Malware Analysis Report

2025-04-14 05:12

Sample ID 250108-yek5cazqhv
Target JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05
SHA256 4862536534ea3f44daaffceb5facaeb873eee8c386e6b13b3ba31f89702a6ce6
Tags
stealer revengerat discovery
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4862536534ea3f44daaffceb5facaeb873eee8c386e6b13b3ba31f89702a6ce6

Threat Level: Known bad

The file JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05 was found to be: Known bad.

Malicious Activity Summary

stealer revengerat discovery

RevengeRat Executable

Revengerat family

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Uses the VBS compiler for execution

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-08 19:41

Signatures

RevengeRat Executable

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Revengerat family

revengerat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-08 19:41

Reported

2025-01-08 19:44

Platform

win7-20240903-en

Max time kernel

149s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\327663578.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe N/A

Uses the VBS compiler for execution

Despite the signature name, vbc.exe here is the Visual Basic .NET command-line compiler, not a VBScript host. The invocation pattern in the process list below (vbc.exe /noconfig @<random>.cmdline, then cvtres.exe writing a RES*.tmp resource file) is what the .NET CodeDOM VBCodeProvider produces when a program compiles source at run time, so each vbc.exe/cvtres.exe pair corresponds to one run-time compilation started by the sample.

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target Count
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A 10
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A 10
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\327663578.exe N/A 1
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe N/A 1

22 events in total, collapsed here per process. 20 of them come from vbc.exe and cvtres.exe, the stock .NET compiler tools, which read this key during their own start-up; only the single reads by the submitted sample and by the dropped 327663578.exe are attributable to the malware itself, so this signature on its own is weak evidence of deliberate locale checking.

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 2544 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe C:\Users\Admin\AppData\Local\Temp\327663578.exe 4
PID 2544 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 4
PID 2704 wrote to memory of 948 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe 4
PID 2544 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 4
PID 2584 wrote to memory of 2756 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe 4
PID 2544 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 4
PID 1692 wrote to memory of 1688 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe 4
PID 2544 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 4
PID 2932 wrote to memory of 1864 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe 4
PID 2544 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 4
PID 1724 wrote to memory of 1388 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe 4
PID 2544 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 4
PID 2676 wrote to memory of 1436 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe 4
PID 2544 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 4
PID 2912 wrote to memory of 2268 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe 4
PID 2544 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 4

64 rows, collapsed to the 16 distinct parent/child pairs (each pair is logged four times). Every write goes from a parent into a child it has just created, matching the parent/child relationships in the process list below; no write into an unrelated, already-running process is recorded, so this signature reflects process creation rather than classic code injection. PID 2544 is the submitted sample, 2784 is the dropped 327663578.exe, the other children of 2544 are vbc.exe instances, and each vbc.exe writes into its own cvtres.exe child.

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe"

C:\Users\Admin\AppData\Local\Temp\327663578.exe

"C:\Users\Admin\AppData\Local\Temp\327663578.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\d0av2anl.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5735.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5734.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vk4jufop.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES57B2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc57B1.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\skt6vsjf.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5810.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc580F.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kwna6gcn.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES585E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc585D.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\g3hslql2.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES58AC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc58AB.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lk4njgml.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES58FA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc58F9.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zmcrop_1.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5986.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5985.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3w2oe5aj.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES59E4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc59E3.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hauhxasc.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5A22.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5A21.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6wmwyn7e.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5A70.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5A6F.tmp"
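
The process list above and the WriteProcessMemory rows describe one chain: the sample drops and runs 327663578.exe, then repeatedly launches vbc.exe with a .cmdline response file, and each vbc.exe launches cvtres.exe. The following Python script is an added example, not part of the sandbox report or its tooling: it parses rows in the report's "PID X wrote to memory of Y" layout, rebuilds the parent/child tree, and tags the three conditions a detection engineer would look for here: an executable in a user Temp directory launching another Temp executable, a Temp executable launching vbc.exe, and vbc.exe launching cvtres.exe. The input rows are constructed from the pairs listed above with the sandbox's fourfold repetition reproduced; the Temp-directory heuristic and the tag names are the example's own assumptions.

```python
"""Rebuild the process tree from sandbox WriteProcessMemory rows and flag the
drop-and-run plus vbc.exe/cvtres.exe compile loop seen in this report."""
import re
from collections import defaultdict

# Image paths taken from the report above.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
FW = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
MAIN = TEMP + r"\JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe"
DROP = TEMP + r"\327663578.exe"
VBC = FW + r"\vbc.exe"
CVTRES = FW + r"\cvtres.exe"

# (parent pid, child pid, parent image, child image) for each pair logged above.
PAIRS = [
    (2544, 2784, MAIN, DROP),
    (2544, 2704, MAIN, VBC), (2704, 948, VBC, CVTRES),
    (2544, 2584, MAIN, VBC), (2584, 2756, VBC, CVTRES),
    (2544, 1692, MAIN, VBC), (1692, 1688, VBC, CVTRES),
    (2544, 2932, MAIN, VBC), (2932, 1864, VBC, CVTRES),
    (2544, 1724, MAIN, VBC), (1724, 1388, VBC, CVTRES),
    (2544, 2676, MAIN, VBC), (2676, 1436, VBC, CVTRES),
    (2544, 2912, MAIN, VBC), (2912, 2268, VBC, CVTRES),
    (2544, 1872, MAIN, VBC),
]

# Constructed input: the report repeats every pair four times, so do the same
# to make the parser de-duplicate.
SAMPLE_ROWS = "\n".join(
    f"PID {p} wrote to memory of {c} N/A {pimg} {cimg}"
    for p, c, pimg, cimg in PAIRS for _ in range(4)
)

# Row layout: Description, Indicator (always N/A here), Process, Target.
# Assumes image paths contain no spaces, which holds for every row above.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_rows(text):
    """Return {(parent_pid, child_pid): [parent_image, child_image, hits]}."""
    edges = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        key = (int(m.group(1)), int(m.group(2)))
        if key in edges:
            edges[key][2] += 1
        else:
            edges[key] = [m.group(3), m.group(4), 1]
    return edges


def build_tree(edges):
    """Return (children-by-pid, image-by-pid, root pids)."""
    children, images = defaultdict(list), {}
    for (ppid, cpid), (pimg, cimg, _) in edges.items():
        children[ppid].append(cpid)
        images.setdefault(ppid, pimg)
        images[cpid] = cimg
    child_pids = {c for _, c in edges}
    roots = [pid for pid in images if pid not in child_pids]
    return children, images, roots


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def in_user_temp(path):
    """Heuristic for a user-writable scratch directory (an assumption of this example)."""
    return "\\appdata\\local\\temp\\" in path.lower()


def analyse(edges):
    """Tag the edges that make up the drop-and-run and runtime-compile chain."""
    findings, compile_cycles = [], 0
    for (ppid, cpid), (pimg, cimg, _) in edges.items():
        pb, cb = basename(pimg), basename(cimg)
        if in_user_temp(pimg) and in_user_temp(cimg) and pb != cb:
            findings.append(("dropped_exe_executed", ppid, cpid, cimg))
        if in_user_temp(pimg) and cb == "vbc.exe":
            compile_cycles += 1
            findings.append(("runtime_compile_from_temp", ppid, cpid, cimg))
        if pb == "vbc.exe" and cb == "cvtres.exe":
            findings.append(("vbc_spawns_cvtres", ppid, cpid, cimg))
    return findings, compile_cycles


def render(children, images, pid, depth=0):
    """Indented one-line-per-process view of the tree under pid."""
    lines = [f"{'  ' * depth}{pid} {basename(images[pid])}"]
    for c in children.get(pid, []):
        lines.extend(render(children, images, c, depth + 1))
    return lines


if __name__ == "__main__":
    edges = parse_rows(SAMPLE_ROWS)
    children, images, roots = build_tree(edges)
    for root in roots:
        print("\n".join(render(children, images, root)))
    findings, cycles = analyse(edges)
    print(f"{cycles} vbc.exe compile cycle(s) launched from a user Temp path")
    for tag, ppid, cpid, image in findings:
        print(f"{tag}: {ppid} -> {cpid} ({basename(image)})")
```

On the rows above this yields a single root (PID 2544) with nine direct children, eight compile cycles, and seven vbc.exe-to-cvtres.exe edges (the ninth vbc.exe, PID 1872, has no cvtres.exe child in the logged rows). A real endpoint rule would key on the same two relations: a parent whose image lives under a user Temp path launching vbc.exe or csc.exe, and that compiler launching cvtres.exe, rather than on vbc.exe alone, which also runs during legitimate builds.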

Network

Country Destination Domain Proto Count
N/A 127.0.0.1:5552 N/A tcp 43

All 43 recorded connection attempts go to the loopback address on TCP port 5552, so the sandbox observed no external command-and-control traffic in this run: either the sample was built with a placeholder host or its real server configuration was never reached. The port alone is not a useful pivot; the durable indicators from this detonation are the dropped file hashes listed under Files, not a network destination.

Files

memory/2544-0-0x0000000074361000-0x0000000074362000-memory.dmp

memory/2544-1-0x0000000074360000-0x000000007490B000-memory.dmp

memory/2544-2-0x0000000074360000-0x000000007490B000-memory.dmp

memory/2544-3-0x0000000074360000-0x000000007490B000-memory.dmp

\Users\Admin\AppData\Local\Temp\327663578.exe

MD5 31488a2de66a4e13f6b88f27072ed4dd
SHA1 1b06b0400bffcb1a25b0bf2c697c521c21be14cc
SHA256 13974ab8091e52b1838bb55a5843f8113e7b8eeb867b112b6506b3cd2fc40ee2
SHA512 ed14a9299dd532b3f9d25640ea69bda993ebd0d22eb426bb15ae1aeba56684b81c65d413463b568e048ce502c7c838da0eea0ff22def08c81d46fb8184e8e442

memory/2784-15-0x0000000070D2E000-0x0000000070D2F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d0av2anl.cmdline

MD5 713269ab34761bae44337fcbeba4aee4
SHA1 0d8be0372d190ebc940280cd85c3ae5399336164
SHA256 eb8505674037b0e9ddc5cefeac82a7244121054ab3e22eab70ef91db4682f0ba
SHA512 81b847192870aa385ac8f3d1ca749b5b266f5d7b4a639ad2e0507d314da93fd93bf5ece8c5dcf8e82c5179fa5da1879d1765458a9f5e7ace069b1fa2877adabd

memory/2784-18-0x0000000000DF0000-0x0000000000E40000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d0av2anl.0.vb

MD5 fd62ee9dd4c3e902ea3996365664382a
SHA1 d9ce8e5ff69c2448c9535f59f5ffcdc594d4cba0
SHA256 19c1a96b2821de22d3a2c57a21b42bb9445b24d7bf6e2f82f8e6b0c1849c914a
SHA512 068ef59d35ed956db8cc241b958c22617e6e7cc1a6003f95f77560f900f3b5e52172cae8d9820d83ef3876d4c85c8e43f1bd7354a02683bf930c8f9f951efea2

C:\Users\Admin\AppData\Local\Temp\vbc5734.tmp

MD5 3906bddee0286f09007add3cffcaa5d5
SHA1 0e7ec4da19db060ab3c90b19070d39699561aae2
SHA256 0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00
SHA512 0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

C:\Users\Admin\AppData\Local\Temp\RES5735.tmp

MD5 83974377c93a0016408b2ff30de6c735
SHA1 435a55f79229aad6ff23ee1ed99475daf3196ef2
SHA256 41efbed56634320cd726e390a5744230507f9b8a182d15a0984a0c1467f79c69
SHA512 56a0b1babd56933320d2eed3169066244bb4520fb3890a9ff5c8baeac2ea8d0c047b94557c6c2cdd061e3c8ac34b4f5e03764625348b4a7946ac65ee960d708d

C:\Users\Admin\AppData\Local\Temp\vk4jufop.cmdline

MD5 f1966247c089d8c7c71205465feb3493
SHA1 36323e63f0b62398c746f59943f5c100638e4c2a
SHA256 f65c358ef54f5473d789425a3d2737bd8830758809279df3678a7f51e4e3f4d8
SHA512 8c9df8dd62a8445f9e565facef3310c6220497e7db6724fa51a42feef491d2c63268db1560b2b52e53182e49d697649804b80e018bc7724eafd8f46d270609e2

C:\Users\Admin\AppData\Local\Temp\vk4jufop.0.vb

MD5 da17ec9882e37de89b39410bbd36f99b
SHA1 5a5e1d090e2926b2c2b2b1694cf39820adac1c40
SHA256 19a034b7779c9cf15010eceebbfdc1059da28c0aca92ef4bb50a3062e09ccb71
SHA512 502c4f476891da04ba5ed681b664670994d642a0c4949ed3777ac39b6952157f4179c117004f1477d4554feaff4abe12deea98724ce9a8b7ed4e9a3a19717a2d

C:\Users\Admin\AppData\Local\Temp\RES57B2.tmp

MD5 1c10cc6ab916f976588698d1a359c9b5
SHA1 79f13a41ecae55d0769e6c34ddb0f9e57a4fb883
SHA256 78ffea1ccc37658c6ef82ef62be2159beafa4d3d68b965bace50e62294aeb835
SHA512 e4edd2eb6952273523313351e641ef769e924249b3abb01766283fa1c0d7820058a57cb9b5e48ba8ac9471f04b7a7e2b9d361ecc4b69d138c536fc59e095d45b

C:\Users\Admin\AppData\Local\Temp\vbc57B1.tmp

MD5 41857ef7e71c255abd4d5d2a9174e1a6
SHA1 95051d6ae43ff1bd9e5ebc95aa2e7b7c3165cb6c
SHA256 dfcdf12316f3b523895ec611d8e8d9fdc189ab8dde4e86fb962541aeac54e302
SHA512 ec6c5a7729d273be3ff194ffe47056731ab4100e298b7f50108a2599be59c84bd1953a90c4d7390c477257986a18d336d951f590b782f1aa983de7bd4c86e6ac

C:\Users\Admin\AppData\Local\Temp\skt6vsjf.cmdline

MD5 85552a69830a8ee5829e2e5261a1cd06
SHA1 434b128e81fad5cbc257d1a715fcccc8ef1ddc42
SHA256 8872b036b1443c225885709c4f7f6b17df91e10ca32eefdb00b2a7fc60e613a1
SHA512 dd6ff5a70e6408a018f8ec6b27febebed41eae9e6870537578550c30cc5c2dde19a315a697f86edc080a25851ad16712faf5a1bfe6d7f4b3e254a64d51fb6f31

C:\Users\Admin\AppData\Local\Temp\skt6vsjf.0.vb

MD5 7df77e87c644b2c1871fb2c45358c6a8
SHA1 b658fe9ebb491c8b596e6f683f4629af6efe4c8e
SHA256 ceb604733e4813f6c446e3240cba6b5118e307d5af4f53e970358db5959706cd
SHA512 4cb4a2cab3f20c0c9b8b0669291738fad26c2dedb6cce669880ecdad785f32c416f85cee5962e2e4a255acabef1211d387fc7356cb810a4f8222e2e5f56eb20a

C:\Users\Admin\AppData\Local\Temp\vbc580F.tmp

MD5 453916f7e3952d736a473b0e2eea5430
SHA1 b79ccb2b555a81b8db470ec9fcaea26d42ef1c8b
SHA256 b0f8b94a35a12060c70e9f81641be22cbf1f1794c73260f48a2e6e46608623fe
SHA512 86d32a03cf04ef8640075c82e5fecb23034413a41b80b81c900a423b03f44589f774f68f83561465e7c9ce46512c818eef5a90e5ed9f7b3f86b592be34fa367f

C:\Users\Admin\AppData\Local\Temp\RES5810.tmp

MD5 ccb4812836545fd3af6e056f4a2b3d8b
SHA1 73e1d6048edbae9d87a8a3c67e38d8aed277776f
SHA256 5cd66757861a7ff91f7e409840bf6bee831cd427eb4edef55d9019d3f7416c87
SHA512 ff25a7d2e839d6c617c35bac04b95d999be495eda72291e2509e5d00e9d11280ce06e39fa9fc323d450475e51dd94a78e409ccca07f8c7a32e1113c65620ee66

C:\Users\Admin\AppData\Local\Temp\kwna6gcn.0.vb

MD5 285105c113cbecb256d3d1293aaed2c9
SHA1 e3f56380a1bea78c52ae4ea5ff5f03956c77c76c
SHA256 8c0343815bee6b3a09ea48af9e0c204508885a7535f1a772250331d1e2fe8e9f
SHA512 e4c03023ff9b76b3bffd70d637be79e4500965a8c1e3c9fcefb16a63c44c4e381a2a6862c7eea853848be5ab6e561fb4d9945d02b560958edb391c671797a856

C:\Users\Admin\AppData\Local\Temp\kwna6gcn.cmdline

MD5 cf46b4108690ee531d766a70b55efd0e
SHA1 936f9baad2bcc90690335d906a1857f59fe35140
SHA256 5ff68ef231b268f13488aadf01cc210cfaeac8962eb21aaafb7dc86f7dada7f5
SHA512 a1f9beb8f1f6ca5f0eb031636bd43f5fd905ba4f2545e0f36e69a54bbfd7df5d96f1c00c65894dfc7a7b3b62564ecd20f3935f1c14332efce90e849ff9706f65

C:\Users\Admin\AppData\Local\Temp\vbc585D.tmp

MD5 6ed26221ebae0c285cdced27b4e4dbac
SHA1 452e9440a9c5b47a4f54aefdde36c08592e17a38
SHA256 aacdfb10fa949c74577bb1778fe2f3bab88b3e587c07cfffb003e059097e9e6c
SHA512 c604368a7b4adfbec5b6898c8880ea684bd085d967c1ebd087c9bed065fe3e2575c8298a9ccaa454d68496386667db998e2a04248dda2ab35905c8a9b1135cce

C:\Users\Admin\AppData\Local\Temp\RES585E.tmp

MD5 9ee1de251e8615bb7db0fd4ec9a62aab
SHA1 c0d61aa24ba4eea7e1bfd661f5e1599b508eaea6
SHA256 5b31b772f037c0536e4d6e0811a45b9c348bf77df866d5dad7e9d58282883f8d
SHA512 c281ee6c05c4adc23a4ab658bee752ac16499a8570fcb1df41c52ab8c02a4549fbb262db53f47834b0559b9e86a811508074707f3fe551d6b645b35c85e0d2cc

C:\Users\Admin\AppData\Local\Temp\g3hslql2.0.vb

MD5 91db9d749b80b7bfd07524563f046ecb
SHA1 780d0d3185057fadb121e0a526a89260a7367d5b
SHA256 0d13e734ccd1fd940caa9526bc3459ccf5420189dfec2287e3818660cb029c18
SHA512 11c01940e1d88d5cef7c6d701102f7ee8eb1a3489ded2f412d648e07801f6cb6d9b2c4fde773b8453eaf92797814d7043d96c9b9fd06e037d42a7cc3eed6d45b

C:\Users\Admin\AppData\Local\Temp\g3hslql2.cmdline

MD5 b4f0167598becf2c92cd7fdaa115e0e1
SHA1 612f79115b72c55709bc77629216dff843e5b1a3
SHA256 a5cfc2a9b1554cf075fd265eddadc0da3593141ac49e314ce119a66b641cca83
SHA512 2f5e5430bcf0f9ee98205534e6d0c09ae218ca4cb5b294a5b01db0c73f9c74435d9af512db927d9641529e5fd132b631c5374a75851f14bd0b3e0e7ea68997c3

C:\Users\Admin\AppData\Local\Temp\RES58AC.tmp

MD5 70abaeec478074ed3d929a357efe9d95
SHA1 edbc59440a28644acb88492f242e26ad45df4272
SHA256 e587588bd775bec61282e4ad9fc1396a17c5910e878e4e44aa91a844a215fdd5
SHA512 84613453293facf5e4fff98a8b1c141360b19046d917731c25b80f5118468cc2578ec6ede635df74d474c9be93e6fa449e15a975198e56a3a7570d66f4b2e6b6

C:\Users\Admin\AppData\Local\Temp\lk4njgml.0.vb

MD5 bc90625349b8ddff681a2854a1f40611
SHA1 ca0239d34f80409d509c5e096cfd6ae4e0e905eb
SHA256 8ed6ade2ff68614c34d8bbdaa0b7eac43e5787b4831211afff08045c580e4355
SHA512 54b8e76338471b80ba8e6f6e4692b76c06fa3c5329a9a153288c6d442ca9f51dcd5077289c3f9ca75ffd85901bb6a4010512fac411c1fa2d95562d42329df45c

C:\Users\Admin\AppData\Local\Temp\lk4njgml.cmdline

MD5 c585416441f00bcf0816f91091546d8c
SHA1 4df0f256b1d2ab04d54d1341a48bcd141f20fd37
SHA256 cd58eed2a6b2b6d6ac7a48b63228656558135942913ee1ef9101529558664fd3
SHA512 4b129f68387c96f7d3fc8809152819f9537841686a93c3501ca95209041251bf4242ab1e13eb7ff84cc8c8e1a1bc2a7b777f098bb28de7817c3c2fddbf130f3b

C:\Users\Admin\AppData\Local\Temp\RES58FA.tmp

MD5 972e0fc6ba1c69fb5a2aad7aa53f9d63
SHA1 ff5a32fc06347c34f3f9c697f548f5d061e5e9d5
SHA256 55ea5c2c2a7274223a2c308d6665cbb83022533562a5801db166ac1bbbbb141e
SHA512 8697407220de7c8044f1a0d8c17ef0b4fb9fe031c54505b316fbf5d8f1ef91e55d8f9fa998a9ba013394875b14a6b3f96820e31c9cc4001a081baaadaa7d7a48

C:\Users\Admin\AppData\Local\Temp\vbc58F9.tmp

MD5 b548259248343e12d417d6c938cf8968
SHA1 19703c388a51a7ff81a3deb6a665212be2e6589a
SHA256 ab2ce0a14c78f836d2b134a37183b6d89a78b964ea5607940fa5d940d32a0366
SHA512 73a3902f000a042a448446f6851d6ad61a30bfdfed7d7903b5dad0f368ee43cd6da3b8ba817ac95be1a7427902aba0642af8ccddc4d442867465f1f1f5bf6f81

C:\Users\Admin\AppData\Local\Temp\zmcrop_1.cmdline

MD5 a4ef915f1828ff6efd4faa3a7650951a
SHA1 be730b464386438920fa1d64c0a0761e188bd2d8
SHA256 848b139fa47fd25cca39d074572ec1a1f5661aac77892502123ba5630967960a
SHA512 3c7a59b8c291ca698216bec8fdff2305f87d3fe2b88a1176a81f80c699836e3a765681fe6d72936f104776c441205b1f430adb28a43d64544fc81014136b06ba

C:\Users\Admin\AppData\Local\Temp\zmcrop_1.0.vb

MD5 f053c9fd1bd9f4712b5cd74f2b9d1184
SHA1 26bab75f8adb2e618952399b09b8c22b71863fc2
SHA256 c4454968628ce0aa4fe779a9b36653f098300f54ccb606551d8bd3ebb57f473a
SHA512 0eda15da77cd58c1f49ff960ba89db9bab4a9a3d875e48f9666b396913d5168b399f31a9db7582be487ec76a2874e6a5a0d2bcb5096b6a4f3675738fe1d928ac

C:\Users\Admin\AppData\Local\Temp\vbc5985.tmp

MD5 ba2c43095c1c82b8024e968d16bee036
SHA1 41ea006dbc9f0f6e80941d7547a980a1dde868e0
SHA256 1209067183104b41f03a5be0f377dc1865155cc84bdb509b871b7ce3366aae72
SHA512 00dc93cdb8c4cb0a681f99d24c59216a721bce963d76bad972e29cf92aafd74e4af46632c00f5aef4ce3160927db9df8aa9a8926ea4a5cb6974b499785569e61

C:\Users\Admin\AppData\Local\Temp\RES5986.tmp

MD5 9c2a8b195c4c95f0bee7214fd1b1b3b7
SHA1 6e27d138dfc3008ad01c4862a7cbb67b3111f086
SHA256 9a040d757e9e556ea0334db87518988af2174de92689987242e2ca41ba70779f
SHA512 fa24d5ff3908bd7f289c51d5677993c4dabfd80826e9788db9328b29c884ac7e6953de51580817fee98507ba2052d25725da87e673d8a95ded32543d64523aec

C:\Users\Admin\AppData\Local\Temp\3w2oe5aj.cmdline

MD5 2f94b623f4da1cc19436f98cf39d65ab
SHA1 e14c37942519e52b3ee8f7183bbd38df46891f16
SHA256 7458cb8c9f8eaff12835095aaaa20ab9927e8cb10ace94f04c329b5041f15d3a
SHA512 223ef67424f3e596d870b5ed4d6ad6af8bb95428187bffa497957c2ceab9e863bb60287db1cf18fe2260a9576c8ceaefcf423604b2a6f67429d632a8847f0199

C:\Users\Admin\AppData\Local\Temp\3w2oe5aj.0.vb

MD5 d23be0f25aad85f020361539d7d898e0
SHA1 d9162a4dd7e37e788d85327c2d15b536d096d7c3
SHA256 d8f028262f2ed59041f19809dfe9d6e718f02a596618ec83756b07c5ddef11ab
SHA512 129b34a6384cd82c4de6747b28e65aea21d753b62cddd6c50ec1f5f7638c0c3086607aaedbd47a9bdc93974daf168f0967485e135577c30d44c20dd52fe930d1

C:\Users\Admin\AppData\Local\Temp\vbc59E3.tmp

MD5 dac60af34e6b37e2ce48ac2551aee4e7
SHA1 968c21d77c1f80b3e962d928c35893dbc8f12c09
SHA256 2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6
SHA512 1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

C:\Users\Admin\AppData\Local\Temp\RES59E4.tmp

MD5 84e15f96751ae7fbfdb7aea445e0c735
SHA1 a00945dc5cd6cc2923f857c4b58da196be813bdb
SHA256 0b6f068b0ca9a1668001f7487096a78b9d3407a28939961d7572a4bc513797c1
SHA512 d703497ace00b84de4cb8002a5f652945da101cc1810c9c6f36756fc788fba4957a2b7af5c8f6a258bf43160378f0ac94c1393395834b944d7ecd4657684354e

C:\Users\Admin\AppData\Local\Temp\hauhxasc.cmdline

MD5 fa87736d9c30dd9a2336995b9857b6b5
SHA1 3c61d976b3280cece4dce7e7e501dff7fe1286bd
SHA256 6063a0a8b8035c46e7333b3c0881492a1a70e98fd35c110e5065bc0fc60c8d89
SHA512 f4ac9d07cac446b7b1dc6a22eac002f04157fc63b13a2c074455a45e2b2ec396fe63f843d5750dd004929d087fa103c800a53a589222c7b51601caf2a3e116d2

C:\Users\Admin\AppData\Local\Temp\hauhxasc.0.vb

MD5 f905a83710cb30c3315fe9fffeb17b4c
SHA1 235f602eabdf656d1cf8e968178dfaface7b27a2
SHA256 06dcc5134188595e8d4dc0747cfa06491a7cc8e74b0bc117aadb185561811290
SHA512 233c0b9c860d84d22ccd184c14b0e74aa4a6f0bac81f163ccefb16b82f71ec2aa210e8a2d77295622dc384ecb677be08e50aeb3e646a8a911a15af841f77242e

C:\Users\Admin\AppData\Local\Temp\RES5A22.tmp

MD5 d405e19c038f19b72d94be20749c5d39
SHA1 19511144ee83d0314cd911dfbe3eeece3831c3a0
SHA256 17fc51788670834df067c5c7070a77532ee819d87507f839f7cbc01b5e511d75
SHA512 21160197877082cd25e07ea6700dcb60d90c843d1a0a726419050ef91755410d25d617726f804b7275d3e1475ef3b1797a39fff0b675b72e2c73eec70c10e4b9

C:\Users\Admin\AppData\Local\Temp\6wmwyn7e.cmdline

MD5 052f0c90c670e62566801f9762e027db
SHA1 dc09bc2115abf09206cadff65f364c08e1147183
SHA256 c0384e40771e35cde0c78832c3908a915deafd38f837aa867c0ad2c97da57499
SHA512 7aaecb70baaa1acbe1e03e287b2240886a99f71c317ff3d7215ed16049e19f2ff36089f82714b42ca8cb7e52bd3ca22e8ab9882d63dd9512387191487419b7da

C:\Users\Admin\AppData\Local\Temp\6wmwyn7e.0.vb

MD5 f6c95993c10d7f52846cccad3a0d0f3b
SHA1 a9930d22cbff97abd49a10da9f1c24a9effd0f65
SHA256 1d045334b0f37519c01cd1bfe03d381ba7282d6646f7a71f66c4c499b6a936bd
SHA512 19c4951721e5d1247b850632517aacaaf6bcf4cf9a901c429342f9856347f29303da0141ec6761d42e24a3b445877c28376cb1ec4d1e14c6e83d728c198e1a05

C:\Users\Admin\AppData\Local\Temp\vbc5A6F.tmp

MD5 7a707b422baa7ca0bc8883cbe68961e7
SHA1 addf3158670a318c3e8e6fdd6d560244b9e8860e
SHA256 453ad1da51152e3512760bbd206304bf48f9c880f63b6a0726009e2d1371c71c
SHA512 81147c1c4c5859249f4e25d754103f3843416e3d0610ac81ee2ef5e5f50622ea37f0c68eeb7fa404f8a1779dc52af02d2142874e39c212c66fa458e0d62926a9

C:\Users\Admin\AppData\Local\Temp\RES5A70.tmp

MD5 5ad8213407ebc0ee4d2464991002ca4c
SHA1 6dd1e532dadde57f4ebe32da417ac261cf71688a
SHA256 6c5af448ef55ea55951cd06f87564e6525a18de65e2c7966aaf69eb2a2788712
SHA512 8a280cb9274a515b9ba14af26081265b77b7dd2072f7df5bdc25f42ca4f0f690416ed5b7c99e3bec6e14270581cf7b202ec2deb88cacd028c05a9a8e41ced1c3

memory/2784-154-0x0000000070D2E000-0x0000000070D2F000-memory.dmp
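Comparing the Files inventories of the two detonations shows the same bytes turning up under different random names: the resource blob vbc59E3.tmp in this win7 run carries the same hashes as vbc1D42BFBED29840848C6119A675D61E86.TMP in the win10 run below, and the generated source 3w2oe5aj.0.vb matches 0m8auy3x.0.vb. The script below is an added example and not part of the sandbox report. It parses records in the format used above (a path line followed by hash lines; memory-dump entries carry no hashes and are skipped), groups records by content hash across runs and checks that the listed hashes agree with one another. The run labels are an addition of the example, and the embedded records are an excerpt without the SHA512 lines.

```python
import re
from collections import defaultdict

# Records copied from the Files sections of both detonations in this report
# (excerpt; SHA512 lines omitted, the parser accepts whatever hash lines follow a path).
BEHAVIORAL1_FILES = r"""
C:\Users\Admin\AppData\Local\Temp\3w2oe5aj.0.vb

MD5 d23be0f25aad85f020361539d7d898e0
SHA1 d9162a4dd7e37e788d85327c2d15b536d096d7c3
SHA256 d8f028262f2ed59041f19809dfe9d6e718f02a596618ec83756b07c5ddef11ab

C:\Users\Admin\AppData\Local\Temp\vbc59E3.tmp

MD5 dac60af34e6b37e2ce48ac2551aee4e7
SHA1 968c21d77c1f80b3e962d928c35893dbc8f12c09
SHA256 2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6

C:\Users\Admin\AppData\Local\Temp\RES59E4.tmp

MD5 84e15f96751ae7fbfdb7aea445e0c735
SHA1 a00945dc5cd6cc2923f857c4b58da196be813bdb
SHA256 0b6f068b0ca9a1668001f7487096a78b9d3407a28939961d7572a4bc513797c1
"""

BEHAVIORAL2_FILES = r"""
C:\Users\Admin\AppData\Local\Temp\327663578.exe

MD5 31488a2de66a4e13f6b88f27072ed4dd
SHA1 1b06b0400bffcb1a25b0bf2c697c521c21be14cc
SHA256 13974ab8091e52b1838bb55a5843f8113e7b8eeb867b112b6506b3cd2fc40ee2

memory/4220-17-0x0000000071CDE000-0x0000000071CDF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vbc1D42BFBED29840848C6119A675D61E86.TMP

MD5 dac60af34e6b37e2ce48ac2551aee4e7
SHA1 968c21d77c1f80b3e962d928c35893dbc8f12c09
SHA256 2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6

C:\Users\Admin\AppData\Local\Temp\RES11CE.tmp

MD5 45f0804a06e8dd7e201896248cdf998a
SHA1 467656937e21f0429678817033b6845ca185684b
SHA256 247357569b5c6724a57f9dd82860251b08d82fddc5d1ab28c1f167660ec0b114

C:\Users\Admin\AppData\Local\Temp\0m8auy3x.0.vb

MD5 d23be0f25aad85f020361539d7d898e0
SHA1 d9162a4dd7e37e788d85327c2d15b536d096d7c3
SHA256 d8f028262f2ed59041f19809dfe9d6e718f02a596618ec83756b07c5ddef11ab
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")


def parse_files(text, run):
    """Turn one Files section into a list of {run, path, md5, sha1, ...} records.
    The run label is this example's own tagging; the report only implies it by section."""
    records, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = m.group(2).lower()
        elif line.startswith("memory/"):
            current = None  # memory-dump entries have no hash lines
        else:
            current = {"run": run, "path": line}
            records.append(current)
    return records


def by_hash(records, algo="sha256"):
    groups = defaultdict(list)
    for r in records:
        if algo in r:
            groups[r[algo]].append(r)
    return groups


def shared_content(records, algo="sha256"):
    """Hashes that occur under more than one path: the same bytes, renamed."""
    return {h: rs for h, rs in by_hash(records, algo).items() if len(rs) > 1}


def cross_run(records, algo="sha256"):
    """The subset of shared_content whose copies come from different detonations."""
    return {h: rs for h, rs in shared_content(records, algo).items()
            if len({r["run"] for r in rs}) > 1}


def inconsistent(records):
    """Records that agree on MD5 but not SHA256 (or the reverse): a copy error in the inventory."""
    bad = []
    for a, b in (("md5", "sha256"), ("sha256", "md5")):
        for h, rs in by_hash(records, a).items():
            if len({r.get(b) for r in rs}) > 1:
                bad.append((a, h))
    return bad


if __name__ == "__main__":
    recs = parse_files(BEHAVIORAL1_FILES, "behavioral1") + parse_files(BEHAVIORAL2_FILES, "behavioral2")
    for h, rs in cross_run(recs).items():
        print(h[:16], [f'{r["run"]}:{r["path"].rsplit(chr(92), 1)[-1]}' for r in rs])
    print("hash inconsistencies:", inconsistent(recs))
```

The names of the temp files change on every run, so they are poor indicators; the content hashes that recur across the win7 and win10 images are the values worth pivoting on.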

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-08 19:41

Reported

2025-01-08 19:44

Platform

win10v2004-20241007-en

Max time kernel

146s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\327663578.exe N/A

Uses the VBS compiler for execution

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\327663578.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1764 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe C:\Users\Admin\AppData\Local\Temp\327663578.exe
PID 1764 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe C:\Users\Admin\AppData\Local\Temp\327663578.exe
PID 1764 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe C:\Users\Admin\AppData\Local\Temp\327663578.exe
PID 1764 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1764 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1764 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4452 wrote to memory of 3720 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4452 wrote to memory of 3720 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4452 wrote to memory of 3720 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1764 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1764 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1764 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3600 wrote to memory of 4468 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3600 wrote to memory of 4468 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3600 wrote to memory of 4468 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1764 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1764 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1764 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4344 wrote to memory of 3844 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4344 wrote to memory of 3844 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4344 wrote to memory of 3844 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1764 wrote to memory of 3712 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1764 wrote to memory of 3712 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1764 wrote to memory of 3712 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3712 wrote to memory of 3280 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3712 wrote to memory of 3280 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3712 wrote to memory of 3280 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1764 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1764 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1764 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4088 wrote to memory of 4780 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4088 wrote to memory of 4780 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4088 wrote to memory of 4780 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1764 wrote to memory of 3108 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1764 wrote to memory of 3108 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1764 wrote to memory of 3108 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3108 wrote to memory of 3764 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3108 wrote to memory of 3764 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3108 wrote to memory of 3764 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1764 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1764 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1764 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1356 wrote to memory of 1748 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1356 wrote to memory of 1748 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1356 wrote to memory of 1748 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1764 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1764 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1764 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1916 wrote to memory of 5108 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1916 wrote to memory of 5108 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1916 wrote to memory of 5108 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1764 wrote to memory of 508 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1764 wrote to memory of 508 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1764 wrote to memory of 508 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 508 wrote to memory of 4300 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 508 wrote to memory of 4300 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 508 wrote to memory of 4300 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1764 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1764 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1764 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4660 wrote to memory of 4164 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4660 wrote to memory of 4164 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4660 wrote to memory of 4164 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
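The table above records every write the sample makes into a child it is creating, three rows per child, so the parent/child structure is easy to lose in the repetition. The script below is an added example, not part of the sandbox report: it rebuilds the process tree from those rows, collapses the repeated writes, and flags each Temp-resident parent -> vbc.exe -> cvtres.exe triple, which is the pattern behind the "Uses the VBS compiler for execution" signature. The only format assumption is the row layout shown above; accepting csc.exe next to vbc.exe is an extension of the example, since the .NET CodeDOM drives the C# compiler the same way.

```python
import re
from collections import defaultdict

# Rows copied from the "Suspicious use of WriteProcessMemory" table of the
# behavioral2 run. The dropped EXE keeps its three repeated rows to show the
# de-duplication; every other child is listed once, which is all the tree needs.
WPM_ROWS = r"""
PID 1764 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe C:\Users\Admin\AppData\Local\Temp\327663578.exe
PID 1764 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe C:\Users\Admin\AppData\Local\Temp\327663578.exe
PID 1764 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe C:\Users\Admin\AppData\Local\Temp\327663578.exe
PID 1764 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4452 wrote to memory of 3720 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1764 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3600 wrote to memory of 4468 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1764 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4344 wrote to memory of 3844 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1764 wrote to memory of 3712 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3712 wrote to memory of 3280 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1764 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4088 wrote to memory of 4780 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1764 wrote to memory of 3108 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3108 wrote to memory of 3764 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1764 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1356 wrote to memory of 1748 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1764 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1916 wrote to memory of 5108 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1764 wrote to memory of 508 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 508 wrote to memory of 4300 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1764 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4660 wrote to memory of 4164 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
"""

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)$")
COMPILERS = {"vbc.exe", "csc.exe"}  # csc.exe added by this example; CodeDOM launches it the same way


def parse_wpm(text):
    """Return (images, children): pid -> image path, parent pid -> distinct child pids in order."""
    images, children = {}, defaultdict(list)
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        parent, child = int(m.group(1)), int(m.group(2))
        images.setdefault(parent, m.group(3))
        images.setdefault(child, m.group(4))
        if child not in children[parent]:  # collapse the repeated writes per child
            children[parent].append(child)
    return images, children


def roots(images, children):
    """PIDs never written to by another process: the top of each tree."""
    spawned = {c for kids in children.values() for c in kids}
    return [pid for pid in images if pid not in spawned]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def in_user_temp(path):
    return "\\appdata\\local\\temp\\" in path.lower()


def compile_chains(images, children):
    """(parent, compiler, cvtres) triples rooted in a user-writable Temp directory."""
    chains = []
    for parent, kids in children.items():
        if not in_user_temp(images[parent]):
            continue
        for kid in kids:
            if basename(images[kid]) not in COMPILERS:
                continue
            for grandkid in children.get(kid, []):
                if basename(images[grandkid]) == "cvtres.exe":
                    chains.append((parent, kid, grandkid))
    return chains


def render(pid, images, children, depth=0):
    """Indented one-line-per-process view of the subtree under pid."""
    lines = [f"{'  ' * depth}{pid} {basename(images[pid])}"]
    for kid in children.get(pid, []):
        lines.extend(render(kid, images, children, depth + 1))
    return lines


if __name__ == "__main__":
    images, children = parse_wpm(WPM_ROWS)
    for root in roots(images, children):
        print("\n".join(render(root, images, children)))
    print(f"{len(compile_chains(images, children))} compiler -> cvtres.exe cycles under a Temp-resident parent")
```

The same walk applies to Sysmon event ID 1 or EDR process-creation telemetry once the rows are mapped to (parent pid, child pid, images): ten compiler launches from one executable in a user's Temp directory within a few seconds is not a developer workflow.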

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe"

C:\Users\Admin\AppData\Local\Temp\327663578.exe

"C:\Users\Admin\AppData\Local\Temp\327663578.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rvub_lqf.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES11CE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1D42BFBED29840848C6119A675D61E86.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pwkhj9bl.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1279.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2600C157DB2E4032B72A7A15662660AA.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rdgxogny.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1345.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAFB1D82A57844BC2BC1542585FDA651E.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fngyhapx.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES13C2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB9CE5BA3E5944FAB9D2DB0B7A099861A.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tvpwha4r.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES145E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB23038D2F68145EEBFE5B25E891ABFF.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\y_hcpnzc.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES15C5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5B032AC595E447CBAB52B97CF4952611.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uvlhsjbu.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1661.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF792F846C6594356A281CA9F459A9A9F.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0m8auy3x.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES16DE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC470A923FBBE49FCBC3C3B367D703023.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\x5bn9soh.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES177B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc46BB0CDF88FF4711A465212691DBF7F5.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5crfcgg6.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1807.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9C4E3E81329D4DF0AF1BBD691D80BDEC.TMP"
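The vbc.exe and cvtres.exe command lines above are the fingerprint of CodeDOM compiling source at run time: vbc.exe is launched with /noconfig and an @response file in the user's Temp directory, and it in turn runs cvtres.exe to write a RES*.tmp resource file beside it. The script below is an added example, not part of the report: it tokenises those command lines, pulls out the response file and the resource output, and groups each pair into a compile cycle. The last command line is constructed (a hypothetical CI build under C:\build) so the rule has a legitimate compiler run it must leave alone; the list of user-writable directory names and the inclusion of csc.exe are assumptions of the example.

```python
import re
from pathlib import PureWindowsPath

# Constructed, not from the report: a compiler run from a build tree that must not be flagged.
BENIGN_BUILD = r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\build\agent\work\1\src\obj\Release\App.cmdline"'

# Command lines copied from the Processes list above: the sample, the dropped
# EXE and the first three of the ten vbc.exe / cvtres.exe pairs, then the benign one.
COMMAND_LINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe"',
    r'"C:\Users\Admin\AppData\Local\Temp\327663578.exe"',
    r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rvub_lqf.cmdline"',
    r'C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES11CE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1D42BFBED29840848C6119A675D61E86.TMP"',
    r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pwkhj9bl.cmdline"',
    r'C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1279.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2600C157DB2E4032B72A7A15662660AA.TMP"',
    r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rdgxogny.cmdline"',
    r'C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1345.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAFB1D82A57844BC2BC1542585FDA651E.TMP"',
    BENIGN_BUILD,
]

TOKEN_RE = re.compile(r'"[^"]*"|\S+')
COMPILERS = {"vbc.exe", "csc.exe"}                    # csc.exe is this example's extension
USER_WRITABLE = {"appdata", "temp", "programdata", "public"}  # assumption of the example


def tokenize(cmdline):
    """Split a Windows command line into arguments, dropping the quotes around quoted ones."""
    toks = TOKEN_RE.findall(cmdline)
    return [t[1:-1] if len(t) > 1 and t[0] == t[-1] == '"' else t for t in toks]


def in_user_writable(path):
    parts = {p.lower() for p in PureWindowsPath(path).parts}
    return bool(parts & USER_WRITABLE)


def classify(cmdline):
    """None for anything uninteresting, else a 'compile' or 'resource' finding."""
    toks = tokenize(cmdline)
    if not toks:
        return None
    image = PureWindowsPath(toks[0]).name.lower()
    if image in COMPILERS:
        rsp = [t[1:].strip('"') for t in toks[1:] if t.startswith("@")]
        if rsp and in_user_writable(rsp[0]):
            return {"kind": "compile", "image": image, "response_file": rsp[0],
                    "noconfig": any(t.lower() == "/noconfig" for t in toks[1:])}
    elif image == "cvtres.exe":
        outs = [t.split(":", 1)[1] for t in toks[1:] if t.upper().startswith("/OUT:")]
        if outs and in_user_writable(outs[0]):
            return {"kind": "resource", "image": image, "out_file": outs[0]}
    return None


def scan(cmdlines):
    """Group each compile finding with the cvtres.exe run that follows it into one cycle."""
    cycles = []
    for line in cmdlines:
        f = classify(line)
        if f is None:
            continue
        if f["kind"] == "compile":
            cycles.append({"compiler": f["image"], "response_file": f["response_file"],
                           "noconfig": f["noconfig"], "resource_out": None})
        elif cycles and cycles[-1]["resource_out"] is None:
            cycles[-1]["resource_out"] = f["out_file"]
    return cycles


if __name__ == "__main__":
    for c in scan(COMMAND_LINES):
        print(c["compiler"], "<-", c["response_file"], "->", c["resource_out"])
```

A response file in a user-writable directory is the strong part of the rule; /noconfig on its own is how every CodeDOM build is invoked, so it narrows the match without carrying the detection by itself.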

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
N/A 127.0.0.1:5552 tcp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:5552 tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:5552 tcp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:5552 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:5552 tcp
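Every row in the Network table is one of two things: a reverse-DNS (PTR) lookup sent to 8.8.8.8, or a TCP connection to 127.0.0.1:5552. No external endpoint was contacted during this run, so the table yields no network indicator beyond the fixed loopback port. The script below is an added example, not part of the report: it parses rows in the format above, turns each in-addr.arpa name back into the IPv4 address that was looked up, counts connections per endpoint and separates loopback from anything routable. The embedded rows are an excerpt (all seven PTR rows and three of the thirty-three loopback rows).

```python
import ipaddress
import re
from collections import Counter

# Rows copied from the Network table of the behavioral2 run (excerpt).
NETWORK_ROWS = """
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
N/A 127.0.0.1:5552 tcp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
N/A 127.0.0.1:5552 tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
N/A 127.0.0.1:5552 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
"""

# Country, destination ip:port, optional domain, protocol.
ROW_RE = re.compile(r"^(\S+)\s+(\S+):(\d+)\s+(?:(\S+)\s+)?(tcp|udp)$")


def parse_network(text):
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            country, ip, port, domain, proto = m.groups()
            rows.append({"country": country, "dst_ip": ip, "dst_port": int(port),
                         "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(name):
    """'232.168.11.51.in-addr.arpa' -> '51.11.168.232': a v4 PTR name is the octets
    reversed under in-addr.arpa. Returns None for anything that is not one."""
    suffix = ".in-addr.arpa"
    if not name or not name.lower().endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def summarize(rows):
    """Split the table into PTR targets, forward lookups and connection counts."""
    ptr_targets, lookups, conns = [], [], Counter()
    for r in rows:
        ip = ptr_to_ip(r["domain"])
        if ip:
            ptr_targets.append(ip)
        elif r["domain"]:
            lookups.append(r["domain"])
        else:
            conns[(r["dst_ip"], r["dst_port"])] += 1
    external = [k for k in conns if not ipaddress.ip_address(k[0]).is_loopback]
    return {"ptr_targets": ptr_targets, "lookups": lookups,
            "connections": conns, "external_endpoints": external}


if __name__ == "__main__":
    s = summarize(parse_network(NETWORK_ROWS))
    print("reverse-looked-up addresses:", s["ptr_targets"])
    print("connections:", dict(s["connections"]))
    print("routable endpoints:", s["external_endpoints"] or "none")
```

The PTR lookups are worth converting because the addresses, not the in-addr.arpa names, are what a proxy or firewall log would show; whether they belong to the sample or to the sandbox image's own background traffic is something the report does not establish, so correlate them before treating them as indicators.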

Files

memory/1764-0-0x0000000074BB2000-0x0000000074BB3000-memory.dmp

memory/1764-1-0x0000000074BB0000-0x0000000075161000-memory.dmp

memory/1764-2-0x0000000074BB0000-0x0000000075161000-memory.dmp

memory/1764-3-0x0000000074BB2000-0x0000000074BB3000-memory.dmp

memory/1764-4-0x0000000074BB0000-0x0000000075161000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\327663578.exe

MD5 31488a2de66a4e13f6b88f27072ed4dd
SHA1 1b06b0400bffcb1a25b0bf2c697c521c21be14cc
SHA256 13974ab8091e52b1838bb55a5843f8113e7b8eeb867b112b6506b3cd2fc40ee2
SHA512 ed14a9299dd532b3f9d25640ea69bda993ebd0d22eb426bb15ae1aeba56684b81c65d413463b568e048ce502c7c838da0eea0ff22def08c81d46fb8184e8e442

memory/4220-17-0x0000000071CDE000-0x0000000071CDF000-memory.dmp

memory/4220-18-0x0000000000310000-0x0000000000360000-memory.dmp

memory/4220-19-0x0000000004D80000-0x0000000004E1C000-memory.dmp

memory/4220-24-0x00000000053D0000-0x0000000005974000-memory.dmp

memory/4220-25-0x0000000004E20000-0x0000000004EB2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rvub_lqf.cmdline

MD5 46ff0f586218c7e108221a30e9030508
SHA1 30792f08083510e01e0dc7b7ad15742f25d68e2c
SHA256 ae016e404f08aac495b006b4394e8832373445a91dc6c1686e22a07a0e408bdb
SHA512 6cf0c88f547def37a3e2c187cbe508ac3467fb9d13e10827ee9bb738ce800490fcfcdfb8445afb2ac9da147cffee7446489f01370aaccf2a2232c74c2ea346d9

memory/4452-27-0x0000000000BA0000-0x0000000000BB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rvub_lqf.0.vb

MD5 6dda5d27248c2f11546e1a197f4f48b7
SHA1 9c78a26464b2c5c1cde55fb2078a4f8fa302a6b1
SHA256 15d2312982d2182c5911a43d6f334dcb93ef6b3d5804bcd250491a01cbae7621
SHA512 97e8dc35383252d1d4f667b722fc988aec4b1557629eb248258104a0c9be3e036ac62f4bc9a48f5799d923e3518484f8dbe736bd9185902bfa7c0582a03fc014

memory/4220-29-0x0000000005040000-0x0000000005050000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vbc1D42BFBED29840848C6119A675D61E86.TMP

MD5 dac60af34e6b37e2ce48ac2551aee4e7
SHA1 968c21d77c1f80b3e962d928c35893dbc8f12c09
SHA256 2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6
SHA512 1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

C:\Users\Admin\AppData\Local\Temp\RES11CE.tmp

MD5 45f0804a06e8dd7e201896248cdf998a
SHA1 467656937e21f0429678817033b6845ca185684b
SHA256 247357569b5c6724a57f9dd82860251b08d82fddc5d1ab28c1f167660ec0b114
SHA512 b1ef6ca1b32150a4ba5ed8d1d03ced6a4f2cbc639c1953f3effa3fe2fbe65f40340adc2b7cecb9757f94e6629c65da0bd260278f4f40f914ee7a77c8301b5a46

memory/4220-37-0x0000000004D40000-0x0000000004D4A000-memory.dmp

memory/4220-39-0x0000000005050000-0x00000000050A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pwkhj9bl.cmdline

MD5 7306c9cac1a28c46690d2257def50bf7
SHA1 48bce8dd724fbd05c59506c9d57db84c8de823a6
SHA256 02e03825ed6bcc45f970f208e4bf2ccc6efb055389bcf3ea24061b732ab546fe
SHA512 2ad01fa0239e41f3aed5b3318500c59a9b4d3bde53b408985c0f31fdd60bdcbbc867ee4e16741f8e5d3af6291b221a4c378bbb5bb6fe8aa274adc6c246cb8239

C:\Users\Admin\AppData\Local\Temp\pwkhj9bl.0.vb

MD5 fd62ee9dd4c3e902ea3996365664382a
SHA1 d9ce8e5ff69c2448c9535f59f5ffcdc594d4cba0
SHA256 19c1a96b2821de22d3a2c57a21b42bb9445b24d7bf6e2f82f8e6b0c1849c914a
SHA512 068ef59d35ed956db8cc241b958c22617e6e7cc1a6003f95f77560f900f3b5e52172cae8d9820d83ef3876d4c85c8e43f1bd7354a02683bf930c8f9f951efea2

C:\Users\Admin\AppData\Local\Temp\vbc2600C157DB2E4032B72A7A15662660AA.TMP

MD5 3906bddee0286f09007add3cffcaa5d5
SHA1 0e7ec4da19db060ab3c90b19070d39699561aae2
SHA256 0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00
SHA512 0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

C:\Users\Admin\AppData\Local\Temp\RES1279.tmp

MD5 1965c8378ca32402074c9a868617b770
SHA1 6a49ee4031872b8404528b4d5083987338ebfdd7
SHA256 a245930a09fc71ea478118c40137da176656c0704fa42561c5ffbd7b07cd268a
SHA512 272f1369339e1b9951a425333fc874459aebe74e83326bd831242d16f10ccb162bf146cad4b0a261a21bff1c8ec044c6ee7ea31c1ac32c7fe396c63f4780adee

C:\Users\Admin\AppData\Local\Temp\rdgxogny.cmdline

MD5 6a1d02c252fea11ef7e8565b5a916220
SHA1 2531edb7c264efde9959671b6768a6b71b0c895c
SHA256 c19d1219ce3e2005e0a61e66314ad531fd708a0f4004df13863a4021a4f9465f
SHA512 141a999c6610408d43892a0ea40fa96696283c27625db98bd54555c42ee9fb3e28b7e53ed87e4f10992f1cd984e0a2889c927aef4c8c8781b64b8feaceff3e27

C:\Users\Admin\AppData\Local\Temp\rdgxogny.0.vb

MD5 c3ad4f4d1c3bc6e1450865f88a981bcb
SHA1 6567a759bbf5b7a3a9e2f1d0c0c1638888b4f260
SHA256 cf2ea29f85ec60ee9a59ed84c2b225968d79990e6061649400c688985e6fb51f
SHA512 9f1bb0daac4783a25e3bd4b7db458ca85c064a042465ef2c627427492e508397b8f13fa24ede55598efc79df4b0e26bea2a8c5c1ec21d3b829143eb43d66ff08

C:\Users\Admin\AppData\Local\Temp\vbcAFB1D82A57844BC2BC1542585FDA651E.TMP

MD5 85c61c03055878407f9433e0cc278eb7
SHA1 15a60f1519aefb81cb63c5993400dd7d31b1202f
SHA256 f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b
SHA512 7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

C:\Users\Admin\AppData\Local\Temp\RES1345.tmp

MD5 f8800161090b6d91ed19bd3fb61fe1c7
SHA1 43853a19b50b37ee0a6292fde1e4dc7f3a6e27cd
SHA256 4602dc0b046e0b201ee99e8afe1aa2af24b0fea249a80504051c6b7e54018a1b
SHA512 6920368d69f8c683bcc1e7d36bfd5e65f0e12ca55f4fe7d9e72b115c493cc6df5e41400251dd37b9451851cfafe09ddecb4a97ade6d0c66239e7f7717422d2f1

C:\Users\Admin\AppData\Local\Temp\fngyhapx.cmdline

MD5 cd8f7542b4889cb17b9e3bd4fc0f8f96
SHA1 8d7fd8b396bd67efd57684268d6520441f06b24e
SHA256 bdc3b63396108e73ac1121137e928a919a6a3b2ca5f3fed766d7056cc6849829
SHA512 6ed2addda01cb9843da3bd51839f0d9902f88cae07bccf17e85c892b1265106d13bed38a5a2f47cdebdc27172bc2640b42cde80d27b7be034fe11cf37ea14d47

C:\Users\Admin\AppData\Local\Temp\fngyhapx.0.vb

MD5 91db9d749b80b7bfd07524563f046ecb
SHA1 780d0d3185057fadb121e0a526a89260a7367d5b
SHA256 0d13e734ccd1fd940caa9526bc3459ccf5420189dfec2287e3818660cb029c18
SHA512 11c01940e1d88d5cef7c6d701102f7ee8eb1a3489ded2f412d648e07801f6cb6d9b2c4fde773b8453eaf92797814d7043d96c9b9fd06e037d42a7cc3eed6d45b

C:\Users\Admin\AppData\Local\Temp\RES13C2.tmp

MD5 d82a918e76e38fdb0c3bdcb48cb5d066
SHA1 b788b1d6aa912d1f3b9deec0d91ebcefd74593b9
SHA256 4f2a872c12005745b3648ef7b52b0bbf4c1b1dbc40103e0b8f6d2b161fda98b1
SHA512 0f275c0cb22b8cb45080a8c627dbe783f781c590b187b340acd5b0f77d7c256a0ed2e6bdd3b38ed475847115aabaaf03c05508b827ba1ed663f9834b60d2d1ee

C:\Users\Admin\AppData\Local\Temp\tvpwha4r.cmdline

MD5 d8a7a3bf4ba6b5eed4e0f53b82fe0d44
SHA1 d15db71618befdb3e23c063198abdefa250d1e28
SHA256 bdde12ec780a1782d49fb840006cdc6b193d24abca9e3d0d0f07b0dffbbc2ab4
SHA512 4028bb140fb6e1ce30f822dd34cd4e499f9408cbadf7b5a3dd236107fb3e5b12e22d6fd4bac5f69b8c6567f78f29aa1290f94089f1fb8f41fb28aa0c52f368da

C:\Users\Admin\AppData\Local\Temp\tvpwha4r.0.vb

MD5 77450e5406a20a0c525187d5ec5fa9d4
SHA1 0a60106db82bbcdcd35bc420af8b569549908c73
SHA256 4f8aacb9feb5f2b071ba2e318225c0ee0624e9d18d65aa86f2bd3891199a586a
SHA512 81c910b874151bf32a9e257ce5bbd453afb72b365dc5db7b513b5db5ea12d8a47f9fd299b448637bac15ed0ea9b9139e557fec40e608572bda3bf08abc05c060

C:\Users\Admin\AppData\Local\Temp\RES145E.tmp

MD5 fc958cce0e4af5bc095db19fe1fcd21d
SHA1 905f02456bdf8c60c85afdb3616d3e5a4e18744a
SHA256 1a75e337ec18b6fbc55a73476c3846419f328c180ba7697e26a7f3fd4cf29792
SHA512 39997ba1f8c65a80c331dcccf403d33a390fd93b2796c94422ca4bd2b8ce50e4f6cb0ef5c8483247985cb64f9752a26439586b0f538d62b540532687f5c7b72c

C:\Users\Admin\AppData\Local\Temp\y_hcpnzc.cmdline

MD5 b5e44339acf0120ad82d61bb2015bcf9
SHA1 2f84e8b04a245e95398bf8765aa066a5d0acf725
SHA256 87e930eb2fb2271a81542f84ad36f5bfaa8274c90422540a95290db3fb7e43a3
SHA512 bd7a6b74923eeedafc09e47e86f493a746b8a562cceaec6dcb9f2d2e0a0fac61caa93d8aec3a074cae0cbb79ef936fb9d1133db45e9d2bf54069e17d4b55349e

C:\Users\Admin\AppData\Local\Temp\y_hcpnzc.0.vb

MD5 83494f110e7cfd7c6078a3ca3bc7e163
SHA1 46da5443ead90c40141f2863bff76fbe0f460121
SHA256 d270bef889179c5d2977243a1f0faab48455b76e8f77f4d5dd6b1e44f7d4cc12
SHA512 bade44a775718a671d850a9167f27f15a736c88ee2a8fade587064c85cf540fe481df78d08b4860b658c3a4a4770a1d0472aaa7b3804b256eb6a7eb9c8e27e7a

C:\Users\Admin\AppData\Local\Temp\RES15C5.tmp

MD5 d25e7d9a89475230ef010f480555e6ff
SHA1 896674d7a3e3dbd8436c640c9248e56c1bc677c7
SHA256 2e410f6311324c73c1fde85f6483209a55458215b9a2fc33f26147442594ca96
SHA512 b017df105d922106531205e6100afee82219f6ee876050417238eae568d48fb4247de0cebed9255f29302c939e93d373248023b596b9be6ebec3282ddaf7025e

C:\Users\Admin\AppData\Local\Temp\uvlhsjbu.cmdline

C:\Users\Admin\AppData\Local\Temp\uvlhsjbu.0.vb

C:\Users\Admin\AppData\Local\Temp\vbcF792F846C6594356A281CA9F459A9A9F.TMP

C:\Users\Admin\AppData\Local\Temp\RES1661.tmp

C:\Users\Admin\AppData\Local\Temp\0m8auy3x.cmdline

C:\Users\Admin\AppData\Local\Temp\0m8auy3x.0.vb

C:\Users\Admin\AppData\Local\Temp\RES16DE.tmp

C:\Users\Admin\AppData\Local\Temp\x5bn9soh.cmdline

C:\Users\Admin\AppData\Local\Temp\x5bn9soh.0.vb

C:\Users\Admin\AppData\Local\Temp\RES177B.tmp

C:\Users\Admin\AppData\Local\Temp\5crfcgg6.cmdline

C:\Users\Admin\AppData\Local\Temp\5crfcgg6.0.vb

C:\Users\Admin\AppData\Local\Temp\vbc9C4E3E81329D4DF0AF1BBD691D80BDEC.TMP

C:\Users\Admin\AppData\Local\Temp\RES1807.tmp

memory/4220-166-0x0000000071CDE000-0x0000000071CDF000-memory.dmp

memory/4220-167-0x0000000005040000-0x0000000005050000-memory.dmp