MD5 | 5be03705622d8432c727b2f54d2f8714 |
| SHA1 | d5fc067a15681b7defb145c6526331a359e6f84b |
| SHA256 | 763889d47a575bea1067919ee6b7da90e470394d08f92f0a12cdb7a95c5f8d6f |
| SHA512 | 1aa7ddd4493dcbe9c635594d75c30ed3a4ad68c26f0e437ae32b1098a3d1992b5467777308f6d84ece5be4368136da12202c928d14d785691c9201223adafe77 |
C:\Users\Admin\AppData\Local\Temp\RES91A5.tmp
| MD5 | ea4fc10ddcc8d9854436e7090c25652c |
| SHA1 | 28a5ae6261f73133c27cf588b26cfef66a70711f |
| SHA256 | 11553348f722b12bf3c218ff11e268683ebcf885e76a40cda38e1beecef2692f |
| SHA512 | 3e9d021e9828e0c9a558bd03b835543ba09d860da267fded1b819388175524a0955b6e14a8fec39e971c78b0a8f5ab6cbea6921257f830d324b08c1f4b0b0822 |
C:\Users\Admin\AppData\Local\Temp\araz30og\araz30og.cmdline
| MD5 | dacfeda5a2b639669ddb77ca94ce9a5e |
| SHA1 | 47a9421c9aa30fc891e20e9b42369a09eac05b46 |
| SHA256 | b132275b4adb298bbdb8f4244ab664c4e53867c114c8bb46e30839dca6cabb2c |
| SHA512 | 056b11badf39eb4029d5122dfbf50c9c4f5c4136ab68104f2a5a9369becc3129c9c09b2cab47d8ff42e19461cc510fd803b3415755f6006154a7d1488168097e |
C:\Users\Admin\AppData\Local\Temp\araz30og\araz30og.0.vb
| MD5 | e4a81f91139eceb4961c9a691825d976 |
| SHA1 | cf8deb4a997e8dcf89098934105585bc9011ea4f |
| SHA256 | da7a460fbdb983421efce82f05ad69d2859b9ad1fafa7526a25c2ed7a5c2027d |
| SHA512 | b70e7f8e1736e104229bf4b84434e0dfe17f9d8300039f2cd501582bbe7d83fd33a96d2012438073fb6126817a8dc863f788911992073fcc46d8d5eaa3f4f3c7 |
C:\Users\Admin\AppData\Local\Temp\vbcD78598B75FFA49DFBE7842D3C325E3F9.TMP
| MD5 | 32060b25f1b853322f55b00e646349eb |
| SHA1 | 3f48939a11387738bbdaaecf03302bf210653b11 |
| SHA256 | 49e5606fb65b14e33097ca86115ea6c55061517334188958984941a116189d6c |
| SHA512 | db81b28d76f9469e07c1f91c2557acb7109a5c35f35ecd29d41df61e18b934bf36a3569f01aa2d3dc649e54537669d6d7ba492ed25bd4596d04cd0d714e20d4d |
C:\Users\Admin\AppData\Local\Temp\RES92CD.tmp
| MD5 | 517937816c295a9f1a5bd3a056e00f97 |
| SHA1 | e8336e4d9b0eb5227f747d162a91fc89d9900416 |
| SHA256 | e29ce04eb168f6e639d00e184ebaf678ae8da6826769eaa74045999702bd5db3 |
| SHA512 | 0c82486ea60b6d63d5b7e93114c306256fb306fc686a76ab3df6e779151ded520ee6c26a95a2426cc2e1ad894647bf699185cd10b66f7ca1118dc8dffd00ab65 |
C:\Users\Admin\AppData\Local\Temp\hiyuhymu\hiyuhymu.cmdline
| MD5 | 7c56cd97f48471ba5052edaece4eb87d |
| SHA1 | e635a8b2dbb2c574f6f9046faf4a6ce1fdc6432c |
| SHA256 | 163b3ad062ca0e6a52d639f64cb1d18c346fb9515ec7b44c95b28c2d43062e7b |
| SHA512 | 0e674d7c9aa9d6e2ffcba5d1df22eba8b5c0209397c913e640b21428daee2c9f778b0815d4e4400d31d7bb1a7fe71900f9e548619cce8a26a14ae968f124763b |
C:\Users\Admin\AppData\Local\Temp\hiyuhymu\hiyuhymu.0.vb
| MD5 | 6a8ebfe0dedfe1ad4ed8e6dec0ee501a |
| SHA1 | 0fe1f3ed1cd5326da2c0c7d92f8f7db50a83abe2 |
| SHA256 | a690c6e275b56ea1332fa6188838520047f086be4b0fe9149aa46e90b43b58fb |
| SHA512 | 6f9bbf862b834fd28372caf234919378a2cf4c5125a624e2cb52fbdfb105c54ff9ef89849f0a8ba8fe11b9daf161ba464d17016ffbd327da837b300a55f9d684 |
C:\Users\Admin\AppData\Local\Temp\RES93F6.tmp
| MD5 | 99baf8ccdaf541d65ecf2f3f8389537e |
