Malware Analysis Report

2024-11-15 08:30

Sample ID 240406-fznrvscc78
Target dc341a4899e1a077f128b79dbe296954_JaffaCakes118
SHA256 c846b98acb1e0423fa8b07228f06e3816cd0d5c8c076ff8c847622731aec5562
Tags
agilenet quasar chrome evasion spyware themida trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c846b98acb1e0423fa8b07228f06e3816cd0d5c8c076ff8c847622731aec5562

Threat Level: Known bad

The file dc341a4899e1a077f128b79dbe296954_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

agilenet quasar chrome evasion spyware themida trojan

Quasar RAT

Quasar payload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Obfuscated with Agile.Net obfuscator

Checks BIOS information in registry

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Themida packer

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Runs ping.exe

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-06 05:18

Signatures

Obfuscated with Agile.Net obfuscator

agilenet
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-06 05:18

Reported

2024-04-06 05:21

Platform

win7-20240221-en

Max time kernel

147s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dc341a4899e1a077f128b79dbe296954_JaffaCakes118.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\dc341a4899e1a077f128b79dbe296954_JaffaCakes118.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\dc341a4899e1a077f128b79dbe296954_JaffaCakes118.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\dc341a4899e1a077f128b79dbe296954_JaffaCakes118.exe | N/A

Themida packer

themida
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\dc341a4899e1a077f128b79dbe296954_JaffaCakes118.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dc341a4899e1a077f128b79dbe296954_JaffaCakes118.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\chrome.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\S^X.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 756 wrote to memory of 2132 | N/A | C:\Users\Admin\AppData\Local\Temp\dc341a4899e1a077f128b79dbe296954_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\chrome.exe
PID 756 wrote to memory of 2132 | N/A | C:\Users\Admin\AppData\Local\Temp\dc341a4899e1a077f128b79dbe296954_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\chrome.exe
PID 756 wrote to memory of 2132 | N/A | C:\Users\Admin\AppData\Local\Temp\dc341a4899e1a077f128b79dbe296954_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\chrome.exe
PID 756 wrote to memory of 2132 | N/A | C:\Users\Admin\AppData\Local\Temp\dc341a4899e1a077f128b79dbe296954_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\chrome.exe
PID 756 wrote to memory of 2644 | N/A | C:\Users\Admin\AppData\Local\Temp\dc341a4899e1a077f128b79dbe296954_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\S^X.exe
PID 756 wrote to memory of 2644 | N/A | C:\Users\Admin\AppData\Local\Temp\dc341a4899e1a077f128b79dbe296954_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\S^X.exe
PID 756 wrote to memory of 2644 | N/A | C:\Users\Admin\AppData\Local\Temp\dc341a4899e1a077f128b79dbe296954_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\S^X.exe
PID 756 wrote to memory of 2644 | N/A | C:\Users\Admin\AppData\Local\Temp\dc341a4899e1a077f128b79dbe296954_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\S^X.exe
PID 2132 wrote to memory of 3056 | N/A | C:\Users\Admin\AppData\Roaming\chrome.exe | C:\Windows\system32\schtasks.exe
PID 2132 wrote to memory of 3056 | N/A | C:\Users\Admin\AppData\Roaming\chrome.exe | C:\Windows\system32\schtasks.exe
PID 2132 wrote to memory of 3056 | N/A | C:\Users\Admin\AppData\Roaming\chrome.exe | C:\Windows\system32\schtasks.exe
PID 2132 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Roaming\chrome.exe | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 2132 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Roaming\chrome.exe | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 2132 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Roaming\chrome.exe | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 2484 wrote to memory of 1948 | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | C:\Windows\system32\schtasks.exe
PID 2484 wrote to memory of 1948 | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | C:\Windows\system32\schtasks.exe
PID 2484 wrote to memory of 1948 | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | C:\Windows\system32\schtasks.exe
PID 2484 wrote to memory of 1712 | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | C:\Windows\system32\cmd.exe
PID 2484 wrote to memory of 1712 | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | C:\Windows\system32\cmd.exe
PID 2484 wrote to memory of 1712 | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | C:\Windows\system32\cmd.exe
PID 1712 wrote to memory of 1976 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 1712 wrote to memory of 1976 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 1712 wrote to memory of 1976 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 1712 wrote to memory of 2028 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 1712 wrote to memory of 2028 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 1712 wrote to memory of 2028 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 1712 wrote to memory of 2624 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 1712 wrote to memory of 2624 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 1712 wrote to memory of 2624 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 2624 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | C:\Windows\system32\schtasks.exe
PID 2624 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | C:\Windows\system32\schtasks.exe
PID 2624 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | C:\Windows\system32\schtasks.exe
PID 2624 wrote to memory of 2856 | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | C:\Windows\system32\cmd.exe
PID 2624 wrote to memory of 2856 | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | C:\Windows\system32\cmd.exe
PID 2624 wrote to memory of 2856 | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | C:\Windows\system32\cmd.exe
PID 2856 wrote to memory of 1296 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2856 wrote to memory of 1296 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2856 wrote to memory of 1296 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2856 wrote to memory of 1312 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 2856 wrote to memory of 1312 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 2856 wrote to memory of 1312 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 2856 wrote to memory of 2204 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 2856 wrote to memory of 2204 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 2856 wrote to memory of 2204 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 2204 wrote to memory of 2896 | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | C:\Windows\system32\schtasks.exe
PID 2204 wrote to memory of 2896 | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | C:\Windows\system32\schtasks.exe
PID 2204 wrote to memory of 2896 | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | C:\Windows\system32\schtasks.exe
PID 2204 wrote to memory of 336 | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | C:\Windows\system32\cmd.exe
PID 2204 wrote to memory of 336 | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | C:\Windows\system32\cmd.exe
PID 2204 wrote to memory of 336 | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | C:\Windows\system32\cmd.exe
PID 336 wrote to memory of 1192 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 336 wrote to memory of 1192 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 336 wrote to memory of 1192 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 336 wrote to memory of 1496 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 336 wrote to memory of 1496 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 336 wrote to memory of 1496 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 336 wrote to memory of 1860 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 336 wrote to memory of 1860 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 336 wrote to memory of 1860 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 1860 wrote to memory of 1756 | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | C:\Windows\system32\schtasks.exe
PID 1860 wrote to memory of 1756 | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | C:\Windows\system32\schtasks.exe
PID 1860 wrote to memory of 1756 | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | C:\Windows\system32\schtasks.exe
PID 1860 wrote to memory of 1036 | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | C:\Windows\system32\cmd.exe
PID 1860 wrote to memory of 1036 | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | C:\Windows\system32\cmd.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\dc341a4899e1a077f128b79dbe296954_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\dc341a4899e1a077f128b79dbe296954_JaffaCakes118.exe"

