Analysis Overview
SHA256
a61f292250032a413af6305b8258cc6d1a50f04083063e3034ad7400db92be56
Threat Level: Known bad
The file JaffaCakes118_a58db880f0af54721064fd5848573a72 was found to be: Known bad.
Malicious Activity Summary
RevengeRat Executable
Revengerat family
RevengeRAT
RevengeRat Executable
Checks computer location settings
Drops startup file
Uses the VBS compiler for execution
Executes dropped EXE
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Unsigned PE
Enumerates physical storage devices
Scheduled Task/Job: Scheduled Task
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-08 18:42
Signatures
RevengeRat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Revengerat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-08 18:42
Reported
2025-01-08 18:45
Platform
win7-20240903-en
Max time kernel
149s
Max time network
151s
Signatures
RevengeRAT
Revengerat family
RevengeRat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft IntelliPoint.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Documents\taskngr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6993793.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\taskngr.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\taskngr.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\PaintResource = "C:\\Users\\Admin\\Documents\\taskngr.exe" | C:\Users\Admin\Documents\taskngr.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Enumerates physical storage devices
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a58db880f0af54721064fd5848573a72.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a58db880f0af54721064fd5848573a72.exe"
C:\Users\Admin\Documents\taskngr.exe
"C:\Users\Admin\Documents\taskngr.exe"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\v2mibuc_.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE699.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE698.tmp"
C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "WindowsTable" /tr "C:\Users\Admin\Documents\taskngr.exe"
C:\Users\Admin\AppData\Local\Temp\6993793.exe
"C:\Users\Admin\AppData\Local\Temp\6993793.exe"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\acns3f6k.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE86D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE86C.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\f68cma81.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE909.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE908.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kierxior.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE966.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE965.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jco5jyk5.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE9C4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE9C3.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\8p9hmdc2.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEA21.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEA20.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tqtkfned.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEA7F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEA7E.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\igfaanyt.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEAFC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEAFB.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\m9hk5iif.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEB4A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEB49.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pje008ld.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEB98.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEB97.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qqfelodm.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEBE6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEBE5.tmp"
