Malware Analysis Report

2025-04-14 05:11

Sample ID 250111-ch1hjsykev
Target JaffaCakes118_f41dd24943f187032c28c2065c2e1150
SHA256 877c20737b066f465e7fc9bdfebf63fe7290569cb8bc6487fbc7309cde2a71eb
Tags: stealer revengerat discovery persistence trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 877c20737b066f465e7fc9bdfebf63fe7290569cb8bc6487fbc7309cde2a71eb

Threat Level: Known bad

The file JaffaCakes118_f41dd24943f187032c28c2065c2e1150 was found to be: Known bad.

Malicious Activity Summary

stealer revengerat discovery persistence trojan

RevengeRat Executable

Revengerat family

RevengeRAT

RevengeRat Executable

Loads dropped DLL

Uses the VBS compiler for execution

Drops startup file

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2025-01-11 02:05

Signatures

RevengeRat Executable

stealer
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |

Revengerat family

revengerat

Unsigned PE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted: 2025-01-11 02:05
Reported: 2025-01-11 02:07
Platform: win7-20240903-en
Max time kernel: 149s
Max time network: 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f41dd24943f187032c28c2065c2e1150.exe"

Signatures

RevengeRAT

trojan revengerat

Revengerat family

revengerat

RevengeRat Executable

stealer
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |

Drops startup file

| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system32helper | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system32helper.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system32helper | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system32helper | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system32helper.vbs | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system32helper.js | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system32helper.lnk | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system32helper.URL | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe | N/A |

Uses the VBS compiler for execution

Adds Run key to start application

persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\History\\svchost.exe" | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe | N/A |

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f41dd24943f187032c28c2065c2e1150.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe | N/A |

Scheduled Task/Job: Scheduled Task

persistence execution
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f41dd24943f187032c28c2065c2e1150.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2124 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f41dd24943f187032c28c2065c2e1150.exe | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe |
| PID 2124 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f41dd24943f187032c28c2065c2e1150.exe | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe |
| PID 2124 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f41dd24943f187032c28c2065c2e1150.exe | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe |
| PID 2124 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f41dd24943f187032c28c2065c2e1150.exe | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe |
| PID 2664 wrote to memory of 344 | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
| PID 2664 wrote to memory of 344 | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
| PID 2664 wrote to memory of 344 | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
| PID 2664 wrote to memory of 344 | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
| PID 344 wrote to memory of 1684 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe |
| PID 344 wrote to memory of 1684 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe |
| PID 344 wrote to memory of 1684 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe |
| PID 344 wrote to memory of 1684 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe |
| PID 2664 wrote to memory of 1424 | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 2664 wrote to memory of 1424 | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 2664 wrote to memory of 1424 | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 2664 wrote to memory of 1424 | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 1932 wrote to memory of 2492 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe |
| PID 1932 wrote to memory of 2492 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe |
| PID 1932 wrote to memory of 2492 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe |
| PID 1932 wrote to memory of 2492 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe |

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f41dd24943f187032c28c2065c2e1150.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f41dd24943f187032c28c2065c2e1150.exe"

C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe

"C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\walrj8m4.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF8C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF8B.tmp"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {BFF1F425-1888-49E7-B785-2AA1EEA75A4D} S-1-5-21-2872745919-2748461613-2989606286-1000:CCJBVTGQ\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe

C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | applezm15.ddns.net | udp |

Files

memory/2124-0-0x0000000074F51000-0x0000000074F52000-memory.dmp

memory/2124-1-0x0000000074F50000-0x00000000754FB000-memory.dmp

memory/2124-2-0x0000000074F50000-0x00000000754FB000-memory.dmp

memory/2124-3-0x0000000074F50000-0x00000000754FB000-memory.dmp

\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe

MD5 f41dd24943f187032c28c2065c2e1150
SHA1 a6b0d8ba4e0f78fb5ed746b3046fad5a41caa01b
SHA256 877c20737b066f465e7fc9bdfebf63fe7290569cb8bc6487fbc7309cde2a71eb
SHA512 a366418c29077612f7b06bea12c9fee5f9a65570caa40a522720c69285e47c0ea69d755a519702d5a00d4fe88a1dacb3f5247f1d12a2430469d411be008e305a

memory/2664-14-0x0000000074F50000-0x00000000754FB000-memory.dmp

memory/2664-15-0x0000000074F50000-0x00000000754FB000-memory.dmp

memory/2124-16-0x0000000074F50000-0x00000000754FB000-memory.dmp

memory/2664-17-0x0000000074F50000-0x00000000754FB000-memory.dmp

memory/2664-18-0x0000000074F50000-0x00000000754FB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\walrj8m4.cmdline