C:\Users\Admin\AppData\Roaming\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome.exe"

C:\Users\Admin\AppData\Local\Temp\S^X.exe

"C:\Users\Admin\AppData\Local\Temp\S^X.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\epiiK4DmS1uX.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\dPWqKvEPozu1.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\rUc6FxExhV9L.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\9nDKVVRs8pxU.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\eteN9VcyOt7S.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uaY08meXAlfp.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MZdxjiqEXlxr.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\1RGYrPNTw2F8.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BVoNILt52t5E.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uOhOlQIUlFpL.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\l2GeFzntWpPd.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\soZntBZL0vRg.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | live.nodenet.ml | udp
US | 8.8.8.8:53 | synapse.to | udp
US | 172.67.200.89:443 | synapse.to | tcp

Files

memory/756-0-0x0000000074960000-0x0000000074F0B000-memory.dmp

memory/756-1-0x0000000002880000-0x00000000028C0000-memory.dmp

memory/756-2-0x0000000074960000-0x0000000074F0B000-memory.dmp

memory/756-9-0x0000000072B00000-0x0000000073108000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\f5e62d65-5f6c-40b2-b1cb-74dc607f952a\AgileDotNetRT.dll

MD5 2d86c4ad18524003d56c1cb27c549ba8
SHA1 123007f9337364e044b87deacf6793c2027c8f47
SHA256 091ab8a1acdab40c544bd1e5c91a96881acc318cac4df5235e1b5673f5489280
SHA512 0dd5204733b3c20932aeea2cebf0ca1eeca70e4b3b3b8932d78d952a8f762f0b96ebdbdaf217e95889c02ec6a39b8f9919fd4c0cba56bb629256e71fa61faa3c

memory/756-11-0x0000000077810000-0x0000000077812000-memory.dmp

memory/756-12-0x0000000072B00000-0x0000000073108000-memory.dmp

memory/756-10-0x0000000072B00000-0x0000000073108000-memory.dmp

memory/756-13-0x00000000747E0000-0x000000007483B000-memory.dmp

\Users\Admin\AppData\Roaming\chrome.exe

MD5 92479f1615fd4fa1dd3ac7f2e6a1b329
SHA1 0a6063d27c9f991be2053b113fcef25e071c57fd
SHA256 0c4917cc756e769e94ab97d626bef49713dab833525ba2e5d75fc9aea4c72569
SHA512 9f117c74c04749e6d0142e1cf952a8c59428f649413750921fc7aea35a3ccb62d9975ef954e61ce323d6234e0e9c7b8816f2ca9270552b726f9233219750847c

\Users\Admin\AppData\Local\Temp\S^X.exe

MD5 e2437ac017506bbde9a81fb1f618457b
SHA1 adef2615312b31e041ccf700b3982dd50b686c7f
SHA256 94594fa46d0bd28c02365f0a32ec3a662b25df95f3f3e8e2a952c18a23895b12
SHA512 9169f8be39b8fede38f7fce5a2e64d42630857e0ebd37f921c68ccf0bf0a8816f1682ba4659d22ad43413d99de62a59b2494494701404b44aa41c4d6bdc1e019

memory/756-28-0x0000000074960000-0x0000000074F0B000-memory.dmp

memory/756-27-0x0000000072B00000-0x0000000073108000-memory.dmp

memory/2644-29-0x00000000001A0000-0x000000000026C000-memory.dmp

memory/2132-30-0x0000000000E60000-0x0000000000EE4000-memory.dmp

memory/2132-31-0x000007FEF5A50000-0x000007FEF643C000-memory.dmp

memory/2132-33-0x000000001B220000-0x000000001B2A0000-memory.dmp

memory/2644-32-0x0000000072240000-0x000000007292E000-memory.dmp

memory/2484-39-0x000007FEF5A50000-0x000007FEF643C000-memory.dmp

memory/2484-38-0x0000000000C10000-0x0000000000C94000-memory.dmp

memory/2132-40-0x000007FEF5A50000-0x000007FEF643C000-memory.dmp

memory/2484-41-0x000000001B1C0000-0x000000001B240000-memory.dmp

memory/2644-42-0x0000000004B50000-0x0000000004B90000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\epiiK4DmS1uX.bat

