Analysis Overview
SHA256
c846b98acb1e0423fa8b07228f06e3816cd0d5c8c076ff8c847622731aec5562
Threat Level: Known bad
The file dc341a4899e1a077f128b79dbe296954_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Quasar RAT
Quasar payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Obfuscated with Agile.Net obfuscator
Checks BIOS information in registry
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Themida packer
Checks whether UAC is enabled
Suspicious use of NtSetInformationThreadHideFromDebugger
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
Runs ping.exe
Creates scheduled task(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-06 05:18
Signatures
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-06 05:18
Reported
2024-04-06 05:21
Platform
win7-20240221-en
Max time kernel
147s
Max time network
148s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\dc341a4899e1a077f128b79dbe296954_JaffaCakes118.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\dc341a4899e1a077f128b79dbe296954_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\dc341a4899e1a077f128b79dbe296954_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\S^X.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dc341a4899e1a077f128b79dbe296954_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dc341a4899e1a077f128b79dbe296954_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dc341a4899e1a077f128b79dbe296954_JaffaCakes118.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\dc341a4899e1a077f128b79dbe296954_JaffaCakes118.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dc341a4899e1a077f128b79dbe296954_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\dc341a4899e1a077f128b79dbe296954_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dc341a4899e1a077f128b79dbe296954_JaffaCakes118.exe"
C:\Users\Admin\AppData\Roaming\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome.exe"
C:\Users\Admin\AppData\Local\Temp\S^X.exe
"C:\Users\Admin\AppData\Local\Temp\S^X.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\epiiK4DmS1uX.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\dPWqKvEPozu1.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\rUc6FxExhV9L.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\9nDKVVRs8pxU.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\eteN9VcyOt7S.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\uaY08meXAlfp.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\MZdxjiqEXlxr.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\1RGYrPNTw2F8.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\BVoNILt52t5E.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\uOhOlQIUlFpL.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\l2GeFzntWpPd.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\soZntBZL0vRg.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | live.nodenet.ml | udp |
| US | 8.8.8.8:53 | synapse.to | udp |
| US | 172.67.200.89:443 | synapse.to | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\f5e62d65-5f6c-40b2-b1cb-74dc607f952a\AgileDotNetRT.dll
| MD5 | 2d86c4ad18524003d56c1cb27c549ba8 |
| SHA1 | 123007f9337364e044b87deacf6793c2027c8f47 |
