Malware Analysis Report

2024-08-06 11:27

Sample ID 240611-thbb4asfke
Target 9ebcb8183363c51b636912e7070546b0_JaffaCakes118
SHA256 8cd9aff6f3cbd5ff56e9ca5437058ce36be17f4527d353ca0afa806a6f056390
Tags
a quasar spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8cd9aff6f3cbd5ff56e9ca5437058ce36be17f4527d353ca0afa806a6f056390

Threat Level: Known bad

The file 9ebcb8183363c51b636912e7070546b0_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

a quasar spyware trojan

Quasar payload

Quasar RAT

Quasar family

Checks computer location settings

Looks up external IP address via web service

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Runs ping.exe

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-11 16:03

Signatures

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 16:03

Reported

2024-06-11 16:05

Platform

win7-20240419-en

Max time kernel

147s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A ip-api.com N/A N/A
N/A api.ipify.org N/A N/A
N/A ip-api.com N/A N/A
N/A api.ipify.org N/A N/A
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1860 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1860 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1860 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1860 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 2300 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2576 wrote to memory of 2300 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2576 wrote to memory of 2300 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2576 wrote to memory of 2300 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2576 wrote to memory of 2968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2576 wrote to memory of 2968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2576 wrote to memory of 2968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2576 wrote to memory of 2968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2576 wrote to memory of 1588 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe
PID 2576 wrote to memory of 1588 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe
PID 2576 wrote to memory of 1588 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe
PID 2576 wrote to memory of 1588 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe
PID 1588 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1588 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1588 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1588 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2760 wrote to memory of 2208 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2760 wrote to memory of 2208 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2760 wrote to memory of 2208 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2760 wrote to memory of 2208 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2760 wrote to memory of 2284 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2760 wrote to memory of 2284 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2760 wrote to memory of 2284 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2760 wrote to memory of 2284 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2760 wrote to memory of 2768 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe
PID 2760 wrote to memory of 2768 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe
PID 2760 wrote to memory of 2768 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe
PID 2760 wrote to memory of 2768 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qZFjB3tIHAjj.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\R65XDU66MCr7.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 api.ipify.org udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 api.ipify.org udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 api.ipify.org udp

Files

memory/1860-0-0x0000000074B8E000-0x0000000074B8F000-memory.dmp

memory/1860-1-0x0000000001300000-0x0000000001346000-memory.dmp

memory/1860-2-0x0000000074B80000-0x000000007526E000-memory.dmp

memory/1860-3-0x0000000074B8E000-0x0000000074B8F000-memory.dmp

memory/1860-4-0x0000000074B80000-0x000000007526E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qZFjB3tIHAjj.bat

MD5 6537ba83910c7202013d0f51b2b11324
SHA1 bf23855f09099f25f4e818b3744f09ca7b24ee89
SHA256 09b84d62c33f4818c443207e132112abd9812bcae002847b5b13f09a9acd1ecf
SHA512 be7f335cba1928864e92f0cd0e6924d8c02fcd30dfa5f446e274a0fe36ae67a22925a7f72517fdfc911a6fde8b4ee595e194e5200cbf4eb76a5fed1954980b7f

memory/1860-14-0x0000000074B80000-0x000000007526E000-memory.dmp

memory/1588-15-0x0000000001300000-0x0000000001346000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\R65XDU66MCr7.bat

MD5 2ff685032f408d86466de0d104b83b35
SHA1 81a3d3b46f294de5324e2c932451df43b4db2ee7
SHA256 92c81656992177364f4b8d46ff9a4b197e926e69738ec295b7d55b0e1890e7fc
SHA512 38bedcced42942299b75707bb2373871226cd7d1e735cda4dbe0cab7750170e1d0dd2a80fd3e8c77543cd76c8f70df91bf9c97b2cab80f95ab85ef7c1c09d9b0

memory/2768-25-0x0000000000130000-0x0000000000176000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-11 16:03