MD5 aecf95f2467ca67c980bf88294a830fe
SHA1 aa81e43b6e33e1b438329ad9c92841d351729f65
SHA256 b38966951c33bd0874da50ad35a5bfe094b4ecf28e9687278f6534150172f418
SHA512 24537d4ae8df52a93ff32a32b06dbd850d4183afd0703caf7ea53af866bf6828b41e57c6473b78f449a4b1dbafeb88bfb59486532bb39356b3cb09ea5aaacd3c

memory/2484-52-0x000007FEF5A50000-0x000007FEF643C000-memory.dmp

memory/2644-53-0x0000000072240000-0x000000007292E000-memory.dmp

memory/2624-56-0x00000000005F0000-0x0000000000670000-memory.dmp

memory/2624-55-0x000007FEF5060000-0x000007FEF5A4C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dPWqKvEPozu1.bat

MD5 c2f927abc4f8433831217c1aa252216c
SHA1 bcebc4b4b1cbf59948dd0f418dbed6262c8293a1
SHA256 9ad556dd7fae605fc4f32afb62c4cf75dd77dbdf4fd69cdacbc522f7ee6b0e82
SHA512 1feca5f9e70bf60fd91b02b18a828d8be16d83423659b5b0e4a3aca3165be329bc9a2c99d427db5cef0d7460e3b250cb628a796b9df2d367bbccecfd7051127c

memory/2624-66-0x000007FEF5060000-0x000007FEF5A4C000-memory.dmp

memory/2204-69-0x000007FEF5A50000-0x000007FEF643C000-memory.dmp

memory/2204-68-0x0000000000C80000-0x0000000000D04000-memory.dmp

memory/2204-70-0x000000001B240000-0x000000001B2C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rUc6FxExhV9L.bat

MD5 c740d5064f000a5976ca47a390ca7b72
SHA1 045078d9a4a967c20d539fcc51787af4d0beadc1
SHA256 5eb90627a5a4403287afd170b02f24a2605c8cf334c3025ff6cb7b887e21f7e9
SHA512 cb13b34bfad58a80ea69c5a6dce9131055db8e0fe897fb4bdd95900c00e7e11be6344686c140ed0baccfc255736a96ed8a5eb3f57f6f2cc01fa809a0ff4e4b30

memory/2204-80-0x000007FEF5A50000-0x000007FEF643C000-memory.dmp

memory/1860-82-0x00000000001A0000-0x0000000000224000-memory.dmp

memory/1860-83-0x000007FEF5060000-0x000007FEF5A4C000-memory.dmp

memory/1860-84-0x000000001AF20000-0x000000001AFA0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9nDKVVRs8pxU.bat

MD5 49dec89c1cd5361e4cd59a52d540ce26
SHA1 268feeed015ebe0877478af77d20775036f37d6a
SHA256 d08ed8101b4491e6083a62603b2be5313c49017787c8b41ba402d22ad7e0f225
SHA512 45deb2affaa1729def9de523973438722033964ab3b9d811cbc16b08e1655ab9be0356199ca6372eff21995d808a9dac50358cb59394a523373e114154c28468

memory/1860-94-0x000007FEF5060000-0x000007FEF5A4C000-memory.dmp

memory/2180-97-0x000007FEF5A50000-0x000007FEF643C000-memory.dmp

memory/2180-96-0x00000000001C0000-0x0000000000244000-memory.dmp

memory/2180-98-0x000000001AE80000-0x000000001AF00000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eteN9VcyOt7S.bat

MD5 e65cadcf4464205bae64b52da827f170
SHA1 e22b9340993f972a16d74ba3966e06843ae35898
SHA256 b0deb962f48f25a81cec93e7c25d2d0d27357c904ab9bd1560029285ff24d7da
SHA512 2d8b1cb01186345e083bf32273192a86bf38333615adda51d33f55be8e5a6e958ca95669bc06880b4f731ee24a6e43f44a7f4cf17580ef7b6db3dfee66d6013a

memory/2180-108-0x000007FEF5A50000-0x000007FEF643C000-memory.dmp

memory/2572-111-0x000007FEF5060000-0x000007FEF5A4C000-memory.dmp

memory/2572-110-0x0000000000360000-0x00000000003E4000-memory.dmp

memory/2572-112-0x000000001B1D0000-0x000000001B250000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uaY08meXAlfp.bat