| SHA256 | 091ab8a1acdab40c544bd1e5c91a96881acc318cac4df5235e1b5673f5489280 |
| SHA512 | 0dd5204733b3c20932aeea2cebf0ca1eeca70e4b3b3b8932d78d952a8f762f0b96ebdbdaf217e95889c02ec6a39b8f9919fd4c0cba56bb629256e71fa61faa3c |
\Users\Admin\AppData\Roaming\chrome.exe
| MD5 | 92479f1615fd4fa1dd3ac7f2e6a1b329 |
| SHA1 | 0a6063d27c9f991be2053b113fcef25e071c57fd |
| SHA256 | 0c4917cc756e769e94ab97d626bef49713dab833525ba2e5d75fc9aea4c72569 |
| SHA512 | 9f117c74c04749e6d0142e1cf952a8c59428f649413750921fc7aea35a3ccb62d9975ef954e61ce323d6234e0e9c7b8816f2ca9270552b726f9233219750847c |
\Users\Admin\AppData\Local\Temp\S^X.exe
| MD5 | e2437ac017506bbde9a81fb1f618457b |
| SHA1 | adef2615312b31e041ccf700b3982dd50b686c7f |
| SHA256 | 94594fa46d0bd28c02365f0a32ec3a662b25df95f3f3e8e2a952c18a23895b12 |
| SHA512 | 9169f8be39b8fede38f7fce5a2e64d42630857e0ebd37f921c68ccf0bf0a8816f1682ba4659d22ad43413d99de62a59b2494494701404b44aa41c4d6bdc1e019 |
C:\Users\Admin\AppData\Local\Temp\epiiK4DmS1uX.bat
| MD5 | aecf95f2467ca67c980bf88294a830fe |
| SHA1 | aa81e43b6e33e1b438329ad9c92841d351729f65 |
| SHA256 | b38966951c33bd0874da50ad35a5bfe094b4ecf28e9687278f6534150172f418 |
| SHA512 | 24537d4ae8df52a93ff32a32b06dbd850d4183afd0703caf7ea53af866bf6828b41e57c6473b78f449a4b1dbafeb88bfb59486532bb39356b3cb09ea5aaacd3c |
C:\Users\Admin\AppData\Local\Temp\dPWqKvEPozu1.bat
| MD5 | c2f927abc4f8433831217c1aa252216c |
| SHA1 | bcebc4b4b1cbf59948dd0f418dbed6262c8293a1 |
| SHA256 | 9ad556dd7fae605fc4f32afb62c4cf75dd77dbdf4fd69cdacbc522f7ee6b0e82 |
| SHA512 | 1feca5f9e70bf60fd91b02b18a828d8be16d83423659b5b0e4a3aca3165be329bc9a2c99d427db5cef0d7460e3b250cb628a796b9df2d367bbccecfd7051127c |
C:\Users\Admin\AppData\Local\Temp\rUc6FxExhV9L.bat
| MD5 | c740d5064f000a5976ca47a390ca7b72 |
| SHA1 | 045078d9a4a967c20d539fcc51787af4d0beadc1 |
| SHA256 | 5eb90627a5a4403287afd170b02f24a2605c8cf334c3025ff6cb7b887e21f7e9 |
| SHA512 | cb13b34bfad58a80ea69c5a6dce9131055db8e0fe897fb4bdd95900c00e7e11be6344686c140ed0baccfc255736a96ed8a5eb3f57f6f2cc01fa809a0ff4e4b30 |
C:\Users\Admin\AppData\Local\Temp\9nDKVVRs8pxU.bat
| MD5 | 49dec89c1cd5361e4cd59a52d540ce26 |
| SHA1 | 268feeed015ebe0877478af77d20775036f37d6a |
| SHA256 | d08ed8101b4491e6083a62603b2be5313c49017787c8b41ba402d22ad7e0f225 |
| SHA512 | 45deb2affaa1729def9de523973438722033964ab3b9d811cbc16b08e1655ab9be0356199ca6372eff21995d808a9dac50358cb59394a523373e114154c28468 |
C:\Users\Admin\AppData\Local\Temp\eteN9VcyOt7S.bat
| MD5 | e65cadcf4464205bae64b52da827f170 |
| SHA1 | e22b9340993f972a16d74ba3966e06843ae35898 |
| SHA256 | b0deb962f48f25a81cec93e7c25d2d0d27357c904ab9bd1560029285ff24d7da |
| SHA512 | 2d8b1cb01186345e083bf32273192a86bf38333615adda51d33f55be8e5a6e958ca95669bc06880b4f731ee24a6e43f44a7f4cf17580ef7b6db3dfee66d6013a |
C:\Users\Admin\AppData\Local\Temp\uaY08meXAlfp.bat
| MD5 | d12358bc7eeea6eeef15d6c99bd8aed6 |
| SHA1 | cebf5e2e474da208d00788d0841557318b4751fb |
| SHA256 | 49179ca03657b0d2c08eeab8d3cf474f33f1ae9e8a0ab693b6d2d2e32a815aeb |
| SHA512 | 61399d843c57f7bb4df2a382ad303d61fde7e2ce2815e0d9a50a36d4c6ab1cc452c0165e2454f78601494364c606496af71fd333174e3d442bdd4a95adc08786 |
C:\Users\Admin\AppData\Local\Temp\MZdxjiqEXlxr.bat
| MD5 | 218be4464c6b1279cc8e59207bb739c8 |
