Analysis Overview
SHA256
4862536534ea3f44daaffceb5facaeb873eee8c386e6b13b3ba31f89702a6ce6
Threat Level: Known bad
The file JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05 was found to be: Known bad.
Malicious Activity Summary
RevengeRat Executable
Revengerat family
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Uses the VBS compiler for execution
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-08 19:41
Signatures
RevengeRat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Revengerat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-08 19:41
Reported
2025-01-08 19:44
Platform
win7-20240903-en
Max time kernel
149s
Max time network
120s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\327663578.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe | N/A |
Uses the VBS compiler for execution
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\327663578.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe"
C:\Users\Admin\AppData\Local\Temp\327663578.exe
"C:\Users\Admin\AppData\Local\Temp\327663578.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\d0av2anl.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5735.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5734.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vk4jufop.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES57B2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc57B1.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\skt6vsjf.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5810.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc580F.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kwna6gcn.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES585E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc585D.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\g3hslql2.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES58AC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc58AB.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lk4njgml.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES58FA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc58F9.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zmcrop_1.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5986.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5985.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3w2oe5aj.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES59E4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc59E3.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hauhxasc.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5A22.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5A21.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6wmwyn7e.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5A70.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5A6F.tmp"
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
| N/A | 127.0.0.1:5552 | | tcp |
Files
memory/2544-0-0x0000000074361000-0x0000000074362000-memory.dmp
memory/2544-1-0x0000000074360000-0x000000007490B000-memory.dmp
memory/2544-2-0x0000000074360000-0x000000007490B000-memory.dmp
memory/2544-3-0x0000000074360000-0x000000007490B000-memory.dmp
\Users\Admin\AppData\Local\Temp\327663578.exe
| MD5 | 31488a2de66a4e13f6b88f27072ed4dd |
| SHA1 | 1b06b0400bffcb1a25b0bf2c697c521c21be14cc |