MD5 d12358bc7eeea6eeef15d6c99bd8aed6
SHA1 cebf5e2e474da208d00788d0841557318b4751fb
SHA256 49179ca03657b0d2c08eeab8d3cf474f33f1ae9e8a0ab693b6d2d2e32a815aeb
SHA512 61399d843c57f7bb4df2a382ad303d61fde7e2ce2815e0d9a50a36d4c6ab1cc452c0165e2454f78601494364c606496af71fd333174e3d442bdd4a95adc08786

memory/2572-122-0x000007FEF5060000-0x000007FEF5A4C000-memory.dmp

memory/2852-125-0x000007FEF5A50000-0x000007FEF643C000-memory.dmp

memory/2852-124-0x0000000000270000-0x00000000002F4000-memory.dmp

memory/2852-126-0x0000000002070000-0x00000000020F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MZdxjiqEXlxr.bat

MD5 218be4464c6b1279cc8e59207bb739c8
SHA1 1fbdfd2ced62ad7ce2243dabb8684d66f234a1cc
SHA256 1fc0f194d425f3a88374e29eeb0ae7ecafaccb9766929523ec4ad0d898c6c81d
SHA512 dd2924e8a91ca369317d0113fb06b30dfacbe6d8ce7fab2bfbc45e0c19f547c720f7dcccb9504550395c09d3ee9b7c38448528d1d5c15a464f65c38e8e34dc26

memory/2852-135-0x000007FEF5A50000-0x000007FEF643C000-memory.dmp

memory/2644-139-0x000007FEF5060000-0x000007FEF5A4C000-memory.dmp

memory/2644-138-0x0000000001350000-0x00000000013D4000-memory.dmp

memory/2644-140-0x000000001AD60000-0x000000001ADE0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1RGYrPNTw2F8.bat

MD5 24a4c6a3c98b6bbd12f0b62b77ed2eac
SHA1 caa6f4a952ef6879b7b8c107596b3c950f23a9c1
SHA256 b972c96927196e099edbf220a9b8ace13578f1cacf6b6af40ad34bdff04a40c8
SHA512 d66c11d37464cfbb2bc0f9f6c60a1de4ea27ac2587439c78f46adaf5279c671f8763b2fc4586a983f6eb2b6fc3a6bfbeb2e4c370e619a2de86f0f589919c16e8

memory/2644-150-0x000007FEF5060000-0x000007FEF5A4C000-memory.dmp

memory/1292-152-0x000007FEF5A50000-0x000007FEF643C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BVoNILt52t5E.bat

MD5 a7612c5846249d33640989628bb18b26
SHA1 4033e6dbe12898b472922feab3250a791ee38be8
SHA256 0c507445575ddf5a5f08b80e2df51827d5909f0e4be8847b13fac4af9d5a8ee0
SHA512 569868764f73364428e388c1ba6b05bb52d8059f62c469b8dc7cf082f70dbb4464e691f33fd9a965ac602370e21d1d4dcdafcfe1084b415973bf3d96c1eb0339

memory/1292-162-0x000007FEF5A50000-0x000007FEF643C000-memory.dmp

memory/544-164-0x000007FEF5060000-0x000007FEF5A4C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uOhOlQIUlFpL.bat

MD5 79433b974f9edf89764d359c209d4cf3
SHA1 930dae2645535e15bb387195f909ac6a70b91615
SHA256 80b0f895b01eaefc8e4fd5408c96a8c7fc66673652a2c1adf3b8c615742c3c3e
SHA512 bd35ae8ac6dbbb300951780fd229c072e716898333cb91a1494a106b02e8a22c63b8728d3bd02921b607367dea48017abaff4590b6433efe5db602e1abdaa0f6

memory/544-174-0x000007FEF5060000-0x000007FEF5A4C000-memory.dmp

memory/1552-176-0x000007FEF5A50000-0x000007FEF643C000-memory.dmp

memory/1552-177-0x000000001B0E0000-0x000000001B160000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\l2GeFzntWpPd.bat

MD5 471b604f9186d1d592fa9d461a451a02
SHA1 119b3df8ebf6c6f3f54a3083ed50a681eb464026
SHA256 e48c09380a745484152168cc79fe67177c332d813904913a7fc4bb76e355e95b
SHA512 4dc61190ae22789b5eb5a931c9ef3cb11ef292e08f3e7d4033870331b0fd7b818903ad4d803eef87a49b2d719b8843e6d1383482ae0dd923f14333e9e30e697b

memory/1552-187-0x000007FEF5A50000-0x000007FEF643C000-memory.dmp

memory/1700-189-0x00000000013A0000-0x0000000001424000-memory.dmp

memory/1700-190-0x000007FEF5060000-0x000007FEF5A4C000-memory.dmp

memory/1700-191-0x000000001B250000-0x000000001B2D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\soZntBZL0vRg.bat

MD5 875554688f30810ca3bc538d67bb1a07
SHA1 2788c3cfd384acee4383eed4ae0cac12eb67b7b3
SHA256 15935066ab8e44e496280090c39f4f7afee9cdf3a76c57a0040f199ee9e35a44
SHA512 8abaf3d1fccc240d4c301419b633451428176d9122b527a8419c70d8a262d1d6585ab4bd9f3752baa9bfc97f5abf4f42f7c154dac068e92017346bb80f283ba5

memory/1700-201-0x000007FEF5060000-0x000007FEF5A4C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-06 05:18

