Malware Analysis Report

2025-04-14 05:10

Sample ID: 250106-bannca1jgv
Target: JaffaCakes118_0515e47f61a95f9847545a75b876a2d5
SHA256: faaf7582d93e929167cf114573d910f51bfea4afaa8bf0314add2bda61806f05
Tags: revengerat discovery persistence stealer trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: faaf7582d93e929167cf114573d910f51bfea4afaa8bf0314add2bda61806f05

Threat Level: Known bad

The file JaffaCakes118_0515e47f61a95f9847545a75b876a2d5 was found to be: Known bad.

Malicious Activity Summary

revengerat discovery persistence stealer trojan

RevengeRAT

Revengerat family

RevengeRat Executable

Loads dropped DLL

Uses the VBS compiler for execution

Drops startup file

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2025-01-06 00:56

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2025-01-06 00:56

Reported: 2025-01-06 00:59

Platform: win7-20241010-en

Max time kernel: 148s

Max time network: 124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0515e47f61a95f9847545a75b876a2d5.exe"

Signatures

RevengeRAT

trojan revengerat

Revengerat family

revengerat

RevengeRat Executable

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IExploer.exe C:\Users\Admin\AppData\Roaming\IExploer.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IExploer.exe C:\Users\Admin\AppData\Roaming\IExploer.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\IExploer.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\IExploer.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0515e47f61a95f9847545a75b876a2d5.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\IExploer = "C:\\Users\\Admin\\AppData\\Roaming\\IExploer.exe" C:\Users\Admin\AppData\Roaming\IExploer.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target Count
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A 10
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\IExploer.exe N/A 2
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A 10
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A 1
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0515e47f61a95f9847545a75b876a2d5.exe N/A 1

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0515e47f61a95f9847545a75b876a2d5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\IExploer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 2188 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0515e47f61a95f9847545a75b876a2d5.exe C:\Users\Admin\AppData\Roaming\IExploer.exe 4
PID 2936 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Roaming\IExploer.exe C:\Windows\SysWOW64\schtasks.exe 4
PID 2936 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Roaming\IExploer.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe 4
PID 2988 wrote to memory of 836 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe 4
PID 2936 wrote to memory of 612 N/A C:\Users\Admin\AppData\Roaming\IExploer.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe 4
PID 612 wrote to memory of 1696 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe 4
PID 2936 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Roaming\IExploer.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe 4
PID 2484 wrote to memory of 1700 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe 4
PID 2936 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Roaming\IExploer.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe 4
PID 3032 wrote to memory of 1752 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe 4
PID 2936 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Roaming\IExploer.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe 4
PID 2328 wrote to memory of 2036 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe 4
PID 2936 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Roaming\IExploer.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe 4
PID 1432 wrote to memory of 1100 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe 4
PID 2936 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Roaming\IExploer.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe 4
PID 2312 wrote to memory of 784 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe 4

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0515e47f61a95f9847545a75b876a2d5.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0515e47f61a95f9847545a75b876a2d5.exe"

C:\Users\Admin\AppData\Roaming\IExploer.exe

"C:\Users\Admin\AppData\Roaming\IExploer.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "IExploer" /tr "C:\Users\Admin\AppData\Roaming\IExploer.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\irxo0jva\irxo0jva.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES89A9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDA9F63C8D0904BA6B8B9F4FBD94E15A.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yy0v2dq5\yy0v2dq5.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8B01.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5B494F4D3D2845588BB3C88851F19C73.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\avssadbn\avssadbn.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8C77.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7C23E33CA8D94CC7886EA89793E3A5D.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xcval2xa\xcval2xa.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8DAF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc54854D16818843408A1BBCBAFBB964BB.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ygvhnmc1\ygvhnmc1.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8F06.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc55EB9E97E90E47788EF770228FCF2F1F.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1pt1rwxy\1pt1rwxy.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES902F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6D7AF3E83F8C47BEA72FCE5BE976725.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lf1isl0k\lf1isl0k.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES91A5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCC7BD2EDAB434262B5E8C5A3F9453712.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\araz30og\araz30og.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES92CD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD78598B75FFA49DFBE7842D3C325E3F9.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hiyuhymu\hiyuhymu.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES93F6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEBFE942D3BB457F90C9945C9242C4BF.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\egwonkqf\egwonkqf.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES951E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCA41FB607E174BCE88B757CB3C30E6FF.TMP"