| SHA1 | 8d34d648301c0c99842da3d4cbd36d12b3c29709 |
| SHA256 | 52ed466991625ec6dc8eb06e22134410edf0896b12b2321f76eb4f5b00682ac4 |
| SHA512 | 9c6222752973402403687dcfff2caccefae5fdbe65f74d100636a32b90b5dd54b743af598eb74c7c579826758ed7173ada599644166924d48ca3cb27e483503c |
C:\Users\Admin\AppData\Local\Temp\egwonkqf\egwonkqf.cmdline
| MD5 | a6d387d3a75bde8b6fd71a1870d05996 |
| SHA1 | 160d4d7a1f1bdc74210d6795b8e4be595a8ab1d7 |
| SHA256 | c7a701ac1e49ba497e0b3fc2024f81def0ed0fcbd012a92b03b4a82fd81f82c8 |
| SHA512 | 926a8a7053149dbb1d73f5db8c19d391451e528cc472c68fa86efffc14a24ab374223a95893b8f1d23278117a728d83a16ece2fb24dc37680b2ea40241c4885a |
C:\Users\Admin\AppData\Local\Temp\egwonkqf\egwonkqf.0.vb
| MD5 | 752ff9ad1e0d1ef8019b4effd2ce4104 |
| SHA1 | 4e89f5b89854405bf14ca3aeff93808d0f6886ff |
| SHA256 | ccc200f18d6056f21ae10555e9e33d0a33392018a36cf79ba452c1f1d0e82b61 |
| SHA512 | 92b3aca78e7e64bd513d361a5cf8a8d6af10b293412cb6aaf77bc30fd3b68ca52bfac97fd765ba37170a89414ded3fbbe33193636490a6ccc9a72523932b7c43 |
C:\Users\Admin\AppData\Local\Temp\vbcCA41FB607E174BCE88B757CB3C30E6FF.TMP
| MD5 | d7d9f8d1ac18d21666caab1c2340838a |
| SHA1 | a33791468a096f2ecd0b9d46a3550879ddb20b6b |
| SHA256 | 5131ea59abf4dc33da21ae8a0fa4302960428d430b974368bb294c50cf92d6ce |
| SHA512 | 2e4736a5e5635d5769fe1087add8fe3ec73286778485708882c3c98ab03b7b8b6e418b311218f093dc7946d1a5309a2738c08a6418dfc60e6c75406a14700f10 |
C:\Users\Admin\AppData\Local\Temp\RES951E.tmp
| MD5 | 8d1b9725dbf5d1a95cdd04689cc53eab |
| SHA1 | 06d0afa0e9f63688ffc4638b9166e2dc6022c045 |
| SHA256 | 41e434c1226069b23c8a8ff1960762d5a216892b3a3b8c338ff9648585bca0da |
| SHA512 | f0f6627a3117a5bcfb1443548791d46d6a763aba50336aeb8006c0160098e8321c8f3937b08384a3fe1691d31710442f07ab8abd4c4cb6830d4ff95509f2fab5 |
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-06 00:56
Reported
2025-01-06 00:59
Platform
win10v2004-20241007-en
Max time kernel
147s
Max time network
151s
Command Line
Signatures
RevengeRAT
Revengerat family
RevengeRat Executable
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0515e47f61a95f9847545a75b876a2d5.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IExploer.exe | C:\Users\Admin\AppData\Roaming\IExploer.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IExploer.exe | C:\Users\Admin\AppData\Roaming\IExploer.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\IExploer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\IExploer.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IExploer = "C:\\Users\\Admin\\AppData\\Roaming\\IExploer.exe" | C:\Users\Admin\AppData\Roaming\IExploer.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\IExploer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0515e47f61a95f9847545a75b876a2d5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\IExploer.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0515e47f61a95f9847545a75b876a2d5.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\IExploer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0515e47f61a95f9847545a75b876a2d5.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0515e47f61a95f9847545a75b876a2d5.exe"
