Malware Analysis Report

2024-11-15 08:30

Sample ID 240405-lrtwsshb96
Target d04352c69e8d56db5f9eb8f0b6573365_JaffaCakes118
SHA256 40f9ef6921839b83373e8d981655b24f2b9c6d9b5b342d2bf621c8d6ea5528f8
Tags
quasar chrome evasion spyware themida trojan agilenet
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

40f9ef6921839b83373e8d981655b24f2b9c6d9b5b342d2bf621c8d6ea5528f8

Threat Level: Known bad

The file d04352c69e8d56db5f9eb8f0b6573365_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

quasar chrome evasion spyware themida trojan agilenet

Quasar RAT

Quasar payload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Obfuscated with Agile.Net obfuscator

Themida packer

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Unsigned PE

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Runs ping.exe

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-05 09:46

Signatures

Obfuscated with Agile.Net obfuscator

agilenet
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-05 09:46

Reported

2024-04-05 09:49

Platform

win7-20240221-en

Max time kernel

118s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d04352c69e8d56db5f9eb8f0b6573365_JaffaCakes118.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\d04352c69e8d56db5f9eb8f0b6573365_JaffaCakes118.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\d04352c69e8d56db5f9eb8f0b6573365_JaffaCakes118.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\d04352c69e8d56db5f9eb8f0b6573365_JaffaCakes118.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\S^X.exe | N/A

Themida packer

themida
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\d04352c69e8d56db5f9eb8f0b6573365_JaffaCakes118.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d04352c69e8d56db5f9eb8f0b6573365_JaffaCakes118.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\chrome.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\S^X.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1724 wrote to memory of 2688 | N/A | C:\Users\Admin\AppData\Local\Temp\d04352c69e8d56db5f9eb8f0b6573365_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\chrome.exe
PID 1724 wrote to memory of 2688 | N/A | C:\Users\Admin\AppData\Local\Temp\d04352c69e8d56db5f9eb8f0b6573365_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\chrome.exe
PID 1724 wrote to memory of 2688 | N/A | C:\Users\Admin\AppData\Local\Temp\d04352c69e8d56db5f9eb8f0b6573365_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\chrome.exe
PID 1724 wrote to memory of 2688 | N/A | C:\Users\Admin\AppData\Local\Temp\d04352c69e8d56db5f9eb8f0b6573365_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\chrome.exe
PID 1724 wrote to memory of 2848 | N/A | C:\Users\Admin\AppData\Local\Temp\d04352c69e8d56db5f9eb8f0b6573365_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\S^X.exe
PID 1724 wrote to memory of 2848 | N/A | C:\Users\Admin\AppData\Local\Temp\d04352c69e8d56db5f9eb8f0b6573365_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\S^X.exe
PID 1724 wrote to memory of 2848 | N/A | C:\Users\Admin\AppData\Local\Temp\d04352c69e8d56db5f9eb8f0b6573365_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\S^X.exe
PID 1724 wrote to memory of 2848 | N/A | C:\Users\Admin\AppData\Local\Temp\d04352c69e8d56db5f9eb8f0b6573365_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\S^X.exe
PID 2688 wrote to memory of 2456 | N/A | C:\Users\Admin\AppData\Roaming\chrome.exe | C:\Windows\system32\schtasks.exe
PID 2688 wrote to memory of 2456 | N/A | C:\Users\Admin\AppData\Roaming\chrome.exe | C:\Windows\system32\schtasks.exe
PID 2688 wrote to memory of 2456 | N/A | C:\Users\Admin\AppData\Roaming\chrome.exe | C:\Windows\system32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\d04352c69e8d56db5f9eb8f0b6573365_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\d04352c69e8d56db5f9eb8f0b6573365_JaffaCakes118.exe"

C:\Users\Admin\AppData\Roaming\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome.exe"

C:\Users\Admin\AppData\Local\Temp\S^X.exe

"C:\Users\Admin\AppData\Local\Temp\S^X.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome.exe" /rl HIGHEST /f

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | synapse.to | udp
US | 104.21.21.210:443 | synapse.to | tcp