C:\Windows\system32\taskeng.exe

taskeng.exe {7D3DBFE6-5A9A-4375-BA4B-897514DD4680} S-1-5-21-3692679935-4019334568-335155002-1000:BCXRJFKE\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\IExploer.exe

C:\Users\Admin\AppData\Roaming\IExploer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 morello238.ddns.net udp

Files


C:\Users\Admin\AppData\Local\Temp\egwonkqf\egwonkqf.cmdline

MD5 a6d387d3a75bde8b6fd71a1870d05996
SHA1 160d4d7a1f1bdc74210d6795b8e4be595a8ab1d7
SHA256 c7a701ac1e49ba497e0b3fc2024f81def0ed0fcbd012a92b03b4a82fd81f82c8
SHA512 926a8a7053149dbb1d73f5db8c19d391451e528cc472c68fa86efffc14a24ab374223a95893b8f1d23278117a728d83a16ece2fb24dc37680b2ea40241c4885a

C:\Users\Admin\AppData\Local\Temp\egwonkqf\egwonkqf.0.vb

MD5 752ff9ad1e0d1ef8019b4effd2ce4104
SHA1 4e89f5b89854405bf14ca3aeff93808d0f6886ff
SHA256 ccc200f18d6056f21ae10555e9e33d0a33392018a36cf79ba452c1f1d0e82b61
SHA512 92b3aca78e7e64bd513d361a5cf8a8d6af10b293412cb6aaf77bc30fd3b68ca52bfac97fd765ba37170a89414ded3fbbe33193636490a6ccc9a72523932b7c43

C:\Users\Admin\AppData\Local\Temp\vbcCA41FB607E174BCE88B757CB3C30E6FF.TMP

MD5 d7d9f8d1ac18d21666caab1c2340838a
SHA1 a33791468a096f2ecd0b9d46a3550879ddb20b6b
SHA256 5131ea59abf4dc33da21ae8a0fa4302960428d430b974368bb294c50cf92d6ce
SHA512 2e4736a5e5635d5769fe1087add8fe3ec73286778485708882c3c98ab03b7b8b6e418b311218f093dc7946d1a5309a2738c08a6418dfc60e6c75406a14700f10

C:\Users\Admin\AppData\Local\Temp\RES951E.tmp

MD5 8d1b9725dbf5d1a95cdd04689cc53eab
SHA1 06d0afa0e9f63688ffc4638b9166e2dc6022c045
SHA256 41e434c1226069b23c8a8ff1960762d5a216892b3a3b8c338ff9648585bca0da
SHA512 f0f6627a3117a5bcfb1443548791d46d6a763aba50336aeb8006c0160098e8321c8f3937b08384a3fe1691d31710442f07ab8abd4c4cb6830d4ff95509f2fab5

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-06 00:56

Reported

2025-01-06 00:59

Platform

win10v2004-20241007-en

Max time kernel

147s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0515e47f61a95f9847545a75b876a2d5.exe"