C:\Users\Admin\AppData\Roaming\IExploer.exe
"C:\Users\Admin\AppData\Roaming\IExploer.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "IExploer" /tr "C:\Users\Admin\AppData\Roaming\IExploer.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1dmapvuw\1dmapvuw.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2987.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc999472547E04853931C1655F548D0.TMP"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lf2rq4ds\lf2rq4ds.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2A14.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1A573807C1C14D75AEAAC8357A26B6A.TMP"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\owr2nf43\owr2nf43.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2AA0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA13DC5B6423C4998A749A8A63745F4.TMP"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\q0m1vpqs\q0m1vpqs.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2B1D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2B7769D2734C4DE293A2253C6FA93676.TMP"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pmpnmy15\pmpnmy15.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2B9A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc87FB5AA5B27444F59DF645CC7C151D48.TMP"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zhxs4pai\zhxs4pai.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2C56.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAF8BA6463E044F76B75378107BC99D92.TMP"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cow2g12e\cow2g12e.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2CD3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9A11A2C5804D43C496C0AB4BE3DE9315.TMP"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ptli04q5\ptli04q5.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2D5F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc988282C3759746F9ADD7BD82BB3D3650.TMP"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uoo3dk13\uoo3dk13.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2DCD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA78101168F2842EBA82D7CDFBBC2A8DD.TMP"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\g2acv1fh\g2acv1fh.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2E59.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF3EF6F946B81438DA94CC3C5D3EBC2.TMP"
C:\Users\Admin\AppData\Roaming\IExploer.exe
C:\Users\Admin\AppData\Roaming\IExploer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | morello238.ddns.net | udp |
| US | 8.8.8.8:53 | morello238.ddns.net | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | morello238.ddns.net | udp |
| US | 8.8.8.8:53 | 86.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | morello238.ddns.net | udp |
| US | 8.8.8.8:53 | morello238.ddns.net | udp |
| US | 8.8.8.8:53 | morello238.ddns.net | udp |