Files

memory/1724-0-0x0000000074840000-0x0000000074DEB000-memory.dmp

memory/1724-1-0x0000000074840000-0x0000000074DEB000-memory.dmp

memory/1724-2-0x0000000000BE0000-0x0000000000C20000-memory.dmp

\Users\Admin\AppData\Local\Temp\45b8c97f-5cf8-49f5-b76c-0fc91adff9fb\AgileDotNetRT.dll

MD5 2d86c4ad18524003d56c1cb27c549ba8
SHA1 123007f9337364e044b87deacf6793c2027c8f47
SHA256 091ab8a1acdab40c544bd1e5c91a96881acc318cac4df5235e1b5673f5489280
SHA512 0dd5204733b3c20932aeea2cebf0ca1eeca70e4b3b3b8932d78d952a8f762f0b96ebdbdaf217e95889c02ec6a39b8f9919fd4c0cba56bb629256e71fa61faa3c

memory/1724-9-0x00000000729E0000-0x0000000072FE8000-memory.dmp

memory/1724-11-0x00000000776F0000-0x00000000776F2000-memory.dmp

memory/1724-10-0x00000000729E0000-0x0000000072FE8000-memory.dmp

memory/1724-12-0x00000000729E0000-0x0000000072FE8000-memory.dmp

memory/1724-13-0x00000000746C0000-0x000000007471B000-memory.dmp

\Users\Admin\AppData\Roaming\chrome.exe

MD5 92479f1615fd4fa1dd3ac7f2e6a1b329
SHA1 0a6063d27c9f991be2053b113fcef25e071c57fd
SHA256 0c4917cc756e769e94ab97d626bef49713dab833525ba2e5d75fc9aea4c72569
SHA512 9f117c74c04749e6d0142e1cf952a8c59428f649413750921fc7aea35a3ccb62d9975ef954e61ce323d6234e0e9c7b8816f2ca9270552b726f9233219750847c

\Users\Admin\AppData\Local\Temp\S^X.exe

MD5 e2437ac017506bbde9a81fb1f618457b
SHA1 adef2615312b31e041ccf700b3982dd50b686c7f
SHA256 94594fa46d0bd28c02365f0a32ec3a662b25df95f3f3e8e2a952c18a23895b12
SHA512 9169f8be39b8fede38f7fce5a2e64d42630857e0ebd37f921c68ccf0bf0a8816f1682ba4659d22ad43413d99de62a59b2494494701404b44aa41c4d6bdc1e019

memory/1724-27-0x00000000729E0000-0x0000000072FE8000-memory.dmp

memory/1724-28-0x0000000074840000-0x0000000074DEB000-memory.dmp

memory/2688-29-0x0000000000C90000-0x0000000000D14000-memory.dmp

memory/2848-30-0x0000000000800000-0x00000000008CC000-memory.dmp

memory/2688-31-0x000007FEF58A0000-0x000007FEF628C000-memory.dmp

memory/2848-32-0x0000000072120000-0x000000007280E000-memory.dmp

memory/2688-33-0x000000001B140000-0x000000001B1C0000-memory.dmp

memory/2848-34-0x0000000004A00000-0x0000000004A40000-memory.dmp

memory/2848-36-0x0000000072120000-0x000000007280E000-memory.dmp

memory/2688-37-0x000007FEF58A0000-0x000007FEF628C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-05 09:46

Reported

2024-04-05 09:49

Platform

win10v2004-20240226-en

Max time kernel

151s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d04352c69e8d56db5f9eb8f0b6573365_JaffaCakes118.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\d04352c69e8d56db5f9eb8f0b6573365_JaffaCakes118.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\d04352c69e8d56db5f9eb8f0b6573365_JaffaCakes118.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\d04352c69e8d56db5f9eb8f0b6573365_JaffaCakes118.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\d04352c69e8d56db5f9eb8f0b6573365_JaffaCakes118.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d04352c69e8d56db5f9eb8f0b6573365_JaffaCakes118.exe | N/A