C:\Windows\system32\taskeng.exe
taskeng.exe {98E878ED-2072-437E-A9FE-5D696273B49D} S-1-5-21-3290804112-2823094203-3137964600-1000:VORHPBAB\Admin:Interactive:[1]
C:\Users\Admin\Documents\taskngr.exe
C:\Users\Admin\Documents\taskngr.exe
C:\Users\Admin\Documents\taskngr.exe
C:\Users\Admin\Documents\taskngr.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | day2281.ddns.net | udp |
| RU | 31.134.133.122:1604 | | tcp |
| RU | 31.134.133.122:1604 | | tcp |
| RU | 31.134.133.122:1604 | | tcp |
| RU | 31.134.133.122:1604 | | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| RU | 31.134.133.122:1604 | | tcp |
| RU | 31.134.133.122:1604 | | tcp |
| RU | 31.134.133.122:1604 | | tcp |
Files
C:\Users\Admin\Documents\taskngr.exe
| MD5 | a58db880f0af54721064fd5848573a72 |
| SHA1 | 4db954acd4feebbb49918211e83c0cbdf1cb4a10 |
| SHA256 | a61f292250032a413af6305b8258cc6d1a50f04083063e3034ad7400db92be56 |
| SHA512 | 26e5034b2aed4b03115464f86b456f786fc246cbaef839776f1d14c5f56e4608da921015e4e6b31bf1a375c754285a98fd09935b0f80e677f3a387c1c5a04f76 |
C:\Users\Admin\AppData\Local\Temp\v2mibuc_.cmdline
C:\Users\Admin\AppData\Local\Temp\v2mibuc_.0.vb
C:\Users\Admin\AppData\Local\Temp\vbcE698.tmp
C:\Users\Admin\AppData\Local\Temp\RESE699.tmp
C:\Users\Admin\AppData\Local\Temp\6993793.exe
| MD5 | c4394fb4daaf350cdbf5303d812e917e |
| SHA1 | 6a780c9f1c15e555b72640299b9c10e7927252f6 |
| SHA256 | 0ac3387b6e0283c972722c2a6664ee23ac5ba10640d18b827e8732f5c57e7d2c |
| SHA512 | 585664a31ac2131efde439468f98c53423588348019edb3c767ffc9bb6a8a881959fd1f4a30d623a0e6a4cc02d180a146b37bef8679b55b111f46d2fb8fb82e1 |
C:\Users\Admin\AppData\Local\Temp\acns3f6k.cmdline
C:\Users\Admin\AppData\Local\Temp\acns3f6k.0.vb
C:\Users\Admin\AppData\Local\Temp\vbcE86C.tmp
C:\Users\Admin\AppData\Local\Temp\RESE86D.tmp
C:\Users\Admin\AppData\Local\Temp\f68cma81.cmdline
C:\Users\Admin\AppData\Local\Temp\f68cma81.0.vb
C:\Users\Admin\AppData\Local\Temp\RESE909.tmp
C:\Users\Admin\AppData\Local\Temp\vbcE908.tmp
C:\Users\Admin\AppData\Local\Temp\kierxior.cmdline
C:\Users\Admin\AppData\Local\Temp\kierxior.0.vb
C:\Users\Admin\AppData\Local\Temp\RESE966.tmp
C:\Users\Admin\AppData\Local\Temp\vbcE965.tmp
C:\Users\Admin\AppData\Local\Temp\jco5jyk5.cmdline
C:\Users\Admin\AppData\Local\Temp\jco5jyk5.0.vb
C:\Users\Admin\AppData\Local\Temp\RESE9C4.tmp
C:\Users\Admin\AppData\Local\Temp\vbcE9C3.tmp
C:\Users\Admin\AppData\Local\Temp\8p9hmdc2.cmdline
C:\Users\Admin\AppData\Local\Temp\8p9hmdc2.0.vb
C:\Users\Admin\AppData\Local\Temp\RESEA21.tmp
C:\Users\Admin\AppData\Local\Temp\tqtkfned.cmdline
C:\Users\Admin\AppData\Local\Temp\tqtkfned.0.vb
C:\Users\Admin\AppData\Local\Temp\RESEA7F.tmp
C:\Users\Admin\AppData\Local\Temp\vbcEA7E.tmp
C:\Users\Admin\AppData\Local\Temp\igfaanyt.cmdline
C:\Users\Admin\AppData\Local\Temp\igfaanyt.0.vb
C:\Users\Admin\AppData\Local\Temp\vbcEAFB.tmp
C:\Users\Admin\AppData\Local\Temp\RESEAFC.tmp
C:\Users\Admin\AppData\Local\Temp\m9hk5iif.cmdline
C:\Users\Admin\AppData\Local\Temp\m9hk5iif.0.vb
C:\Users\Admin\AppData\Local\Temp\vbcEB49.tmp
C:\Users\Admin\AppData\Local\Temp\RESEB4A.tmp
C:\Users\Admin\AppData\Local\Temp\pje008ld.cmdline
C:\Users\Admin\AppData\Local\Temp\pje008ld.0.vb
C:\Users\Admin\AppData\Local\Temp\RESEB98.tmp
C:\Users\Admin\AppData\Local\Temp\qqfelodm.cmdline
C:\Users\Admin\AppData\Local\Temp\qqfelodm.0.vb
C:\Users\Admin\AppData\Local\Temp\vbcEBE5.tmp
C:\Users\Admin\AppData\Local\Temp\RESEBE6.tmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-08 18:42
Reported
2025-01-08 18:45
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
154s
Signatures
RevengeRAT
Revengerat family