| US | 8.8.8.8:53 | morello238.ddns.net | udp |
| US | 8.8.8.8:53 | 22.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | morello238.ddns.net | udp |
| US | 8.8.8.8:53 | morello238.ddns.net | udp |
| US | 8.8.8.8:53 | morello238.ddns.net | udp |
| US | 8.8.8.8:53 | morello238.ddns.net | udp |
| US | 8.8.8.8:53 | morello238.ddns.net | udp |
| US | 8.8.8.8:53 | morello238.ddns.net | udp |
| US | 8.8.8.8:53 | morello238.ddns.net | udp |
| US | 8.8.8.8:53 | morello238.ddns.net | udp |
| US | 8.8.8.8:53 | morello238.ddns.net | udp |
| US | 8.8.8.8:53 | morello238.ddns.net | udp |
| US | 8.8.8.8:53 | morello238.ddns.net | udp |
| US | 8.8.8.8:53 | morello238.ddns.net | udp |
| US | 8.8.8.8:53 | morello238.ddns.net | udp |
Files
memory/2708-0-0x000000007535E000-0x000000007535F000-memory.dmp
memory/2708-1-0x00000000009B0000-0x00000000009D4000-memory.dmp
memory/2708-2-0x00000000010A0000-0x00000000010A6000-memory.dmp
memory/2708-3-0x0000000075350000-0x0000000075B00000-memory.dmp
memory/2708-4-0x000000007535E000-0x000000007535F000-memory.dmp
memory/2708-5-0x0000000075350000-0x0000000075B00000-memory.dmp
memory/2708-6-0x000000000AA90000-0x000000000AB2C000-memory.dmp
memory/2708-7-0x00000000010B0000-0x00000000010C6000-memory.dmp
memory/2708-8-0x000000000B0E0000-0x000000000B684000-memory.dmp
memory/2708-9-0x0000000005380000-0x00000000053E6000-memory.dmp
C:\Users\Admin\AppData\Roaming\IExploer.exe
| MD5 | 0515e47f61a95f9847545a75b876a2d5 |
| SHA1 | 5ac29a22ca50833014fe050a9287d0ceb47604b3 |
| SHA256 | faaf7582d93e929167cf114573d910f51bfea4afaa8bf0314add2bda61806f05 |
| SHA512 | 765cc4b27bfa50923f32fe16038ffc603aec6df04b4a3687b4f28102198a432af33a26e1d864340592f1e206db8f18f7f3a9923d62df7e09d6a8a0f66cf14483 |
memory/3800-21-0x0000000075350000-0x0000000075B00000-memory.dmp
memory/2708-23-0x0000000075350000-0x0000000075B00000-memory.dmp
memory/3800-24-0x0000000075350000-0x0000000075B00000-memory.dmp
memory/3800-25-0x0000000075350000-0x0000000075B00000-memory.dmp
memory/3800-26-0x0000000002D80000-0x0000000002D96000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1dmapvuw\1dmapvuw.cmdline
| MD5 | 0564648e8098537c660ec47947667f07 |
| SHA1 | b727963e9bbee912a0dd3048c5b57f3ff5b965a5 |
| SHA256 | df2eaeb02a6eb7abb6349e63de65a0436d198e58acec0580df5d9f9b81720781 |
| SHA512 | 61b6b62084863b1ddef46191bf6979a1e2abe6d218e87680698489b7326c590c66182264122ff9dfe0e0d9434246c31ec4536bdf48fe386242b7a53ec59fec0f |
C:\Users\Admin\AppData\Local\Temp\1dmapvuw\1dmapvuw.0.vb
| MD5 | 38dbc4ca76e82ddf244df032aa6ac614 |
| SHA1 | 10691c5e41281e06b85423a023ca24c1ba084e18 |
| SHA256 | 0381ad144884bd9880c264f34467813a1a1b5ea7ab62c0cb3b82481bf2baa1f9 |
| SHA512 | 0aad470787c0aaf54d456446b7a4420b4e672b814ef94c5dc3316e9f7fdafc2aacd645c28c810f0f94295565f6456fd2b124e4ec72671689bd3af20b456811d9 |
C:\Users\Admin\AppData\Local\Temp\vbc999472547E04853931C1655F548D0.TMP
| MD5 | 32060b25f1b853322f55b00e646349eb |
| SHA1 | 3f48939a11387738bbdaaecf03302bf210653b11 |
| SHA256 | 49e5606fb65b14e33097ca86115ea6c55061517334188958984941a116189d6c |