Signatures

RevengeRAT

trojan revengerat

Revengerat family

revengerat

RevengeRat Executable

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0515e47f61a95f9847545a75b876a2d5.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IExploer.exe C:\Users\Admin\AppData\Roaming\IExploer.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IExploer.exe C:\Users\Admin\AppData\Roaming\IExploer.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\IExploer.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\IExploer.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IExploer = "C:\\Users\\Admin\\AppData\\Roaming\\IExploer.exe" C:\Users\Admin\AppData\Roaming\IExploer.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\IExploer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0515e47f61a95f9847545a75b876a2d5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\IExploer.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0515e47f61a95f9847545a75b876a2d5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\IExploer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2708 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0515e47f61a95f9847545a75b876a2d5.exe C:\Users\Admin\AppData\Roaming\IExploer.exe
PID 2708 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0515e47f61a95f9847545a75b876a2d5.exe C:\Users\Admin\AppData\Roaming\IExploer.exe
PID 2708 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0515e47f61a95f9847545a75b876a2d5.exe C:\Users\Admin\AppData\Roaming\IExploer.exe
PID 3800 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Roaming\IExploer.exe C:\Windows\SysWOW64\schtasks.exe
PID 3800 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Roaming\IExploer.exe C:\Windows\SysWOW64\schtasks.exe
PID 3800 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Roaming\IExploer.exe C:\Windows\SysWOW64\schtasks.exe
PID 3800 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Roaming\IExploer.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 3800 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Roaming\IExploer.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 3800 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Roaming\IExploer.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 4612 wrote to memory of 5064 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4612 wrote to memory of 5064 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4612 wrote to memory of 5064 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3800 wrote to memory of 3832 N/A C:\Users\Admin\AppData\Roaming\IExploer.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 3800 wrote to memory of 3832 N/A C:\Users\Admin\AppData\Roaming\IExploer.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 3800 wrote to memory of 3832 N/A C:\Users\Admin\AppData\Roaming\IExploer.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 3832 wrote to memory of 4424 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3832 wrote to memory of 4424 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3832 wrote to memory of 4424 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3800 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Roaming\IExploer.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 3800 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Roaming\IExploer.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 3800 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Roaming\IExploer.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 1912 wrote to memory of 4452 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1912 wrote to memory of 4452 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1912 wrote to memory of 4452 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3800 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Roaming\IExploer.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 3800 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Roaming\IExploer.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 3800 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Roaming\IExploer.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 3020 wrote to memory of 3760 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3020 wrote to memory of 3760 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3020 wrote to memory of 3760 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3800 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Roaming\IExploer.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 3800 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Roaming\IExploer.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 3800 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Roaming\IExploer.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2280 wrote to memory of 2752 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2280 wrote to memory of 2752 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2280 wrote to memory of 2752 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3800 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Roaming\IExploer.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 3800 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Roaming\IExploer.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 3800 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Roaming\IExploer.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 3124 wrote to memory of 3576 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3124 wrote to memory of 3576 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3124 wrote to memory of 3576 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3800 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Roaming\IExploer.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 3800 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Roaming\IExploer.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 3800 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Roaming\IExploer.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 1972 wrote to memory of 1644 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1972 wrote to memory of 1644 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1972 wrote to memory of 1644 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3800 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Roaming\IExploer.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 3800 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Roaming\IExploer.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 3800 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Roaming\IExploer.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 1196 wrote to memory of 3668 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1196 wrote to memory of 3668 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1196 wrote to memory of 3668 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3800 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Roaming\IExploer.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 3800 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Roaming\IExploer.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 3800 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Roaming\IExploer.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 3536 wrote to memory of 3724 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3536 wrote to memory of 3724 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3536 wrote to memory of 3724 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3800 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Roaming\IExploer.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 3800 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Roaming\IExploer.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 3800 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Roaming\IExploer.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 5080 wrote to memory of 3784 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0515e47f61a95f9847545a75b876a2d5.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0515e47f61a95f9847545a75b876a2d5.exe"