Reported

2024-04-06 05:21

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dc341a4899e1a077f128b79dbe296954_JaffaCakes118.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\dc341a4899e1a077f128b79dbe296954_JaffaCakes118.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\dc341a4899e1a077f128b79dbe296954_JaffaCakes118.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\dc341a4899e1a077f128b79dbe296954_JaffaCakes118.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\dc341a4899e1a077f128b79dbe296954_JaffaCakes118.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dc341a4899e1a077f128b79dbe296954_JaffaCakes118.exe | N/A

Themida packer

themida
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\dc341a4899e1a077f128b79dbe296954_JaffaCakes118.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dc341a4899e1a077f128b79dbe296954_JaffaCakes118.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\S^X.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4084 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\dc341a4899e1a077f128b79dbe296954_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\chrome.exe
PID 4084 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\dc341a4899e1a077f128b79dbe296954_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\chrome.exe
PID 4084 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\dc341a4899e1a077f128b79dbe296954_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\S^X.exe
PID 4084 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\dc341a4899e1a077f128b79dbe296954_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\S^X.exe
PID 4084 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\dc341a4899e1a077f128b79dbe296954_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\S^X.exe
PID 2088 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Roaming\chrome.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2088 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Roaming\chrome.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2088 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Roaming\chrome.exe C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 2088 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Roaming\chrome.exe C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 1156 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\SYSTEM32\schtasks.exe
PID 1156 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\SYSTEM32\schtasks.exe
PID 1156 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\cmd.exe
PID 1156 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\cmd.exe
PID 1292 wrote to memory of 1912 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1292 wrote to memory of 1912 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1292 wrote to memory of 4660 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 1292 wrote to memory of 4660 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 1292 wrote to memory of 516 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 1292 wrote to memory of 516 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 516 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\SYSTEM32\schtasks.exe
PID 516 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\SYSTEM32\schtasks.exe
PID 516 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\cmd.exe
PID 516 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\cmd.exe
PID 2324 wrote to memory of 4288 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2324 wrote to memory of 4288 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2324 wrote to memory of 1252 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2324 wrote to memory of 1252 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2324 wrote to memory of 4732 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 2324 wrote to memory of 4732 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 4732 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4732 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4732 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\cmd.exe
PID 4732 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\cmd.exe
PID 4580 wrote to memory of 3548 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 4580 wrote to memory of 3548 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 4580 wrote to memory of 2972 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 4580 wrote to memory of 2972 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 4580 wrote to memory of 3900 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 4580 wrote to memory of 3900 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 3900 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\SYSTEM32\schtasks.exe
PID 3900 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\SYSTEM32\schtasks.exe
PID 3900 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\cmd.exe
PID 3900 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\cmd.exe
PID 5064 wrote to memory of 4404 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 5064 wrote to memory of 4404 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 5064 wrote to memory of 3116 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 5064 wrote to memory of 3116 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 5064 wrote to memory of 1156 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 5064 wrote to memory of 1156 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 1156 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\SYSTEM32\schtasks.exe
PID 1156 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\SYSTEM32\schtasks.exe
PID 1156 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\cmd.exe
PID 1156 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\cmd.exe
PID 2912 wrote to memory of 1348 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2912 wrote to memory of 1348 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2912 wrote to memory of 2976 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2912 wrote to memory of 2976 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2912 wrote to memory of 1516 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 2912 wrote to memory of 1516 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 1516 wrote to memory of 748 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\SYSTEM32\schtasks.exe
PID 1516 wrote to memory of 748 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\SYSTEM32\schtasks.exe
PID 1516 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\cmd.exe
PID 1516 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\cmd.exe
PID 2444 wrote to memory of 1232 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\dc341a4899e1a077f128b79dbe296954_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\dc341a4899e1a077f128b79dbe296954_JaffaCakes118.exe"

C:\Users\Admin\AppData\Roaming\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome.exe"

C:\Users\Admin\AppData\Local\Temp\S^X.exe

"C:\Users\Admin\AppData\Local\Temp\S^X.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1bcwDI9ZzdbU.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\P3XYE0RMFpwq.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FcXVvJuX29w2.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KFHHv4tFihO4.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IwIgadkqClWn.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RuafNpHtG3hM.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WkqzKyrqvuBW.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ChydoFuXeWzN.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JUBG2vx63FaN.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\m6CgtusJuu8X.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JuNiUC0L5bJz.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6r8TIeKIzgpw.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bQJ0JIJfh5pl.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IlWr6TIJnEw0.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9WE5wigB7ji3.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 96.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 live.nodenet.ml udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 synapse.to udp
US 172.67.200.89:443 synapse.to tcp
US 8.8.8.8:53 89.200.67.172.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 live.nodenet.ml udp
US 8.8.8.8:53 live.nodenet.ml udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 live.nodenet.ml udp
US 8.8.8.8:53 live.nodenet.ml udp
US 8.8.8.8:53 live.nodenet.ml udp
US 8.8.8.8:53 live.nodenet.ml udp
US 8.8.8.8:53 live.nodenet.ml udp
US 8.8.8.8:53 live.nodenet.ml udp
US 8.8.8.8:53 233.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 live.nodenet.ml udp
US 8.8.8.8:53 live.nodenet.ml udp
US 8.8.8.8:53 live.nodenet.ml udp
US 8.8.8.8:53 live.nodenet.ml udp
US 8.8.8.8:53 live.nodenet.ml udp
US 8.8.8.8:53 live.nodenet.ml udp