| SHA512 | db81b28d76f9469e07c1f91c2557acb7109a5c35f35ecd29d41df61e18b934bf36a3569f01aa2d3dc649e54537669d6d7ba492ed25bd4596d04cd0d714e20d4d |
C:\Users\Admin\AppData\Local\Temp\RES2987.tmp
| MD5 | 0843ddcca603783db36238bb60329300 |
| SHA1 | db6fe40e1eec6b16c29355508973c53e9b03286c |
| SHA256 | 2f1c211c87c3f6c8df3039cb011bed255f77887481976102486124b6c74516bd |
| SHA512 | 408fd16e1816d28269874536a5c20a44acb63662ad12158b1b16c50d8c756214676076de7deaccbf7246b4f6289116d41523c1df51a383a1b1f723e18458e139 |
C:\Users\Admin\AppData\Local\Temp\lf2rq4ds\lf2rq4ds.cmdline
| MD5 | 38b14a56db98f1d5f67322184a7f5e0f |
| SHA1 | d34e409d442eb3a4c75c70d96d2a466b03c82caf |
| SHA256 | 228a7c776562c7eefbd2011d436ad42d448fd6c28dfd7ed7939b35e77418759f |
| SHA512 | f05ce0dd5347ffe5d78014b901c2feff16997cb1d967342934a58207add4e46358a14cc9aa28b1bfea266b45c7e13e99bad0d8f802be2bbb68696b62aa1348f6 |
C:\Users\Admin\AppData\Local\Temp\lf2rq4ds\lf2rq4ds.0.vb
| MD5 | 48761fd7996409ad7ba9d662c66b11a1 |
| SHA1 | 85e4ef1d815bd99b31ee2d3080cbe27ad39d3c5e |
| SHA256 | b34b5f89b536c1c01ca4604fc6b6c03b31f3431be9af583c005a59c080bc4b6f |
| SHA512 | d97c993ecd2afa300ae0c1672984d6bc1772a89208737281182bbeba4694d989f5e2486c9972abe6ee8b01c5e9dbdd9146d7b6531a82786b4b05612ba1d0d2a5 |
C:\Users\Admin\AppData\Local\Temp\vbc1A573807C1C14D75AEAAC8357A26B6A.TMP
| MD5 | efa86d1097e3356b4f7173a380c71c68 |
| SHA1 | f5940b67a6a5f561ff6454929eff2fb03df8b382 |
| SHA256 | 8ccd957c9cf2aa677ee3e872feaa327cba85201d1066ba2c702d0b103bff1b67 |
| SHA512 | c409a703465f22a2094381be7a5ec066a487cb42c043fefe15f0654f6820e6fc7047786d257da754f20b9cdc4a9f5bb07d6691492d8d30800c6bad607a15b354 |
C:\Users\Admin\AppData\Local\Temp\RES2A14.tmp
| MD5 | 07386e70caffe2c47b141626dcce1380 |
| SHA1 | 55bd153c2a063238cb32f4abcf65f78e409a3e7c |
| SHA256 | 642bbeeb1a32744bbe072ea763c82e0ab97e2f185f8ba0f1c4338d590f736281 |
| SHA512 | 1c51e2ae671daba6312523c559fa792604cfe1bc3690268782f06d5d2dcdddcd2a0d815aaedbaecd0e255018a3609d54a2b89fbf023893d8f6bb5d2ae83083ba |
C:\Users\Admin\AppData\Local\Temp\owr2nf43\owr2nf43.cmdline
| MD5 | 7d11bfec45533ae83420cab58fab5eb2 |
| SHA1 | 4d4bd7a517f46da5653fd8a4f085d241896dfe51 |
| SHA256 | 137d6f1d5e051d53b198442a04db9aac42e7761478f493a298f554c495028b6c |
| SHA512 | 05cf9206cdb07c4fd4f51ea348c74c38f4658ecda447c4eb261176653e01d20256ecd2a9f481c69cdc99235ff16377c15424702e53ac657806f46c703c07f1f2 |
C:\Users\Admin\AppData\Local\Temp\owr2nf43\owr2nf43.0.vb
| MD5 | 496f2570e4b0140bea4afccee7c6d9c9 |
| SHA1 | e498334997ef90c3ed30b7f843bf19308294502f |
| SHA256 | 4f2e6fc6fd4e5f9ebb2f7c40af2ea22296afc6b598ace3d63408b520860a3987 |
| SHA512 | 7c6c2ec4ba1b39c11039c5059e84138d12442b2e4cf320b0c661722d7b9299c0428cd7cf5be653d03e08d474793603719be3e19ec06df37736fb874b25f1e152 |
C:\Users\Admin\AppData\Local\Temp\vbcA13DC5B6423C4998A749A8A63745F4.TMP
| MD5 | 369b17d06cfd628bfe04b3f677d21526 |
| SHA1 | b9d23c0dc5467f73fe2331eb584bd0c40b129d0e |
| SHA256 | e95b4b80f5fad8e923641d423ecb96b591a208f2f898846cd9ef107e2cd7c2e7 |