C:\Users\Admin\AppData\Roaming\IExploer.exe

"C:\Users\Admin\AppData\Roaming\IExploer.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "IExploer" /tr "C:\Users\Admin\AppData\Roaming\IExploer.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1dmapvuw\1dmapvuw.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2987.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc999472547E04853931C1655F548D0.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lf2rq4ds\lf2rq4ds.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2A14.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1A573807C1C14D75AEAAC8357A26B6A.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\owr2nf43\owr2nf43.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2AA0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA13DC5B6423C4998A749A8A63745F4.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\q0m1vpqs\q0m1vpqs.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2B1D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2B7769D2734C4DE293A2253C6FA93676.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pmpnmy15\pmpnmy15.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2B9A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc87FB5AA5B27444F59DF645CC7C151D48.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zhxs4pai\zhxs4pai.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2C56.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAF8BA6463E044F76B75378107BC99D92.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cow2g12e\cow2g12e.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2CD3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9A11A2C5804D43C496C0AB4BE3DE9315.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ptli04q5\ptli04q5.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2D5F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc988282C3759746F9ADD7BD82BB3D3650.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uoo3dk13\uoo3dk13.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2DCD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA78101168F2842EBA82D7CDFBBC2A8DD.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\g2acv1fh\g2acv1fh.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2E59.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF3EF6F946B81438DA94CC3C5D3EBC2.TMP"

C:\Users\Admin\AppData\Roaming\IExploer.exe

C:\Users\Admin\AppData\Roaming\IExploer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 8.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 morello238.ddns.net udp
US 8.8.8.8:53 morello238.ddns.net udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 morello238.ddns.net udp
US 8.8.8.8:53 86.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 morello238.ddns.net udp
US 8.8.8.8:53 morello238.ddns.net udp
US 8.8.8.8:53 morello238.ddns.net udp
US 8.8.8.8:53 morello238.ddns.net udp
US 8.8.8.8:53 22.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 morello238.ddns.net udp
US 8.8.8.8:53 morello238.ddns.net udp
US 8.8.8.8:53 morello238.ddns.net udp
US 8.8.8.8:53 morello238.ddns.net udp
US 8.8.8.8:53 morello238.ddns.net udp
US 8.8.8.8:53 morello238.ddns.net udp
US 8.8.8.8:53 morello238.ddns.net udp
US 8.8.8.8:53 morello238.ddns.net udp
US 8.8.8.8:53 morello238.ddns.net udp
US 8.8.8.8:53 morello238.ddns.net udp
US 8.8.8.8:53 morello238.ddns.net udp
US 8.8.8.8:53 morello238.ddns.net udp
US 8.8.8.8:53 morello238.ddns.net udp

Files

memory/2708-0-0x000000007535E000-0x000000007535F000-memory.dmp

memory/2708-1-0x00000000009B0000-0x00000000009D4000-memory.dmp

memory/2708-2-0x00000000010A0000-0x00000000010A6000-memory.dmp

memory/2708-3-0x0000000075350000-0x0000000075B00000-memory.dmp

memory/2708-4-0x000000007535E000-0x000000007535F000-memory.dmp

memory/2708-5-0x0000000075350000-0x0000000075B00000-memory.dmp

memory/2708-6-0x000000000AA90000-0x000000000AB2C000-memory.dmp

memory/2708-7-0x00000000010B0000-0x00000000010C6000-memory.dmp

memory/2708-8-0x000000000B0E0000-0x000000000B684000-memory.dmp

memory/2708-9-0x0000000005380000-0x00000000053E6000-memory.dmp

C:\Users\Admin\AppData\Roaming\IExploer.exe

MD5 0515e47f61a95f9847545a75b876a2d5
SHA1 5ac29a22ca50833014fe050a9287d0ceb47604b3
SHA256 faaf7582d93e929167cf114573d910f51bfea4afaa8bf0314add2bda61806f05
SHA512 765cc4b27bfa50923f32fe16038ffc603aec6df04b4a3687b4f28102198a432af33a26e1d864340592f1e206db8f18f7f3a9923d62df7e09d6a8a0f66cf14483

memory/3800-21-0x0000000075350000-0x0000000075B00000-memory.dmp

memory/2708-23-0x0000000075350000-0x0000000075B00000-memory.dmp

memory/3800-24-0x0000000075350000-0x0000000075B00000-memory.dmp

memory/3800-25-0x0000000075350000-0x0000000075B00000-memory.dmp

memory/3800-26-0x0000000002D80000-0x0000000002D96000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1dmapvuw\1dmapvuw.cmdline