Themida packer

themida
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\d04352c69e8d56db5f9eb8f0b6573365_JaffaCakes118.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d04352c69e8d56db5f9eb8f0b6573365_JaffaCakes118.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\chrome.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\S^X.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4104 wrote to memory of 4564 | N/A | C:\Users\Admin\AppData\Local\Temp\d04352c69e8d56db5f9eb8f0b6573365_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\chrome.exe
PID 4104 wrote to memory of 4564 | N/A | C:\Users\Admin\AppData\Local\Temp\d04352c69e8d56db5f9eb8f0b6573365_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\chrome.exe
PID 4104 wrote to memory of 880 | N/A | C:\Users\Admin\AppData\Local\Temp\d04352c69e8d56db5f9eb8f0b6573365_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\S^X.exe
PID 4104 wrote to memory of 880 | N/A | C:\Users\Admin\AppData\Local\Temp\d04352c69e8d56db5f9eb8f0b6573365_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\S^X.exe
PID 4104 wrote to memory of 880 | N/A | C:\Users\Admin\AppData\Local\Temp\d04352c69e8d56db5f9eb8f0b6573365_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\S^X.exe
PID 4564 wrote to memory of 2328 | N/A | C:\Users\Admin\AppData\Roaming\chrome.exe | C:\Windows\SYSTEM32\schtasks.exe
PID 4564 wrote to memory of 2328 | N/A | C:\Users\Admin\AppData\Roaming\chrome.exe | C:\Windows\SYSTEM32\schtasks.exe
PID 4564 wrote to memory of 1856 | N/A | C:\Users\Admin\AppData\Roaming\chrome.exe | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 4564 wrote to memory of 1856 | N/A | C:\Users\Admin\AppData\Roaming\chrome.exe | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 1856 wrote to memory of 636 | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | C:\Windows\SYSTEM32\schtasks.exe
PID 1856 wrote to memory of 636 | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | C:\Windows\SYSTEM32\schtasks.exe
PID 1856 wrote to memory of 2760 | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | C:\Windows\system32\cmd.exe
PID 1856 wrote to memory of 2760 | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | C:\Windows\system32\cmd.exe
PID 2760 wrote to memory of 1184 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2760 wrote to memory of 1184 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2760 wrote to memory of 4908 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 2760 wrote to memory of 4908 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 2760 wrote to memory of 1312 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 2760 wrote to memory of 1312 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 1312 wrote to memory of 1724 | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | C:\Windows\SYSTEM32\schtasks.exe
PID 1312 wrote to memory of 1724 | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | C:\Windows\SYSTEM32\schtasks.exe
PID 1312 wrote to memory of 4348 | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | C:\Windows\system32\cmd.exe
PID 1312 wrote to memory of 4348 | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | C:\Windows\system32\cmd.exe
PID 4348 wrote to memory of 5108 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 4348 wrote to memory of 5108 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 4348 wrote to memory of 1688 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 4348 wrote to memory of 1688 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 4348 wrote to memory of 4992 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 4348 wrote to memory of 4992 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 4992 wrote to memory of 3468 | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | C:\Windows\SYSTEM32\schtasks.exe
PID 4992 wrote to memory of 3468 | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | C:\Windows\SYSTEM32\schtasks.exe
PID 4992 wrote to memory of 3068 | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | C:\Windows\system32\cmd.exe
PID 4992 wrote to memory of 3068 | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | C:\Windows\system32\cmd.exe
PID 3068 wrote to memory of 2740 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 3068 wrote to memory of 2740 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 3068 wrote to memory of 1428 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 3068 wrote to memory of 1428 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 3068 wrote to memory of 4564 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 3068 wrote to memory of 4564 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 4564 wrote to memory of 928 | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | C:\Windows\SYSTEM32\schtasks.exe
PID 4564 wrote to memory of 928 | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | C:\Windows\SYSTEM32\schtasks.exe
PID 4564 wrote to memory of 1128 | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | C:\Windows\system32\cmd.exe
PID 4564 wrote to memory of 1128 | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | C:\Windows\system32\cmd.exe
PID 1128 wrote to memory of 1712 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 1128 wrote to memory of 1712 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 1128 wrote to memory of 1728 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 1128 wrote to memory of 1728 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 1128 wrote to memory of 5096 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 1128 wrote to memory of 5096 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 5096 wrote to memory of 3744 | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | C:\Windows\SYSTEM32\schtasks.exe
PID 5096 wrote to memory of 3744 | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | C:\Windows\SYSTEM32\schtasks.exe
PID 5096 wrote to memory of 4432 | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | C:\Windows\system32\cmd.exe
PID 5096 wrote to memory of 4432 | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | C:\Windows\system32\cmd.exe
PID 4432 wrote to memory of 3280 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 4432 wrote to memory of 3280 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 4432 wrote to memory of 4064 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 4432 wrote to memory of 4064 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 4432 wrote to memory of 4288 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 4432 wrote to memory of 4288 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 4288 wrote to memory of 2760 | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | C:\Windows\SYSTEM32\schtasks.exe
PID 4288 wrote to memory of 2760 | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | C:\Windows\SYSTEM32\schtasks.exe
PID 4288 wrote to memory of 2772 | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | C:\Windows\system32\cmd.exe
PID 4288 wrote to memory of 2772 | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | C:\Windows\system32\cmd.exe
PID 2772 wrote to memory of 3360 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\d04352c69e8d56db5f9eb8f0b6573365_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\d04352c69e8d56db5f9eb8f0b6573365_JaffaCakes118.exe"

