Analysis Overview
SHA256
5304204c73f6a5ff58c1a9e784139111a477b274b29f93666ba9e0d5fd4f36f5
Threat Level: Known bad
The file 70d30b23348309c31e6428730d77012f_JaffaCakes118 was found to be: Known bad. The prefix of that name is the sample's own MD5, and the Client.exe it drops to C:\Users\Admin\AppData\Roaming\SubDir\ carries the identical MD5, SHA1 and SHA256 (see Files under each behavioral analysis): the "dropped EXE" is the sample copying itself into Quasar's default install directory and file name, not a downloaded second stage.
Malicious Activity Summary
Quasar RAT
Quasar payload
Quasar family
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Looks up external IP address via web service
Program crash
Enumerates physical storage devices
Unsigned PE
Runs ping.exe
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-25 04:13
Signatures
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-25 04:13
Reported
2024-05-25 04:15
Platform
win7-20240419-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\70d30b23348309c31e6428730d77012f_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\70d30b23348309c31e6428730d77012f_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\70d30b23348309c31e6428730d77012f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\70d30b23348309c31e6428730d77012f_JaffaCakes118.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "EpicGames Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\70d30b23348309c31e6428730d77012f_JaffaCakes118.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "EpicGames Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\7HWu6u3vO0Pv.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2652 -s 1444
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
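The process list above shows the two behaviours worth writing detection for. First, both the sample and the dropped Client.exe register the same task name "EpicGames Client" with /sc ONLOGON, /rl HIGHEST and /f; because /f overwrites an existing task of that name, the task that survives points at Client.exe, and /rl HIGHEST only yields an elevated token because the sandbox user is an administrator. Second, the cmd /c <random>.bat, chcp 65001, ping -n 10 localhost sequence followed by a fresh Client.exe is a self-restart stub: ping -n 10 localhost serves as a roughly nine-second sleep before the client is relaunched (the batch file contents are not shown in the report, so the sequence is inferred from the child processes). The Python below is an added example, not part of the sandbox report, that runs both checks over process-creation events constructed from the command lines above; PIDs 1860 and 2652 are taken from the report's memory dumps and WerFault line, every other PID and all parent links are assumptions.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\70d30b23348309c31e6428730d77012f_JaffaCakes118.exe"
CLIENT = r"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

# Constructed from the behavioral1 process list. PIDs 1860 (the sample) and 2652
# (Client.exe) come from the report's memory dumps and WerFault line; every other
# PID and all parent links are assumptions made for this example.
EVENTS = [
    ProcEvent(1860, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2600, 1860, r"C:\Windows\SysWOW64\schtasks.exe",
              f'"schtasks" /create /tn "EpicGames Client" /sc ONLOGON /tr "{SAMPLE}" /rl HIGHEST /f'),
    ProcEvent(2652, 1860, CLIENT, f'"{CLIENT}"'),
    ProcEvent(2700, 2652, r"C:\Windows\SysWOW64\schtasks.exe",
              f'"schtasks" /create /tn "EpicGames Client" /sc ONLOGON /tr "{CLIENT}" /rl HIGHEST /f'),
    ProcEvent(2800, 2652, r"C:\Windows\SysWOW64\cmd.exe",
              r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\7HWu6u3vO0Pv.bat" "'),
    ProcEvent(2900, 1000, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 2652 -s 1444"),
    ProcEvent(2810, 2800, r"C:\Windows\SysWOW64\chcp.com", "chcp 65001"),
    ProcEvent(2820, 2800, r"C:\Windows\SysWOW64\PING.EXE", "ping -n 10 localhost"),
    ProcEvent(2950, 2800, CLIENT, f'"{CLIENT}"'),
]

# Locations a non-admin user can write to; a logon task pointing here is suspect.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\ProgramData\\|\\Windows\\Temp\\", re.I)
BAT_IN_TEMP = re.compile(r'[A-Z]:\\[^"\s]*\\Temp\\[^"\s]+\.bat', re.I)
SCHTASKS_OPTS = ("/tn", "/sc", "/tr", "/rl")


def win_argv(cmdline):
    """Minimal Windows-style argv split: a quoted run is one token, quotes dropped.
    Sufficient for schtasks lines; not a full CommandLineToArgvW."""
    return [q if q else w for q, w in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def check_schtasks(ev):
    """Return a finding for a schtasks /create that combines at least two of:
    logon trigger, /rl HIGHEST, target in a user-writable path; else None."""
    if image_name(ev.image) != "schtasks.exe":
        return None
    argv = win_argv(ev.cmdline)
    low = [a.lower() for a in argv]
    if "/create" not in low:
        return None
    opts = {low[i]: argv[i + 1] for i in range(len(argv) - 1) if low[i] in SCHTASKS_OPTS}
    reasons = []
    if opts.get("/sc", "").upper() == "ONLOGON":
        reasons.append("ONLOGON trigger")
    if opts.get("/rl", "").upper() == "HIGHEST":
        reasons.append("/rl HIGHEST")
    if USER_WRITABLE.search(opts.get("/tr", "")):
        reasons.append("target in user-writable path")
    if len(reasons) < 2:
        return None
    return {"rule": "persistence.schtasks", "pid": ev.pid, "task": opts.get("/tn"),
            "target": opts.get("/tr"), "reasons": reasons}


def check_restart_stub(events):
    """Find cmd.exe running a .bat from a Temp directory whose children are
    chcp 65001, a ping -n N localhost delay and a relaunched executable."""
    by_parent = {}
    for ev in events:
        by_parent.setdefault(ev.ppid, []).append(ev)
    findings = []
    for ev in events:
        if image_name(ev.image) != "cmd.exe":
            continue
        bat = BAT_IN_TEMP.search(ev.cmdline)
        if not bat:
            continue
        kids = by_parent.get(ev.pid, [])
        sets_utf8 = any(image_name(k.image) == "chcp.com" and "65001" in k.cmdline for k in kids)
        sleeps = any(image_name(k.image) == "ping.exe"
                     and re.search(r"-n\s+\d+\s+(localhost|127\.0\.0\.1)", k.cmdline, re.I)
                     for k in kids)
        relaunched = [k.image for k in kids if image_name(k.image) not in ("chcp.com", "ping.exe")]
        if sets_utf8 and sleeps and relaunched:
            findings.append({"rule": "quasar.restart_stub", "pid": ev.pid,
                             "batch": bat.group(0), "relaunched": relaunched})
    return findings


def analyse(events):
    findings = [f for f in (check_schtasks(ev) for ev in events) if f]
    return findings + check_restart_stub(events)


if __name__ == "__main__":
    for finding in analyse(EVENTS):
        print(finding)
```

Run as-is it prints two persistence findings (one per task target) and one restart-stub finding naming 7HWu6u3vO0Pv.bat and the relaunched Client.exe. On real telemetry the two checks are independent: the schtasks check needs only the command line, the restart-stub check needs parent/child links from Sysmon event 1 or an equivalent source.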
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | rat25565.ddns.net | udp |
Files
memory/1860-0-0x0000000074B8E000-0x0000000074B8F000-memory.dmp
memory/1860-1-0x0000000001300000-0x000000000135E000-memory.dmp
memory/1860-2-0x0000000074B80000-0x000000007526E000-memory.dmp
\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | 70d30b23348309c31e6428730d77012f |
| SHA1 | 2d3e3669099989d1bcbbf59170eaf0e66d82aef7 |
| SHA256 | 5304204c73f6a5ff58c1a9e784139111a477b274b29f93666ba9e0d5fd4f36f5 |
| SHA512 | 9cff8845e74094fa2daf19666b6817de04d9b96ae85b5a35f2313a4cc520b87f7fb30d88801d3a740877a89a46de4542ad124779148b5ef6ba9917a261effaa1 |
memory/2652-10-0x0000000000C70000-0x0000000000CCE000-memory.dmp
memory/2652-12-0x0000000074B80000-0x000000007526E000-memory.dmp
memory/1860-11-0x0000000074B80000-0x000000007526E000-memory.dmp
memory/2652-9-0x0000000074B80000-0x000000007526E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7HWu6u3vO0Pv.bat
| MD5 | 36bee66c6c9652c4d4418a73181fdddd |
| SHA1 | 8dbecc4fe48cdf0902e26e844c7b78961a3ceac5 |
| SHA256 | 27a64579bb2c01df2a77d2fc6edb5f5f3eeee9e95034db65c39760175b230d93 |
| SHA512 | f412910125d37b87247234fd051be9a12e8f7992e91922f15d9712f1cbb930002a6185d836a1d1dcf4072152950229710cb98ff07d1318d0a86fe2ef5bdaf2ef |
memory/2652-30-0x0000000074B80000-0x000000007526E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-25 04:13
Reported
2024-05-25 04:15
Platform
win10v2004-20240508-en
Max time kernel
143s
Max time network
145s
Command Line
Signatures
Quasar RAT
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Program crash
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\70d30b23348309c31e6428730d77012f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\70d30b23348309c31e6428730d77012f_JaffaCakes118.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "EpicGames Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\70d30b23348309c31e6428730d77012f_JaffaCakes118.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "EpicGames Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bNDnxddwaPjR.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4672 -ip 4672
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4672 -s 2248
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "EpicGames Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1KWje1P5WNNb.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 532 -ip 532
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 532 -s 2192
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "EpicGames Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XmmCuLxbf7bb.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4684 -ip 4684
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 2204
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "EpicGames Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fbn229WYj30l.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1048 -ip 1048
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1048 -s 932
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "EpicGames Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\F4sG4EEPObve.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4632 -ip 4632
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 2212
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "EpicGames Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CkIi6TjLi1Xw.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3336 -ip 3336
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3336 -s 2224
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "EpicGames Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jCYBMoHsrllv.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2004 -ip 2004
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 2224
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "EpicGames Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\x3CU36ASxIYt.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 840 -ip 840
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 840 -s 2224
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "EpicGames Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Bp5IsCiHdxhI.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2516 -ip 2516
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2516 -s 1184
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "EpicGames Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RBsQLgDwQSOB.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3784 -ip 3784
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3784 -s 2188
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "EpicGames Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IGaovnaj7Cj5.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1048 -ip 1048
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1048 -s 2192
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "EpicGames Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2LBpClZ3uEbG.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2772 -ip 2772
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 2192
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "EpicGames Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JgyxfF4hhjI9.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1424 -ip 1424
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1424 -s 2224
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "EpicGames Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sA3AhKnYMHD2.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4888 -ip 4888
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 1936
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rat25565.ddns.net | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | rat25565.ddns.net | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | rat25565.ddns.net | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | rat25565.ddns.net | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | rat25565.ddns.net | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | rat25565.ddns.net | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | rat25565.ddns.net | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | rat25565.ddns.net | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | rat25565.ddns.net | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | rat25565.ddns.net | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | rat25565.ddns.net | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | rat25565.ddns.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | rat25565.ddns.net | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | rat25565.ddns.net | udp |
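Both Network tables (behavioral1 and behavioral2) mix actionable indicators with sandbox noise: the in-addr.arpa rows are reverse lookups of addresses the machine talked to, the bing.com and bing.net rows are most likely Windows 10 background traffic, ip-api.com is the geolocation service the client queries over plain HTTP (208.95.112.1:80), and rat25565.ddns.net is a No-IP dynamic-DNS hostname that is resolved on every client start but never receives a TCP session in either capture, so neither the C2 port nor whether the controller was reachable can be read from this run. The Python below is an added example, not part of the report, that parses rows in the table format above, classifies each domain and lists the domains worth blocking or hunting, flagging a C2 candidate that was resolved but never connected to; the rows are a constructed subset copied from the table, and the suffix lists are assumptions to replace with your own allow and deny lists.

```python
import re

# Constructed subset of the behavioral2 Network table above; enough rows to hit every class.
NETWORK_TABLE = """\
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | rat25565.ddns.net | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | rat25565.ddns.net | udp |
"""

# Assumed lists for this example; extend from your own threat intel and allowlists.
DYNDNS_SUFFIXES = (".ddns.net", ".no-ip.org", ".no-ip.biz", ".hopto.org", ".duckdns.org")
GEOIP_SERVICES = ("ip-api.com",)
OS_BACKGROUND = (".bing.com", ".bing.net")

ROW = re.compile(r"^\|\s*(\w+)\s*\|\s*([\d.]+):(\d+)\s*\|\s*(\S+)\s*\|\s*(udp|tcp)\s*\|$")


def parse_rows(text):
    """Yield one dict per '| country | ip:port | domain | proto |' row; header rows are skipped."""
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            country, ip, port, domain, proto = m.groups()
            yield {"country": country, "ip": ip, "port": int(port),
                   "domain": domain.lower(), "proto": proto}


def classify(domain):
    if domain.endswith(".in-addr.arpa"):
        return "reverse-dns-noise"
    if domain in GEOIP_SERVICES:
        return "geoip-lookup"
    if domain.endswith(DYNDNS_SUFFIXES):
        return "dyndns-c2-candidate"
    if domain.endswith(OS_BACKGROUND):
        return "os-background"
    return "unclassified"


def summarise(text):
    """Per domain: class, number of DNS queries, and the set of (ip, port, proto) sessions."""
    out = {}
    for row in parse_rows(text):
        d = out.setdefault(row["domain"], {"class": classify(row["domain"]), "dns": 0, "sessions": set()})
        if row["proto"] == "udp" and row["port"] == 53:
            d["dns"] += 1
        else:
            d["sessions"].add((row["ip"], row["port"], row["proto"]))
    return out


def actionable(summary):
    """(domain, class, dns_count, sessions, resolved_but_never_contacted) for C2 candidates
    and geo-IP services, sorted by domain."""
    result = []
    for domain, d in summary.items():
        if d["class"] in ("dyndns-c2-candidate", "geoip-lookup"):
            result.append((domain, d["class"], d["dns"], sorted(d["sessions"]),
                           d["dns"] > 0 and not d["sessions"]))
    return sorted(result)


if __name__ == "__main__":
    for item in actionable(summarise(NETWORK_TABLE)):
        print(item)
```

The resolved-but-never-contacted flag is the caveat to carry into a report: a DNS answer for rat25565.ddns.net proves the client was configured with that hostname, not that a controller was listening, and blocking the name at the resolver is the only network control these captures support.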
Files
memory/3508-0-0x00000000744AE000-0x00000000744AF000-memory.dmp
memory/3508-1-0x0000000000190000-0x00000000001EE000-memory.dmp
memory/3508-2-0x00000000050B0000-0x0000000005654000-memory.dmp
memory/3508-3-0x0000000004C40000-0x0000000004CD2000-memory.dmp
memory/3508-4-0x00000000744A0000-0x0000000074C50000-memory.dmp
memory/3508-5-0x0000000004CE0000-0x0000000004D46000-memory.dmp
memory/3508-6-0x00000000058C0000-0x00000000058D2000-memory.dmp
memory/3508-7-0x0000000005E00000-0x0000000005E3C000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | 70d30b23348309c31e6428730d77012f |
| SHA1 | 2d3e3669099989d1bcbbf59170eaf0e66d82aef7 |
| SHA256 | 5304204c73f6a5ff58c1a9e784139111a477b274b29f93666ba9e0d5fd4f36f5 |
| SHA512 | 9cff8845e74094fa2daf19666b6817de04d9b96ae85b5a35f2313a4cc520b87f7fb30d88801d3a740877a89a46de4542ad124779148b5ef6ba9917a261effaa1 |
memory/3508-14-0x00000000744A0000-0x0000000074C50000-memory.dmp
memory/4672-13-0x00000000744A0000-0x0000000074C50000-memory.dmp
memory/4672-15-0x00000000744A0000-0x0000000074C50000-memory.dmp
memory/4672-17-0x0000000006260000-0x000000000626A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\bNDnxddwaPjR.bat
| MD5 | 078ab88f98b78a53229cc66e51606ed6 |
| SHA1 | 4ee495b9d080e8f5fa5004ddbaca028a4d1cb268 |
| SHA256 | 58c7ec45e351cb24b0b0bfe035f3e47169badbb01213654b4a1fdc60aafa2400 |
| SHA512 | c477c8b2e73afc3c67cc203c6c5e3ae55fb4e1c666fc33f389cdeebd09ae57f4c45a070bcd59ce1a71cd56cf9f3f350f294b6615cb40fc14bbecbf8e90eb5911 |
memory/4672-22-0x00000000744A0000-0x0000000074C50000-memory.dmp
C:\Users\Admin\AppData\Roaming\Logs\05-25-2024
| MD5 | f02de948611385a2e29ea14f32c9c3c0 |
| SHA1 | 9eaccf47fc03401ffe8e58f34bc29aa563724a35 |
| SHA256 | 21aeae66235e48d4c83991e06318b9558d5f2253fdcf1de0d62cb0ddd3715bc8 |
| SHA512 | a0975f3bd264904263cf39f026ddee054c401597da2e0cc6eb6084572cf5bdc9395026f9476fafc0ec4a69872645aecfa00e65d88f1286b6291e5e6c57669c08 |
C:\Users\Admin\AppData\Local\Temp\1KWje1P5WNNb.bat
| MD5 | 1e2fce82b00d25555d3ad8645799c2d8 |
| SHA1 | 50c37b87f8508b921bf713bc2a0eb457ebc7cd63 |
| SHA256 | 716ac041c59b71b8c9e0714850a0c319e64848b33d3e9b83199c0a773a4c8e1a |
| SHA512 | 7be63413300f7ff3f42fa63bc47bf1e78137b8a8405a2d362adcecffc03c2ec53018b811f252d4be6ea7bbae42f9f4311cbdaff32a88df02e1c4ee5886ddacdc |
C:\Users\Admin\AppData\Roaming\Logs\05-25-2024
| MD5 | f793f2f7a71167ed8dd87d2d25d572e6 |
| SHA1 | c6723d52c1861a9268900b8f31d53e40b95c40fe |
| SHA256 | 1daf38bc3255864590c8725d051130d7ab7c03d9f3d339477cd428e8ffb00e7f |
| SHA512 | c5cf39305fa64ef3ea4172a406d5e773d9befbbbca8239ef9a267b5e680e06238aca6e71f585b524fecb1919c7f4aada092fea66d9101bd9bc08354dc62d43e6 |
C:\Users\Admin\AppData\Local\Temp\XmmCuLxbf7bb.bat
| MD5 | ac9f8b8b5f35d087c136330351a3c1b7 |
| SHA1 | 5b238fcd2363903cd649e8c736233a36e7877d1c |
| SHA256 | ca3cbb79a1e2cf8e47fc9d1abf30b3df791190c153c86bae6ad8bfd062b161be |
| SHA512 | 410ed54f290cf50ee10fbb7b6d74cf961813638c7287eefb2695d7d5792d39bd4b0444467b3c57d5fc399ffb6270567456942f757325fcbf59df10202e13ccf7 |
C:\Users\Admin\AppData\Local\Temp\fbn229WYj30l.bat
| MD5 | 6aa252370c20a28cdc167a2ed156f44a |
| SHA1 | 19eb58335e68b5748a43b76a6fd40e6bd98a0f65 |
| SHA256 | 4b7038ae7cdb5e69d62853874ba891b8217ac7a647cafb4fb989b2d9f059977e |
| SHA512 | 4970dea62c28c2bc633906d3f653950cc5eb84d56f73fa99672d45cb6bd987a8d567e966e78fb5c9f565ece0519260e884d3088aac668d923e8fe8fd4f5b3fe1 |
C:\Users\Admin\AppData\Roaming\Logs\05-25-2024
| MD5 | 7d7bebef0a84b6a080aca60450005746 |
| SHA1 | 0bbc6b0b3c7646e57dd7b2b09b42f1bb22d78e05 |
| SHA256 | 8d2df6bc1cc817067c66556a0b80dca973b7d22a68b871edf8af0e16d348adb8 |
| SHA512 | 2be4b2196dc0676c016dea004904e911dfe9c0c084eff0362ddfbde803a7890a85060f0313078bb4674797f45ba78d1f4872d3b5be30b646144da11de329f674 |
C:\Users\Admin\AppData\Local\Temp\F4sG4EEPObve.bat
| MD5 | a7d39c60911909b5ee052eddd9278f60 |
| SHA1 | b5e5d2a0fff4b7b13fe569bf201a213a67ca182b |
| SHA256 | b5e9ea30de36f1845edc58307d4a6ee552e0459df430966955c26b819a43c012 |
| SHA512 | 44d74ace61c954f6e5db2573febaa1c522fe8224c84b6890f911bde57ef51b5db532552b739639e7d3e343be73d82587767408377f8800193853c11c4d55329d |
C:\Users\Admin\AppData\Local\Temp\CkIi6TjLi1Xw.bat
| MD5 | 48e5a810c86d8813f9dd0774d6d7d691 |
| SHA1 | 6a9a0e39a9b1d7ff80653ebb6d1e0d6e58c73fdf |
| SHA256 | 3ff9b3094b688ac9b2ed7ca04467d452f66ba95671ee997f9c1abdf3692080ff |
| SHA512 | 0155c90eac3098be06dd94d62104bdc7f57316d8dcd63f2ca732aa2a1287651cb7a164e01768dfec4a53a57959dd3f142235acc08a08991294c772f5b17950de |
C:\Users\Admin\AppData\Roaming\Logs\05-25-2024
| MD5 | 347573b3a2ef718a545d1d82772c48d9 |
| SHA1 | dc5a4cfd437d725249053ff685102679d2090ed3 |
| SHA256 | 8658ce58d323c735c0661b92fe612f61f4d576f2ed8b0851bb41b9c8269214b2 |
| SHA512 | e403843265f320054f9a1ccdaf0c3afa52aff0a031c7a2e45546c4da7ec2cbaf2f1a45032145b8cced8523d9a4bc14b3c8514d70f4f229a8d46d409e9cd3c1ba |
C:\Users\Admin\AppData\Local\Temp\jCYBMoHsrllv.bat
| MD5 | 2a335e9fe2baeb427061f8c8ca472528 |
| SHA1 | 1e5ef6b76d05b2bcfd858e059330bb2d3d632fd6 |
| SHA256 | 6741dc59a7afed2bc967863f01ef9b77d9ae4feb502656cd4b5086265eedcc47 |
| SHA512 | c5c491e3a8c87716a0cd7e70430ed5f138f7a182ca7d8d3a5b95e133e0e25e4914a590290cb67330e657daa25b261fa07ade75ac02cffc9f27218098d2f5d1fa |
C:\Users\Admin\AppData\Roaming\Logs\05-25-2024
| MD5 | e2e758eec142bc0c2127572eda3f7990 |
| SHA1 | e221da90d99b9556bdf6369661793f5e48fc3fe9 |
| SHA256 | ec1e7622ef6e0214d07af886f30c541249bc38a92056ef3c67cadb836dd960bb |
| SHA512 | 60660a1b204e9225554636089d9883554d979181887f49dfb86760c9e7890bb0b5f34292fdbd9c18a51fe1d63fcfbe66b5b66128c9b897dd280238fdba082d0f |
C:\Users\Admin\AppData\Local\Temp\x3CU36ASxIYt.bat
| MD5 | 38cad013c15041a34b1e072ef8621377 |
| SHA1 | afa0861117bcc3fe83ad40544b152d64566fd426 |
| SHA256 | 8c2de959ac4aee1f32a0464c07fd2c75a8687575d426757639ae9cdc056659be |
| SHA512 | fbd9bcaab5a9145d2854db32dff1359468c15000945c1265449af9e9c77a22b4318153c5c29dfbf7a7c43a860c1c21f3b6e198c8338c00d104d7dbae35a56992 |
C:\Users\Admin\AppData\Roaming\Logs\05-25-2024
| MD5 | 7a84527a2683c9bb5edacf918742791e |
| SHA1 | 791bd124de6e5bb85c6a95df4eada04fe2246568 |
| SHA256 | 1a993b2f2e2bab99fae584aa8ae6043daf231a1f011131f62280c3bc57858050 |
| SHA512 | e4433309806685203c6227cd63af64dc5886bd4da06a50a11c6656b90846314e32c4bf7b09da2836450828676b13c60f6a4492cc1a7d1ec57ee8a252b08828c5 |
C:\Users\Admin\AppData\Local\Temp\Bp5IsCiHdxhI.bat
| MD5 | 3e54dc7ef5a34f42efd3faf3a69ba693 |
| SHA1 | c2607b2f395aa22fc5c2fc00bf6234fb015bf7ca |
| SHA256 | b7f539b810f991bdf1e37144dbfd74def29ba9e7744f4aaec67f492a41267e41 |
| SHA512 | d896f062add8fb0c01f7b25c7599ad5b390a53951988056968752f1020815b6b3e09ed47814dd24b5c86067cd16b0f819984331ff0ec3810a628b4cf2ca6c543 |
C:\Users\Admin\AppData\Roaming\Logs\05-25-2024
| MD5 | 20c8ef90d3d3baa1b88a5c4ecc62e3a6 |
| SHA1 | 951f9174dde769e4e06e0efc2a0f65f8560ba8a7 |
| SHA256 | b5afce471b0105e239a1fa3b0bd09cf26d217b6ceed6467a0f3b6550ea78e4ac |
| SHA512 | dd15c64b9274a4560966f57fe48254c5a01a58b178eee318b874f14188c080b9c609571f54df1b984215d9d108b1e4922c6f741dc6e2af0ead802227be297392 |
C:\Users\Admin\AppData\Local\Temp\RBsQLgDwQSOB.bat
| MD5 | 1af36b2f72a370cf6f33670516d4f891 |
| SHA1 | d8cc3f711c02e29db027c589daf6d4ccfd54d124 |
| SHA256 | 70fca4c72f7fca82645028d8464de7ce5d99197b489c58719902eacd9aa74b88 |
| SHA512 | 51bb5f8e86c412cba32c2aab04341fbf3ea13e98fe7d447baa3eda15d75ed42104a55fa46916291095c1d114b1cae6d5adcc8321fc8c71e5c282f02b549ae9e1 |
C:\Users\Admin\AppData\Roaming\Logs\05-25-2024
| MD5 | 5cc7b4cf787c842ba3a445af1647faa7 |
| SHA1 | 9bdd6037561cce8977e5cfb045d051e218ff9292 |
| SHA256 | 110dafa79c50bf34458d124336fa47b1288b1f7b42794746d2ff224e2b08ba52 |
| SHA512 | 1cf9afc997412086f72ae887174b6554bdca74d662f2e79418aa0e4376ed028027bb971314f3901cc53e07dce666326724c6df0d545a63efd2cd924e85575714 |
C:\Users\Admin\AppData\Local\Temp\IGaovnaj7Cj5.bat
| MD5 | 8c4db9579f4c74b9bdb97d2b905a69ec |
| SHA1 | e362455d3df2a651aa968cd94b4250b44c393ef7 |
| SHA256 | 98d99abe6d320754c5079ae60c3054e4c24f05080c881540233dec973e35cbc0 |
| SHA512 | 211e70baebff81d9d885d10b35fbee00ee4779a27adab2f4d58213d1dda3fd287459075aa2e0b3a85637e8aa7420853e0e14242f5fb820eb1aa1968baf4b99f3 |
C:\Users\Admin\AppData\Roaming\Logs\05-25-2024
| MD5 | c88492b3165c800c687eb88cbe301985 |
| SHA1 | b6d00bda6b8464494d4211d98750903816ca35b2 |
| SHA256 | 8ee48d61a004e013be00317c487bf6e79f354791dec7b03e303542004fd4b4df |
| SHA512 | a928bd56f0c2b1269c5b29a4ca23034636478ac9b90120a456e2c7e98109f57b7f0fc7fe7bb83babfd66c04a347abb6bf0a24b3f59d6078604dc40f1fed9202b |
C:\Users\Admin\AppData\Local\Temp\2LBpClZ3uEbG.bat
| MD5 | f9fab44169412cd4a24867fc8d38dde0 |
| SHA1 | 10e87cbd6b1277a647f8289dc730d4712d89e531 |
| SHA256 | 7ed1e02ca5bb4fa8202788a791e5c7affd66f369dd135e2c43a237d045246087 |
| SHA512 | a6286388b4c00f642e0040a21f87c6630d51b6bb8cebd76dddb2ffa57d81105aa4215d9451ac86b9e8a525d96fe3b54b15a6786ac77d4b9fa7c2ddfe6118ac61 |
C:\Users\Admin\AppData\Local\Temp\JgyxfF4hhjI9.bat
| MD5 | 863928c2b3e5007bcac41b79d99eb435 |
| SHA1 | e3866f9e280c190dc20f44c256cef6bbca872d84 |
| SHA256 | bda72a6e9d5910f69a487e4cdca293426c2b963566da02ea810fa821dbf41d92 |
| SHA512 | f5b1408f0f58ad0778957654b1eef108b5980c4b1287b4cb50cb6be4eb6339bed489045b6137ea792aafa0d6583418db2886b7e453359f1c1e0be0c22bfdfe65 |
C:\Users\Admin\AppData\Roaming\Logs\05-25-2024
| MD5 | af43ce6f0f6f1bf5ec56a5c08fb4588d |
| SHA1 | 3829a3d1d0009df8a5090cbeeff96995b3bf69ce |
| SHA256 | 3a48e7b34c4876ee285a2f7476390bd8393149e1d8e9bc932bfc7cbcb7f9a1d1 |
| SHA512 | 44cb325a409414e3c0f7d006265c0ca999af6d65c4db164e1d1395317a1c50bf6a7b27aae6ca2ebcc9fe2a7f5c18e7d0b0bd5b5cd3f71c204a93aa360f4dfa8d |
C:\Users\Admin\AppData\Local\Temp\sA3AhKnYMHD2.bat
| MD5 | c96a279b162ec3b49251dfb1f0dce833 |
| SHA1 | d39dede365758f997a5af09a605108be61842881 |
| SHA256 | 09e4b682e0cd3a6e656479d898ac54e6a2c1c7fad9322a6eb5ecf47bcb76f138 |
| SHA512 | 45b5c71864c53f52c845e9c5bb03121f38a1dfa94c7fdf5c197d6f31620fca266b0dceeb84ecde2159e68083e2312570cc48a68581d739215e9448e7c191f3bc |
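The Files listing repays a hash check. C:\Users\Admin\AppData\Roaming\SubDir\Client.exe has the submitted sample's SHA256, so it is a self-copy rather than a second stage. C:\Users\Admin\AppData\Roaming\Logs\05-25-2024 appears ten times with ten different hashes, i.e. it is rewritten by each client instance; the path and date-named file match the default location of Quasar's keylogger log. Every restart .bat has a random name and a distinct hash, so hashes of these artifacts are useless for detection while their paths (Roaming\SubDir\Client.exe, Roaming\Logs\<MM-DD-YYYY>, Local\Temp\<random>.bat) are not. The Python below is an added example, not part of the report, that parses a Files listing in this format and produces those three observations; the excerpt is constructed from entries above with SHA512 rows omitted.

```python
import re
from collections import defaultdict

# SHA256 of the submitted sample, from the Analysis Overview at the top of the report.
SUBMITTED_SHA256 = "5304204c73f6a5ff58c1a9e784139111a477b274b29f93666ba9e0d5fd4f36f5"

# Constructed excerpt of the behavioral2 Files section: paths and hashes copied from the
# listing above, two memory dumps kept to show they are skipped, SHA512 rows omitted.
FILES_SECTION = r"""
memory/3508-0-0x00000000744AE000-0x00000000744AF000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | 70d30b23348309c31e6428730d77012f |
| SHA1 | 2d3e3669099989d1bcbbf59170eaf0e66d82aef7 |
| SHA256 | 5304204c73f6a5ff58c1a9e784139111a477b274b29f93666ba9e0d5fd4f36f5 |
memory/4672-13-0x00000000744A0000-0x0000000074C50000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\bNDnxddwaPjR.bat
| MD5 | 078ab88f98b78a53229cc66e51606ed6 |
| SHA256 | 58c7ec45e351cb24b0b0bfe035f3e47169badbb01213654b4a1fdc60aafa2400 |
C:\Users\Admin\AppData\Roaming\Logs\05-25-2024
| SHA256 | 21aeae66235e48d4c83991e06318b9558d5f2253fdcf1de0d62cb0ddd3715bc8 |
C:\Users\Admin\AppData\Local\Temp\1KWje1P5WNNb.bat
| SHA256 | 716ac041c59b71b8c9e0714850a0c319e64848b33d3e9b83199c0a773a4c8e1a |
C:\Users\Admin\AppData\Roaming\Logs\05-25-2024
| SHA256 | 1daf38bc3255864590c8725d051130d7ab7c03d9f3d339477cd428e8ffb00e7f |
"""

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
# "C:\..." or "\Users\..." (the win7 listing above prints Client.exe without a drive letter).
PATH_LINE = re.compile(r"^(?:[A-Za-z]:)?\\")


def parse_files(text):
    """Return one dict per dropped file: {"path": ..., "MD5": ..., "SHA256": ...}."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("memory/"):
            cur = None          # memory dumps carry no hash table; close the current entry
            continue
        m = HASH_ROW.match(line)
        if m:
            if cur is not None:
                cur[m.group(1).upper()] = m.group(2).lower()
        elif PATH_LINE.match(line):
            cur = {"path": line}
            entries.append(cur)
    return entries


def triage(entries, submitted_sha256):
    """Self-copies of the sample, paths written more than once with different content,
    and how many distinct hashes the dropped .bat files have."""
    self_copies = [e["path"] for e in entries if e.get("SHA256") == submitted_sha256.lower()]
    hashes_by_path = defaultdict(set)
    for e in entries:
        if "SHA256" in e:
            hashes_by_path[e["path"]].add(e["SHA256"])
    regenerated = {p: len(h) for p, h in hashes_by_path.items() if len(h) > 1}
    bats = [e for e in entries if e["path"].lower().endswith(".bat") and "SHA256" in e]
    return {
        "self_copies": self_copies,
        "regenerated": regenerated,
        "bat_files": len(bats),
        "unique_bat_hashes": len({e["SHA256"] for e in bats}),
    }


if __name__ == "__main__":
    print(triage(parse_files(FILES_SECTION), SUBMITTED_SHA256))
```

Fed the complete behavioral2 listing instead of the excerpt, the same code reports one self-copy, the Logs file with ten hashes, and fourteen .bat files with fourteen distinct hashes.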