MD5 0564648e8098537c660ec47947667f07
SHA1 b727963e9bbee912a0dd3048c5b57f3ff5b965a5
SHA256 df2eaeb02a6eb7abb6349e63de65a0436d198e58acec0580df5d9f9b81720781
SHA512 61b6b62084863b1ddef46191bf6979a1e2abe6d218e87680698489b7326c590c66182264122ff9dfe0e0d9434246c31ec4536bdf48fe386242b7a53ec59fec0f

C:\Users\Admin\AppData\Local\Temp\1dmapvuw\1dmapvuw.0.vb

MD5 38dbc4ca76e82ddf244df032aa6ac614
SHA1 10691c5e41281e06b85423a023ca24c1ba084e18
SHA256 0381ad144884bd9880c264f34467813a1a1b5ea7ab62c0cb3b82481bf2baa1f9
SHA512 0aad470787c0aaf54d456446b7a4420b4e672b814ef94c5dc3316e9f7fdafc2aacd645c28c810f0f94295565f6456fd2b124e4ec72671689bd3af20b456811d9

C:\Users\Admin\AppData\Local\Temp\vbc999472547E04853931C1655F548D0.TMP

MD5 32060b25f1b853322f55b00e646349eb
SHA1 3f48939a11387738bbdaaecf03302bf210653b11
SHA256 49e5606fb65b14e33097ca86115ea6c55061517334188958984941a116189d6c
SHA512 db81b28d76f9469e07c1f91c2557acb7109a5c35f35ecd29d41df61e18b934bf36a3569f01aa2d3dc649e54537669d6d7ba492ed25bd4596d04cd0d714e20d4d

C:\Users\Admin\AppData\Local\Temp\RES2987.tmp

MD5 0843ddcca603783db36238bb60329300
SHA1 db6fe40e1eec6b16c29355508973c53e9b03286c
SHA256 2f1c211c87c3f6c8df3039cb011bed255f77887481976102486124b6c74516bd
SHA512 408fd16e1816d28269874536a5c20a44acb63662ad12158b1b16c50d8c756214676076de7deaccbf7246b4f6289116d41523c1df51a383a1b1f723e18458e139

C:\Users\Admin\AppData\Local\Temp\lf2rq4ds\lf2rq4ds.cmdline

MD5 38b14a56db98f1d5f67322184a7f5e0f
SHA1 d34e409d442eb3a4c75c70d96d2a466b03c82caf
SHA256 228a7c776562c7eefbd2011d436ad42d448fd6c28dfd7ed7939b35e77418759f
SHA512 f05ce0dd5347ffe5d78014b901c2feff16997cb1d967342934a58207add4e46358a14cc9aa28b1bfea266b45c7e13e99bad0d8f802be2bbb68696b62aa1348f6

C:\Users\Admin\AppData\Local\Temp\lf2rq4ds\lf2rq4ds.0.vb

MD5 48761fd7996409ad7ba9d662c66b11a1
SHA1 85e4ef1d815bd99b31ee2d3080cbe27ad39d3c5e
SHA256 b34b5f89b536c1c01ca4604fc6b6c03b31f3431be9af583c005a59c080bc4b6f
SHA512 d97c993ecd2afa300ae0c1672984d6bc1772a89208737281182bbeba4694d989f5e2486c9972abe6ee8b01c5e9dbdd9146d7b6531a82786b4b05612ba1d0d2a5

C:\Users\Admin\AppData\Local\Temp\vbc1A573807C1C14D75AEAAC8357A26B6A.TMP

MD5 efa86d1097e3356b4f7173a380c71c68
SHA1 f5940b67a6a5f561ff6454929eff2fb03df8b382
SHA256 8ccd957c9cf2aa677ee3e872feaa327cba85201d1066ba2c702d0b103bff1b67
SHA512 c409a703465f22a2094381be7a5ec066a487cb42c043fefe15f0654f6820e6fc7047786d257da754f20b9cdc4a9f5bb07d6691492d8d30800c6bad607a15b354