| SHA512 | 00826786585653c66a434589d0e231c9f37f055b642867faa2ca8cd735a138b5d38eeddf985d268b822cbdc29916f5993fde5bb1b7ef9395710d75f1d49230bd |
C:\Users\Admin\AppData\Local\Temp\RES2AA0.tmp
| MD5 | 7f48f900a147a69fd55b4bdd13c91a75 |
| SHA1 | 6c1c4d926f3a2232183c13d90b4ed5c617c076bf |
| SHA256 | 4bafa1730c76fe5be8c9e5ccd54e9114d1e18c977c22131d3e6d384b1a10a885 |
| SHA512 | 83ba8a532e407ffeb980f7a589cc8801d66c7921807a498de49fcd843fe665e6c46913e313be0516b6ef86bbb351a0c3271d1e48a4c6ed7fb5b0c42dd89658de |
C:\Users\Admin\AppData\Local\Temp\q0m1vpqs\q0m1vpqs.cmdline
| MD5 | fcc7c9c196a3d18c538c8f966ef19aa9 |
| SHA1 | fe01589b82f7440553f4e62fccd0f6cf02c06520 |
| SHA256 | 2188e4a6cbd16fa57aa0281f5d175cf6b591313cc8c432d7934d70e73bea8834 |
| SHA512 | 57aaa024289d87ac5ca0bf31bca5f2a9e8b783c91285833ccf75ca4c82a967c39abddc9319f3e04d8f84f80749208119d12842bb99e4ff9ef54d4ae786aa6133 |
C:\Users\Admin\AppData\Local\Temp\q0m1vpqs\q0m1vpqs.0.vb
| MD5 | 56c0de9c4774ac5f1a5c7958e9787945 |
| SHA1 | cccb25583894e124c2208577b904fcadead6d729 |
| SHA256 | 78adb3f06dbe3b39e5d5e1726696e7545216b6cc991db05d6f9a3493f7dd1edc |
| SHA512 | 3d0cc984bc9e708a7e48db90e7d76113041bd3bf840bd75f5c90e3f2dd3d646085ffd5b8fa5a9c47c7ff3b6c99a87af57b22eeccd631154dced49d32d82fbffc |
C:\Users\Admin\AppData\Local\Temp\RES2B1D.tmp
| MD5 | 70a270e687e05831f95bb474dd68c954 |
| SHA1 | 3e87077daff88f57ec2e56ffb6e98c34728ca829 |
| SHA256 | a2a0c904fed58782175c251c1d09bcb3762f8df933074d142210c9c6297a2417 |
| SHA512 | 0c78d0d59e6b3160811b51fd349605b134a4863b00b2f5553f6a6c2ec12ddab4dd069d4f59762a85ca3d556bfda6c26e067929aa4f14ce80d7a5347e1fddd36a |
C:\Users\Admin\AppData\Local\Temp\pmpnmy15\pmpnmy15.cmdline
| MD5 | 247743599a15e3b36f7416f56617b09d |
| SHA1 | 0d67fa124198e836ec155085b261f1b216db4c5e |
| SHA256 | 3e9537051b0f0905e5a5fed54ac45f8854e062070aa536d82e06140ae9fa7f27 |
| SHA512 | 4642ff4999038349fa00140bd7b626243e6ac25c6e8cf8b4f0e48ffe8144862b873403b0b6f2128e393cfc6e26529012326e3eef777eb44674112619d52414b3 |
C:\Users\Admin\AppData\Local\Temp\pmpnmy15\pmpnmy15.0.vb
| MD5 | c93b22a4d581838b655288b8323fd2f0 |
| SHA1 | 459f13d24417453d2d52fc2b392743e7eb093aa1 |
| SHA256 | 2e92fbafb930ff1a853156b4cd190853bc16c606ca8a8b6775adb634e3274deb |
| SHA512 | ae1e31d23796cff336d80340abd81c35a3d6ee5aa27485783dd822885273b07477ca0390fc62c526f45ba633e6876ee63f603ff2d5846a60b2a6f6c52cf6e7df |
C:\Users\Admin\AppData\Local\Temp\RES2B9A.tmp
| MD5 | aa4e0cf02c19a966b77ffe8398382aca |
| SHA1 | 0fee0b5d080c16e4af74d3aaa557e108fd01ea7b |
| SHA256 | 0e3fbd38bf06cecff66fa82a402c5ecede0ca5068578f23180a15250b8d0a73d |
| SHA512 | b2fead35a6b38b011d4769c2349de884f848e9cb79ac2ad98385643343df17a3f8ea5e3b0e2d84b497846e78f513d1bcdfba79096386f0ac3237af609c31588c |
C:\Users\Admin\AppData\Local\Temp\zhxs4pai\zhxs4pai.cmdline
| MD5 | 06991807dfe047f1343ebe3a241224a5 |
| SHA1 | 3afb7aa88861fc37977534198e3af2ec7daf61b2 |
| SHA256 | 1e705f9a61edf2b1171a0e6c074f2af2639862349c665421600271e3a3e6a7a0 |