Files

memory/4084-0-0x0000000074780000-0x0000000074D31000-memory.dmp

memory/4084-1-0x0000000074780000-0x0000000074D31000-memory.dmp

memory/4084-2-0x0000000001040000-0x0000000001050000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\f5e62d65-5f6c-40b2-b1cb-74dc607f952a\AgileDotNetRT.dll

MD5 2d86c4ad18524003d56c1cb27c549ba8
SHA1 123007f9337364e044b87deacf6793c2027c8f47
SHA256 091ab8a1acdab40c544bd1e5c91a96881acc318cac4df5235e1b5673f5489280
SHA512 0dd5204733b3c20932aeea2cebf0ca1eeca70e4b3b3b8932d78d952a8f762f0b96ebdbdaf217e95889c02ec6a39b8f9919fd4c0cba56bb629256e71fa61faa3c

memory/4084-11-0x00000000726B0000-0x0000000072CB8000-memory.dmp

memory/4084-10-0x00000000726B0000-0x0000000072CB8000-memory.dmp

memory/4084-13-0x00000000726B0000-0x0000000072CB8000-memory.dmp

memory/4084-12-0x00000000770A4000-0x00000000770A6000-memory.dmp

memory/4084-14-0x00000000734A0000-0x00000000734FB000-memory.dmp

C:\Users\Admin\AppData\Roaming\chrome.exe

MD5 92479f1615fd4fa1dd3ac7f2e6a1b329
SHA1 0a6063d27c9f991be2053b113fcef25e071c57fd
SHA256 0c4917cc756e769e94ab97d626bef49713dab833525ba2e5d75fc9aea4c72569
SHA512 9f117c74c04749e6d0142e1cf952a8c59428f649413750921fc7aea35a3ccb62d9975ef954e61ce323d6234e0e9c7b8816f2ca9270552b726f9233219750847c

C:\Users\Admin\AppData\Local\Temp\S^X.exe

MD5 e2437ac017506bbde9a81fb1f618457b
SHA1 adef2615312b31e041ccf700b3982dd50b686c7f
SHA256 94594fa46d0bd28c02365f0a32ec3a662b25df95f3f3e8e2a952c18a23895b12
SHA512 9169f8be39b8fede38f7fce5a2e64d42630857e0ebd37f921c68ccf0bf0a8816f1682ba4659d22ad43413d99de62a59b2494494701404b44aa41c4d6bdc1e019

memory/4084-38-0x00000000726B0000-0x0000000072CB8000-memory.dmp

memory/2088-40-0x00007FFE8C650000-0x00007FFE8D111000-memory.dmp

memory/1596-41-0x0000000000D80000-0x0000000000E4C000-memory.dmp

memory/2088-43-0x000000001BAE0000-0x000000001BAF0000-memory.dmp

memory/1596-45-0x00000000712B0000-0x0000000071A60000-memory.dmp

memory/1596-44-0x0000000005C00000-0x00000000061A4000-memory.dmp

memory/4084-42-0x0000000074780000-0x0000000074D31000-memory.dmp

memory/2088-39-0x0000000000DB0000-0x0000000000E34000-memory.dmp

memory/1596-46-0x0000000005730000-0x00000000057C2000-memory.dmp

memory/1156-52-0x00007FFE8C650000-0x00007FFE8D111000-memory.dmp

memory/2088-54-0x00007FFE8C650000-0x00007FFE8D111000-memory.dmp

memory/1156-53-0x000000001AFE0000-0x000000001AFF0000-memory.dmp

memory/1156-55-0x000000001AF90000-0x000000001AFE0000-memory.dmp

memory/1156-56-0x000000001B6B0000-0x000000001B762000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\chrome.exe.log

MD5 baf55b95da4a601229647f25dad12878
SHA1 abc16954ebfd213733c4493fc1910164d825cac8
SHA256 ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA512 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

memory/1156-61-0x00007FFE8C650000-0x00007FFE8D111000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1bcwDI9ZzdbU.bat

MD5 92fec5188f6e67afce12291087eaa289
SHA1 8627f55f4e7aba9df1228c3bc41475981cb46aa7
SHA256 7c761f36b98cfdfcbd48a18204698214125bcd339fe14fc897bdf6d0301bfecd
SHA512 e2937145b393f751a9fac90d2c1d7f7532d3a23cd8504ce6a4cbe7f41b03e3d4d1cbbd339b0508df6b84d412d09a5d9ebbb0039aea4b8d185e472c1fd34d660d

memory/1596-63-0x0000000005640000-0x0000000005650000-memory.dmp

memory/1596-65-0x00000000712B0000-0x0000000071A60000-memory.dmp

memory/516-67-0x00007FFE8C4D0000-0x00007FFE8CF91000-memory.dmp

memory/516-68-0x000000001BEA0000-0x000000001BEB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\P3XYE0RMFpwq.bat