Reported

2024-06-11 16:05

Platform

win10v2004-20240426-en

Max time kernel

141s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe"

Signatures

Quasar RAT

trojan spyware quasar

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4996 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 4996 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 4996 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1164 wrote to memory of 1224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1164 wrote to memory of 1224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1164 wrote to memory of 1224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1164 wrote to memory of 1696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1164 wrote to memory of 1696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1164 wrote to memory of 1696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1164 wrote to memory of 3544 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe
PID 1164 wrote to memory of 3544 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe
PID 1164 wrote to memory of 3544 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe
PID 3544 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 3544 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 3544 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1344 wrote to memory of 4284 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1344 wrote to memory of 4284 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1344 wrote to memory of 4284 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1344 wrote to memory of 4920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1344 wrote to memory of 4920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1344 wrote to memory of 4920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1344 wrote to memory of 2144 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe
PID 1344 wrote to memory of 2144 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe
PID 1344 wrote to memory of 2144 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe
PID 2144 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2144 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2144 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 3064 wrote to memory of 4460 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3064 wrote to memory of 4460 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3064 wrote to memory of 4460 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3064 wrote to memory of 4740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3064 wrote to memory of 4740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3064 wrote to memory of 4740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3064 wrote to memory of 3568 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe
PID 3064 wrote to memory of 3568 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe
PID 3064 wrote to memory of 3568 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe
PID 3568 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 3568 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 3568 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2904 wrote to memory of 4520 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2904 wrote to memory of 4520 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2904 wrote to memory of 4520 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2904 wrote to memory of 5092 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2904 wrote to memory of 5092 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2904 wrote to memory of 5092 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2904 wrote to memory of 5044 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe
PID 2904 wrote to memory of 5044 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe
PID 2904 wrote to memory of 5044 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe
PID 5044 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 5044 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 5044 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 3620 wrote to memory of 2892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3620 wrote to memory of 2892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3620 wrote to memory of 2892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3620 wrote to memory of 3960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3620 wrote to memory of 3960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3620 wrote to memory of 3960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3620 wrote to memory of 3692 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe
PID 3620 wrote to memory of 3692 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe
PID 3620 wrote to memory of 3692 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe
PID 3692 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 3692 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 3692 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 464 wrote to memory of 2120 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com

Processes

C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zeiGmgZRV9n7.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fGa87YCyOPqy.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kVheaxn5LThe.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QZUv4Ad5dhrv.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tSr4f6EleZXQ.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\weE4GIU7BljX.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\soVhWMNzpDRv.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OHlBmgvVxxfu.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JvNt1CF9mYZI.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LgLaiOFA2fX4.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kYu0XZgXYkVf.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\K2zEZeOOCIQY.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B7hbAlmBt3mS.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4H9Vd4Uj1gnw.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 114.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 208.95.112.1:80 ip-api.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 208.95.112.1:80 ip-api.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 73.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 208.95.112.1:80 ip-api.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 208.95.112.1:80 ip-api.com tcp

Files

memory/4996-0-0x00000000745DE000-0x00000000745DF000-memory.dmp

memory/4996-1-0x0000000000680000-0x00000000006C6000-memory.dmp

memory/4996-2-0x0000000005510000-0x0000000005AB4000-memory.dmp

memory/4996-3-0x0000000004F60000-0x0000000004FF2000-memory.dmp

memory/4996-4-0x00000000745D0000-0x0000000074D80000-memory.dmp

memory/4996-5-0x0000000005060000-0x00000000050C6000-memory.dmp

memory/4996-6-0x00000000054F0000-0x0000000005502000-memory.dmp

memory/4996-7-0x00000000062E0000-0x000000000631C000-memory.dmp

memory/4996-12-0x00000000745D0000-0x0000000074D80000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zeiGmgZRV9n7.bat