| SHA256 | 13974ab8091e52b1838bb55a5843f8113e7b8eeb867b112b6506b3cd2fc40ee2 |
| SHA512 | ed14a9299dd532b3f9d25640ea69bda993ebd0d22eb426bb15ae1aeba56684b81c65d413463b568e048ce502c7c838da0eea0ff22def08c81d46fb8184e8e442 |
memory/2784-15-0x0000000070D2E000-0x0000000070D2F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\d0av2anl.cmdline
| MD5 | 713269ab34761bae44337fcbeba4aee4 |
| SHA1 | 0d8be0372d190ebc940280cd85c3ae5399336164 |
| SHA256 | eb8505674037b0e9ddc5cefeac82a7244121054ab3e22eab70ef91db4682f0ba |
| SHA512 | 81b847192870aa385ac8f3d1ca749b5b266f5d7b4a639ad2e0507d314da93fd93bf5ece8c5dcf8e82c5179fa5da1879d1765458a9f5e7ace069b1fa2877adabd |
memory/2784-18-0x0000000000DF0000-0x0000000000E40000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\d0av2anl.0.vb
| MD5 | fd62ee9dd4c3e902ea3996365664382a |
| SHA1 | d9ce8e5ff69c2448c9535f59f5ffcdc594d4cba0 |
| SHA256 | 19c1a96b2821de22d3a2c57a21b42bb9445b24d7bf6e2f82f8e6b0c1849c914a |
| SHA512 | 068ef59d35ed956db8cc241b958c22617e6e7cc1a6003f95f77560f900f3b5e52172cae8d9820d83ef3876d4c85c8e43f1bd7354a02683bf930c8f9f951efea2 |
C:\Users\Admin\AppData\Local\Temp\vbc5734.tmp
| MD5 | 3906bddee0286f09007add3cffcaa5d5 |
| SHA1 | 0e7ec4da19db060ab3c90b19070d39699561aae2 |
| SHA256 | 0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00 |
| SHA512 | 0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0 |
C:\Users\Admin\AppData\Local\Temp\RES5735.tmp
| MD5 | 83974377c93a0016408b2ff30de6c735 |
| SHA1 | 435a55f79229aad6ff23ee1ed99475daf3196ef2 |
| SHA256 | 41efbed56634320cd726e390a5744230507f9b8a182d15a0984a0c1467f79c69 |
| SHA512 | 56a0b1babd56933320d2eed3169066244bb4520fb3890a9ff5c8baeac2ea8d0c047b94557c6c2cdd061e3c8ac34b4f5e03764625348b4a7946ac65ee960d708d |
C:\Users\Admin\AppData\Local\Temp\vk4jufop.cmdline
| MD5 | f1966247c089d8c7c71205465feb3493 |
| SHA1 | 36323e63f0b62398c746f59943f5c100638e4c2a |
| SHA256 | f65c358ef54f5473d789425a3d2737bd8830758809279df3678a7f51e4e3f4d8 |
| SHA512 | 8c9df8dd62a8445f9e565facef3310c6220497e7db6724fa51a42feef491d2c63268db1560b2b52e53182e49d697649804b80e018bc7724eafd8f46d270609e2 |
C:\Users\Admin\AppData\Local\Temp\vk4jufop.0.vb
| MD5 | da17ec9882e37de89b39410bbd36f99b |
| SHA1 | 5a5e1d090e2926b2c2b2b1694cf39820adac1c40 |
| SHA256 | 19a034b7779c9cf15010eceebbfdc1059da28c0aca92ef4bb50a3062e09ccb71 |
| SHA512 | 502c4f476891da04ba5ed681b664670994d642a0c4949ed3777ac39b6952157f4179c117004f1477d4554feaff4abe12deea98724ce9a8b7ed4e9a3a19717a2d |
C:\Users\Admin\AppData\Local\Temp\RES57B2.tmp
| MD5 | 1c10cc6ab916f976588698d1a359c9b5 |
| SHA1 | 79f13a41ecae55d0769e6c34ddb0f9e57a4fb883 |
| SHA256 | 78ffea1ccc37658c6ef82ef62be2159beafa4d3d68b965bace50e62294aeb835 |
| SHA512 | e4edd2eb6952273523313351e641ef769e924249b3abb01766283fa1c0d7820058a57cb9b5e48ba8ac9471f04b7a7e2b9d361ecc4b69d138c536fc59e095d45b |
C:\Users\Admin\AppData\Local\Temp\vbc57B1.tmp
| MD5 | 41857ef7e71c255abd4d5d2a9174e1a6 |
| SHA1 | 95051d6ae43ff1bd9e5ebc95aa2e7b7c3165cb6c |
| SHA256 | dfcdf12316f3b523895ec611d8e8d9fdc189ab8dde4e86fb962541aeac54e302 |
| SHA512 | ec6c5a7729d273be3ff194ffe47056731ab4100e298b7f50108a2599be59c84bd1953a90c4d7390c477257986a18d336d951f590b782f1aa983de7bd4c86e6ac |
C:\Users\Admin\AppData\Local\Temp\skt6vsjf.cmdline
| MD5 | 85552a69830a8ee5829e2e5261a1cd06 |
| SHA1 | 434b128e81fad5cbc257d1a715fcccc8ef1ddc42 |