MD5 ea1ae957c155be6ad17b5540c33cf9b9
SHA1 9876ad36fec3e9fb1b60ea950a5661e04624ee82
SHA256 d74c876b38f453b0095728f806ffe6dadd2d440debac119be9e595f5baf8879e
SHA512 45fff98b6c21fe803fce8793935dc94495983c928aef11b19cbc0ab774e6d9b8eba0736c0b66dc0927fe3d7430f00873ca830e7900cc36607865c6931be832d8

memory/516-73-0x00007FFE8C4D0000-0x00007FFE8CF91000-memory.dmp

memory/4732-75-0x00007FFE8C4D0000-0x00007FFE8CF91000-memory.dmp

memory/4732-76-0x000000001B360000-0x000000001B370000-memory.dmp

memory/4732-80-0x00007FFE8C4D0000-0x00007FFE8CF91000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FcXVvJuX29w2.bat

MD5 1447c776d72760585242dd58b89d3cca
SHA1 33cf6f9876c7884e907c29713466743f306238d9
SHA256 c0902a17887ff4893b01129ef07353d51de282400a6a88fb1cd84b73779987e2
SHA512 52ef932df7bd30adc88f5e99bde0ef62b8415bfe8198d875bced3f1b8d4a4f46761ab3e7ce0e403746aed0a774ef46c13ae26a912696c446c517e6884ee528bf

memory/3900-83-0x00007FFE8C4D0000-0x00007FFE8CF91000-memory.dmp

memory/3900-84-0x000000001AF30000-0x000000001AF40000-memory.dmp

memory/3900-88-0x00007FFE8C4D0000-0x00007FFE8CF91000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KFHHv4tFihO4.bat

MD5 0d4c4af3e82b6bd405815cd8a0ab302b
SHA1 1b1a4677142f31f6b8465a46bb31265eb8fb2d42
SHA256 85173ba129cd7158bbfe0f70ba4734c6b1aa9e053db1ada5f98d68ccfb867048
SHA512 cebc5638d5f94775fd978cc4c2bc5ebeb80fd9d45b75e35f755b9a2a4670144fc49c51ef778487b37111a5f2cb1387e72afce189a3b8a784c2273fe1a856fb80

memory/1156-91-0x00007FFE8C4D0000-0x00007FFE8CF91000-memory.dmp

memory/1156-95-0x00007FFE8C4D0000-0x00007FFE8CF91000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IwIgadkqClWn.bat

MD5 1913d9f0457f07587bc4244b51e0837b
SHA1 20583f0d319db9ef96f5bd524c83891789a790e5
SHA256 5c443dea8a3a2af544ae70d26d32ceb4066de95559fde11598efcbef1d537545
SHA512 45dfd9f90631955cd6d989ba38943eb8578e31eb5812a691d5d1f0334f19474469456ebf4f865a9567dc10c37411c3a3f006bb97790aa4f90c2e32025e892f04

memory/1516-98-0x00007FFE8C4D0000-0x00007FFE8CF91000-memory.dmp

memory/1516-102-0x00007FFE8C4D0000-0x00007FFE8CF91000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RuafNpHtG3hM.bat

MD5 9873d097b4deb8d8cb5066beea826b24
SHA1 33cb8cae1c2de070d19373dfa757798cc541023f
SHA256 55d4dfe5f55861ec6ad919563480e6792b6abdd1a3e5731c4f99d986ce036003
SHA512 35f8d54ed6135299229500095a668f677abb92087f12c39146b299d447ddb1bcaf670db83e9566946622166c45aa4b6494ba6cae64bdf9501fd61cee22567d48

memory/2480-105-0x00007FFE8C4D0000-0x00007FFE8CF91000-memory.dmp

memory/2480-109-0x00007FFE8C4D0000-0x00007FFE8CF91000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WkqzKyrqvuBW.bat

MD5 25894067ad5713fcd689c1176cd8de1b
SHA1 c1d949a2dc6aa75b3c8e1b14d88ae3f2e9cc8e51
SHA256 eda0e213809ad0bec49e2f0f28331213ac97dd53e16efb08f868af8c03aa3574
SHA512 2317bdf78ddc41f6392f49440c1689c71cfe443e9c439cbf778cb9adc16bbbca136e97dfd1684e73c4b794f034ab35e6f86f48b73152ed6da1b7fce595aaa244

memory/1096-112-0x00007FFE8C4D0000-0x00007FFE8CF91000-memory.dmp

memory/1096-116-0x00007FFE8C4D0000-0x00007FFE8CF91000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ChydoFuXeWzN.bat

MD5 91b69137e6f4fc243d5dbca34f6ee100
SHA1 ee8a9cd7891387daee7a8c795f4240d403abb502
SHA256 82ca9e90ee799f1a7f0417e625d0a9b8f99a786d3dd944a67cee76d9e5459b3f
SHA512 dad82a2203e7736c57c5bb1e7e6581fcecda09f2f2657674afd1adbd34edfbe767107a72a6766355425041c476ab50e5f02c9280748173121cc5dfd5d092218b

memory/3500-119-0x00007FFE8C4D0000-0x00007FFE8CF91000-memory.dmp

memory/3500-123-0x00007FFE8C4D0000-0x00007FFE8CF91000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\JUBG2vx63FaN.bat