C:\Users\Admin\AppData\Local\Temp\RES2A14.tmp

MD5 07386e70caffe2c47b141626dcce1380
SHA1 55bd153c2a063238cb32f4abcf65f78e409a3e7c
SHA256 642bbeeb1a32744bbe072ea763c82e0ab97e2f185f8ba0f1c4338d590f736281
SHA512 1c51e2ae671daba6312523c559fa792604cfe1bc3690268782f06d5d2dcdddcd2a0d815aaedbaecd0e255018a3609d54a2b89fbf023893d8f6bb5d2ae83083ba

C:\Users\Admin\AppData\Local\Temp\owr2nf43\owr2nf43.cmdline

MD5 7d11bfec45533ae83420cab58fab5eb2
SHA1 4d4bd7a517f46da5653fd8a4f085d241896dfe51
SHA256 137d6f1d5e051d53b198442a04db9aac42e7761478f493a298f554c495028b6c
SHA512 05cf9206cdb07c4fd4f51ea348c74c38f4658ecda447c4eb261176653e01d20256ecd2a9f481c69cdc99235ff16377c15424702e53ac657806f46c703c07f1f2

C:\Users\Admin\AppData\Local\Temp\owr2nf43\owr2nf43.0.vb

MD5 496f2570e4b0140bea4afccee7c6d9c9
SHA1 e498334997ef90c3ed30b7f843bf19308294502f
SHA256 4f2e6fc6fd4e5f9ebb2f7c40af2ea22296afc6b598ace3d63408b520860a3987
SHA512 7c6c2ec4ba1b39c11039c5059e84138d12442b2e4cf320b0c661722d7b9299c0428cd7cf5be653d03e08d474793603719be3e19ec06df37736fb874b25f1e152

C:\Users\Admin\AppData\Local\Temp\vbcA13DC5B6423C4998A749A8A63745F4.TMP

MD5 369b17d06cfd628bfe04b3f677d21526
SHA1 b9d23c0dc5467f73fe2331eb584bd0c40b129d0e
SHA256 e95b4b80f5fad8e923641d423ecb96b591a208f2f898846cd9ef107e2cd7c2e7
SHA512 00826786585653c66a434589d0e231c9f37f055b642867faa2ca8cd735a138b5d38eeddf985d268b822cbdc29916f5993fde5bb1b7ef9395710d75f1d49230bd

C:\Users\Admin\AppData\Local\Temp\RES2AA0.tmp

MD5 7f48f900a147a69fd55b4bdd13c91a75
SHA1 6c1c4d926f3a2232183c13d90b4ed5c617c076bf
SHA256 4bafa1730c76fe5be8c9e5ccd54e9114d1e18c977c22131d3e6d384b1a10a885
SHA512 83ba8a532e407ffeb980f7a589cc8801d66c7921807a498de49fcd843fe665e6c46913e313be0516b6ef86bbb351a0c3271d1e48a4c6ed7fb5b0c42dd89658de

C:\Users\Admin\AppData\Local\Temp\q0m1vpqs\q0m1vpqs.cmdline

MD5 fcc7c9c196a3d18c538c8f966ef19aa9
SHA1 fe01589b82f7440553f4e62fccd0f6cf02c06520
SHA256 2188e4a6cbd16fa57aa0281f5d175cf6b591313cc8c432d7934d70e73bea8834
SHA512 57aaa024289d87ac5ca0bf31bca5f2a9e8b783c91285833ccf75ca4c82a967c39abddc9319f3e04d8f84f80749208119d12842bb99e4ff9ef54d4ae786aa6133

C:\Users\Admin\AppData\Local\Temp\q0m1vpqs\q0m1vpqs.0.vb

MD5 56c0de9c4774ac5f1a5c7958e9787945
SHA1 cccb25583894e124c2208577b904fcadead6d729
SHA256 78adb3f06dbe3b39e5d5e1726696e7545216b6cc991db05d6f9a3493f7dd1edc
SHA512 3d0cc984bc9e708a7e48db90e7d76113041bd3bf840bd75f5c90e3f2dd3d646085ffd5b8fa5a9c47c7ff3b6c99a87af57b22eeccd631154dced49d32d82fbffc