| SHA256 | 8872b036b1443c225885709c4f7f6b17df91e10ca32eefdb00b2a7fc60e613a1 |
| SHA512 | dd6ff5a70e6408a018f8ec6b27febebed41eae9e6870537578550c30cc5c2dde19a315a697f86edc080a25851ad16712faf5a1bfe6d7f4b3e254a64d51fb6f31 |
C:\Users\Admin\AppData\Local\Temp\skt6vsjf.0.vb
| MD5 | 7df77e87c644b2c1871fb2c45358c6a8 |
| SHA1 | b658fe9ebb491c8b596e6f683f4629af6efe4c8e |
| SHA256 | ceb604733e4813f6c446e3240cba6b5118e307d5af4f53e970358db5959706cd |
| SHA512 | 4cb4a2cab3f20c0c9b8b0669291738fad26c2dedb6cce669880ecdad785f32c416f85cee5962e2e4a255acabef1211d387fc7356cb810a4f8222e2e5f56eb20a |
C:\Users\Admin\AppData\Local\Temp\vbc580F.tmp
| MD5 | 453916f7e3952d736a473b0e2eea5430 |
| SHA1 | b79ccb2b555a81b8db470ec9fcaea26d42ef1c8b |
| SHA256 | b0f8b94a35a12060c70e9f81641be22cbf1f1794c73260f48a2e6e46608623fe |
| SHA512 | 86d32a03cf04ef8640075c82e5fecb23034413a41b80b81c900a423b03f44589f774f68f83561465e7c9ce46512c818eef5a90e5ed9f7b3f86b592be34fa367f |
C:\Users\Admin\AppData\Local\Temp\RES5810.tmp
| MD5 | ccb4812836545fd3af6e056f4a2b3d8b |
| SHA1 | 73e1d6048edbae9d87a8a3c67e38d8aed277776f |
| SHA256 | 5cd66757861a7ff91f7e409840bf6bee831cd427eb4edef55d9019d3f7416c87 |
| SHA512 | ff25a7d2e839d6c617c35bac04b95d999be495eda72291e2509e5d00e9d11280ce06e39fa9fc323d450475e51dd94a78e409ccca07f8c7a32e1113c65620ee66 |
C:\Users\Admin\AppData\Local\Temp\kwna6gcn.0.vb
| MD5 | 285105c113cbecb256d3d1293aaed2c9 |
| SHA1 | e3f56380a1bea78c52ae4ea5ff5f03956c77c76c |
| SHA256 | 8c0343815bee6b3a09ea48af9e0c204508885a7535f1a772250331d1e2fe8e9f |
| SHA512 | e4c03023ff9b76b3bffd70d637be79e4500965a8c1e3c9fcefb16a63c44c4e381a2a6862c7eea853848be5ab6e561fb4d9945d02b560958edb391c671797a856 |
C:\Users\Admin\AppData\Local\Temp\kwna6gcn.cmdline
| MD5 | cf46b4108690ee531d766a70b55efd0e |
| SHA1 | 936f9baad2bcc90690335d906a1857f59fe35140 |
| SHA256 | 5ff68ef231b268f13488aadf01cc210cfaeac8962eb21aaafb7dc86f7dada7f5 |
| SHA512 | a1f9beb8f1f6ca5f0eb031636bd43f5fd905ba4f2545e0f36e69a54bbfd7df5d96f1c00c65894dfc7a7b3b62564ecd20f3935f1c14332efce90e849ff9706f65 |
C:\Users\Admin\AppData\Local\Temp\vbc585D.tmp
| MD5 | 6ed26221ebae0c285cdced27b4e4dbac |
| SHA1 | 452e9440a9c5b47a4f54aefdde36c08592e17a38 |
| SHA256 | aacdfb10fa949c74577bb1778fe2f3bab88b3e587c07cfffb003e059097e9e6c |
| SHA512 | c604368a7b4adfbec5b6898c8880ea684bd085d967c1ebd087c9bed065fe3e2575c8298a9ccaa454d68496386667db998e2a04248dda2ab35905c8a9b1135cce |
C:\Users\Admin\AppData\Local\Temp\RES585E.tmp
| MD5 | 9ee1de251e8615bb7db0fd4ec9a62aab |
| SHA1 | c0d61aa24ba4eea7e1bfd661f5e1599b508eaea6 |
| SHA256 | 5b31b772f037c0536e4d6e0811a45b9c348bf77df866d5dad7e9d58282883f8d |
| SHA512 | c281ee6c05c4adc23a4ab658bee752ac16499a8570fcb1df41c52ab8c02a4549fbb262db53f47834b0559b9e86a811508074707f3fe551d6b645b35c85e0d2cc |
C:\Users\Admin\AppData\Local\Temp\g3hslql2.0.vb
| MD5 | 91db9d749b80b7bfd07524563f046ecb |
| SHA1 | 780d0d3185057fadb121e0a526a89260a7367d5b |
| SHA256 | 0d13e734ccd1fd940caa9526bc3459ccf5420189dfec2287e3818660cb029c18 |
| SHA512 | 11c01940e1d88d5cef7c6d701102f7ee8eb1a3489ded2f412d648e07801f6cb6d9b2c4fde773b8453eaf92797814d7043d96c9b9fd06e037d42a7cc3eed6d45b |
C:\Users\Admin\AppData\Local\Temp\g3hslql2.cmdline
| MD5 | b4f0167598becf2c92cd7fdaa115e0e1 |
| SHA1 | 612f79115b72c55709bc77629216dff843e5b1a3 |
| SHA256 | a5cfc2a9b1554cf075fd265eddadc0da3593141ac49e314ce119a66b641cca83 |