MD5 4524efd62983a64049e6f521b8d8873c
SHA1 85f935897a0de690a7cbcce2eefa266c5117482a
SHA256 a34e31df4736346dd3814cd2d7827b241fe61c9423600096d8a08ae40f2626c1
SHA512 a311fe14258965e92796b3b3a7eab3f8e0043b8a551e419afb0acc2f53bc7c7bd672f021e3e91ebbf7ea9e4da3403597129a00c61f90ed5530b00ba6fd1248ff

memory/3544-15-0x00000000745D0000-0x0000000074D80000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\9ebcb8183363c51b636912e7070546b0_JaffaCakes118.exe.log

MD5 10eab9c2684febb5327b6976f2047587
SHA1 a12ed54146a7f5c4c580416aecb899549712449e
SHA256 f49dbd55029bfbc15134f7c6a4f967d6c39142c63f2e8f1f8c78fab108a2c928
SHA512 7e5fd90fffae723bd0c662a90e0730b507805f072771ee673d1d8c262dbf60c8a03ba5fe088f699a97c2e886380de158b2ccd59ee62e3d012dd6dd14ea9d0e50

memory/3544-16-0x00000000745D0000-0x0000000074D80000-memory.dmp

memory/3544-20-0x00000000745D0000-0x0000000074D80000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fGa87YCyOPqy.bat

MD5 29af144016a0a4c38686984a769bf716
SHA1 d361556853d54bf7b4fe04828b4a7ff686688117
SHA256 d5ce6ba2a6507f128a031f0a2322260800e89f61345d60acd4714cd23aa45129
SHA512 0a802e6fb61479ff6e7a88eb3086410045949cf133143afabcc256f0ddd4cb34be8873244061f9e99799a7eced58cf0d679b570b69e3226d5c062e7af8e60076

C:\Users\Admin\AppData\Local\Temp\kVheaxn5LThe.bat

MD5 e6c60ec0be6725d994882ddfdf772bc6
SHA1 51a3b98ce04de9fd7af79c2b1cd01ae276aacfe1
SHA256 c9b20886a0ddc8731fd4aadfad6eddcd592e13fa71aeb57129e59e5d7c15ce65
SHA512 74893109e278a6f9023a1b98f5aa346b13f4c306ad82b66a2620258b68b01b2495542e02cd074c77cf049a015d837a03ed9f18bf852880ad2a6555d3495e5c57

C:\Users\Admin\AppData\Local\Temp\QZUv4Ad5dhrv.bat

MD5 b640ea7059e3dbb00b2e8d83be36d932
SHA1 4e04f4922b5038d531dec265d6a089770d08defb
SHA256 9cafade71aaa636fde8037813f54e3eca98bc489b61b74c679476eec75cdeb47
SHA512 49f6b6577e35fed255f80a0189f4c22b2d989ee0a0ea1bb6d0ab34f499818a49b00c564691c17eb5143fcc06c41593b12b8c5e501b108b9b871e70910f961886

C:\Users\Admin\AppData\Local\Temp\tSr4f6EleZXQ.bat

MD5 41a1a16f3a33f4cc32ab0100096b84b6
SHA1 ea552c287c513d3330e435a3f70f9d84f168a071
SHA256 cad765b2641a28b67cd937da0685c286bbab75a2238cc791c658a54f185da0bd
SHA512 144ab50af67426814c543092ae5845dc6392e3945ca5e3e5272c5fa14491051db94331dc28d3f7401fe9b834d2203e35081038740f2a7cd1f7fe339eaeae55a6

C:\Users\Admin\AppData\Local\Temp\weE4GIU7BljX.bat

MD5 0b6ae2ec8fb5017f78a2d1f1cb904256
SHA1 2e0a21c07709681c455694bae7f937a15e394ac0
SHA256 d6fb2073035a7a5f83630e35851475307c9cdcf4bfc9838d6e9a0590a31ae67b
SHA512 aeec524037711ae4e47c795d75122356935d4acfee20c8e4068348fa68c99bc9b7f9ac1fb8861310c277e11d186c2de0421075de8391c66b41b1aaac13e20878