C:\Users\Admin\AppData\Local\Temp\RES2B1D.tmp

MD5 70a270e687e05831f95bb474dd68c954
SHA1 3e87077daff88f57ec2e56ffb6e98c34728ca829
SHA256 a2a0c904fed58782175c251c1d09bcb3762f8df933074d142210c9c6297a2417
SHA512 0c78d0d59e6b3160811b51fd349605b134a4863b00b2f5553f6a6c2ec12ddab4dd069d4f59762a85ca3d556bfda6c26e067929aa4f14ce80d7a5347e1fddd36a

C:\Users\Admin\AppData\Local\Temp\pmpnmy15\pmpnmy15.cmdline

MD5 247743599a15e3b36f7416f56617b09d
SHA1 0d67fa124198e836ec155085b261f1b216db4c5e
SHA256 3e9537051b0f0905e5a5fed54ac45f8854e062070aa536d82e06140ae9fa7f27
SHA512 4642ff4999038349fa00140bd7b626243e6ac25c6e8cf8b4f0e48ffe8144862b873403b0b6f2128e393cfc6e26529012326e3eef777eb44674112619d52414b3

C:\Users\Admin\AppData\Local\Temp\pmpnmy15\pmpnmy15.0.vb

MD5 c93b22a4d581838b655288b8323fd2f0
SHA1 459f13d24417453d2d52fc2b392743e7eb093aa1
SHA256 2e92fbafb930ff1a853156b4cd190853bc16c606ca8a8b6775adb634e3274deb
SHA512 ae1e31d23796cff336d80340abd81c35a3d6ee5aa27485783dd822885273b07477ca0390fc62c526f45ba633e6876ee63f603ff2d5846a60b2a6f6c52cf6e7df

C:\Users\Admin\AppData\Local\Temp\RES2B9A.tmp

MD5 aa4e0cf02c19a966b77ffe8398382aca
SHA1 0fee0b5d080c16e4af74d3aaa557e108fd01ea7b
SHA256 0e3fbd38bf06cecff66fa82a402c5ecede0ca5068578f23180a15250b8d0a73d
SHA512 b2fead35a6b38b011d4769c2349de884f848e9cb79ac2ad98385643343df17a3f8ea5e3b0e2d84b497846e78f513d1bcdfba79096386f0ac3237af609c31588c

C:\Users\Admin\AppData\Local\Temp\zhxs4pai\zhxs4pai.cmdline

C:\Users\Admin\AppData\Local\Temp\zhxs4pai\zhxs4pai.0.vb

C:\Users\Admin\AppData\Local\Temp\RES2C56.tmp

C:\Users\Admin\AppData\Local\Temp\cow2g12e\cow2g12e.cmdline

C:\Users\Admin\AppData\Local\Temp\cow2g12e\cow2g12e.0.vb

C:\Users\Admin\AppData\Local\Temp\vbc9A11A2C5804D43C496C0AB4BE3DE9315.TMP

C:\Users\Admin\AppData\Local\Temp\RES2CD3.tmp

C:\Users\Admin\AppData\Local\Temp\ptli04q5\ptli04q5.cmdline

C:\Users\Admin\AppData\Local\Temp\ptli04q5\ptli04q5.0.vb

C:\Users\Admin\AppData\Local\Temp\RES2D5F.tmp

C:\Users\Admin\AppData\Local\Temp\uoo3dk13\uoo3dk13.cmdline

C:\Users\Admin\AppData\Local\Temp\uoo3dk13\uoo3dk13.0.vb

C:\Users\Admin\AppData\Local\Temp\RES2DCD.tmp

C:\Users\Admin\AppData\Local\Temp\g2acv1fh\g2acv1fh.cmdline

C:\Users\Admin\AppData\Local\Temp\g2acv1fh\g2acv1fh.0.vb

C:\Users\Admin\AppData\Local\Temp\vbcF3EF6F946B81438DA94CC3C5D3EBC2.TMP

C:\Users\Admin\AppData\Local\Temp\RES2E59.tmp