| SHA512 | 2f5e5430bcf0f9ee98205534e6d0c09ae218ca4cb5b294a5b01db0c73f9c74435d9af512db927d9641529e5fd132b631c5374a75851f14bd0b3e0e7ea68997c3 |
C:\Users\Admin\AppData\Local\Temp\RES58AC.tmp
| MD5 | 70abaeec478074ed3d929a357efe9d95 |
| SHA1 | edbc59440a28644acb88492f242e26ad45df4272 |
| SHA256 | e587588bd775bec61282e4ad9fc1396a17c5910e878e4e44aa91a844a215fdd5 |
| SHA512 | 84613453293facf5e4fff98a8b1c141360b19046d917731c25b80f5118468cc2578ec6ede635df74d474c9be93e6fa449e15a975198e56a3a7570d66f4b2e6b6 |
C:\Users\Admin\AppData\Local\Temp\lk4njgml.0.vb
| MD5 | bc90625349b8ddff681a2854a1f40611 |
| SHA1 | ca0239d34f80409d509c5e096cfd6ae4e0e905eb |
| SHA256 | 8ed6ade2ff68614c34d8bbdaa0b7eac43e5787b4831211afff08045c580e4355 |
| SHA512 | 54b8e76338471b80ba8e6f6e4692b76c06fa3c5329a9a153288c6d442ca9f51dcd5077289c3f9ca75ffd85901bb6a4010512fac411c1fa2d95562d42329df45c |
C:\Users\Admin\AppData\Local\Temp\lk4njgml.cmdline
| MD5 | c585416441f00bcf0816f91091546d8c |
| SHA1 | 4df0f256b1d2ab04d54d1341a48bcd141f20fd37 |
| SHA256 | cd58eed2a6b2b6d6ac7a48b63228656558135942913ee1ef9101529558664fd3 |
| SHA512 | 4b129f68387c96f7d3fc8809152819f9537841686a93c3501ca95209041251bf4242ab1e13eb7ff84cc8c8e1a1bc2a7b777f098bb28de7817c3c2fddbf130f3b |
C:\Users\Admin\AppData\Local\Temp\RES58FA.tmp
| MD5 | 972e0fc6ba1c69fb5a2aad7aa53f9d63 |
| SHA1 | ff5a32fc06347c34f3f9c697f548f5d061e5e9d5 |
| SHA256 | 55ea5c2c2a7274223a2c308d6665cbb83022533562a5801db166ac1bbbbb141e |
| SHA512 | 8697407220de7c8044f1a0d8c17ef0b4fb9fe031c54505b316fbf5d8f1ef91e55d8f9fa998a9ba013394875b14a6b3f96820e31c9cc4001a081baaadaa7d7a48 |
C:\Users\Admin\AppData\Local\Temp\vbc58F9.tmp
| MD5 | b548259248343e12d417d6c938cf8968 |
| SHA1 | 19703c388a51a7ff81a3deb6a665212be2e6589a |
| SHA256 | ab2ce0a14c78f836d2b134a37183b6d89a78b964ea5607940fa5d940d32a0366 |
| SHA512 | 73a3902f000a042a448446f6851d6ad61a30bfdfed7d7903b5dad0f368ee43cd6da3b8ba817ac95be1a7427902aba0642af8ccddc4d442867465f1f1f5bf6f81 |
C:\Users\Admin\AppData\Local\Temp\zmcrop_1.cmdline
| MD5 | a4ef915f1828ff6efd4faa3a7650951a |
| SHA1 | be730b464386438920fa1d64c0a0761e188bd2d8 |
| SHA256 | 848b139fa47fd25cca39d074572ec1a1f5661aac77892502123ba5630967960a |
| SHA512 | 3c7a59b8c291ca698216bec8fdff2305f87d3fe2b88a1176a81f80c699836e3a765681fe6d72936f104776c441205b1f430adb28a43d64544fc81014136b06ba |
C:\Users\Admin\AppData\Local\Temp\zmcrop_1.0.vb
| MD5 | f053c9fd1bd9f4712b5cd74f2b9d1184 |
| SHA1 | 26bab75f8adb2e618952399b09b8c22b71863fc2 |
| SHA256 | c4454968628ce0aa4fe779a9b36653f098300f54ccb606551d8bd3ebb57f473a |
| SHA512 | 0eda15da77cd58c1f49ff960ba89db9bab4a9a3d875e48f9666b396913d5168b399f31a9db7582be487ec76a2874e6a5a0d2bcb5096b6a4f3675738fe1d928ac |
C:\Users\Admin\AppData\Local\Temp\vbc5985.tmp
| MD5 | ba2c43095c1c82b8024e968d16bee036 |
| SHA1 | 41ea006dbc9f0f6e80941d7547a980a1dde868e0 |
| SHA256 | 1209067183104b41f03a5be0f377dc1865155cc84bdb509b871b7ce3366aae72 |
| SHA512 | 00dc93cdb8c4cb0a681f99d24c59216a721bce963d76bad972e29cf92aafd74e4af46632c00f5aef4ce3160927db9df8aa9a8926ea4a5cb6974b499785569e61 |
C:\Users\Admin\AppData\Local\Temp\RES5986.tmp
| MD5 | 9c2a8b195c4c95f0bee7214fd1b1b3b7 |
| SHA1 | 6e27d138dfc3008ad01c4862a7cbb67b3111f086 |
| SHA256 | 9a040d757e9e556ea0334db87518988af2174de92689987242e2ca41ba70779f |