MD5 11ae467a74d70efca2e35015747a6d09
SHA1 7981076d3d178e9fd403b4fdcc72db99f94e54b1
SHA256 e989b82cd9cbf44737a20182914a93184b5d5a7d8afec16cfe45f3e3efc8bc3e
SHA512 9f3cbd691e3cd9e3d6f32236f6deebb468b4cde58639ae96ca4762a4fd0f13960e4e1d4b0af2003249a801439515fe7ed63e018e33abee58dcba0dc3fe36017c

C:\Users\Admin\AppData\Local\Temp\walrj8m4.0.vb

MD5 926bad7c6f2ddbd75807351fd5c20585
SHA1 1fc89b5d7d40ff92832a29da8c3fc2dcea6baeab
SHA256 87e2f6e2b61abdb0b4b63243f060c8376503ef544d24726f0098f6d38ef85f91
SHA512 6684eb60afac6258299d6c8406ea3a6ccda603a60d3a780d6d397c0ae27b62191ed0abd3cefb107aad55cf17d3c4fee0cbac8a96027d2086828c3ca6221a81ed

C:\Users\Admin\AppData\Local\Temp\vbcF8B.tmp

MD5 6c51e75b6e74d5d4c93ad5da8b15790e
SHA1 0f2f268d354c03fb11ac6b5548650de793583535
SHA256 a646a41cad107940e782bd4ccc785772521bd03851e65684defcc70bcab85995
SHA512 b9451ce5d60f4ce3b898cc9f5696d4a2146de5805f4fa36f055eb6a3d2176ec7818c8736712e51f64a4b02af0584ceac5c3f3bcb84918b01e4df0244ff42cbda

C:\Users\Admin\AppData\Local\Temp\RESF8C.tmp

MD5 8c48e4c9e40cb5cc3db3295f88217936
SHA1 864077e5f1ec4d18fb87242ed0bd0a06ce192cb3
SHA256 c2ed9412ea76d69e5348cb7dc11e1db0aaa62a5cebad2bb747203d8f79aaf8db
SHA512 111d05fc770246486e0d2936f79fa0fdf024ff1f09afcb182cd119cd129300cdec04d4b4bfc895eb51983ed1f5d8117822b5ec1d7c4cbd6344bc4e04fb90a570

Analysis: behavioral2

Detonation Overview

Submitted: 2025-01-11 02:05
Reported: 2025-01-11 02:07
Platform: win10v2004-20241007-en
Max time kernel: 147s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f41dd24943f187032c28c2065c2e1150.exe"

Signatures

RevengeRAT

trojan revengerat

Revengerat family

revengerat

RevengeRat Executable

stealer
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |

Checks computer location settings

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f41dd24943f187032c28c2065c2e1150.exe | N/A |

Drops startup file

| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system32helper | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system32helper | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system32helper.vbs | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system32helper.js | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system32helper.lnk | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system32helper.URL | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system32helper | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system32helper.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |

Uses the VBS compiler for execution

Adds Run key to start application

persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\History\\svchost.exe" | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe | N/A |

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f41dd24943f187032c28c2065c2e1150.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe | N/A |

Scheduled Task/Job: Scheduled Task

persistence execution
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f41dd24943f187032c28c2065c2e1150.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3148 wrote to memory of 3856 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f41dd24943f187032c28c2065c2e1150.exe | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe |
| PID 3148 wrote to memory of 3856 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f41dd24943f187032c28c2065c2e1150.exe | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe |
| PID 3148 wrote to memory of 3856 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f41dd24943f187032c28c2065c2e1150.exe | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe |
| PID 3856 wrote to memory of 4452 | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
| PID 3856 wrote to memory of 4452 | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
| PID 3856 wrote to memory of 4452 | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
| PID 4452 wrote to memory of 916 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe |
| PID 4452 wrote to memory of 916 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe |
| PID 4452 wrote to memory of 916 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe |
| PID 3856 wrote to memory of 5004 | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 3856 wrote to memory of 5004 | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 3856 wrote to memory of 5004 | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe | C:\Windows\SysWOW64\schtasks.exe |

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f41dd24943f187032c28c2065c2e1150.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f41dd24943f187032c28c2065c2e1150.exe"

C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe

"C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lejap92z.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES95D2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB180F71FAB54CA0BEC7DC971A8DF0BE.TMP"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe"