| SHA1 | 1fbdfd2ced62ad7ce2243dabb8684d66f234a1cc |
| SHA256 | 1fc0f194d425f3a88374e29eeb0ae7ecafaccb9766929523ec4ad0d898c6c81d |
| SHA512 | dd2924e8a91ca369317d0113fb06b30dfacbe6d8ce7fab2bfbc45e0c19f547c720f7dcccb9504550395c09d3ee9b7c38448528d1d5c15a464f65c38e8e34dc26 |
C:\Users\Admin\AppData\Local\Temp\1RGYrPNTw2F8.bat
| MD5 | 24a4c6a3c98b6bbd12f0b62b77ed2eac |
| SHA1 | caa6f4a952ef6879b7b8c107596b3c950f23a9c1 |
| SHA256 | b972c96927196e099edbf220a9b8ace13578f1cacf6b6af40ad34bdff04a40c8 |
| SHA512 | d66c11d37464cfbb2bc0f9f6c60a1de4ea27ac2587439c78f46adaf5279c671f8763b2fc4586a983f6eb2b6fc3a6bfbeb2e4c370e619a2de86f0f589919c16e8 |
C:\Users\Admin\AppData\Local\Temp\BVoNILt52t5E.bat
| MD5 | a7612c5846249d33640989628bb18b26 |
| SHA1 | 4033e6dbe12898b472922feab3250a791ee38be8 |
| SHA256 | 0c507445575ddf5a5f08b80e2df51827d5909f0e4be8847b13fac4af9d5a8ee0 |
| SHA512 | 569868764f73364428e388c1ba6b05bb52d8059f62c469b8dc7cf082f70dbb4464e691f33fd9a965ac602370e21d1d4dcdafcfe1084b415973bf3d96c1eb0339 |
C:\Users\Admin\AppData\Local\Temp\uOhOlQIUlFpL.bat
| MD5 | 79433b974f9edf89764d359c209d4cf3 |
| SHA1 | 930dae2645535e15bb387195f909ac6a70b91615 |
| SHA256 | 80b0f895b01eaefc8e4fd5408c96a8c7fc66673652a2c1adf3b8c615742c3c3e |
| SHA512 | bd35ae8ac6dbbb300951780fd229c072e716898333cb91a1494a106b02e8a22c63b8728d3bd02921b607367dea48017abaff4590b6433efe5db602e1abdaa0f6 |
C:\Users\Admin\AppData\Local\Temp\l2GeFzntWpPd.bat
| MD5 | 471b604f9186d1d592fa9d461a451a02 |
| SHA1 | 119b3df8ebf6c6f3f54a3083ed50a681eb464026 |
| SHA256 | e48c09380a745484152168cc79fe67177c332d813904913a7fc4bb76e355e95b |
| SHA512 | 4dc61190ae22789b5eb5a931c9ef3cb11ef292e08f3e7d4033870331b0fd7b818903ad4d803eef87a49b2d719b8843e6d1383482ae0dd923f14333e9e30e697b |
C:\Users\Admin\AppData\Local\Temp\soZntBZL0vRg.bat
| MD5 | 875554688f30810ca3bc538d67bb1a07 |
| SHA1 | 2788c3cfd384acee4383eed4ae0cac12eb67b7b3 |
| SHA256 | 15935066ab8e44e496280090c39f4f7afee9cdf3a76c57a0040f199ee9e35a44 |
| SHA512 | 8abaf3d1fccc240d4c301419b633451428176d9122b527a8419c70d8a262d1d6585ab4bd9f3752baa9bfc97f5abf4f42f7c154dac068e92017346bb80f283ba5 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-06 05:18
Reported
2024-04-06 05:21
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\dc341a4899e1a077f128b79dbe296954_JaffaCakes118.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\dc341a4899e1a077f128b79dbe296954_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\dc341a4899e1a077f128b79dbe296954_JaffaCakes118.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\dc341a4899e1a077f128b79dbe296954_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dc341a4899e1a077f128b79dbe296954_JaffaCakes118.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\dc341a4899e1a077f128b79dbe296954_JaffaCakes118.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dc341a4899e1a077f128b79dbe296954_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\dc341a4899e1a077f128b79dbe296954_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dc341a4899e1a077f128b79dbe296954_JaffaCakes118.exe"
C:\Users\Admin\AppData\Roaming\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome.exe"
C:\Users\Admin\AppData\Local\Temp\S^X.exe