C:\Users\Admin\AppData\Roaming\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome.exe"

C:\Users\Admin\AppData\Local\Temp\S^X.exe

"C:\Users\Admin\AppData\Local\Temp\S^X.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ebJgwbDB6XH3.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Hx2WKEygDu8s.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kYG7Nicgm3qh.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EcCdLwaLGUaV.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8WV6rw0wtRnt.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MWPNcA3pyFow.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YnSDGTCVUhJf.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\utC17BAm9Ug7.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zxvxjt5vT6a3.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BexeV3zdPd2o.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pxkcaaR1WBmk.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Zp3cv1V33DWA.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 145.136.73.23.in-addr.arpa | udp
US | 8.8.8.8:53 | synapse.to | udp
US | 172.67.200.89:443 | synapse.to | tcp
US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 89.200.67.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | live.nodenet.ml | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | live.nodenet.ml | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | live.nodenet.ml | udp
US | 8.8.8.8:53 | 24.139.73.23.in-addr.arpa | udp
US | 8.8.8.8:53 | live.nodenet.ml | udp
US | 8.8.8.8:53 | live.nodenet.ml | udp
US | 8.8.8.8:53 | 163.136.73.23.in-addr.arpa | udp
US | 8.8.8.8:53 | live.nodenet.ml | udp
US | 8.8.8.8:53 | live.nodenet.ml | udp
US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | live.nodenet.ml | udp
US | 8.8.8.8:53 | live.nodenet.ml | udp
US | 8.8.8.8:53 | live.nodenet.ml | udp
US | 8.8.8.8:53 | live.nodenet.ml | udp
US | 8.8.8.8:53 | live.nodenet.ml | udp
US | 8.8.8.8:53 | 17.173.189.20.in-addr.arpa | udp

Files

memory/4104-0-0x0000000074A10000-0x0000000074FC1000-memory.dmp

memory/4104-1-0x0000000001350000-0x0000000001360000-memory.dmp

memory/4104-2-0x0000000074A10000-0x0000000074FC1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\45b8c97f-5cf8-49f5-b76c-0fc91adff9fb\AgileDotNetRT.dll