| SHA512 | 3a745b4e516e47c73de35257cb29356291b872d951c865bb46e712a958ff235e6ec11c3ef740ba836d0e6fa6e0fe2f814e944c70b637f80bcf5f1fe381710d91 |
C:\Users\Admin\AppData\Local\Temp\zhxs4pai\zhxs4pai.0.vb
| MD5 | fd696a66111590060e88ef6e836e2859 |
| SHA1 | 1b26c0e1c28aac0b68132693f0980c5f25dc5900 |
| SHA256 | 15c3515777f353c39c64cc969f1e01c57045903930bddb92fd79dbd14d188ffb |
| SHA512 | c15c0b93a5a002ea6db1b7c83869c747617b838e2f76fdb11d574653118ac6fbcbf0ed7960da70269e0293fd248a2299b240b1955da7e955b4844ac10085e6f8 |
C:\Users\Admin\AppData\Local\Temp\RES2C56.tmp
| MD5 | 9441995c54a8dd6caba9666b3a16c04c |
| SHA1 | 7d604933c0917621e8a9f364a77a8a01a82856b9 |
| SHA256 | 7b9a98baf3a1382c46b670993af2f10fbe11c01e8aed8d2318330d8d574b23ac |
| SHA512 | b8553850bacf071cad906d51414307237770f0d5e81c6a7470dee84e81186b67eff58a81fcd823144ab61f9e3136826e6cba87ab1bb229f0127715428100aa57 |
C:\Users\Admin\AppData\Local\Temp\cow2g12e\cow2g12e.cmdline
| MD5 | 59d43a2cd2298df22ad47132f95959c9 |
| SHA1 | 93fe16347a79a8b95fd9cd6a1021a8c03fba42c1 |
| SHA256 | eec2e756a7e4c75ad0106ce9388994788e04e44c8255cd37e9281399c6758536 |
| SHA512 | 8b4698c16e85f272862c71563b6cac821d1cac3ab6126d6b62a4ecb3fc9b0863c5a008c375282e2a821784749f5720b21c331583ee1fb36ded0b8240ca6a08b6 |
C:\Users\Admin\AppData\Local\Temp\cow2g12e\cow2g12e.0.vb
| MD5 | fd15db08477ef28ef9e28f42d8a3f9e4 |
| SHA1 | 500ce5b0507ed8e5e37ec32f9ee7b92e53f338ca |
| SHA256 | e9559b091d6ea8b7a5e35e14c3b715eec1ba8c566356755c6946592b1adc4f0c |
| SHA512 | c2c3c170a9007178d7257441a4e70a946f04a13c2825a733570429499e1a83d74e7d54f1266b059bc333a3290e4731da2ae1e759232ffa24358e87510e61f92c |
C:\Users\Admin\AppData\Local\Temp\vbc9A11A2C5804D43C496C0AB4BE3DE9315.TMP
| MD5 | 24218d2d116d5c470e34a5da0f5ee7c3 |
| SHA1 | b6546a2bdb8ce0b664100214b63371cc75187132 |
| SHA256 | 0604323dfcee505a3199d0029fbbd0ae4768a59dc14ca8fc75b6ea3b3c850063 |
| SHA512 | 7c08cd603e78c633c8e9eba12094d92d32238b565caa15b96f7d554eae67e4556aba9aaad544e0eb5803519428c8987a404b4a680917be4e00ae82a9d8e7cc6e |
C:\Users\Admin\AppData\Local\Temp\RES2CD3.tmp
| MD5 | 8d04b20d8aa3649309f5cc3dbff6fa7c |
| SHA1 | c6502b550e0dd1f88be2c48eb6016f140bf6e21a |
| SHA256 | 557f834e0c1cf2e39b6a24c4f6382ca9b8615b0a1927fd5ce5c0b1bd9bf83531 |
| SHA512 | 81ba22a7369aa92735a54118f1affd9efc0542617dc5b082b09570e9198f8dbc0d4d330f12164558d226c8d5d4dc848f174eff57e67941bb8351541d12fe0c60 |
C:\Users\Admin\AppData\Local\Temp\ptli04q5\ptli04q5.cmdline
| MD5 | e50ec7a70dc55664b349ffa9bf2f6e57 |
| SHA1 | 6e5d9316c26f894d582b3920d2b3e3f1b7aaed51 |
| SHA256 | aef67a29cc30c97493f209711865291b12b1176b36160db64e6d286c6e79a80e |
| SHA512 | 0e6de9226f444e19f1c794f961b10443fabcefb2ca508941716fe860f74af598b7700b8827966c2b305f1efe153026ac2e3e5de855e41c7311a65acf49d75e8c |
C:\Users\Admin\AppData\Local\Temp\ptli04q5\ptli04q5.0.vb
| MD5 | e4a81f91139eceb4961c9a691825d976 |
| SHA1 | cf8deb4a997e8dcf89098934105585bc9011ea4f |
| SHA256 | da7a460fbdb983421efce82f05ad69d2859b9ad1fafa7526a25c2ed7a5c2027d |
| SHA512 | b70e7f8e1736e104229bf4b84434e0dfe17f9d8300039f2cd501582bbe7d83fd33a96d2012438073fb6126817a8dc863f788911992073fcc46d8d5eaa3f4f3c7 |