| SHA512 | fa24d5ff3908bd7f289c51d5677993c4dabfd80826e9788db9328b29c884ac7e6953de51580817fee98507ba2052d25725da87e673d8a95ded32543d64523aec |
C:\Users\Admin\AppData\Local\Temp\3w2oe5aj.cmdline
| MD5 | 2f94b623f4da1cc19436f98cf39d65ab |
| SHA1 | e14c37942519e52b3ee8f7183bbd38df46891f16 |
| SHA256 | 7458cb8c9f8eaff12835095aaaa20ab9927e8cb10ace94f04c329b5041f15d3a |
| SHA512 | 223ef67424f3e596d870b5ed4d6ad6af8bb95428187bffa497957c2ceab9e863bb60287db1cf18fe2260a9576c8ceaefcf423604b2a6f67429d632a8847f0199 |
C:\Users\Admin\AppData\Local\Temp\3w2oe5aj.0.vb
| MD5 | d23be0f25aad85f020361539d7d898e0 |
| SHA1 | d9162a4dd7e37e788d85327c2d15b536d096d7c3 |
| SHA256 | d8f028262f2ed59041f19809dfe9d6e718f02a596618ec83756b07c5ddef11ab |
| SHA512 | 129b34a6384cd82c4de6747b28e65aea21d753b62cddd6c50ec1f5f7638c0c3086607aaedbd47a9bdc93974daf168f0967485e135577c30d44c20dd52fe930d1 |
C:\Users\Admin\AppData\Local\Temp\vbc59E3.tmp
| MD5 | dac60af34e6b37e2ce48ac2551aee4e7 |
| SHA1 | 968c21d77c1f80b3e962d928c35893dbc8f12c09 |
| SHA256 | 2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6 |
| SHA512 | 1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084 |
C:\Users\Admin\AppData\Local\Temp\RES59E4.tmp
| MD5 | 84e15f96751ae7fbfdb7aea445e0c735 |
| SHA1 | a00945dc5cd6cc2923f857c4b58da196be813bdb |
| SHA256 | 0b6f068b0ca9a1668001f7487096a78b9d3407a28939961d7572a4bc513797c1 |
| SHA512 | d703497ace00b84de4cb8002a5f652945da101cc1810c9c6f36756fc788fba4957a2b7af5c8f6a258bf43160378f0ac94c1393395834b944d7ecd4657684354e |
C:\Users\Admin\AppData\Local\Temp\hauhxasc.cmdline
| MD5 | fa87736d9c30dd9a2336995b9857b6b5 |
| SHA1 | 3c61d976b3280cece4dce7e7e501dff7fe1286bd |
| SHA256 | 6063a0a8b8035c46e7333b3c0881492a1a70e98fd35c110e5065bc0fc60c8d89 |
| SHA512 | f4ac9d07cac446b7b1dc6a22eac002f04157fc63b13a2c074455a45e2b2ec396fe63f843d5750dd004929d087fa103c800a53a589222c7b51601caf2a3e116d2 |
C:\Users\Admin\AppData\Local\Temp\hauhxasc.0.vb
| MD5 | f905a83710cb30c3315fe9fffeb17b4c |
| SHA1 | 235f602eabdf656d1cf8e968178dfaface7b27a2 |
| SHA256 | 06dcc5134188595e8d4dc0747cfa06491a7cc8e74b0bc117aadb185561811290 |
| SHA512 | 233c0b9c860d84d22ccd184c14b0e74aa4a6f0bac81f163ccefb16b82f71ec2aa210e8a2d77295622dc384ecb677be08e50aeb3e646a8a911a15af841f77242e |
C:\Users\Admin\AppData\Local\Temp\RES5A22.tmp
| MD5 | d405e19c038f19b72d94be20749c5d39 |
| SHA1 | 19511144ee83d0314cd911dfbe3eeece3831c3a0 |
| SHA256 | 17fc51788670834df067c5c7070a77532ee819d87507f839f7cbc01b5e511d75 |
| SHA512 | 21160197877082cd25e07ea6700dcb60d90c843d1a0a726419050ef91755410d25d617726f804b7275d3e1475ef3b1797a39fff0b675b72e2c73eec70c10e4b9 |
C:\Users\Admin\AppData\Local\Temp\6wmwyn7e.cmdline
| MD5 | 052f0c90c670e62566801f9762e027db |
| SHA1 | dc09bc2115abf09206cadff65f364c08e1147183 |
| SHA256 | c0384e40771e35cde0c78832c3908a915deafd38f837aa867c0ad2c97da57499 |
| SHA512 | 7aaecb70baaa1acbe1e03e287b2240886a99f71c317ff3d7215ed16049e19f2ff36089f82714b42ca8cb7e52bd3ca22e8ab9882d63dd9512387191487419b7da |
C:\Users\Admin\AppData\Local\Temp\6wmwyn7e.0.vb
| MD5 | f6c95993c10d7f52846cccad3a0d0f3b |
| SHA1 | a9930d22cbff97abd49a10da9f1c24a9effd0f65 |
| SHA256 | 1d045334b0f37519c01cd1bfe03d381ba7282d6646f7a71f66c4c499b6a936bd |
| SHA512 | 19c4951721e5d1247b850632517aacaaf6bcf4cf9a901c429342f9856347f29303da0141ec6761d42e24a3b445877c28376cb1ec4d1e14c6e83d728c198e1a05 |
C:\Users\Admin\AppData\Local\Temp\vbc5A6F.tmp
