Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06-04-2024 05:18

General

  • Target

    dc341a4899e1a077f128b79dbe296954_JaffaCakes118.exe

  • Size

    6.0MB

  • MD5

    dc341a4899e1a077f128b79dbe296954

  • SHA1

    e1f1e167595b85784a78f2c3902a4e57082daff9

  • SHA256

    c846b98acb1e0423fa8b07228f06e3816cd0d5c8c076ff8c847622731aec5562

  • SHA512

    978acecbb0cc55a3e8ede7ef78572e3c09ae42553a01de3e82ac8a5f085a937a43f90f0acabf2cfa80e05b1a570c05c41191cc5f76b03492cdfc9c6a2445f949

  • SSDEEP

    196608:HS35uBog53HRVu7vHDpS1IqBRU7kCs2q:HS3YBr53xVu7vHhqBa4Cs

Malware Config

Extracted

  • Family

    quasar

  • Version

    1.4.0

  • Botnet

    Chrome

  • C2

    live.nodenet.ml:8863

  • Mutex

    754ce6d6-f75b-4c6f-964c-3996e749369e

Attributes
  • encryption_key

    8F8DE0B9E0A9CA156684061043456EC2CF7D0A6D

  • install_name

    chrome.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    System

  • subdirectory

    chrome

Signatures

  • Quasar RAT

    Quasar is an open-source remote access tool (RAT).

  • Quasar payload 2 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 15 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 17 IoCs
  • Loads dropped DLL 1 IoCs
  • Themida packer 5 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 16 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Runs ping.exe 1 TTPs 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\dc341a4899e1a077f128b79dbe296954_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\dc341a4899e1a077f128b79dbe296954_JaffaCakes118.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of WriteProcessMemory
    PID:4084
    • C:\Users\Admin\AppData\Roaming\chrome.exe
      "C:\Users\Admin\AppData\Roaming\chrome.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2088
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome.exe" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:5088
      • C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1156
        • C:\Windows\SYSTEM32\schtasks.exe
          "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
          4⤵
          • Creates scheduled task(s)
          PID:1144
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1bcwDI9ZzdbU.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1292
          • C:\Windows\system32\chcp.com
            chcp 65001
            5⤵
              PID:1912
            • C:\Windows\system32\PING.EXE
              ping -n 10 localhost
              5⤵
              • Runs ping.exe
              PID:4660
            • C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
              "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
              5⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:516
              • C:\Windows\SYSTEM32\schtasks.exe
                "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
                6⤵
                • Creates scheduled task(s)
                PID:2348
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\P3XYE0RMFpwq.bat" "
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:2324
                • C:\Windows\system32\chcp.com
                  chcp 65001
                  7⤵
                    PID:4288
                  • C:\Windows\system32\PING.EXE
                    ping -n 10 localhost
                    7⤵
                    • Runs ping.exe
                    PID:1252
                  • C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
                    "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
                    7⤵
                    • Checks computer location settings
                    • Executes dropped EXE
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:4732
                    • C:\Windows\SYSTEM32\schtasks.exe
                      "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
                      8⤵
                      • Creates scheduled task(s)
                      PID:3008
                    • C:\Windows\system32\cmd.exe
                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FcXVvJuX29w2.bat" "
                      8⤵
                      • Suspicious use of WriteProcessMemory
                      PID:4580
                      • C:\Windows\system32\chcp.com
                        chcp 65001
                        9⤵
                          PID:3548
                        • C:\Windows\system32\PING.EXE
                          ping -n 10 localhost
                          9⤵
                          • Runs ping.exe
                          PID:2972
                        • C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
                          "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
                          9⤵
                          • Checks computer location settings
                          • Executes dropped EXE
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          PID:3900
                          • C:\Windows\SYSTEM32\schtasks.exe
                            "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
                            10⤵
                            • Creates scheduled task(s)
                            PID:5088
                          • C:\Windows\system32\cmd.exe
                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KFHHv4tFihO4.bat" "
                            10⤵
                            • Suspicious use of WriteProcessMemory
                            PID:5064
                            • C:\Windows\system32\chcp.com
                              chcp 65001
                              11⤵
                                PID:4404
                              • C:\Windows\system32\PING.EXE
                                ping -n 10 localhost
                                11⤵
                                • Runs ping.exe
                                PID:3116
                              • C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
                                "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
                                11⤵
                                • Checks computer location settings
                                • Executes dropped EXE
                                • Suspicious use of AdjustPrivilegeToken
                                • Suspicious use of WriteProcessMemory
                                PID:1156
                                • C:\Windows\SYSTEM32\schtasks.exe
                                  "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
                                  12⤵
                                  • Creates scheduled task(s)
                                  PID:2360
                                • C:\Windows\system32\cmd.exe
                                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IwIgadkqClWn.bat" "
                                  12⤵
                                  • Suspicious use of WriteProcessMemory
                                  PID:2912
                                  • C:\Windows\system32\chcp.com
                                    chcp 65001
                                    13⤵
                                      PID:1348
                                    • C:\Windows\system32\PING.EXE
                                      ping -n 10 localhost
                                      13⤵
                                      • Runs ping.exe
                                      PID:2976
                                    • C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
                                      "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
                                      13⤵
                                      • Checks computer location settings
                                      • Executes dropped EXE
                                      • Suspicious use of AdjustPrivilegeToken
                                      • Suspicious use of WriteProcessMemory
                                      PID:1516
                                      • C:\Windows\SYSTEM32\schtasks.exe
                                        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
                                        14⤵
                                        • Creates scheduled task(s)
                                        PID:748
                                      • C:\Windows\system32\cmd.exe
                                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RuafNpHtG3hM.bat" "
                                        14⤵
                                        • Suspicious use of WriteProcessMemory
                                        PID:2444
                                        • C:\Windows\system32\chcp.com
                                          chcp 65001
                                          15⤵
                                            PID:1232
                                          • C:\Windows\system32\PING.EXE
                                            ping -n 10 localhost
                                            15⤵
                                            • Runs ping.exe
                                            PID:4060
                                          • C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
                                            "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
                                            15⤵
                                            • Checks computer location settings
                                            • Executes dropped EXE
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:2480
                                            • C:\Windows\SYSTEM32\schtasks.exe
                                              "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
                                              16⤵
                                              • Creates scheduled task(s)
                                              PID:4616
                                            • C:\Windows\system32\cmd.exe
                                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WkqzKyrqvuBW.bat" "
                                              16⤵
                                                PID:2412
                                                • C:\Windows\system32\chcp.com
                                                  chcp 65001
                                                  17⤵
                                                    PID:5068
                                                  • C:\Windows\system32\PING.EXE
                                                    ping -n 10 localhost
                                                    17⤵
                                                    • Runs ping.exe
                                                    PID:2472
                                                  • C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
                                                    "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
                                                    17⤵
                                                    • Checks computer location settings
                                                    • Executes dropped EXE
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:1096
                                                    • C:\Windows\SYSTEM32\schtasks.exe
                                                      "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
                                                      18⤵
                                                      • Creates scheduled task(s)
                                                      PID:3648
                                                    • C:\Windows\system32\cmd.exe
                                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ChydoFuXeWzN.bat" "
                                                      18⤵
                                                        PID:4772
                                                        • C:\Windows\system32\chcp.com
                                                          chcp 65001
                                                          19⤵
                                                            PID:2932
                                                          • C:\Windows\system32\PING.EXE
                                                            ping -n 10 localhost
                                                            19⤵
                                                            • Runs ping.exe
                                                            PID:796
                                                          • C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
                                                            "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
                                                            19⤵
                                                            • Checks computer location settings
                                                            • Executes dropped EXE
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:3500
                                                            • C:\Windows\SYSTEM32\schtasks.exe
                                                              "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
                                                              20⤵
                                                              • Creates scheduled task(s)
                                                              PID:4580
                                                            • C:\Windows\system32\cmd.exe
                                                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JUBG2vx63FaN.bat" "
                                                              20⤵
                                                                PID:400
                                                                • C:\Windows\system32\chcp.com
                                                                  chcp 65001
                                                                  21⤵
                                                                    PID:5032
                                                                  • C:\Windows\system32\PING.EXE
                                                                    ping -n 10 localhost
                                                                    21⤵
                                                                    • Runs ping.exe
                                                                    PID:4388
                                                                  • C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
                                                                    "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
                                                                    21⤵
                                                                    • Checks computer location settings
                                                                    • Executes dropped EXE
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:2300
                                                                    • C:\Windows\SYSTEM32\schtasks.exe
                                                                      "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
                                                                      22⤵
                                                                      • Creates scheduled task(s)
                                                                      PID:3436
                                                                    • C:\Windows\system32\cmd.exe
                                                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\m6CgtusJuu8X.bat" "
                                                                      22⤵
                                                                        PID:2504
                                                                        • C:\Windows\system32\chcp.com
                                                                          chcp 65001
                                                                          23⤵
                                                                            PID:3204
                                                                          • C:\Windows\system32\PING.EXE
                                                                            ping -n 10 localhost
                                                                            23⤵
                                                                            • Runs ping.exe
                                                                            PID:1312
                                                                          • C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
                                                                            "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
                                                                            23⤵
                                                                            • Checks computer location settings
                                                                            • Executes dropped EXE
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:2092
                                                                            • C:\Windows\SYSTEM32\schtasks.exe
                                                                              "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
                                                                              24⤵
                                                                              • Creates scheduled task(s)
                                                                              PID:3212
                                                                            • C:\Windows\system32\cmd.exe
                                                                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JuNiUC0L5bJz.bat" "
                                                                              24⤵
                                                                                PID:2912
                                                                                • C:\Windows\system32\chcp.com
                                                                                  chcp 65001
                                                                                  25⤵
                                                                                    PID:628
                                                                                  • C:\Windows\system32\PING.EXE
                                                                                    ping -n 10 localhost
                                                                                    25⤵
                                                                                    • Runs ping.exe
                                                                                    PID:4532
                                                                                  • C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
                                                                                    "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
                                                                                    25⤵
                                                                                    • Checks computer location settings
                                                                                    • Executes dropped EXE
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                    PID:1232
                                                                                    • C:\Windows\SYSTEM32\schtasks.exe
                                                                                      "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
                                                                                      26⤵
                                                                                      • Creates scheduled task(s)
                                                                                      PID:2152
                                                                                    • C:\Windows\system32\cmd.exe
                                                                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6r8TIeKIzgpw.bat" "
                                                                                      26⤵
                                                                                        PID:3340
                                                                                        • C:\Windows\system32\chcp.com
                                                                                          chcp 65001
                                                                                          27⤵
                                                                                            PID:4332
                                                                                          • C:\Windows\system32\PING.EXE
                                                                                            ping -n 10 localhost
                                                                                            27⤵
                                                                                            • Runs ping.exe
                                                                                            PID:1336
                                                                                          • C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
                                                                                            "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
                                                                                            27⤵
                                                                                            • Checks computer location settings
                                                                                            • Executes dropped EXE
                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                            PID:1448
                                                                                            • C:\Windows\SYSTEM32\schtasks.exe
                                                                                              "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
                                                                                              28⤵
                                                                                              • Creates scheduled task(s)
                                                                                              PID:3740
                                                                                            • C:\Windows\system32\cmd.exe
                                                                                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bQJ0JIJfh5pl.bat" "
                                                                                              28⤵
                                                                                                PID:384
                                                                                                • C:\Windows\system32\chcp.com
                                                                                                  chcp 65001
                                                                                                  29⤵
                                                                                                    PID:1584
                                                                                                  • C:\Windows\system32\PING.EXE
                                                                                                    ping -n 10 localhost
                                                                                                    29⤵
                                                                                                    • Runs ping.exe
                                                                                                    PID:4448
                                                                                                  • C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
                                                                                                    "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
                                                                                                    29⤵
                                                                                                    • Checks computer location settings
                                                                                                    • Executes dropped EXE
                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                    PID:4196
                                                                                                    • C:\Windows\SYSTEM32\schtasks.exe
                                                                                                      "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
                                                                                                      30⤵
                                                                                                      • Creates scheduled task(s)
                                                                                                      PID:4084
                                                                                                    • C:\Windows\system32\cmd.exe
                                                                                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IlWr6TIJnEw0.bat" "
                                                                                                      30⤵
                                                                                                        PID:4764
                                                                                                        • C:\Windows\system32\chcp.com
                                                                                                          chcp 65001
                                                                                                          31⤵
                                                                                                            PID:3544
                                                                                                          • C:\Windows\system32\PING.EXE
                                                                                                            ping -n 10 localhost
                                                                                                            31⤵
                                                                                                            • Runs ping.exe
                                                                                                            PID:2904
                                                                                                          • C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
                                                                                                            "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
                                                                                                            31⤵
                                                                                                            • Executes dropped EXE
                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                            PID:4792
                                                                                                            • C:\Windows\SYSTEM32\schtasks.exe
                                                                                                              "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
                                                                                                              32⤵
                                                                                                              • Creates scheduled task(s)
                                                                                                              PID:1044
                                                                                                            • C:\Windows\system32\cmd.exe
                                                                                                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9WE5wigB7ji3.bat" "
                                                                                                              32⤵
                                                                                                                PID:4952
                                                                                                                • C:\Windows\system32\chcp.com
                                                                                                                  chcp 65001
                                                                                                                  33⤵
                                                                                                                    PID:2176
                                                                                                                  • C:\Windows\system32\PING.EXE
                                                                                                                    ping -n 10 localhost
                                                                                                                    33⤵
                                                                                                                    • Runs ping.exe
                                                                                                                    PID:1184
                                                    • C:\Users\Admin\AppData\Local\Temp\S^X.exe
                                                      "C:\Users\Admin\AppData\Local\Temp\S^X.exe"
                                                      2⤵
                                                      • Executes dropped EXE
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:1596

                                                  Network

                                                  MITRE ATT&CK Enterprise v15

                                                  Downloads

                                                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\chrome.exe.log
                                                    Filesize: 1KB
                                                    MD5:    baf55b95da4a601229647f25dad12878
                                                    SHA1:   abc16954ebfd213733c4493fc1910164d825cac8
                                                    SHA256: ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
                                                    SHA512: 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

                                                  • C:\Users\Admin\AppData\Local\Temp\1bcwDI9ZzdbU.bat
                                                    Filesize: 207B
                                                    MD5:    92fec5188f6e67afce12291087eaa289
                                                    SHA1:   8627f55f4e7aba9df1228c3bc41475981cb46aa7
                                                    SHA256: 7c761f36b98cfdfcbd48a18204698214125bcd339fe14fc897bdf6d0301bfecd
                                                    SHA512: e2937145b393f751a9fac90d2c1d7f7532d3a23cd8504ce6a4cbe7f41b03e3d4d1cbbd339b0508df6b84d412d09a5d9ebbb0039aea4b8d185e472c1fd34d660d

                                                  • C:\Users\Admin\AppData\Local\Temp\6r8TIeKIzgpw.bat
                                                    Filesize: 207B
                                                    MD5:    1a2a8a665116ad9185d423129e59760c
                                                    SHA1:   e92708350f21b1dd661593b2a15f7e363d925f4e
                                                    SHA256: e977de57f39a585a22303b405c7d63b90308a6b1dc093d6067c7facdcee5fd50
                                                    SHA512: 99f9ecd469732d730a4109df33c94e50f94aec07e83807fc698316ec1b7ef56a31b30c319d8c14157881881361fe24f39f5b217f19f4e3b492bbec175d845167

                                                  • C:\Users\Admin\AppData\Local\Temp\9WE5wigB7ji3.bat
                                                    Filesize: 207B
                                                    MD5:    770f3b27a95145b0c561bd6472277315
                                                    SHA1:   3ff334094e77ea7449fef9feeb0f51c546e7c133
                                                    SHA256: 1daace35a740495077761f54f0d2853957a2f0000c041e1c5ee37a1822d7c66d
                                                    SHA512: 9389483d7723caf0331f15ae0c6da4f898f12c462f6d3938c43011155518de86b83baecbedfd26acd81a3ceb0fd6b08602f91d7f31da66e3db75b82acb6352af

                                                  • C:\Users\Admin\AppData\Local\Temp\ChydoFuXeWzN.bat
                                                    Filesize: 207B
                                                    MD5:    91b69137e6f4fc243d5dbca34f6ee100
                                                    SHA1:   ee8a9cd7891387daee7a8c795f4240d403abb502
                                                    SHA256: 82ca9e90ee799f1a7f0417e625d0a9b8f99a786d3dd944a67cee76d9e5459b3f
                                                    SHA512: dad82a2203e7736c57c5bb1e7e6581fcecda09f2f2657674afd1adbd34edfbe767107a72a6766355425041c476ab50e5f02c9280748173121cc5dfd5d092218b

                                                  • C:\Users\Admin\AppData\Local\Temp\FcXVvJuX29w2.bat
                                                    Filesize: 207B
                                                    MD5:    1447c776d72760585242dd58b89d3cca
                                                    SHA1:   33cf6f9876c7884e907c29713466743f306238d9
                                                    SHA256: c0902a17887ff4893b01129ef07353d51de282400a6a88fb1cd84b73779987e2
                                                    SHA512: 52ef932df7bd30adc88f5e99bde0ef62b8415bfe8198d875bced3f1b8d4a4f46761ab3e7ce0e403746aed0a774ef46c13ae26a912696c446c517e6884ee528bf

                                                  • C:\Users\Admin\AppData\Local\Temp\IlWr6TIJnEw0.bat
                                                    Filesize: 207B
                                                    MD5:    2bc77f935c8ee6edb041d77a5ef3fa63
                                                    SHA1:   891fea378e481ac7d6189bd4e3d4b224a5a163e0
                                                    SHA256: 4738fe0868c8e32910a1a86cd6c8497f0d9a9c7f366370f57b9156a72b54181c
                                                    SHA512: 42271c0db6e229e12f4e505548932082f40dc05d936bc76658db93882d038fba7d0559fc68990dbb849e06c1b5f3cae2015f33537e05921904a3daff43043062

                                                  • C:\Users\Admin\AppData\Local\Temp\IwIgadkqClWn.bat
                                                    Filesize: 207B
                                                    MD5:    1913d9f0457f07587bc4244b51e0837b
                                                    SHA1:   20583f0d319db9ef96f5bd524c83891789a790e5
                                                    SHA256: 5c443dea8a3a2af544ae70d26d32ceb4066de95559fde11598efcbef1d537545
                                                    SHA512: 45dfd9f90631955cd6d989ba38943eb8578e31eb5812a691d5d1f0334f19474469456ebf4f865a9567dc10c37411c3a3f006bb97790aa4f90c2e32025e892f04

                                                  • C:\Users\Admin\AppData\Local\Temp\JUBG2vx63FaN.bat
                                                    Filesize: 207B
                                                    MD5:    8b4ab5f8755f9e90199346cb179e9dce
                                                    SHA1:   5b84cbdc15f1b33309166900adeeaf30ca4835b2
                                                    SHA256: c2504610a745bffe16033ae851f559135bdf6d8a336229d11e8b4f3c280a7f35
                                                    SHA512: 6d29fb43000ff53c5d77867cf0805983b2cd5ff9743cff8a93991175c0ecefc832c345d6c8bcc53dac7939f970b3d2b8440097c1cdfc2c9f63945d63e349f2a0

                                                  • C:\Users\Admin\AppData\Local\Temp\JuNiUC0L5bJz.bat
                                                    Filesize: 207B
                                                    MD5:    6a0420a096a0ba23554cfc81bb376f6b
                                                    SHA1:   94e26c6c58c843c089a01f228dcce6415157bbfd
                                                    SHA256: 9b852e79d099f0bf3de1dd714efdd7771e60026b7e8fa9e68b8429db903a6455
                                                    SHA512: 45d05f148c45cc4e91ec454b88d3cb361f618bdf6783c930a690fbe20478e9af61749deb2fc179f79922b81f4caf24c2448d400f948ca485932c5cf58e05f49e

                                                  • C:\Users\Admin\AppData\Local\Temp\KFHHv4tFihO4.bat
                                                    Filesize: 207B
                                                    MD5:    0d4c4af3e82b6bd405815cd8a0ab302b
                                                    SHA1:   1b1a4677142f31f6b8465a46bb31265eb8fb2d42
                                                    SHA256: 85173ba129cd7158bbfe0f70ba4734c6b1aa9e053db1ada5f98d68ccfb867048
                                                    SHA512: cebc5638d5f94775fd978cc4c2bc5ebeb80fd9d45b75e35f755b9a2a4670144fc49c51ef778487b37111a5f2cb1387e72afce189a3b8a784c2273fe1a856fb80

                                                  • C:\Users\Admin\AppData\Local\Temp\P3XYE0RMFpwq.bat
                                                    Filesize: 207B
                                                    MD5:    ea1ae957c155be6ad17b5540c33cf9b9
                                                    SHA1:   9876ad36fec3e9fb1b60ea950a5661e04624ee82
                                                    SHA256: d74c876b38f453b0095728f806ffe6dadd2d440debac119be9e595f5baf8879e
                                                    SHA512: 45fff98b6c21fe803fce8793935dc94495983c928aef11b19cbc0ab774e6d9b8eba0736c0b66dc0927fe3d7430f00873ca830e7900cc36607865c6931be832d8

                                                  • C:\Users\Admin\AppData\Local\Temp\RuafNpHtG3hM.bat
                                                    Filesize: 207B
                                                    MD5:    9873d097b4deb8d8cb5066beea826b24
                                                    SHA1:   33cb8cae1c2de070d19373dfa757798cc541023f
                                                    SHA256: 55d4dfe5f55861ec6ad919563480e6792b6abdd1a3e5731c4f99d986ce036003
                                                    SHA512: 35f8d54ed6135299229500095a668f677abb92087f12c39146b299d447ddb1bcaf670db83e9566946622166c45aa4b6494ba6cae64bdf9501fd61cee22567d48

                                                  • C:\Users\Admin\AppData\Local\Temp\S^X.exe
                                                    Filesize: 789KB
                                                    MD5:    e2437ac017506bbde9a81fb1f618457b
                                                    SHA1:   adef2615312b31e041ccf700b3982dd50b686c7f
                                                    SHA256: 94594fa46d0bd28c02365f0a32ec3a662b25df95f3f3e8e2a952c18a23895b12
                                                    SHA512: 9169f8be39b8fede38f7fce5a2e64d42630857e0ebd37f921c68ccf0bf0a8816f1682ba4659d22ad43413d99de62a59b2494494701404b44aa41c4d6bdc1e019

                                                  • C:\Users\Admin\AppData\Local\Temp\WkqzKyrqvuBW.bat
                                                    Filesize: 207B
                                                    MD5:    25894067ad5713fcd689c1176cd8de1b
                                                    SHA1:   c1d949a2dc6aa75b3c8e1b14d88ae3f2e9cc8e51
                                                    SHA256: eda0e213809ad0bec49e2f0f28331213ac97dd53e16efb08f868af8c03aa3574
                                                    SHA512: 2317bdf78ddc41f6392f49440c1689c71cfe443e9c439cbf778cb9adc16bbbca136e97dfd1684e73c4b794f034ab35e6f86f48b73152ed6da1b7fce595aaa244

                                                  • C:\Users\Admin\AppData\Local\Temp\bQJ0JIJfh5pl.bat
                                                    Filesize: 207B
                                                    MD5:    842d9c8f1ee4d03e00acc4f6748d83d5
                                                    SHA1:   6cf86d0ed8ca5dd1d58d15e88e3d47dbdd8ebac1
                                                    SHA256: 5fc394f777919c55601145ef21803cd96d732265e05cd88f8833a551fcbe2378
                                                    SHA512: 0de9cf42b9c0816f1e99c36222046044699fbf123c2a00df42c519c24d3ea1ea4bc4cdd165f30f2a192ae0edf2adc02b83703c51555c30709a8d1abf1222180f

                                                  • C:\Users\Admin\AppData\Local\Temp\f5e62d65-5f6c-40b2-b1cb-74dc607f952a\AgileDotNetRT.dll
                                                    Filesize: 2.2MB
                                                    MD5:    2d86c4ad18524003d56c1cb27c549ba8
                                                    SHA1:   123007f9337364e044b87deacf6793c2027c8f47
                                                    SHA256: 091ab8a1acdab40c544bd1e5c91a96881acc318cac4df5235e1b5673f5489280
                                                    SHA512: 0dd5204733b3c20932aeea2cebf0ca1eeca70e4b3b3b8932d78d952a8f762f0b96ebdbdaf217e95889c02ec6a39b8f9919fd4c0cba56bb629256e71fa61faa3c

                                                  • C:\Users\Admin\AppData\Local\Temp\m6CgtusJuu8X.bat
                                                    Filesize: 207B
                                                    MD5:    ba967b24e5079d8b2ff705ae2a80ee0d
                                                    SHA1:   087ef2b06c520a0401f5c3e749e65dc58f3f4d86
                                                    SHA256: ffc97d8ace996a3224b611f7de3a8682485b76d91ff1a33e099f14bc2c5b03c5
                                                    SHA512: c8e1ab7c628c82b350c97cc901ecf3a6166ae4376084c3cf2c0dd02e9a33a0bcfa68c74681a177bbef6dd2d6fd677cfc76e9385dc98ba7ca29ea4c353e2a2133

                                                  • C:\Users\Admin\AppData\Roaming\chrome.exe
                                                    Filesize: 502KB
                                                    MD5:    92479f1615fd4fa1dd3ac7f2e6a1b329
                                                    SHA1:   0a6063d27c9f991be2053b113fcef25e071c57fd
                                                    SHA256: 0c4917cc756e769e94ab97d626bef49713dab833525ba2e5d75fc9aea4c72569
                                                    SHA512: 9f117c74c04749e6d0142e1cf952a8c59428f649413750921fc7aea35a3ccb62d9975ef954e61ce323d6234e0e9c7b8816f2ca9270552b726f9233219750847c

                                                  Memory dumps (region, Filesize):

                                                  • memory/516-67-0x00007FFE8C4D0000-0x00007FFE8CF91000-memory.dmp    10.8MB
                                                  • memory/516-73-0x00007FFE8C4D0000-0x00007FFE8CF91000-memory.dmp    10.8MB
                                                  • memory/516-68-0x000000001BEA0000-0x000000001BEB0000-memory.dmp    64KB
                                                  • memory/1096-116-0x00007FFE8C4D0000-0x00007FFE8CF91000-memory.dmp  10.8MB
                                                  • memory/1096-112-0x00007FFE8C4D0000-0x00007FFE8CF91000-memory.dmp  10.8MB
                                                  • memory/1156-61-0x00007FFE8C650000-0x00007FFE8D111000-memory.dmp   10.8MB
                                                  • memory/1156-55-0x000000001AF90000-0x000000001AFE0000-memory.dmp   320KB
                                                  • memory/1156-91-0x00007FFE8C4D0000-0x00007FFE8CF91000-memory.dmp   10.8MB
                                                  • memory/1156-56-0x000000001B6B0000-0x000000001B762000-memory.dmp   712KB
                                                  • memory/1156-53-0x000000001AFE0000-0x000000001AFF0000-memory.dmp   64KB
                                                  • memory/1156-95-0x00007FFE8C4D0000-0x00007FFE8CF91000-memory.dmp   10.8MB
                                                  • memory/1156-52-0x00007FFE8C650000-0x00007FFE8D111000-memory.dmp   10.8MB
                                                  • memory/1232-141-0x00007FFE8C4D0000-0x00007FFE8CF91000-memory.dmp  10.8MB
                                                  • memory/1232-145-0x00007FFE8C4D0000-0x00007FFE8CF91000-memory.dmp  10.8MB
                                                  • memory/1448-148-0x00007FFE8C4D0000-0x00007FFE8CF91000-memory.dmp  10.8MB
                                                  • memory/1448-152-0x00007FFE8C4D0000-0x00007FFE8CF91000-memory.dmp  10.8MB
                                                  • memory/1516-102-0x00007FFE8C4D0000-0x00007FFE8CF91000-memory.dmp  10.8MB
                                                  • memory/1516-98-0x00007FFE8C4D0000-0x00007FFE8CF91000-memory.dmp   10.8MB
                                                  • memory/1596-41-0x0000000000D80000-0x0000000000E4C000-memory.dmp   816KB
                                                  • memory/1596-65-0x00000000712B0000-0x0000000071A60000-memory.dmp   7.7MB
                                                  • memory/1596-63-0x0000000005640000-0x0000000005650000-memory.dmp   64KB
                                                  • memory/1596-46-0x0000000005730000-0x00000000057C2000-memory.dmp   584KB
                                                  • memory/1596-44-0x0000000005C00000-0x00000000061A4000-memory.dmp   5.6MB
                                                  • memory/1596-45-0x00000000712B0000-0x0000000071A60000-memory.dmp   7.7MB
                                                  • memory/2088-54-0x00007FFE8C650000-0x00007FFE8D111000-memory.dmp   10.8MB
                                                  • memory/2088-39-0x0000000000DB0000-0x0000000000E34000-memory.dmp   528KB
                                                  • memory/2088-43-0x000000001BAE0000-0x000000001BAF0000-memory.dmp   64KB
                                                  • memory/2088-40-0x00007FFE8C650000-0x00007FFE8D111000-memory.dmp   10.8MB
                                                  • memory/2092-133-0x00007FFE8C4D0000-0x00007FFE8CF91000-memory.dmp  10.8MB
                                                  • memory/2092-134-0x0000000003050000-0x0000000003060000-memory.dmp  64KB
                                                  • memory/2092-138-0x00007FFE8C4D0000-0x00007FFE8CF91000-memory.dmp  10.8MB
                                                  • memory/2300-126-0x00007FFE8C4D0000-0x00007FFE8CF91000-memory.dmp  10.8MB
                                                  • memory/2300-130-0x00007FFE8C4D0000-0x00007FFE8CF91000-memory.dmp  10.8MB
                                                  • memory/2480-105-0x00007FFE8C4D0000-0x00007FFE8CF91000-memory.dmp  10.8MB
                                                  • memory/2480-109-0x00007FFE8C4D0000-0x00007FFE8CF91000-memory.dmp  10.8MB
                                                  • memory/3500-119-0x00007FFE8C4D0000-0x00007FFE8CF91000-memory.dmp  10.8MB
                                                  • memory/3500-123-0x00007FFE8C4D0000-0x00007FFE8CF91000-memory.dmp  10.8MB
                                                  • memory/3900-83-0x00007FFE8C4D0000-0x00007FFE8CF91000-memory.dmp   10.8MB
                                                  • memory/3900-88-0x00007FFE8C4D0000-0x00007FFE8CF91000-memory.dmp   10.8MB
                                                  • memory/3900-84-0x000000001AF30000-0x000000001AF40000-memory.dmp   64KB
                                                  • memory/4084-42-0x0000000074780000-0x0000000074D31000-memory.dmp   5.7MB
                                                  • memory/4084-10-0x00000000726B0000-0x0000000072CB8000-memory.dmp   6.0MB
                                                  • memory/4084-1-0x0000000074780000-0x0000000074D31000-memory.dmp    5.7MB
                                                  • memory/4084-2-0x0000000001040000-0x0000000001050000-memory.dmp    64KB
                                                  • memory/4084-0-0x0000000074780000-0x0000000074D31000-memory.dmp    5.7MB
                                                  • memory/4084-38-0x00000000726B0000-0x0000000072CB8000-memory.dmp   6.0MB
                                                  • memory/4084-14-0x00000000734A0000-0x00000000734FB000-memory.dmp   364KB
                                                  • memory/4084-12-0x00000000770A4000-0x00000000770A6000-memory.dmp   8KB
                                                  • memory/4084-13-0x00000000726B0000-0x0000000072CB8000-memory.dmp

                                                    Filesize

                                                    6.0MB

                                                  • memory/4084-11-0x00000000726B0000-0x0000000072CB8000-memory.dmp

                                                    Filesize

                                                    6.0MB

                                                  • memory/4196-155-0x00007FFE8C4D0000-0x00007FFE8CF91000-memory.dmp

                                                    Filesize

                                                    10.8MB

                                                  • memory/4196-159-0x00007FFE8C4D0000-0x00007FFE8CF91000-memory.dmp

                                                    Filesize

                                                    10.8MB

                                                  • memory/4732-80-0x00007FFE8C4D0000-0x00007FFE8CF91000-memory.dmp

                                                    Filesize

                                                    10.8MB

                                                  • memory/4732-75-0x00007FFE8C4D0000-0x00007FFE8CF91000-memory.dmp

                                                    Filesize

                                                    10.8MB

                                                  • memory/4732-76-0x000000001B360000-0x000000001B370000-memory.dmp

                                                    Filesize

                                                    64KB

                                                  • memory/4792-162-0x00007FFE8C4D0000-0x00007FFE8CF91000-memory.dmp

                                                    Filesize

                                                    10.8MB

                                                  • memory/4792-163-0x000000001BCB0000-0x000000001BCC0000-memory.dmp

                                                    Filesize

                                                    64KB

                                                  • memory/4792-167-0x00007FFE8C4D0000-0x00007FFE8CF91000-memory.dmp

                                                    Filesize

                                                    10.8MB
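The dump names in the listing above follow a fixed pattern, memory/PID-INDEX-START-END-memory.dmp, and the reported Filesize is simply END minus START rounded the way the sandbox displays it (0x00007FFE8CF91000 minus 0x00007FFE8C4D0000 is 0xAC1000 bytes, which is 10.8MB). The Python below is an added triage helper, not part of this sandbox report or its tooling: it parses a constructed subset of the entries above, recomputes each region size, checks it against the reported value, and groups identical address ranges across PIDs. The same range at the same address in several processes is what a shared image mapping (a DLL loaded into each of the spawned processes) typically looks like; the listing alone does not say which module it is, so the helper only reports the grouping. The tab-separated SAMPLE_ENTRIES string and the function names are this example's own choices.

```python
import re
from collections import defaultdict

# Constructed input: a subset of the memory-dump entries from this report, written as
# "name<TAB>reported size" pairs so the example runs offline without the report page.
SAMPLE_ENTRIES = """\
memory/2300-130-0x00007FFE8C4D0000-0x00007FFE8CF91000-memory.dmp\t10.8MB
memory/3900-84-0x000000001AF30000-0x000000001AF40000-memory.dmp\t64KB
memory/4084-42-0x0000000074780000-0x0000000074D31000-memory.dmp\t5.7MB
memory/4084-10-0x00000000726B0000-0x0000000072CB8000-memory.dmp\t6.0MB
memory/4084-14-0x00000000734A0000-0x00000000734FB000-memory.dmp\t364KB
memory/4084-12-0x00000000770A4000-0x00000000770A6000-memory.dmp\t8KB
memory/4732-75-0x00007FFE8C4D0000-0x00007FFE8CF91000-memory.dmp\t10.8MB
memory/4792-162-0x00007FFE8C4D0000-0x00007FFE8CF91000-memory.dmp\t10.8MB
"""

# memory/<pid>-<snapshot index>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump_name(name):
    """Split a dump file name into pid, snapshot index, start/end address and byte size."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name!r}")
    return {"pid": int(m["pid"]), "idx": int(m["idx"]),
            "start": start, "end": end, "size": end - start}


def human_size(nbytes):
    """Format a byte count the way the report does: whole KB below 1 MiB, else MB to one decimal."""
    if nbytes < 1024 * 1024:
        return f"{nbytes // 1024}KB"
    return f"{nbytes / (1024 * 1024):.1f}MB"


def parse_listing(text):
    """Parse "name<TAB>reported size" lines and flag entries whose size does not match the range."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, reported = line.split("\t")
        entry = parse_dump_name(name)
        entry["reported"] = reported
        entry["size_matches"] = human_size(entry["size"]) == reported
        entries.append(entry)
    return entries


def shared_regions(entries):
    """Map (start, end) to the sorted PIDs in which that exact range was dumped, keeping
    only ranges seen in more than one process (candidate shared image mappings)."""
    by_range = defaultdict(set)
    for e in entries:
        by_range[(e["start"], e["end"])].add(e["pid"])
    return {r: sorted(pids) for r, pids in by_range.items() if len(pids) > 1}


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE_ENTRIES)
    for e in parsed:
        flag = "ok" if e["size_matches"] else "MISMATCH"
        print(f"pid {e['pid']:>5} idx {e['idx']:>3} "
              f"0x{e['start']:016X}-0x{e['end']:016X} {human_size(e['size']):>7} "
              f"(reported {e['reported']}) {flag}")
    for (start, end), pids in shared_regions(parsed).items():
        print(f"range 0x{start:016X}-0x{end:016X} present in PIDs {pids}")
```

Run it as a script to see each entry's recomputed size next to the reported one; a MISMATCH line would mean the name and the size column disagree and the entry deserves a second look. Feeding it the full listing (every bullet above, with its Filesize) is the same call with a longer string.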