Malware Analysis Report

2025-04-14 05:11

Sample ID 250108-xcj9la1lan
Target JaffaCakes118_a58db880f0af54721064fd5848573a72
SHA256 a61f292250032a413af6305b8258cc6d1a50f04083063e3034ad7400db92be56
Tags stealer revengerat persistence trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256 a61f292250032a413af6305b8258cc6d1a50f04083063e3034ad7400db92be56

Threat Level: Known bad

The file JaffaCakes118_a58db880f0af54721064fd5848573a72 was found to be: Known bad.

Malicious Activity Summary

stealer revengerat persistence trojan

RevengeRat Executable

Revengerat family

RevengeRAT

Checks computer location settings

Drops startup file

Uses the VBS compiler for execution

Executes dropped EXE

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Unsigned PE

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-08 18:42

Signatures

RevengeRat Executable

stealer
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Revengerat family

revengerat

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-08 18:42

Reported

2025-01-08 18:45

Platform

win7-20240903-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a58db880f0af54721064fd5848573a72.exe"

Signatures

RevengeRAT

trojan revengerat

Revengerat family

revengerat

RevengeRat Executable

stealer
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft IntelliPoint.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe | N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\PaintResource = "C:\\Users\\Admin\\Documents\\taskngr.exe" | C:\Users\Admin\Documents\taskngr.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | raw.githubusercontent.com | N/A | N/A
N/A | raw.githubusercontent.com | N/A | N/A

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a58db880f0af54721064fd5848573a72.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\Documents\taskngr.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6993793.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\6993793.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6993793.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6993793.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\6993793.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6993793.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\6993793.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6993793.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\6993793.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6993793.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\6993793.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6993793.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\6993793.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6993793.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\6993793.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6993793.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\6993793.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6993793.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\6993793.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6993793.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\6993793.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6993793.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\6993793.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6993793.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\6993793.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6993793.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\6993793.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6993793.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\Documents\taskngr.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\6993793.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6993793.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\6993793.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6993793.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\6993793.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6993793.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\6993793.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6993793.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\6993793.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6993793.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\6993793.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6993793.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\6993793.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6993793.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\6993793.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6993793.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\6993793.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6993793.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\6993793.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6993793.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\6993793.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6993793.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\6993793.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6993793.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\6993793.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6993793.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\6993793.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6993793.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\6993793.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6993793.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\6993793.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6993793.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\6993793.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2392 wrote to memory of 2864 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a58db880f0af54721064fd5848573a72.exe | C:\Users\Admin\Documents\taskngr.exe
PID 2392 wrote to memory of 2864 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a58db880f0af54721064fd5848573a72.exe | C:\Users\Admin\Documents\taskngr.exe
PID 2392 wrote to memory of 2864 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a58db880f0af54721064fd5848573a72.exe | C:\Users\Admin\Documents\taskngr.exe
PID 2864 wrote to memory of 1340 | N/A | C:\Users\Admin\Documents\taskngr.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2864 wrote to memory of 1340 | N/A | C:\Users\Admin\Documents\taskngr.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2864 wrote to memory of 1340 | N/A | C:\Users\Admin\Documents\taskngr.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 1340 wrote to memory of 2860 | N/A | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1340 wrote to memory of 2860 | N/A | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1340 wrote to memory of 2860 | N/A | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2864 wrote to memory of 1964 | N/A | C:\Users\Admin\Documents\taskngr.exe | C:\Windows\system32\schtasks.exe
PID 2864 wrote to memory of 1964 | N/A | C:\Users\Admin\Documents\taskngr.exe | C:\Windows\system32\schtasks.exe
PID 2864 wrote to memory of 1964 | N/A | C:\Users\Admin\Documents\taskngr.exe | C:\Windows\system32\schtasks.exe
PID 2864 wrote to memory of 1416 | N/A | C:\Users\Admin\Documents\taskngr.exe | C:\Users\Admin\AppData\Local\Temp\6993793.exe
PID 2864 wrote to memory of 1416 | N/A | C:\Users\Admin\Documents\taskngr.exe | C:\Users\Admin\AppData\Local\Temp\6993793.exe
PID 2864 wrote to memory of 1416 | N/A | C:\Users\Admin\Documents\taskngr.exe | C:\Users\Admin\AppData\Local\Temp\6993793.exe
PID 2864 wrote to memory of 1944 | N/A | C:\Users\Admin\Documents\taskngr.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2864 wrote to memory of 1944 | N/A | C:\Users\Admin\Documents\taskngr.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2864 wrote to memory of 1944 | N/A | C:\Users\Admin\Documents\taskngr.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 1944 wrote to memory of 2848 | N/A | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1944 wrote to memory of 2848 | N/A | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1944 wrote to memory of 2848 | N/A | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2864 wrote to memory of 2012 | N/A | C:\Users\Admin\Documents\taskngr.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2864 wrote to memory of 2012 | N/A | C:\Users\Admin\Documents\taskngr.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2864 wrote to memory of 2012 | N/A | C:\Users\Admin\Documents\taskngr.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2012 wrote to memory of 2968 | N/A | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2012 wrote to memory of 2968 | N/A | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2012 wrote to memory of 2968 | N/A | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2864 wrote to memory of 2092 | N/A | C:\Users\Admin\Documents\taskngr.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2864 wrote to memory of 2092 | N/A | C:\Users\Admin\Documents\taskngr.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2864 wrote to memory of 2092 | N/A | C:\Users\Admin\Documents\taskngr.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2092 wrote to memory of 2368 | N/A | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2092 wrote to memory of 2368 | N/A | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2092 wrote to memory of 2368 | N/A | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2864 wrote to memory of 1916 | N/A | C:\Users\Admin\Documents\taskngr.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2864 wrote to memory of 1916 | N/A | C:\Users\Admin\Documents\taskngr.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2864 wrote to memory of 1916 | N/A | C:\Users\Admin\Documents\taskngr.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 1916 wrote to memory of 3024 | N/A | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1916 wrote to memory of 3024 | N/A | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1916 wrote to memory of 3024 | N/A | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2864 wrote to memory of 1760 | N/A | C:\Users\Admin\Documents\taskngr.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2864 wrote to memory of 1760 | N/A | C:\Users\Admin\Documents\taskngr.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2864 wrote to memory of 1760 | N/A | C:\Users\Admin\Documents\taskngr.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 1760 wrote to memory of 2312 | N/A | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1760 wrote to memory of 2312 | N/A | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1760 wrote to memory of 2312 | N/A | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2864 wrote to memory of 2604 | N/A | C:\Users\Admin\Documents\taskngr.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2864 wrote to memory of 2604 | N/A | C:\Users\Admin\Documents\taskngr.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2864 wrote to memory of 2604 | N/A | C:\Users\Admin\Documents\taskngr.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2604 wrote to memory of 1544 | N/A | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2604 wrote to memory of 1544 | N/A | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2604 wrote to memory of 1544 | N/A | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2864 wrote to memory of 1604 | N/A | C:\Users\Admin\Documents\taskngr.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2864 wrote to memory of 1604 | N/A | C:\Users\Admin\Documents\taskngr.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2864 wrote to memory of 1604 | N/A | C:\Users\Admin\Documents\taskngr.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 1604 wrote to memory of 2452 | N/A | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1604 wrote to memory of 2452 | N/A | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1604 wrote to memory of 2452 | N/A | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2864 wrote to memory of 1748 | N/A | C:\Users\Admin\Documents\taskngr.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2864 wrote to memory of 1748 | N/A | C:\Users\Admin\Documents\taskngr.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2864 wrote to memory of 1748 | N/A | C:\Users\Admin\Documents\taskngr.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 1748 wrote to memory of 2540 | N/A | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1748 wrote to memory of 2540 | N/A | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1748 wrote to memory of 2540 | N/A | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2864 wrote to memory of 552 | N/A | C:\Users\Admin\Documents\taskngr.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a58db880f0af54721064fd5848573a72.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a58db880f0af54721064fd5848573a72.exe"

C:\Users\Admin\Documents\taskngr.exe

"C:\Users\Admin\Documents\taskngr.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\v2mibuc_.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE699.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE698.tmp"

C:\Windows\system32\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "WindowsTable" /tr "C:\Users\Admin\Documents\taskngr.exe"

C:\Users\Admin\AppData\Local\Temp\6993793.exe

"C:\Users\Admin\AppData\Local\Temp\6993793.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\acns3f6k.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE86D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE86C.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\f68cma81.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE909.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE908.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kierxior.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE966.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE965.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jco5jyk5.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE9C4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE9C3.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\8p9hmdc2.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEA21.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEA20.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tqtkfned.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEA7F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEA7E.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\igfaanyt.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEAFC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEAFB.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\m9hk5iif.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEB4A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEB49.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pje008ld.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEB98.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEB97.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qqfelodm.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEBE6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEBE5.tmp"

C:\Windows\system32\taskeng.exe

taskeng.exe {98E878ED-2072-437E-A9FE-5D696273B49D} S-1-5-21-3290804112-2823094203-3137964600-1000:VORHPBAB\Admin:Interactive:[1]

C:\Users\Admin\Documents\taskngr.exe

C:\Users\Admin\Documents\taskngr.exe

C:\Users\Admin\Documents\taskngr.exe

C:\Users\Admin\Documents\taskngr.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | day2281.ddns.net | udp
RU | 31.134.133.122:1604 | | tcp
RU | 31.134.133.122:1604 | | tcp
RU | 31.134.133.122:1604 | | tcp
RU | 31.134.133.122:1604 | | tcp
US | 8.8.8.8:53 | raw.githubusercontent.com | udp
US | 185.199.111.133:443 | raw.githubusercontent.com | tcp
RU | 31.134.133.122:1604 | | tcp
RU | 31.134.133.122:1604 | | tcp
RU | 31.134.133.122:1604 | | tcp

Files

memory/2392-0-0x000007FEF59DE000-0x000007FEF59DF000-memory.dmp

memory/2392-1-0x000007FEF5720000-0x000007FEF60BD000-memory.dmp

memory/2392-2-0x000007FEF5720000-0x000007FEF60BD000-memory.dmp

memory/2392-3-0x000007FEF5720000-0x000007FEF60BD000-memory.dmp

memory/2392-4-0x000007FEF59DE000-0x000007FEF59DF000-memory.dmp

C:\Users\Admin\Documents\taskngr.exe

MD5 a58db880f0af54721064fd5848573a72
SHA1 4db954acd4feebbb49918211e83c0cbdf1cb4a10
SHA256 a61f292250032a413af6305b8258cc6d1a50f04083063e3034ad7400db92be56
SHA512 26e5034b2aed4b03115464f86b456f786fc246cbaef839776f1d14c5f56e4608da921015e4e6b31bf1a375c754285a98fd09935b0f80e677f3a387c1c5a04f76

memory/2864-13-0x000007FEF5720000-0x000007FEF60BD000-memory.dmp

memory/2392-12-0x000007FEF5720000-0x000007FEF60BD000-memory.dmp

memory/2864-14-0x000007FEF5720000-0x000007FEF60BD000-memory.dmp

memory/2864-15-0x000007FEF5720000-0x000007FEF60BD000-memory.dmp

memory/2864-16-0x000007FEF5720000-0x000007FEF60BD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\v2mibuc_.cmdline

MD5 195db3f3aadf2289e40b1973a5251493
SHA1 0a22a7eae5ea5982cda05871eb7df5ee5d47514a
SHA256 5411d10aaa9ec043044e7cee0c38f16e6462e3d1073df508afced3c7a1cd6cfd
SHA512 e9f9dae639c6cd3bba939464d57c4ffe24da8c4984adff2a05fdbd1d994fb7e122b412b5849616e4076f44e6da3dbc0ca3d0318a347784aafcef1d1d9fa8d71c

C:\Users\Admin\AppData\Local\Temp\v2mibuc_.0.vb

MD5 cdaa26fe88bf2e9296843cac186f0f8a
SHA1 a8f9769fe277bfc5e2dd2f9c3db2921020cafe10
SHA256 5e610bb330f79e0ebfa2078f9d408db2e4f4e8c4e644057183419f40ab7736ed
SHA512 df18dd6e421bd9f18445b1c50aacd651956f44939249aaee9a1078855329ca0e7e92965da9b059555f55901c49e81b400e755111bc7d360e75dbf658872a4d6a

C:\Users\Admin\AppData\Local\Temp\vbcE698.tmp

MD5 253ac3eb8d80354190d7be9278727b6b
SHA1 bba447681cb11f36c316a2ae223fc94e056e66bb
SHA256 2cff523b286303dd0773ace801595a2bdca962861d59b620bdd953f966655251
SHA512 eb5bc537fcd1fb4713d51662d75993646fb8c2684f1bb0078fee3697c271650d1498fd1c201f2bd9759b0e18239627d72e1a46c141655fe7b4919e0cbe871bf5

C:\Users\Admin\AppData\Local\Temp\RESE699.tmp

MD5 822d7c9338c10ad77241ff32b213f1a4
SHA1 69ec07766cf6fc4ebfd88f72af92cd55fd786ba7
SHA256 fe16a414f95c227c7ab815cbcb3ca22da04260daa96e93f2bd8bf6adb6bb3589
SHA512 a25a1b27b1af99d598a517725decc7d19a07698caf5f0ab1977733aa7718e16ca521392392bbb893eed4f569508687562ebbc4d70cc9027ef0af4bf1d184ef9f

C:\Users\Admin\AppData\Local\Temp\6993793.exe

MD5 c4394fb4daaf350cdbf5303d812e917e
SHA1 6a780c9f1c15e555b72640299b9c10e7927252f6
SHA256 0ac3387b6e0283c972722c2a6664ee23ac5ba10640d18b827e8732f5c57e7d2c
SHA512 585664a31ac2131efde439468f98c53423588348019edb3c767ffc9bb6a8a881959fd1f4a30d623a0e6a4cc02d180a146b37bef8679b55b111f46d2fb8fb82e1

C:\Users\Admin\AppData\Local\Temp\acns3f6k.cmdline

MD5 bc883914b728e04c5fb50ce02d264209
SHA1 909dd8392ee387fefb9f0b4efd81c04f0d5efc38
SHA256 ce5f8bf74188d49a8e9af51eaae6301df56b82cbeb0dbca47985f9f3131c1476
SHA512 08026cfaced8fb81f242993373e5f93c4efb46e2804d0ffbdafe922f38fc7e55bb0ce1ac1d0115076bb9c433eea0fefc9df992dca6e07d727270a920fe0cd756

memory/1416-41-0x0000000000B60000-0x0000000000D4A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\acns3f6k.0.vb

MD5 e5761189550be412d3d6f7251a2b5da4
SHA1 14667e3906bd1f52416e5d3b0857a7fc3bdeabad
SHA256 eb3bb3a3e609603c7391d28e05a6c2c63a7b863730cc1a577cae7a6d46a31eb4
SHA512 1c4f974158a5536b862d5cda56079001626809fd1655cb74daccd93edf2bb83becc69d92737732c893fb8541350896e1642f98355359622af17c9562c7f77355

C:\Users\Admin\AppData\Local\Temp\vbcE86C.tmp

MD5 3906bddee0286f09007add3cffcaa5d5
SHA1 0e7ec4da19db060ab3c90b19070d39699561aae2
SHA256 0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00
SHA512 0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

C:\Users\Admin\AppData\Local\Temp\RESE86D.tmp

MD5 60ec8be2cc1c7e34f36a7a36e8c83235
SHA1 7e24e6f54fff25cd76705aa35fa7cf8046fb74a0
SHA256 f32df14fa87b58f111f324e94fd9cb7c16c59ff2e6a662583bbe7359706d9946
SHA512 1c437f907062df3bb220aad8bdaca848b4232e43f168216b0bc38abbf05b2753ff63794230917db3e9044099936fe9b64998f133e664ffa781178020b418d197

C:\Users\Admin\AppData\Local\Temp\f68cma81.cmdline

MD5 2f7d197335ea4eb0450ed9750aa501f8
SHA1 370eaccc6019e2056c518642b18ee43670d87257
SHA256 2142a2b29ba035a378909a458922ed1586434eadb9cd7f6516c6aa99308afcc6
SHA512 f87700c0e7b107545f713da54c7c8f7151777522f8fa60747a1b8b7603e8cb53c3c0c8eb256bde5df473333250792afecb7180aa082be2354411cb58ce599a6e

C:\Users\Admin\AppData\Local\Temp\f68cma81.0.vb

MD5 b73a59a72b7d941a67dc09be6a018494
SHA1 4b9d51f84ea99886b0871857b429842901f75ec5
SHA256 50e4b4c85690614f0273f0bf0bc78cb58788e4cba5edf0f43342435ba73feb79
SHA512 87cdffd169268497f3442949fb15dc3bd94d81c8b453cb454c5dd3b0d84a8ea4f04853c5a34cc8f1e8b4d4962ea6948d0b7909375e7ae793648e9205ac7ff9b6

C:\Users\Admin\AppData\Local\Temp\RESE909.tmp

MD5 9b8926a060c7f6845539946f33f41bc5
SHA1 7645ecc0a156dcc53310e928242fcc72f9596b98
SHA256 3e3824f32648e8be9a4aeae1bb224d17ad882f72202f9e4d1cf3d07471c91634
SHA512 7ef0fd5796c0f03d8b8cbaf725e0bb0a7eb5ecd434d7800da91830e841787fef2232f86fd370fe9f1235ef7281794abe07e6125103b1e10da2b864a0bec3fe24

C:\Users\Admin\AppData\Local\Temp\vbcE908.tmp

MD5 41857ef7e71c255abd4d5d2a9174e1a6
SHA1 95051d6ae43ff1bd9e5ebc95aa2e7b7c3165cb6c
SHA256 dfcdf12316f3b523895ec611d8e8d9fdc189ab8dde4e86fb962541aeac54e302
SHA512 ec6c5a7729d273be3ff194ffe47056731ab4100e298b7f50108a2599be59c84bd1953a90c4d7390c477257986a18d336d951f590b782f1aa983de7bd4c86e6ac

C:\Users\Admin\AppData\Local\Temp\kierxior.cmdline

MD5 989c64af0c8d8f41a25f5704afe9c5e1
SHA1 990256a1fbb2323569c5695f6070000fa9b84498
SHA256 67d3d19b00e5ef0048c4ec801353f6f2f96303bd0c07ffac91a3ded94d42eed7
SHA512 d7ff034b28f7ef8fc585462d535cd9abd7c50513166ae26c32fc543876a18bbc58d36340632cfdf8aa917ff833ad82bee4454019fd581c2540c8d636b9f1fe59

C:\Users\Admin\AppData\Local\Temp\kierxior.0.vb

MD5 1c653b72085eba814ec06e0b6dbc2d44
SHA1 21793bd5eec422ae8c4ec2c2dd04558b5d758fc7
SHA256 c5ec4a5c4a050be6528774688bdca002af01d1c74b3f8271840718177087b1a2
SHA512 8098b07147423a65d64e3058fd3a6ca9d4bb7408bbbdffa4b4fe7fb4be04f87fbc3aa11ead81d8a9d992aec15bb760372c753d79efee55e31f66636c4128b736

C:\Users\Admin\AppData\Local\Temp\RESE966.tmp

MD5 21eb64b16ae3399f9625ce2efe8b7b26
SHA1 fdd560ed797346e77312a3a86cb52a546a2b129c
SHA256 6fda24e94476d6aa3692d7904ff8d5d349da5da45ac0bb49927b928ae29e83bc
SHA512 72e810d11525add4cdab5205cb04ca5979b0ee750fad326c9e192fa24af1dd5729d2c806c1704ef5343bc09aae69476ece6e9e3e87248e7bf93a6588c5d4b63f

C:\Users\Admin\AppData\Local\Temp\vbcE965.tmp

MD5 453916f7e3952d736a473b0e2eea5430
SHA1 b79ccb2b555a81b8db470ec9fcaea26d42ef1c8b
SHA256 b0f8b94a35a12060c70e9f81641be22cbf1f1794c73260f48a2e6e46608623fe
SHA512 86d32a03cf04ef8640075c82e5fecb23034413a41b80b81c900a423b03f44589f774f68f83561465e7c9ce46512c818eef5a90e5ed9f7b3f86b592be34fa367f

C:\Users\Admin\AppData\Local\Temp\jco5jyk5.cmdline

MD5 fcee009941b3c64732023a9724264a86
SHA1 048a9cedb693a761ce5cbb849b7eefafea6bea70
SHA256 aa3f634f64431ed48fc5fb5c1afcfb6017af27304f690c7b463d0630a4adfca2
SHA512 e542214aeb770703524fde107e49729d73d0fa6445d633cc4e5124e7b5c3db6bb05318c073aaf4c38c75aa3b409f0de687438d5d0c059656d626087898928d92

C:\Users\Admin\AppData\Local\Temp\jco5jyk5.0.vb

MD5 74735a9370caa035718311e0de3a4601
SHA1 cbeb19a5f0fdec056b787ba3daa23b48fb323f04
SHA256 4c0dfb5527c7a63fe7a033d83e2e1a42085a361d2eaf8fe581708f4fa6ec2590
SHA512 2b240a0fc2ddba3182449a41b70a5b3cf13b88ea14574f7b070bf279d89e107857aca641ba07c09774ac6ff9cfec5e6bcca0efb1ac5dcfacfaf0847eff17911b

C:\Users\Admin\AppData\Local\Temp\RESE9C4.tmp

MD5 d14af469ce7dd51a23ed36dcd4d3e529
SHA1 bca732b4c6c61ae45dd1b72216fe34d0fdda279f
SHA256 8d2af93fa320af6250f8450d4f79f96aa60b1fd5b83d40076ddfa120582361de
SHA512 85e78ffc6d4219dfd862b5b5af484cf28dc0ba32ea6930ab8f69ce3c3e1007dba9bddfad29fdec0baa726f73f20ef9424f6569ab515bbe07f84a8c25a9467232

C:\Users\Admin\AppData\Local\Temp\vbcE9C3.tmp

MD5 6ed26221ebae0c285cdced27b4e4dbac
SHA1 452e9440a9c5b47a4f54aefdde36c08592e17a38
SHA256 aacdfb10fa949c74577bb1778fe2f3bab88b3e587c07cfffb003e059097e9e6c
SHA512 c604368a7b4adfbec5b6898c8880ea684bd085d967c1ebd087c9bed065fe3e2575c8298a9ccaa454d68496386667db998e2a04248dda2ab35905c8a9b1135cce

C:\Users\Admin\AppData\Local\Temp\8p9hmdc2.cmdline

MD5 b3f5c860f29782a00d93ca497406482e
SHA1 89509457ffea199a3a62a8b0da4a755ba5f8cfa4
SHA256 9365307f741db7c57bd2d04278a5480647459086155515a25d4e6bab7db1a148
SHA512 07f15b07996b898c84e4ffcad2456e5b560f57473bd19195a8863f400306bfd88f92e5d53974552ef198589921c144f32dd510767a77274518bea3b83717f2c3

C:\Users\Admin\AppData\Local\Temp\8p9hmdc2.0.vb

MD5 d7e819e5c304049739e7f2a9e6b58c70
SHA1 fda2f4074c92a643c5784d3f1f873e95e08aad94
SHA256 9203d9523aa99b6d117664d6dd5e7400b9db5d0b637d961687ed5cefba4585b5
SHA512 c86b23c403736baaa8158dad0fb2b60d04632a5a293518a0f99c1c9c548aac20dea0791082b477f2eedbd89ca10257347794b3236ba24c08628535ef79776389

C:\Users\Admin\AppData\Local\Temp\RESEA21.tmp

C:\Users\Admin\AppData\Local\Temp\tqtkfned.cmdline

C:\Users\Admin\AppData\Local\Temp\tqtkfned.0.vb

C:\Users\Admin\AppData\Local\Temp\RESEA7F.tmp

C:\Users\Admin\AppData\Local\Temp\vbcEA7E.tmp

C:\Users\Admin\AppData\Local\Temp\igfaanyt.cmdline

C:\Users\Admin\AppData\Local\Temp\igfaanyt.0.vb

C:\Users\Admin\AppData\Local\Temp\vbcEAFB.tmp

C:\Users\Admin\AppData\Local\Temp\RESEAFC.tmp

C:\Users\Admin\AppData\Local\Temp\m9hk5iif.cmdline

C:\Users\Admin\AppData\Local\Temp\m9hk5iif.0.vb

C:\Users\Admin\AppData\Local\Temp\vbcEB49.tmp

C:\Users\Admin\AppData\Local\Temp\RESEB4A.tmp

C:\Users\Admin\AppData\Local\Temp\pje008ld.cmdline

C:\Users\Admin\AppData\Local\Temp\pje008ld.0.vb

C:\Users\Admin\AppData\Local\Temp\RESEB98.tmp

C:\Users\Admin\AppData\Local\Temp\qqfelodm.cmdline

C:\Users\Admin\AppData\Local\Temp\qqfelodm.0.vb

C:\Users\Admin\AppData\Local\Temp\vbcEBE5.tmp

C:\Users\Admin\AppData\Local\Temp\RESEBE6.tmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-08 18:42

Reported

2025-01-08 18:45

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a58db880f0af54721064fd5848573a72.exe"

Signatures

RevengeRAT

trojan revengerat

Revengerat family

revengerat

RevengeRat Executable

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a58db880f0af54721064fd5848573a72.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Documents\taskngr.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft IntelliPoint.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PaintResource = "C:\\Users\\Admin\\Documents\\taskngr.exe" C:\Users\Admin\Documents\taskngr.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a58db880f0af54721064fd5848573a72.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Documents\taskngr.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6993793.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\6993793.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6993793.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5020 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a58db880f0af54721064fd5848573a72.exe C:\Users\Admin\Documents\taskngr.exe
PID 5004 wrote to memory of 2028 N/A C:\Users\Admin\Documents\taskngr.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2028 wrote to memory of 1504 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 5004 wrote to memory of 2200 N/A C:\Users\Admin\Documents\taskngr.exe C:\Windows\SYSTEM32\schtasks.exe
PID 5004 wrote to memory of 3788 N/A C:\Users\Admin\Documents\taskngr.exe C:\Users\Admin\AppData\Local\Temp\6993793.exe
PID 5004 wrote to memory of 4584 N/A C:\Users\Admin\Documents\taskngr.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 4584 wrote to memory of 3560 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 5004 wrote to memory of 3892 N/A C:\Users\Admin\Documents\taskngr.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 3892 wrote to memory of 3196 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 5004 wrote to memory of 444 N/A C:\Users\Admin\Documents\taskngr.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 444 wrote to memory of 3380 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 5004 wrote to memory of 2564 N/A C:\Users\Admin\Documents\taskngr.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2564 wrote to memory of 3912 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 5004 wrote to memory of 4764 N/A C:\Users\Admin\Documents\taskngr.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 4764 wrote to memory of 1788 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 5004 wrote to memory of 1936 N/A C:\Users\Admin\Documents\taskngr.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 1936 wrote to memory of 2888 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 5004 wrote to memory of 2644 N/A C:\Users\Admin\Documents\taskngr.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2644 wrote to memory of 3312 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 5004 wrote to memory of 3424 N/A C:\Users\Admin\Documents\taskngr.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 3424 wrote to memory of 2448 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 5004 wrote to memory of 3068 N/A C:\Users\Admin\Documents\taskngr.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 3068 wrote to memory of 2528 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 5004 wrote to memory of 4356 N/A C:\Users\Admin\Documents\taskngr.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 4356 wrote to memory of 3644 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a58db880f0af54721064fd5848573a72.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a58db880f0af54721064fd5848573a72.exe"

C:\Users\Admin\Documents\taskngr.exe

"C:\Users\Admin\Documents\taskngr.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\s7gth_cx.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES912F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFC119ABC10AB4A92B3141C3A7C1B565B.TMP"

C:\Windows\SYSTEM32\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "WindowsTable" /tr "C:\Users\Admin\Documents\taskngr.exe"

C:\Users\Admin\AppData\Local\Temp\6993793.exe

"C:\Users\Admin\AppData\Local\Temp\6993793.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ugjblhvq.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES93CF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE17FA493A14B4754A0447BF0696D6A.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\z9hxvk6h.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES945B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc360FF46F43964119AD2FBE16E8C9713.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\e4xug7tx.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9527.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD03318FC13704F13B89F3BDFA8ECA72.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\e86ec0lf.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES95C3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc81BBA62494E842AA943257233D803AAA.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3fhbwqwo.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES96AD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4F734BF59DE94DD98669284BCF33E5EE.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qlwnihg7.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9788.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA080CC3B7F4240E1A03C25EF2F6CFF6.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7qsp-m5p.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES98C0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc90CC42A094504E5992B2ACF02B618EA4.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lurpxany.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9A18.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC3775F296D9C45DDAF807844DB24E929.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\suocmaei.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9B8F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5AFB58614AE47B2B734D21E2D86BA24.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kyv47xjd.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9C99.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc669807EC9932404D91F79EDF878EDFBB.TMP"

C:\Users\Admin\Documents\taskngr.exe

C:\Users\Admin\Documents\taskngr.exe

C:\Users\Admin\Documents\taskngr.exe

C:\Users\Admin\Documents\taskngr.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 60.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 day2281.ddns.net udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 31.134.133.122:1604 tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 133.110.199.185.in-addr.arpa udp
US 8.8.8.8:53 86.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

memory/5020-0-0x00007FFAB1DE5000-0x00007FFAB1DE6000-memory.dmp

memory/5020-1-0x000000001C3D0000-0x000000001C89E000-memory.dmp

memory/5020-3-0x000000001C8A0000-0x000000001C946000-memory.dmp

memory/5020-2-0x00007FFAB1B30000-0x00007FFAB24D1000-memory.dmp

memory/5020-4-0x00007FFAB1B30000-0x00007FFAB24D1000-memory.dmp

memory/5020-5-0x000000001CAA0000-0x000000001CB02000-memory.dmp

memory/5020-6-0x00007FFAB1DE5000-0x00007FFAB1DE6000-memory.dmp

memory/5020-7-0x00007FFAB1B30000-0x00007FFAB24D1000-memory.dmp

C:\Users\Admin\Documents\taskngr.exe

memory/5004-21-0x00007FFAB1B30000-0x00007FFAB24D1000-memory.dmp

memory/5020-20-0x00007FFAB1B30000-0x00007FFAB24D1000-memory.dmp

memory/5004-22-0x00007FFAB1B30000-0x00007FFAB24D1000-memory.dmp

memory/5004-23-0x00007FFAB1B30000-0x00007FFAB24D1000-memory.dmp

memory/5004-24-0x00007FFAB1B30000-0x00007FFAB24D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\s7gth_cx.cmdline

C:\Users\Admin\AppData\Local\Temp\s7gth_cx.0.vb

C:\Users\Admin\AppData\Local\Temp\vbcFC119ABC10AB4A92B3141C3A7C1B565B.TMP

C:\Users\Admin\AppData\Local\Temp\RES912F.tmp

C:\Users\Admin\AppData\Local\Temp\6993793.exe

memory/3788-50-0x00000000004F0000-0x00000000006DA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ugjblhvq.cmdline

C:\Users\Admin\AppData\Local\Temp\ugjblhvq.0.vb

C:\Users\Admin\AppData\Local\Temp\vbcE17FA493A14B4754A0447BF0696D6A.TMP

C:\Users\Admin\AppData\Local\Temp\RES93CF.tmp

C:\Users\Admin\AppData\Local\Temp\z9hxvk6h.cmdline

C:\Users\Admin\AppData\Local\Temp\z9hxvk6h.0.vb

C:\Users\Admin\AppData\Local\Temp\vbc360FF46F43964119AD2FBE16E8C9713.TMP

MD5 3906bddee0286f09007add3cffcaa5d5
SHA1 0e7ec4da19db060ab3c90b19070d39699561aae2
SHA256 0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00
SHA512 0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

C:\Users\Admin\AppData\Local\Temp\RES945B.tmp

MD5 0ade6390de6674674c6c217c30cba5bc
SHA1 14afd6374f274401d058738eb5275abac3f70261
SHA256 6e6bbe2eabcca643e07cc1a2fb91e0cf52ca628ca8097e79acfed78b30709a7f
SHA512 50cd3d08d90154111308c7d38c0f1e0861b3d6bd1c19745e183332088f2e482c1095dbfc6208cb5bd4b7890f5d67c111e4605adf091ab2e03c9ee5dd0bdedaa0

C:\Users\Admin\AppData\Local\Temp\e4xug7tx.cmdline

MD5 ac483223a329b9d5d3c5e179d18367e6
SHA1 4a0994802524b61b526162280f7ea15dc8f010f1
SHA256 1730d587b28f6e64852716ef84a24b4731ad9013008f71c7f5983ddc6cd7afc7
SHA512 25421cb205c9d3d14d80312dd7fda4ec2b5c4dbdf8f860809bba2693bbdfdf34eaaf43805d39fe0fc4b2adfd408df43f3896023b7108a83a68267cc8876ba410

C:\Users\Admin\AppData\Local\Temp\e4xug7tx.0.vb

MD5 11b3e4db71f1d3b4dbe885207d37d4f9
SHA1 0327e0916daf2feac8163a6e85a91577c26614d2
SHA256 0398a89f8df4b496ee06b6f34c4608cca0ac29fa7adf7d20db57f3d3d60754f1
SHA512 b56f4b83fff06bd2f8437aa89679850dc9b9ac257cf78e7c0cc33651dda5589ce221945abf8cc705e739633a420e5cc7941393847d72d22b171a1cbefa12eadd

C:\Users\Admin\AppData\Local\Temp\vbcD03318FC13704F13B89F3BDFA8ECA72.TMP

MD5 85c61c03055878407f9433e0cc278eb7
SHA1 15a60f1519aefb81cb63c5993400dd7d31b1202f
SHA256 f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b
SHA512 7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

C:\Users\Admin\AppData\Local\Temp\RES9527.tmp

MD5 3472231adb827cd095e823ce8adc917b
SHA1 d00ff868cdbeda3212fce41906e029eea317b0fc
SHA256 05de04ff06630667681e64054530b96e9941ff7edf5575fbc9cb35e3bc01e43c
SHA512 7b2c668e7c8453da942f0ef7545599cb3fb856e31505186af06ebb2c6c23aba8dca9b21bb1719e46927bd40e50f035a069d966e3fe226dce933c6c4d145ae4d3

memory/3788-97-0x000000001C220000-0x000000001C232000-memory.dmp

memory/3788-98-0x000000001C560000-0x000000001C59C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e86ec0lf.cmdline

MD5 513c18f01e28fc452329efc9cb5a8a5a
SHA1 5399c8d4a1a3818080e11e4534f6ffcb804b5e83
SHA256 1d4137d64667d417c899259703811c93f9c430df4f330eb82519d1462679f327
SHA512 109a6c2ee57ad6694c4cc248c35d9a473448451430cc78736b7311de47f303209ee637065874db882eb1fadc8882fbe33c3e901749d07ab3adffb8c921c91c04

C:\Users\Admin\AppData\Local\Temp\e86ec0lf.0.vb

MD5 d7e819e5c304049739e7f2a9e6b58c70
SHA1 fda2f4074c92a643c5784d3f1f873e95e08aad94
SHA256 9203d9523aa99b6d117664d6dd5e7400b9db5d0b637d961687ed5cefba4585b5
SHA512 c86b23c403736baaa8158dad0fb2b60d04632a5a293518a0f99c1c9c548aac20dea0791082b477f2eedbd89ca10257347794b3236ba24c08628535ef79776389

C:\Users\Admin\AppData\Local\Temp\RES95C3.tmp

MD5 cc17e098061041a0f499ea2f61177ac9
SHA1 b8d9c3ea62d0bf076dd776f61a7f4f5bc368c59b
SHA256 41ac52b0d2e9dba50ccd6a98332eaee3ebd77b8acccff95f255cce117df1bbf5
SHA512 4c7fd521c61fb15d78dcfa92488be0a469822708015a092372b94ba5c6769e0041084cafc23a21a8da2ebc0fc3da4b00fcd95f93b7d07cffa25f0502a8514f84

C:\Users\Admin\AppData\Local\Temp\3fhbwqwo.cmdline

MD5 6f58d98b2bb698e9fb750dcf7d06b841
SHA1 79341ab478ca354846c0b89945b04c83d74d9656
SHA256 ce4b9bfc3d943e560a1b05be650180f20c2f6faf954de36a2d9c28f408c8582d
SHA512 7fd3415e575705b1b6fbbe29d8e8d832d7a237819bc007c063e057d1ad53195d2f44b34526cf0abae44a866e398497713973548592c74221eabd4a2e74a616c8

C:\Users\Admin\AppData\Local\Temp\3fhbwqwo.0.vb

MD5 f2a05fa49c8095ff3f83411bb53ae404
SHA1 c10cb9190ba92948f8ea2d1ae451e4636ceaae71
SHA256 c85d0c3445ba49732c88da6e6bc80c5fd63e7a5b4c809e38d46dfa091c223dbf
SHA512 edabc2a63a332b835c39b6523e7ecf633d752f4f08fa8fd1603a72f17aa05438c483af25fed6e388f1372ac61bdc0271856c7d7d3c46730f1e776b1e4f016171

C:\Users\Admin\AppData\Local\Temp\RES96AD.tmp

MD5 59be2702b7cbc53d23433e53154e7b22
SHA1 17680f3ede7428b1323f94c4e6839b657193b874
SHA256 3b896a4ece73f695742ef2e2f7db410307bf6b1a5b20cd0fd2310138eb6cca6a
SHA512 20b83f60891c28c59e541c43797dffb7fe4bfd1730d756f9d6150b74563798a086433666db46a0dc8909caed79ceb1b3056faf6bb3126c82527edfbbb90eb541

C:\Users\Admin\AppData\Local\Temp\qlwnihg7.cmdline

MD5 1309a5fbc62784ed7d4acef6573b9d78
SHA1 104e91b6b3415feed9286e8632c585c4be0ae489
SHA256 a3f1b673fe1feea5c2ff78cab289012ecfcc2b703b6c50470c5a5b9b9ca9be62
SHA512 4449adaff65c760fdcec6bc60079c9270b049b0c3339a6370f3eda6d49a1bfc333544220b9f59aab99150ea9cd63cc9d127df760828fa3b28e8a1fd17c552a9d

C:\Users\Admin\AppData\Local\Temp\qlwnihg7.0.vb

MD5 a3149c23cdfcefa52372f731551ac7ac
SHA1 b033408b73e3986d342c530d3a748e95e7648c78
SHA256 3ec44e5500f18ecfda3187c48af050342802dfa950230fbe96cdb6b4b4a0ec3c
SHA512 3bd71c4b417bc2a6d60f5d858823ae0f72b8983094825c0f09d253d802e6a8dd5de847e70ef1a765824eac2b82b2d73a4855d08dc172fde7fd716e5871d085ed

C:\Users\Admin\AppData\Local\Temp\RES9788.tmp

MD5 482aca810725ad5ff7ee352cccf2e562
SHA1 f42292a9e320095a7e76998326473bd9566e0fc1
SHA256 cd15c15e8e39c41ac3225d8f366fd47bf8ec62cd1a451cbbb4a593a7f0c02cb0
SHA512 080ebbdd497b1de7fda1633409eb894ed2fecbfdfb3228fa0c88cb416d0b0e6d3d33a9525379418375937d53cff29651e50228839663c10c2fb1cab773a7cd11

C:\Users\Admin\AppData\Local\Temp\7qsp-m5p.cmdline

MD5 712e36a21e7d48f44be8a9b0d763ba8c
SHA1 f2b25440b49c2a2bda3f53fa1364b7da7a4b46ea
SHA256 55b69703ea4c1c55f892e56ae7209c15707511998780266b8581775f3901d6b8
SHA512 765934384474a7ee28ff6b84b558f938a46b91ecab03acbb291260febb8efd25788348426937de6d93bb71be96d9408aabe76e81fc13a712f27e3cc794f4eb16

C:\Users\Admin\AppData\Local\Temp\7qsp-m5p.0.vb

MD5 c5b9d8d6365919b42a26adea6001fca4
SHA1 f4d7a2d623be4c22363daffe70e4d1b40b33b775
SHA256 cbad8217cc2df744da6830c565b2c19993dac461dccadef167af3b62229d95b8
SHA512 3bed75479d2beac4d5526cc598d2a7b58c09d1e05212c9705f96913d1100edcc6b46189a6c5a0e615cd73e1cf9751efc11d3598de3db088b8372425c72ec2497

C:\Users\Admin\AppData\Local\Temp\vbc90CC42A094504E5992B2ACF02B618EA4.TMP

MD5 8135713eeb0cf1521c80ad8f3e7aad22
SHA1 1628969dc6256816b2ab9b1c0163fcff0971c154
SHA256 e14dd88df69dc98be5bedcbc8c43d1e7260b4492899fec24d964000a3b096c7a
SHA512 a0b7210095767b437a668a6b0bcedf42268e80b9184b9910ed67d665fba9f714d06c06bff7b3da63846791d606807d13311946505776a1b891b39058cfb41bd4

C:\Users\Admin\AppData\Local\Temp\RES98C0.tmp

MD5 16dfd4e7a317e6eb1d63fe1f1debefb0
SHA1 9ed96ac83275f00b05bfa9e944fc6f03410237a8
SHA256 d5614da6d5382334a1ca05de999d82bbb7a4dd5df4960636daa2c7f5f44883d8
SHA512 214104552ba4bd4b08d6be9e88ba929c992ce23e3d245a99e5e6d37d3f5838fae44c90f8fb30bb4e8c92be2324bd724f8034ec2aae3e22f2f038d7c6cad7c8a2

C:\Users\Admin\AppData\Local\Temp\lurpxany.cmdline

MD5 45b3b0b34550da27f77d7434a987234d
SHA1 11d9ca295ee431e2d93fcf4f76dcbe5fc130e00b
SHA256 eb8f897e891a8039549c8bfa3c7ff65467ee471d906a4b54bc77e593cf396972
SHA512 61172c8cd3108df0772ff63317d6b2ff272729fc54b346fefcf3e1ad8878053e308f3cc3923b52c12bcbe086a0c82b5b93b7b06374adcc5b605cc7010a1976ac

C:\Users\Admin\AppData\Local\Temp\lurpxany.0.vb

MD5 f7414480c14ed927b96983a454b45ad4
SHA1 f0b9701777b2643e03165a5e3932fab15fa054bf
SHA256 21344d6b94d6f9460b875f7120934f8a230418719f6b6951baf423c6244e6fd8
SHA512 645a18383cea2f1107b2d0dda0c04b059f0385fc77a6da837a9bd180df410fc34534df4f595d766b030cfae3c9c696e2400a6d4abd0852e6a2120e1859876145

C:\Users\Admin\AppData\Local\Temp\RES9A18.tmp

MD5 1e38c51637990e3c3df08ab2941a32e9
SHA1 c31329875ac8ad8792e0dd7e023558e5eb3b29a4
SHA256 ba930603eeb8a6bf3b851a4d1cc5a44ff8f485bf4944d55488c722f1c26c4178
SHA512 2afc1ff878018930bdd3869767828e53cef77e1c8ac805fb0e24b1b0321a36a77554e525f8681e9b9ca007e340fd118ae5d95d17a03c1782db39c87781cd59cf

C:\Users\Admin\AppData\Local\Temp\suocmaei.cmdline

MD5 f8b3a95589ca0c483e9db1850da1bdf4
SHA1 c714bc5b22ff018da5fe158c45dab4875cf43346
SHA256 a63dd09a485f141863ded7b86b6a9c4e19873ac35228114cc95fe92c17c911d3
SHA512 dce25d83418497fc096ffb8c91ee6e175516786c83f7ad0248d810f467505ee45c6cc9202d1eb0c53896445ed9a970faf48b27d53066de87ce6f064661f62c59

C:\Users\Admin\AppData\Local\Temp\suocmaei.0.vb

MD5 36dec6c894af5ba982846e27dce1da21
SHA1 553bf67b97d9150b99ccd8e950c381f21dd4a43c
SHA256 7a9414b12f9628abf0a42999e4c954ec5151f719ec34812a7b18824e7994ffec
SHA512 821d6c5f565761f837bc97b94830a7d55bb6796ba531078195ebaaeee6b050d88a8e97fb45138277ae3d09da3c8ae36d28a80643425c57e69afc28222b01b1fe

C:\Users\Admin\AppData\Local\Temp\RES9B8F.tmp

MD5 86dcfdb65c59f38f82d55e723a7e3441
SHA1 94fe4769c9eabae859280e49f68728c14d912e88
SHA256 99d3ab67590eb6bc8da287405dbbe42e0dfa7aa22c31727ddaa88d574a614c14
SHA512 517567647f43f5fd6a39ec152fc30defb3bc03aa522b5af716d42c78f64bc99c61b2c3ce8e076c47f1d53a6e600ade67f6f6376fdfef106aba77369c671dab70

C:\Users\Admin\AppData\Local\Temp\kyv47xjd.cmdline

MD5 70aec7733a089a1fc19e7c455a919035
SHA1 138a46de438340be8299ed0dc87488cf8dd6c76a
SHA256 051bbeabc0b0852d5e160d72303cd68de26986b8a870123b1808b9bcc59b81da
SHA512 1c9f98b6c0f8ce4adfbfeed0d51ed3fa81cbee880ce1a91a14a30a68281301a3e7aea61f85ea5ce97af64232d4de3f7e541aae601bb083ae396638af0a0a9bb2

C:\Users\Admin\AppData\Local\Temp\kyv47xjd.0.vb

MD5 d2bbf198a5efe2d0c53eb7302c6b2a25
SHA1 adf8a6092bcde5738aea72861cbdd90409c6f3ee
SHA256 44a8b749b445cbf5e18647d40d430113341c37c5ab943f3287dd9660e5052a62
SHA512 bcecf3e7ae6c12e412136b740024824a8f8d13c5e897822b7a8ba5ea7171a6336f1e3621d6e1c35cf341c849523ac7f008c50093614369d610fbde1b7739213b

C:\Users\Admin\AppData\Local\Temp\vbc669807EC9932404D91F79EDF878EDFBB.TMP

MD5 7a707b422baa7ca0bc8883cbe68961e7
SHA1 addf3158670a318c3e8e6fdd6d560244b9e8860e
SHA256 453ad1da51152e3512760bbd206304bf48f9c880f63b6a0726009e2d1371c71c
SHA512 81147c1c4c5859249f4e25d754103f3843416e3d0610ac81ee2ef5e5f50622ea37f0c68eeb7fa404f8a1779dc52af02d2142874e39c212c66fa458e0d62926a9

C:\Users\Admin\AppData\Local\Temp\RES9C99.tmp

MD5 fb72241bc0a33c01d0172af50276db17
SHA1 7c61d85a792145650a2af11ecdf49a4b78eeabfe
SHA256 2e8b6623420f16f82dfe6a64661d48fe2143253ad824f98a7b1c3cde873d94df
SHA512 ffba38ace2eb3b8a9f9d6981bfbeaf04f596eff445c7a4b60d69768e3de631324803fa2291081476a0f226b3b9eebfcf30e67715aa1f95fb0cdf779cd2f2a8e6

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\taskngr.exe.log

MD5 a88f1b9da8d070af429e5805056af97c
SHA1 ae5da96c64a792f70b474233b2d3296dd34c23e7
SHA256 8b51a8aaac1d2fe2b1121736465a17887560817fcc8b39fd7a41cba178fa6edc
SHA512 6500a5e9945bba4e75859602487e6e6c31c8100b508683c807d7e4676ba2032a4e35a9050acb393d5db55e084951e11a6c73eb7cb8113dcddcee9d073352a667
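The file list above is the footprint of on-the-fly compilation: each `<job>.cmdline` response file is paired with a `<job>.0.vb` source file, and the `vbc<hex>.TMP` / `RES<hex>.tmp` scratch files are left by vbc.exe (the VB.NET compiler, which is what the "Uses the VBS compiler for execution" signature refers to) while it builds them. Ten such jobs in one detonation, all in the user's %TEMP%, plus a `CLR_v2.0\UsageLogs\taskngr.exe.log` entry (written by the CLR when a managed executable runs) for the dropped `taskngr.exe`, is a pattern that can be hunted for without any of the file hashes. The script below is an added example, not part of this report or of any sandbox tooling: it groups the artifact names from a list of paths into compiler jobs and returns a structured finding. The 8-character job name and the hex widths are taken from the names listed in this report, not from a specification, and the sample paths are constructed (one job, `e4xug7tx`, is deliberately left without its source file to show how an incomplete pair is reported).

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Artifact names vbc.exe leaves behind when a process compiles VB source at
# runtime: a response file (<job>.cmdline), the generated source (<job>.0.vb),
# a resource scratch file (RES<hex>.tmp) and the compiler's own scratch file
# (vbc<hex>.TMP). Widths are observed in this report, so they are kept loose.
CMDLINE_RE = re.compile(r"^(?P<job>[a-z0-9_-]{8})\.cmdline$", re.IGNORECASE)
SOURCE_RE = re.compile(r"^(?P<job>[a-z0-9_-]{8})\.0\.vb$", re.IGNORECASE)
VBC_TMP_RE = re.compile(r"^vbc[0-9a-f]+\.tmp$", re.IGNORECASE)
RES_TMP_RE = re.compile(r"^res[0-9a-f]+\.tmp$", re.IGNORECASE)
# CLR usage log: %LOCALAPPDATA%\Microsoft\CLR_vX.Y\UsageLogs\<exe>.log, which
# names a managed executable that has run under that CLR version.
USAGELOG_RE = re.compile(
    r"\\Microsoft\\CLR_v[\d.]+\\UsageLogs\\(?P<exe>[^\\]+)\.log$", re.IGNORECASE
)

# Constructed sample input, taken from the paths listed in this report plus
# one deliberately incomplete job (e4xug7tx, no .0.vb) and one benign file.
SAMPLE_PATHS = [
    r"C:\Users\Admin\AppData\Local\Temp\ugjblhvq.cmdline",
    r"C:\Users\Admin\AppData\Local\Temp\ugjblhvq.0.vb",
    r"C:\Users\Admin\AppData\Local\Temp\vbcE17FA493A14B4754A0447BF0696D6A.TMP",
    r"C:\Users\Admin\AppData\Local\Temp\RES93CF.tmp",
    r"C:\Users\Admin\AppData\Local\Temp\7qsp-m5p.cmdline",
    r"C:\Users\Admin\AppData\Local\Temp\7qsp-m5p.0.vb",
    r"C:\Users\Admin\AppData\Local\Temp\vbc90CC42A094504E5992B2ACF02B618EA4.TMP",
    r"C:\Users\Admin\AppData\Local\Temp\RES98C0.tmp",
    r"C:\Users\Admin\AppData\Local\Temp\e4xug7tx.cmdline",  # constructed partial job
    r"C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\taskngr.exe.log",
    r"C:\Users\Admin\AppData\Local\Temp\notes.txt",  # constructed benign noise
]


def triage_dropped_files(paths):
    """Group vbc.exe artifacts by job name and summarise what the list shows."""
    jobs = defaultdict(set)  # job name -> {"cmdline", "source"}
    scratch = {"vbc_tmp": 0, "res_tmp": 0}
    managed_exes = []  # executables named by CLR usage logs
    for p in paths:
        name = PureWindowsPath(p).name
        if m := CMDLINE_RE.match(name):
            jobs[m["job"].lower()].add("cmdline")
        elif m := SOURCE_RE.match(name):
            jobs[m["job"].lower()].add("source")
        elif VBC_TMP_RE.match(name):
            scratch["vbc_tmp"] += 1
        elif RES_TMP_RE.match(name):
            scratch["res_tmp"] += 1
        elif m := USAGELOG_RE.search(p):
            managed_exes.append(m["exe"])
    # A job counts as a real compile only when both the response file and the
    # source it points at are present; a lone .cmdline is reported separately
    # so an analyst can decide whether the source was deleted or never written.
    complete = sorted(j for j, kinds in jobs.items() if kinds == {"cmdline", "source"})
    return {
        "compile_jobs": complete,
        "partial_jobs": sorted(set(jobs) - set(complete)),
        "scratch": scratch,
        "managed_exes": managed_exes,
        "verdict": "runtime-vb-compilation" if complete else "no-compiler-artifacts",
    }


if __name__ == "__main__":
    for key, value in triage_dropped_files(SAMPLE_PATHS).items():
        print(f"{key}: {value}")
```

Fed a directory listing of `%TEMP%` from a live host (for example via `os.scandir`), the same function turns the report's file table into a hunting rule: legitimate software rarely compiles VB source at runtime at all, and never in runs of ten jobs in a few seconds. The `.cmdline` response files are also worth collecting when present, since they name the output assembly vbc was asked to produce.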