| MD5 | 7a707b422baa7ca0bc8883cbe68961e7 |
| SHA1 | addf3158670a318c3e8e6fdd6d560244b9e8860e |
| SHA256 | 453ad1da51152e3512760bbd206304bf48f9c880f63b6a0726009e2d1371c71c |
| SHA512 | 81147c1c4c5859249f4e25d754103f3843416e3d0610ac81ee2ef5e5f50622ea37f0c68eeb7fa404f8a1779dc52af02d2142874e39c212c66fa458e0d62926a9 |
C:\Users\Admin\AppData\Local\Temp\RES5A70.tmp
| MD5 | 5ad8213407ebc0ee4d2464991002ca4c |
| SHA1 | 6dd1e532dadde57f4ebe32da417ac261cf71688a |
| SHA256 | 6c5af448ef55ea55951cd06f87564e6525a18de65e2c7966aaf69eb2a2788712 |
| SHA512 | 8a280cb9274a515b9ba14af26081265b77b7dd2072f7df5bdc25f42ca4f0f690416ed5b7c99e3bec6e14270581cf7b202ec2deb88cacd028c05a9a8e41ced1c3 |
memory/2784-154-0x0000000070D2E000-0x0000000070D2F000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-08 19:41
Reported
2025-01-08 19:44
Platform
win10v2004-20241007-en
Max time kernel
146s
Max time network
139s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\327663578.exe | N/A |
Uses the VBS compiler for execution
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\327663578.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe"
C:\Users\Admin\AppData\Local\Temp\327663578.exe
"C:\Users\Admin\AppData\Local\Temp\327663578.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rvub_lqf.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES11CE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1D42BFBED29840848C6119A675D61E86.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pwkhj9bl.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1279.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2600C157DB2E4032B72A7A15662660AA.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rdgxogny.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1345.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAFB1D82A57844BC2BC1542585FDA651E.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fngyhapx.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES13C2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB9CE5BA3E5944FAB9D2DB0B7A099861A.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tvpwha4r.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES145E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB23038D2F68145EEBFE5B25E891ABFF.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\y_hcpnzc.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES15C5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5B032AC595E447CBAB52B97CF4952611.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uvlhsjbu.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1661.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF792F846C6594356A281CA9F459A9A9F.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0m8auy3x.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES16DE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC470A923FBBE49FCBC3C3B367D703023.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\x5bn9soh.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES177B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc46BB0CDF88FF4711A465212691DBF7F5.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5crfcgg6.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1807.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9C4E3E81329D4DF0AF1BBD691D80BDEC.TMP"
Network
Files