C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe

C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | applezm15.ddns.net | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | applezm15.ddns.net | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | applezm15.ddns.net | udp |
| US | 8.8.8.8:53 | applezm15.ddns.net | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | applezm15.ddns.net | udp |
| US | 8.8.8.8:53 | applezm15.ddns.net | udp |
| US | 8.8.8.8:53 | applezm15.ddns.net | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | applezm15.ddns.net | udp |
| US | 8.8.8.8:53 | applezm15.ddns.net | udp |
| US | 8.8.8.8:53 | applezm15.ddns.net | udp |
| US | 8.8.8.8:53 | applezm15.ddns.net | udp |
| US | 8.8.8.8:53 | applezm15.ddns.net | udp |
| US | 8.8.8.8:53 | applezm15.ddns.net | udp |
| US | 8.8.8.8:53 | 180.129.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | applezm15.ddns.net | udp |
| US | 8.8.8.8:53 | applezm15.ddns.net | udp |
| US | 8.8.8.8:53 | applezm15.ddns.net | udp |
| US | 8.8.8.8:53 | applezm15.ddns.net | udp |
| US | 8.8.8.8:53 | applezm15.ddns.net | udp |
| US | 8.8.8.8:53 | applezm15.ddns.net | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | applezm15.ddns.net | udp |
| US | 8.8.8.8:53 | applezm15.ddns.net | udp |
| US | 8.8.8.8:53 | applezm15.ddns.net | udp |
| US | 8.8.8.8:53 | applezm15.ddns.net | udp |
| US | 8.8.8.8:53 | applezm15.ddns.net | udp |
| US | 8.8.8.8:53 | applezm15.ddns.net | udp |
| US | 8.8.8.8:53 | applezm15.ddns.net | udp |
| US | 8.8.8.8:53 | applezm15.ddns.net | udp |
| US | 8.8.8.8:53 | applezm15.ddns.net | udp |
| US | 8.8.8.8:53 | applezm15.ddns.net | udp |
| US | 8.8.8.8:53 | applezm15.ddns.net | udp |

Files

memory/3148-0-0x00000000750D2000-0x00000000750D3000-memory.dmp

memory/3148-1-0x00000000750D0000-0x0000000075681000-memory.dmp

memory/3148-2-0x00000000750D0000-0x0000000075681000-memory.dmp

memory/3148-3-0x00000000750D2000-0x00000000750D3000-memory.dmp

memory/3148-4-0x00000000750D0000-0x0000000075681000-memory.dmp

memory/3148-5-0x00000000750D0000-0x0000000075681000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe

MD5 f41dd24943f187032c28c2065c2e1150
SHA1 a6b0d8ba4e0f78fb5ed746b3046fad5a41caa01b
SHA256 877c20737b066f465e7fc9bdfebf63fe7290569cb8bc6487fbc7309cde2a71eb
SHA512 a366418c29077612f7b06bea12c9fee5f9a65570caa40a522720c69285e47c0ea69d755a519702d5a00d4fe88a1dacb3f5247f1d12a2430469d411be008e305a

memory/3856-17-0x00000000750D0000-0x0000000075681000-memory.dmp

memory/3856-18-0x00000000750D0000-0x0000000075681000-memory.dmp

memory/3148-20-0x00000000750D0000-0x0000000075681000-memory.dmp

memory/3856-21-0x00000000750D0000-0x0000000075681000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\lejap92z.cmdline

MD5 90264f58382e587bab6c7d20d6bc8044
SHA1 2fc9b78f823712c13e0667bfa7325e0d6fe2922a
SHA256 7e6b4ac16880b594f9f9f27f28a47d8089a711a763b3a20ec12f99faab649136
SHA512 ca5e0187fe728c673cd5e502e06b1ef1594e31d2cb35105d08eb099180076471ed086e2273d06055d9d53af9d8ce595185551c9701de119ad654b5d97a442c39

memory/4452-36-0x00000000750D0000-0x0000000075681000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\lejap92z.0.vb

MD5 926bad7c6f2ddbd75807351fd5c20585
SHA1 1fc89b5d7d40ff92832a29da8c3fc2dcea6baeab
SHA256 87e2f6e2b61abdb0b4b63243f060c8376503ef544d24726f0098f6d38ef85f91
SHA512 6684eb60afac6258299d6c8406ea3a6ccda603a60d3a780d6d397c0ae27b62191ed0abd3cefb107aad55cf17d3c4fee0cbac8a96027d2086828c3ca6221a81ed

C:\Users\Admin\AppData\Local\Temp\vbcB180F71FAB54CA0BEC7DC971A8DF0BE.TMP

MD5 6c51e75b6e74d5d4c93ad5da8b15790e
SHA1 0f2f268d354c03fb11ac6b5548650de793583535
SHA256 a646a41cad107940e782bd4ccc785772521bd03851e65684defcc70bcab85995
SHA512 b9451ce5d60f4ce3b898cc9f5696d4a2146de5805f4fa36f055eb6a3d2176ec7818c8736712e51f64a4b02af0584ceac5c3f3bcb84918b01e4df0244ff42cbda

C:\Users\Admin\AppData\Local\Temp\RES95D2.tmp

MD5 9cfa39a696eb06cc2fb0d967fc55078b
SHA1 f4e5d863971fa9ee080396aadfe79e895a539e3e
SHA256 77090d5b66d343c41c3cd147eef929383cb72f5ff183c0a6e4a905acb30643a8
SHA512 e9b61e13b28298a3aff2221351eb83a7f9215f2b396cb70f15a617c3bb9d889034add1a67df98acf908fac9061df3fc00a43e8372e239e160f56b3724543be10

memory/4452-45-0x00000000750D0000-0x0000000075681000-memory.dmp