MD5 2d86c4ad18524003d56c1cb27c549ba8
SHA1 123007f9337364e044b87deacf6793c2027c8f47
SHA256 091ab8a1acdab40c544bd1e5c91a96881acc318cac4df5235e1b5673f5489280
SHA512 0dd5204733b3c20932aeea2cebf0ca1eeca70e4b3b3b8932d78d952a8f762f0b96ebdbdaf217e95889c02ec6a39b8f9919fd4c0cba56bb629256e71fa61faa3c

memory/4104-10-0x0000000072940000-0x0000000072F48000-memory.dmp

memory/4104-12-0x0000000077334000-0x0000000077336000-memory.dmp

memory/4104-11-0x0000000072940000-0x0000000072F48000-memory.dmp

memory/4104-13-0x0000000072940000-0x0000000072F48000-memory.dmp

memory/4104-14-0x0000000073730000-0x000000007378B000-memory.dmp

C:\Users\Admin\AppData\Roaming\chrome.exe

MD5 92479f1615fd4fa1dd3ac7f2e6a1b329
SHA1 0a6063d27c9f991be2053b113fcef25e071c57fd
SHA256 0c4917cc756e769e94ab97d626bef49713dab833525ba2e5d75fc9aea4c72569
SHA512 9f117c74c04749e6d0142e1cf952a8c59428f649413750921fc7aea35a3ccb62d9975ef954e61ce323d6234e0e9c7b8816f2ca9270552b726f9233219750847c

C:\Users\Admin\AppData\Local\Temp\S^X.exe

MD5 e2437ac017506bbde9a81fb1f618457b
SHA1 adef2615312b31e041ccf700b3982dd50b686c7f
SHA256 94594fa46d0bd28c02365f0a32ec3a662b25df95f3f3e8e2a952c18a23895b12
SHA512 9169f8be39b8fede38f7fce5a2e64d42630857e0ebd37f921c68ccf0bf0a8816f1682ba4659d22ad43413d99de62a59b2494494701404b44aa41c4d6bdc1e019

memory/4564-34-0x0000000000EE0000-0x0000000000F64000-memory.dmp

memory/4564-40-0x00007FFE2C7F0000-0x00007FFE2D2B1000-memory.dmp

memory/4104-39-0x0000000072940000-0x0000000072F48000-memory.dmp

memory/4104-42-0x0000000074A10000-0x0000000074FC1000-memory.dmp

memory/4564-41-0x000000001BC70000-0x000000001BC80000-memory.dmp

memory/880-43-0x0000000000DD0000-0x0000000000E9C000-memory.dmp

memory/880-44-0x0000000071540000-0x0000000071CF0000-memory.dmp

memory/880-45-0x0000000006060000-0x0000000006604000-memory.dmp

memory/880-46-0x0000000005930000-0x00000000059C2000-memory.dmp

memory/4564-53-0x00007FFE2C7F0000-0x00007FFE2D2B1000-memory.dmp

memory/1856-54-0x000000001B240000-0x000000001B250000-memory.dmp

memory/1856-52-0x00007FFE2C7F0000-0x00007FFE2D2B1000-memory.dmp

memory/880-55-0x0000000005AA0000-0x0000000005AB0000-memory.dmp

memory/1856-56-0x000000001BA10000-0x000000001BA60000-memory.dmp

memory/1856-57-0x000000001BB20000-0x000000001BBD2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\chrome.exe.log

MD5 baf55b95da4a601229647f25dad12878
SHA1 abc16954ebfd213733c4493fc1910164d825cac8
SHA256 ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA512 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

memory/1856-62-0x00007FFE2C7F0000-0x00007FFE2D2B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ebJgwbDB6XH3.bat

C:\Users\Admin\AppData\Local\Temp\Hx2WKEygDu8s.bat

C:\Users\Admin\AppData\Local\Temp\kYG7Nicgm3qh.bat

C:\Users\Admin\AppData\Local\Temp\EcCdLwaLGUaV.bat

C:\Users\Admin\AppData\Local\Temp\8WV6rw0wtRnt.bat

C:\Users\Admin\AppData\Local\Temp\MWPNcA3pyFow.bat

C:\Users\Admin\AppData\Local\Temp\YnSDGTCVUhJf.bat

C:\Users\Admin\AppData\Local\Temp\utC17BAm9Ug7.bat

C:\Users\Admin\AppData\Local\Temp\zxvxjt5vT6a3.bat

C:\Users\Admin\AppData\Local\Temp\BexeV3zdPd2o.bat

C:\Users\Admin\AppData\Local\Temp\pxkcaaR1WBmk.bat

C:\Users\Admin\AppData\Local\Temp\Zp3cv1V33DWA.bat