"C:\Users\Admin\AppData\Local\Temp\S^X.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1bcwDI9ZzdbU.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\P3XYE0RMFpwq.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FcXVvJuX29w2.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KFHHv4tFihO4.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IwIgadkqClWn.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RuafNpHtG3hM.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WkqzKyrqvuBW.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ChydoFuXeWzN.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JUBG2vx63FaN.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\m6CgtusJuu8X.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JuNiUC0L5bJz.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6r8TIeKIzgpw.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bQJ0JIJfh5pl.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IlWr6TIJnEw0.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9WE5wigB7ji3.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 96.136.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.nodenet.ml | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | synapse.to | udp |
| US | 172.67.200.89:443 | synapse.to | tcp |
| US | 8.8.8.8:53 | 89.200.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.nodenet.ml | udp |
| US | 8.8.8.8:53 | live.nodenet.ml | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.nodenet.ml | udp |
| US | 8.8.8.8:53 | live.nodenet.ml | udp |
| US | 8.8.8.8:53 | live.nodenet.ml | udp |
| US | 8.8.8.8:53 | live.nodenet.ml | udp |
| US | 8.8.8.8:53 | live.nodenet.ml | udp |
| US | 8.8.8.8:53 | live.nodenet.ml | udp |
| US | 8.8.8.8:53 | 233.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.nodenet.ml | udp |
| US | 8.8.8.8:53 | live.nodenet.ml | udp |
| US | 8.8.8.8:53 | live.nodenet.ml | udp |
| US | 8.8.8.8:53 | live.nodenet.ml | udp |
| US | 8.8.8.8:53 | live.nodenet.ml | udp |
| US | 8.8.8.8:53 | live.nodenet.ml | udp |
Files
memory/4084-0-0x0000000074780000-0x0000000074D31000-memory.dmp
memory/4084-1-0x0000000074780000-0x0000000074D31000-memory.dmp
memory/4084-2-0x0000000001040000-0x0000000001050000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\f5e62d65-5f6c-40b2-b1cb-74dc607f952a\AgileDotNetRT.dll
| MD5 | 2d86c4ad18524003d56c1cb27c549ba8 |
| SHA1 | 123007f9337364e044b87deacf6793c2027c8f47 |
| SHA256 | 091ab8a1acdab40c544bd1e5c91a96881acc318cac4df5235e1b5673f5489280 |
| SHA512 | 0dd5204733b3c20932aeea2cebf0ca1eeca70e4b3b3b8932d78d952a8f762f0b96ebdbdaf217e95889c02ec6a39b8f9919fd4c0cba56bb629256e71fa61faa3c |
memory/4084-11-0x00000000726B0000-0x0000000072CB8000-memory.dmp
memory/4084-10-0x00000000726B0000-0x0000000072CB8000-memory.dmp
memory/4084-13-0x00000000726B0000-0x0000000072CB8000-memory.dmp
memory/4084-12-0x00000000770A4000-0x00000000770A6000-memory.dmp
memory/4084-14-0x00000000734A0000-0x00000000734FB000-memory.dmp
C:\Users\Admin\AppData\Roaming\chrome.exe
| MD5 | 92479f1615fd4fa1dd3ac7f2e6a1b329 |
| SHA1 | 0a6063d27c9f991be2053b113fcef25e071c57fd |
| SHA256 | 0c4917cc756e769e94ab97d626bef49713dab833525ba2e5d75fc9aea4c72569 |