RevengeRat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a58db880f0af54721064fd5848573a72.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Documents\taskngr.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft IntelliPoint.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Documents\taskngr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6993793.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\taskngr.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\taskngr.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PaintResource = "C:\\Users\\Admin\\Documents\\taskngr.exe" | C:\Users\Admin\Documents\taskngr.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Enumerates physical storage devices
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a58db880f0af54721064fd5848573a72.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a58db880f0af54721064fd5848573a72.exe"
C:\Users\Admin\Documents\taskngr.exe
"C:\Users\Admin\Documents\taskngr.exe"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\s7gth_cx.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES912F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFC119ABC10AB4A92B3141C3A7C1B565B.TMP"
C:\Windows\SYSTEM32\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "WindowsTable" /tr "C:\Users\Admin\Documents\taskngr.exe"
C:\Users\Admin\AppData\Local\Temp\6993793.exe
"C:\Users\Admin\AppData\Local\Temp\6993793.exe"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ugjblhvq.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES93CF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE17FA493A14B4754A0447BF0696D6A.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\z9hxvk6h.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES945B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc360FF46F43964119AD2FBE16E8C9713.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\e4xug7tx.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9527.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD03318FC13704F13B89F3BDFA8ECA72.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\e86ec0lf.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES95C3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc81BBA62494E842AA943257233D803AAA.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3fhbwqwo.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES96AD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4F734BF59DE94DD98669284BCF33E5EE.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qlwnihg7.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9788.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA080CC3B7F4240E1A03C25EF2F6CFF6.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7qsp-m5p.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES98C0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc90CC42A094504E5992B2ACF02B618EA4.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lurpxany.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9A18.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC3775F296D9C45DDAF807844DB24E929.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\suocmaei.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9B8F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5AFB58614AE47B2B734D21E2D86BA24.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kyv47xjd.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9C99.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc669807EC9932404D91F79EDF878EDFBB.TMP"
C:\Users\Admin\Documents\taskngr.exe
C:\Users\Admin\Documents\taskngr.exe
C:\Users\Admin\Documents\taskngr.exe
C:\Users\Admin\Documents\taskngr.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 60.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | day2281.ddns.net | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 31.134.133.122:1604 | | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | day2281.ddns.net | udp |