MD5 8b4ab5f8755f9e90199346cb179e9dce
SHA1 5b84cbdc15f1b33309166900adeeaf30ca4835b2
SHA256 c2504610a745bffe16033ae851f559135bdf6d8a336229d11e8b4f3c280a7f35
SHA512 6d29fb43000ff53c5d77867cf0805983b2cd5ff9743cff8a93991175c0ecefc832c345d6c8bcc53dac7939f970b3d2b8440097c1cdfc2c9f63945d63e349f2a0

memory/2300-126-0x00007FFE8C4D0000-0x00007FFE8CF91000-memory.dmp

memory/2300-130-0x00007FFE8C4D0000-0x00007FFE8CF91000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\m6CgtusJuu8X.bat

MD5 ba967b24e5079d8b2ff705ae2a80ee0d
SHA1 087ef2b06c520a0401f5c3e749e65dc58f3f4d86
SHA256 ffc97d8ace996a3224b611f7de3a8682485b76d91ff1a33e099f14bc2c5b03c5
SHA512 c8e1ab7c628c82b350c97cc901ecf3a6166ae4376084c3cf2c0dd02e9a33a0bcfa68c74681a177bbef6dd2d6fd677cfc76e9385dc98ba7ca29ea4c353e2a2133

memory/2092-133-0x00007FFE8C4D0000-0x00007FFE8CF91000-memory.dmp

memory/2092-134-0x0000000003050000-0x0000000003060000-memory.dmp

memory/2092-138-0x00007FFE8C4D0000-0x00007FFE8CF91000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\JuNiUC0L5bJz.bat

MD5 6a0420a096a0ba23554cfc81bb376f6b
SHA1 94e26c6c58c843c089a01f228dcce6415157bbfd
SHA256 9b852e79d099f0bf3de1dd714efdd7771e60026b7e8fa9e68b8429db903a6455
SHA512 45d05f148c45cc4e91ec454b88d3cb361f618bdf6783c930a690fbe20478e9af61749deb2fc179f79922b81f4caf24c2448d400f948ca485932c5cf58e05f49e

memory/1232-141-0x00007FFE8C4D0000-0x00007FFE8CF91000-memory.dmp

memory/1232-145-0x00007FFE8C4D0000-0x00007FFE8CF91000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6r8TIeKIzgpw.bat

MD5 1a2a8a665116ad9185d423129e59760c
SHA1 e92708350f21b1dd661593b2a15f7e363d925f4e
SHA256 e977de57f39a585a22303b405c7d63b90308a6b1dc093d6067c7facdcee5fd50
SHA512 99f9ecd469732d730a4109df33c94e50f94aec07e83807fc698316ec1b7ef56a31b30c319d8c14157881881361fe24f39f5b217f19f4e3b492bbec175d845167

memory/1448-148-0x00007FFE8C4D0000-0x00007FFE8CF91000-memory.dmp

memory/1448-152-0x00007FFE8C4D0000-0x00007FFE8CF91000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bQJ0JIJfh5pl.bat

MD5 842d9c8f1ee4d03e00acc4f6748d83d5
SHA1 6cf86d0ed8ca5dd1d58d15e88e3d47dbdd8ebac1
SHA256 5fc394f777919c55601145ef21803cd96d732265e05cd88f8833a551fcbe2378
SHA512 0de9cf42b9c0816f1e99c36222046044699fbf123c2a00df42c519c24d3ea1ea4bc4cdd165f30f2a192ae0edf2adc02b83703c51555c30709a8d1abf1222180f

memory/4196-155-0x00007FFE8C4D0000-0x00007FFE8CF91000-memory.dmp

memory/4196-159-0x00007FFE8C4D0000-0x00007FFE8CF91000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IlWr6TIJnEw0.bat

MD5 2bc77f935c8ee6edb041d77a5ef3fa63
SHA1 891fea378e481ac7d6189bd4e3d4b224a5a163e0
SHA256 4738fe0868c8e32910a1a86cd6c8497f0d9a9c7f366370f57b9156a72b54181c
SHA512 42271c0db6e229e12f4e505548932082f40dc05d936bc76658db93882d038fba7d0559fc68990dbb849e06c1b5f3cae2015f33537e05921904a3daff43043062

memory/4792-162-0x00007FFE8C4D0000-0x00007FFE8CF91000-memory.dmp

memory/4792-163-0x000000001BCB0000-0x000000001BCC0000-memory.dmp

memory/4792-167-0x00007FFE8C4D0000-0x00007FFE8CF91000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9WE5wigB7ji3.bat

MD5 770f3b27a95145b0c561bd6472277315
SHA1 3ff334094e77ea7449fef9feeb0f51c546e7c133
SHA256 1daace35a740495077761f54f0d2853957a2f0000c041e1c5ee37a1822d7c66d
SHA512 9389483d7723caf0331f15ae0c6da4f898f12c462f6d3938c43011155518de86b83baecbedfd26acd81a3ceb0fd6b08602f91d7f31da66e3db75b82acb6352af