| SHA512 | 9f117c74c04749e6d0142e1cf952a8c59428f649413750921fc7aea35a3ccb62d9975ef954e61ce323d6234e0e9c7b8816f2ca9270552b726f9233219750847c |
C:\Users\Admin\AppData\Local\Temp\S^X.exe
| MD5 | e2437ac017506bbde9a81fb1f618457b |
| SHA1 | adef2615312b31e041ccf700b3982dd50b686c7f |
| SHA256 | 94594fa46d0bd28c02365f0a32ec3a662b25df95f3f3e8e2a952c18a23895b12 |
| SHA512 | 9169f8be39b8fede38f7fce5a2e64d42630857e0ebd37f921c68ccf0bf0a8816f1682ba4659d22ad43413d99de62a59b2494494701404b44aa41c4d6bdc1e019 |
memory/4084-38-0x00000000726B0000-0x0000000072CB8000-memory.dmp
memory/2088-40-0x00007FFE8C650000-0x00007FFE8D111000-memory.dmp
memory/1596-41-0x0000000000D80000-0x0000000000E4C000-memory.dmp
memory/2088-43-0x000000001BAE0000-0x000000001BAF0000-memory.dmp
memory/1596-45-0x00000000712B0000-0x0000000071A60000-memory.dmp
memory/1596-44-0x0000000005C00000-0x00000000061A4000-memory.dmp
memory/4084-42-0x0000000074780000-0x0000000074D31000-memory.dmp
memory/2088-39-0x0000000000DB0000-0x0000000000E34000-memory.dmp
memory/1596-46-0x0000000005730000-0x00000000057C2000-memory.dmp
memory/1156-52-0x00007FFE8C650000-0x00007FFE8D111000-memory.dmp
memory/2088-54-0x00007FFE8C650000-0x00007FFE8D111000-memory.dmp
memory/1156-53-0x000000001AFE0000-0x000000001AFF0000-memory.dmp
memory/1156-55-0x000000001AF90000-0x000000001AFE0000-memory.dmp
memory/1156-56-0x000000001B6B0000-0x000000001B762000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\chrome.exe.log
| MD5 | baf55b95da4a601229647f25dad12878 |
| SHA1 | abc16954ebfd213733c4493fc1910164d825cac8 |
| SHA256 | ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924 |
| SHA512 | 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545 |
memory/1156-61-0x00007FFE8C650000-0x00007FFE8D111000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1bcwDI9ZzdbU.bat
| MD5 | 92fec5188f6e67afce12291087eaa289 |
| SHA1 | 8627f55f4e7aba9df1228c3bc41475981cb46aa7 |
| SHA256 | 7c761f36b98cfdfcbd48a18204698214125bcd339fe14fc897bdf6d0301bfecd |
| SHA512 | e2937145b393f751a9fac90d2c1d7f7532d3a23cd8504ce6a4cbe7f41b03e3d4d1cbbd339b0508df6b84d412d09a5d9ebbb0039aea4b8d185e472c1fd34d660d |
memory/1596-63-0x0000000005640000-0x0000000005650000-memory.dmp
memory/1596-65-0x00000000712B0000-0x0000000071A60000-memory.dmp
memory/516-67-0x00007FFE8C4D0000-0x00007FFE8CF91000-memory.dmp
memory/516-68-0x000000001BEA0000-0x000000001BEB0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\P3XYE0RMFpwq.bat
| MD5 | ea1ae957c155be6ad17b5540c33cf9b9 |
| SHA1 | 9876ad36fec3e9fb1b60ea950a5661e04624ee82 |
| SHA256 | d74c876b38f453b0095728f806ffe6dadd2d440debac119be9e595f5baf8879e |
| SHA512 | 45fff98b6c21fe803fce8793935dc94495983c928aef11b19cbc0ab774e6d9b8eba0736c0b66dc0927fe3d7430f00873ca830e7900cc36607865c6931be832d8 |
memory/516-73-0x00007FFE8C4D0000-0x00007FFE8CF91000-memory.dmp
memory/4732-75-0x00007FFE8C4D0000-0x00007FFE8CF91000-memory.dmp
memory/4732-76-0x000000001B360000-0x000000001B370000-memory.dmp
memory/4732-80-0x00007FFE8C4D0000-0x00007FFE8CF91000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FcXVvJuX29w2.bat
| MD5 | 1447c776d72760585242dd58b89d3cca |
| SHA1 | 33cf6f9876c7884e907c29713466743f306238d9 |
| SHA256 | c0902a17887ff4893b01129ef07353d51de282400a6a88fb1cd84b73779987e2 |