C:\Users\Admin\AppData\Local\Temp\RES2D5F.tmp
| MD5 | 89710dbba03325f057cb08d3866eb57b |
| SHA1 | f99c5936a891fe1f97f51f223e76f7f00d20a229 |
| SHA256 | 633f9cc61c4a5165edab5fd92bd184ddc13b549e069229fe8e5450d5cc963f1f |
| SHA512 | 98aaa27ffd2e6cb52241a3d44a0c3288146c4064165dbf62a8d79d8879ad5e82b5df38d60e9155b5b75835c2b25f9b6b318a55dbc5bfeff0b25c46f2270ad4e7 |
C:\Users\Admin\AppData\Local\Temp\uoo3dk13\uoo3dk13.cmdline
| MD5 | c3d980ab4e4ac10a2dba244166224138 |
| SHA1 | 5e88f70853bbaec33b89529251f422614b5b7839 |
| SHA256 | 7d324733fd2a0b92ae63baf084f9445fa6a33653c3cf741ba09c7280821a2d99 |
| SHA512 | d8819d0ac0f092903c2200b54b6c0b76ec6b39a9df2399567a78210878b0abf8271ee1833bd5d030c9e6a119699f5a4cec7be3312252d657a97c30a63ba2fab8 |
C:\Users\Admin\AppData\Local\Temp\uoo3dk13\uoo3dk13.0.vb
| MD5 | 6a8ebfe0dedfe1ad4ed8e6dec0ee501a |
| SHA1 | 0fe1f3ed1cd5326da2c0c7d92f8f7db50a83abe2 |
| SHA256 | a690c6e275b56ea1332fa6188838520047f086be4b0fe9149aa46e90b43b58fb |
| SHA512 | 6f9bbf862b834fd28372caf234919378a2cf4c5125a624e2cb52fbdfb105c54ff9ef89849f0a8ba8fe11b9daf161ba464d17016ffbd327da837b300a55f9d684 |
C:\Users\Admin\AppData\Local\Temp\RES2DCD.tmp
| MD5 | fc2918a4335a9674b0c0762d9817db45 |
| SHA1 | 1f6d49eb69ef6b1fa39067c39f4bb6828ecc49ad |
| SHA256 | 1d9d7502a86f6e56f51ca03848bbb31fa1388cc736158e461153f0b92eae88c8 |
| SHA512 | 9f1812c0859a1e868a3be427c0b5c23c1b02509f67f737fd22d5d082e7af9c0115aea53bb96bec45b28c3df76d2b8a0769d68df9057ea48ba2afcde4fed314be |
C:\Users\Admin\AppData\Local\Temp\g2acv1fh\g2acv1fh.cmdline
| MD5 | 258080497e3b327a28232b894cbf69ac |
| SHA1 | 65ea722a63320b732f9d33c5a978d8ba7297afb6 |
| SHA256 | 4760efed61e4a7f8f3a6cc312b67abc25e496d6fc567eea8071dff0b156d4393 |
| SHA512 | 508dc74be8de2365de25abe3ba293f0828f8d33e409c50fd4245d42178f00f8849313f6def2fefbf405e34b009c8867ee78114aadb14c395a425f8c6dbe82b9d |
C:\Users\Admin\AppData\Local\Temp\g2acv1fh\g2acv1fh.0.vb
| MD5 | 752ff9ad1e0d1ef8019b4effd2ce4104 |
| SHA1 | 4e89f5b89854405bf14ca3aeff93808d0f6886ff |
| SHA256 | ccc200f18d6056f21ae10555e9e33d0a33392018a36cf79ba452c1f1d0e82b61 |
| SHA512 | 92b3aca78e7e64bd513d361a5cf8a8d6af10b293412cb6aaf77bc30fd3b68ca52bfac97fd765ba37170a89414ded3fbbe33193636490a6ccc9a72523932b7c43 |
C:\Users\Admin\AppData\Local\Temp\vbcF3EF6F946B81438DA94CC3C5D3EBC2.TMP
| MD5 | d7d9f8d1ac18d21666caab1c2340838a |
| SHA1 | a33791468a096f2ecd0b9d46a3550879ddb20b6b |
| SHA256 | 5131ea59abf4dc33da21ae8a0fa4302960428d430b974368bb294c50cf92d6ce |
| SHA512 | 2e4736a5e5635d5769fe1087add8fe3ec73286778485708882c3c98ab03b7b8b6e418b311218f093dc7946d1a5309a2738c08a6418dfc60e6c75406a14700f10 |
C:\Users\Admin\AppData\Local\Temp\RES2E59.tmp
| MD5 | 7a1083d73d5cc46bad7e589a283f8e58 |
| SHA1 | 312b344bc80872cad23556547fc5265643e955c9 |
| SHA256 | dbc9e186dde3cc8f6381ad7275d3c08871e971961740349690424bd5169e7708 |
| SHA512 | 65af097b5124d09bcac8f0fb70e364f33fd247bea55a4441af73d50dca44253863257f764bf63822d8c53cb4b5f952b642c43c81db0444c92e0f6f9a8c3a3281 |