| RU | 31.134.133.122:1604 | | tcp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | day2281.ddns.net | udp |
| RU | 31.134.133.122:1604 | | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | day2281.ddns.net | udp |
| RU | 31.134.133.122:1604 | | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | day2281.ddns.net | udp |
| RU | 31.134.133.122:1604 | | tcp |
| US | 8.8.8.8:53 | 86.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | day2281.ddns.net | udp |
| RU | 31.134.133.122:1604 | | tcp |
| US | 8.8.8.8:53 | day2281.ddns.net | udp |
| RU | 31.134.133.122:1604 | | tcp |
Files
memory/5020-0-0x00007FFAB1DE5000-0x00007FFAB1DE6000-memory.dmp
memory/5020-1-0x000000001C3D0000-0x000000001C89E000-memory.dmp
memory/5020-3-0x000000001C8A0000-0x000000001C946000-memory.dmp
memory/5020-2-0x00007FFAB1B30000-0x00007FFAB24D1000-memory.dmp
memory/5020-4-0x00007FFAB1B30000-0x00007FFAB24D1000-memory.dmp
memory/5020-5-0x000000001CAA0000-0x000000001CB02000-memory.dmp
memory/5020-6-0x00007FFAB1DE5000-0x00007FFAB1DE6000-memory.dmp
memory/5020-7-0x00007FFAB1B30000-0x00007FFAB24D1000-memory.dmp
C:\Users\Admin\Documents\taskngr.exe
memory/5004-21-0x00007FFAB1B30000-0x00007FFAB24D1000-memory.dmp
memory/5020-20-0x00007FFAB1B30000-0x00007FFAB24D1000-memory.dmp
memory/5004-22-0x00007FFAB1B30000-0x00007FFAB24D1000-memory.dmp
memory/5004-23-0x00007FFAB1B30000-0x00007FFAB24D1000-memory.dmp
memory/5004-24-0x00007FFAB1B30000-0x00007FFAB24D1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\s7gth_cx.cmdline
C:\Users\Admin\AppData\Local\Temp\s7gth_cx.0.vb
C:\Users\Admin\AppData\Local\Temp\vbcFC119ABC10AB4A92B3141C3A7C1B565B.TMP
C:\Users\Admin\AppData\Local\Temp\RES912F.tmp
C:\Users\Admin\AppData\Local\Temp\6993793.exe
memory/3788-50-0x00000000004F0000-0x00000000006DA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ugjblhvq.cmdline
C:\Users\Admin\AppData\Local\Temp\ugjblhvq.0.vb
C:\Users\Admin\AppData\Local\Temp\vbcE17FA493A14B4754A0447BF0696D6A.TMP
C:\Users\Admin\AppData\Local\Temp\RES93CF.tmp
C:\Users\Admin\AppData\Local\Temp\z9hxvk6h.cmdline
C:\Users\Admin\AppData\Local\Temp\z9hxvk6h.0.vb
C:\Users\Admin\AppData\Local\Temp\vbc360FF46F43964119AD2FBE16E8C9713.TMP
C:\Users\Admin\AppData\Local\Temp\RES945B.tmp
C:\Users\Admin\AppData\Local\Temp\e4xug7tx.cmdline
C:\Users\Admin\AppData\Local\Temp\e4xug7tx.0.vb
C:\Users\Admin\AppData\Local\Temp\vbcD03318FC13704F13B89F3BDFA8ECA72.TMP
C:\Users\Admin\AppData\Local\Temp\RES9527.tmp
memory/3788-97-0x000000001C220000-0x000000001C232000-memory.dmp
memory/3788-98-0x000000001C560000-0x000000001C59C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\e86ec0lf.cmdline
C:\Users\Admin\AppData\Local\Temp\e86ec0lf.0.vb
C:\Users\Admin\AppData\Local\Temp\RES95C3.tmp
C:\Users\Admin\AppData\Local\Temp\3fhbwqwo.cmdline
C:\Users\Admin\AppData\Local\Temp\3fhbwqwo.0.vb
C:\Users\Admin\AppData\Local\Temp\RES96AD.tmp
C:\Users\Admin\AppData\Local\Temp\qlwnihg7.cmdline
C:\Users\Admin\AppData\Local\Temp\qlwnihg7.0.vb
C:\Users\Admin\AppData\Local\Temp\RES9788.tmp
C:\Users\Admin\AppData\Local\Temp\7qsp-m5p.cmdline
C:\Users\Admin\AppData\Local\Temp\7qsp-m5p.0.vb
C:\Users\Admin\AppData\Local\Temp\vbc90CC42A094504E5992B2ACF02B618EA4.TMP
C:\Users\Admin\AppData\Local\Temp\RES98C0.tmp
C:\Users\Admin\AppData\Local\Temp\lurpxany.cmdline
C:\Users\Admin\AppData\Local\Temp\lurpxany.0.vb
C:\Users\Admin\AppData\Local\Temp\RES9A18.tmp
C:\Users\Admin\AppData\Local\Temp\suocmaei.cmdline
C:\Users\Admin\AppData\Local\Temp\suocmaei.0.vb
C:\Users\Admin\AppData\Local\Temp\RES9B8F.tmp
C:\Users\Admin\AppData\Local\Temp\kyv47xjd.cmdline
C:\Users\Admin\AppData\Local\Temp\kyv47xjd.0.vb
C:\Users\Admin\AppData\Local\Temp\vbc669807EC9932404D91F79EDF878EDFBB.TMP
C:\Users\Admin\AppData\Local\Temp\RES9C99.tmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\taskngr.exe.log