| SHA512 | 52ef932df7bd30adc88f5e99bde0ef62b8415bfe8198d875bced3f1b8d4a4f46761ab3e7ce0e403746aed0a774ef46c13ae26a912696c446c517e6884ee528bf |
memory/3900-83-0x00007FFE8C4D0000-0x00007FFE8CF91000-memory.dmp
memory/3900-84-0x000000001AF30000-0x000000001AF40000-memory.dmp
memory/3900-88-0x00007FFE8C4D0000-0x00007FFE8CF91000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\KFHHv4tFihO4.bat
| MD5 | 0d4c4af3e82b6bd405815cd8a0ab302b |
| SHA1 | 1b1a4677142f31f6b8465a46bb31265eb8fb2d42 |
| SHA256 | 85173ba129cd7158bbfe0f70ba4734c6b1aa9e053db1ada5f98d68ccfb867048 |
| SHA512 | cebc5638d5f94775fd978cc4c2bc5ebeb80fd9d45b75e35f755b9a2a4670144fc49c51ef778487b37111a5f2cb1387e72afce189a3b8a784c2273fe1a856fb80 |
memory/1156-91-0x00007FFE8C4D0000-0x00007FFE8CF91000-memory.dmp
memory/1156-95-0x00007FFE8C4D0000-0x00007FFE8CF91000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IwIgadkqClWn.bat
| MD5 | 1913d9f0457f07587bc4244b51e0837b |
| SHA1 | 20583f0d319db9ef96f5bd524c83891789a790e5 |
| SHA256 | 5c443dea8a3a2af544ae70d26d32ceb4066de95559fde11598efcbef1d537545 |
| SHA512 | 45dfd9f90631955cd6d989ba38943eb8578e31eb5812a691d5d1f0334f19474469456ebf4f865a9567dc10c37411c3a3f006bb97790aa4f90c2e32025e892f04 |
memory/1516-98-0x00007FFE8C4D0000-0x00007FFE8CF91000-memory.dmp
memory/1516-102-0x00007FFE8C4D0000-0x00007FFE8CF91000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RuafNpHtG3hM.bat
| MD5 | 9873d097b4deb8d8cb5066beea826b24 |
| SHA1 | 33cb8cae1c2de070d19373dfa757798cc541023f |
| SHA256 | 55d4dfe5f55861ec6ad919563480e6792b6abdd1a3e5731c4f99d986ce036003 |
| SHA512 | 35f8d54ed6135299229500095a668f677abb92087f12c39146b299d447ddb1bcaf670db83e9566946622166c45aa4b6494ba6cae64bdf9501fd61cee22567d48 |
memory/2480-105-0x00007FFE8C4D0000-0x00007FFE8CF91000-memory.dmp
memory/2480-109-0x00007FFE8C4D0000-0x00007FFE8CF91000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\WkqzKyrqvuBW.bat
| MD5 | 25894067ad5713fcd689c1176cd8de1b |
| SHA1 | c1d949a2dc6aa75b3c8e1b14d88ae3f2e9cc8e51 |
| SHA256 | eda0e213809ad0bec49e2f0f28331213ac97dd53e16efb08f868af8c03aa3574 |
| SHA512 | 2317bdf78ddc41f6392f49440c1689c71cfe443e9c439cbf778cb9adc16bbbca136e97dfd1684e73c4b794f034ab35e6f86f48b73152ed6da1b7fce595aaa244 |
memory/1096-112-0x00007FFE8C4D0000-0x00007FFE8CF91000-memory.dmp
memory/1096-116-0x00007FFE8C4D0000-0x00007FFE8CF91000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ChydoFuXeWzN.bat
| MD5 | 91b69137e6f4fc243d5dbca34f6ee100 |
| SHA1 | ee8a9cd7891387daee7a8c795f4240d403abb502 |
| SHA256 | 82ca9e90ee799f1a7f0417e625d0a9b8f99a786d3dd944a67cee76d9e5459b3f |
| SHA512 | dad82a2203e7736c57c5bb1e7e6581fcecda09f2f2657674afd1adbd34edfbe767107a72a6766355425041c476ab50e5f02c9280748173121cc5dfd5d092218b |
memory/3500-119-0x00007FFE8C4D0000-0x00007FFE8CF91000-memory.dmp
memory/3500-123-0x00007FFE8C4D0000-0x00007FFE8CF91000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\JUBG2vx63FaN.bat
| MD5 | 8b4ab5f8755f9e90199346cb179e9dce |
| SHA1 | 5b84cbdc15f1b33309166900adeeaf30ca4835b2 |
| SHA256 | c2504610a745bffe16033ae851f559135bdf6d8a336229d11e8b4f3c280a7f35 |
| SHA512 | 6d29fb43000ff53c5d77867cf0805983b2cd5ff9743cff8a93991175c0ecefc832c345d6c8bcc53dac7939f970b3d2b8440097c1cdfc2c9f63945d63e349f2a0 |
memory/2300-126-0x00007FFE8C4D0000-0x00007FFE8CF91000-memory.dmp
memory/2300-130-0x00007FFE8C4D0000-0x00007FFE8CF91000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\m6CgtusJuu8X.bat
| MD5 | ba967b24e5079d8b2ff705ae2a80ee0d |
| SHA1 | 087ef2b06c520a0401f5c3e749e65dc58f3f4d86 |
| SHA256 | ffc97d8ace996a3224b611f7de3a8682485b76d91ff1a33e099f14bc2c5b03c5 |
| SHA512 | c8e1ab7c628c82b350c97cc901ecf3a6166ae4376084c3cf2c0dd02e9a33a0bcfa68c74681a177bbef6dd2d6fd677cfc76e9385dc98ba7ca29ea4c353e2a2133 |
memory/2092-133-0x00007FFE8C4D0000-0x00007FFE8CF91000-memory.dmp
memory/2092-134-0x0000000003050000-0x0000000003060000-memory.dmp
memory/2092-138-0x00007FFE8C4D0000-0x00007FFE8CF91000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\JuNiUC0L5bJz.bat
| MD5 | 6a0420a096a0ba23554cfc81bb376f6b |
| SHA1 | 94e26c6c58c843c089a01f228dcce6415157bbfd |
| SHA256 | 9b852e79d099f0bf3de1dd714efdd7771e60026b7e8fa9e68b8429db903a6455 |
| SHA512 | 45d05f148c45cc4e91ec454b88d3cb361f618bdf6783c930a690fbe20478e9af61749deb2fc179f79922b81f4caf24c2448d400f948ca485932c5cf58e05f49e |
memory/1232-141-0x00007FFE8C4D0000-0x00007FFE8CF91000-memory.dmp
memory/1232-145-0x00007FFE8C4D0000-0x00007FFE8CF91000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\6r8TIeKIzgpw.bat
| MD5 | 1a2a8a665116ad9185d423129e59760c |
| SHA1 | e92708350f21b1dd661593b2a15f7e363d925f4e |
| SHA256 | e977de57f39a585a22303b405c7d63b90308a6b1dc093d6067c7facdcee5fd50 |
| SHA512 | 99f9ecd469732d730a4109df33c94e50f94aec07e83807fc698316ec1b7ef56a31b30c319d8c14157881881361fe24f39f5b217f19f4e3b492bbec175d845167 |
memory/1448-148-0x00007FFE8C4D0000-0x00007FFE8CF91000-memory.dmp
memory/1448-152-0x00007FFE8C4D0000-0x00007FFE8CF91000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\bQJ0JIJfh5pl.bat
| MD5 | 842d9c8f1ee4d03e00acc4f6748d83d5 |
| SHA1 | 6cf86d0ed8ca5dd1d58d15e88e3d47dbdd8ebac1 |
| SHA256 | 5fc394f777919c55601145ef21803cd96d732265e05cd88f8833a551fcbe2378 |
| SHA512 | 0de9cf42b9c0816f1e99c36222046044699fbf123c2a00df42c519c24d3ea1ea4bc4cdd165f30f2a192ae0edf2adc02b83703c51555c30709a8d1abf1222180f |
memory/4196-155-0x00007FFE8C4D0000-0x00007FFE8CF91000-memory.dmp
memory/4196-159-0x00007FFE8C4D0000-0x00007FFE8CF91000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IlWr6TIJnEw0.bat
| MD5 | 2bc77f935c8ee6edb041d77a5ef3fa63 |
| SHA1 | 891fea378e481ac7d6189bd4e3d4b224a5a163e0 |
| SHA256 | 4738fe0868c8e32910a1a86cd6c8497f0d9a9c7f366370f57b9156a72b54181c |
| SHA512 | 42271c0db6e229e12f4e505548932082f40dc05d936bc76658db93882d038fba7d0559fc68990dbb849e06c1b5f3cae2015f33537e05921904a3daff43043062 |
memory/4792-162-0x00007FFE8C4D0000-0x00007FFE8CF91000-memory.dmp
memory/4792-163-0x000000001BCB0000-0x000000001BCC0000-memory.dmp
memory/4792-167-0x00007FFE8C4D0000-0x00007FFE8CF91000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9WE5wigB7ji3.bat
| MD5 | 770f3b27a95145b0c561bd6472277315 |
| SHA1 | 3ff334094e77ea7449fef9feeb0f51c546e7c133 |
| SHA256 | 1daace35a740495077761f54f0d2853957a2f0000c041e1c5ee37a1822d7c66d |
| SHA512 | 9389483d7723caf0331f15ae0c6da4f898f12c462f6d3938c43011155518de86b83baecbedfd26acd81a3ceb0fd6b08602f91d7f31da66e3db75b82acb6352af |