C:\Users\Admin\AppData\Local\Temp\soVhWMNzpDRv.bat

MD5 4c957c7039d4de8171d37db0907ac820
SHA1 6644aa86c97c6f36da977c1597a7c8302c4153bd
SHA256 b0b5433a7a690ef55ee3b7af29d73d5713552437f044d257a2cba7d1970e9b48
SHA512 713404c64bee2130e4201feaf1890bfad24ae9bfbfbdaa87c8cf460824c7c0dba66380cc45d3771175c1bd618019a058e279ded1c0652f44732e1dae0c234576

C:\Users\Admin\AppData\Local\Temp\OHlBmgvVxxfu.bat

MD5 506b02f463603c70f813d774f1629d30
SHA1 70966cdb0e7465bc232a48d14bea1ac958ecbf00
SHA256 201e808905210a0d3c25a97bf5458c8110681743170b7841972274ca5fa0d752
SHA512 b1b13493621da4ebf76cfaacf27c7f200492aee98d0e9e9cf96f60432c699259c17730d5931a9ba619c67c2796c5965110338a2ea9b3b6dade480212d4937732

C:\Users\Admin\AppData\Local\Temp\JvNt1CF9mYZI.bat

MD5 f3cefae31632b15cca53aa60aad3e7ba
SHA1 f7806927c7e9bb9c39115e8fd0f0a891c22afa06
SHA256 a5368447cd63c242d4f67c92dfc284c6f7dca02080b0264a039392e73953ccbf
SHA512 67a302c2327aab24868e916581da2576dc46825c5190108f2cd1d24cbfe1775200186328266cabed48540dc6576cb3f54dcf9d2e81211bcfab1aa5e89838d406

C:\Users\Admin\AppData\Local\Temp\LgLaiOFA2fX4.bat

MD5 580e77ee7563f1069e053a6c26fbbc9d
SHA1 5c259cde06f51ba1e59cca21db66a0138ef10b9d
SHA256 74b200377cfdb4ae2ecb2a8f5f59a5588c842257667c241830043b28c57dfbef
SHA512 3c4ab98ca845070ff3585be327ee02f958765dac2bdda5567421c9e3524d3499a93bb7ede5641ee80b9d65b179359937dc6e2d868666000b4fc68657d71247a9

C:\Users\Admin\AppData\Local\Temp\kYu0XZgXYkVf.bat

MD5 82f9a196423ffa30b33aba6aa7b66fd0
SHA1 47ed6845e3e8eb7d84335d3467c06547e4a4186f
SHA256 b8b393a252a0dc3b8a9557a41252e1cedacfbe88ed855d183eaea452c4887276
SHA512 966ab6c71020529774468aaf0d00432142e5e217bfddff00ab2ae19964add69eb0064233e151f282441865966ee864d44124668001b315ea7f1aa3b25b0faddc

C:\Users\Admin\AppData\Local\Temp\K2zEZeOOCIQY.bat

MD5 689fbaa890a93c9bf88e56351c965988
SHA1 197c54d3c68e7cff65c0c555aa055a0b1f32ad93
SHA256 14954eb70de88b529d3061ed7eab9b96f1e7f5644efc598fc965e7db7afa29e7
SHA512 39f46af984604f6a787230909f9575e7a3e4c97059c16aaf4f0cabc88bb6f2e16e0f4757c294866d79355eb701c972b93d7ea0a5d5627749b50e009eb9fe6547

C:\Users\Admin\AppData\Local\Temp\B7hbAlmBt3mS.bat

MD5 a1126c8ceb0854564686b1fc184d6fa0
SHA1 2bdfd23540d7c6ee05d9d23261eb65066a029392
SHA256 baae08ca2a90eb43dd261e0876f091dc39bc0fe962e278f62d88bbb81825305a
SHA512 498d3232280c3cefcc41dde3dc4f564c27a65a9fe43682ac69669b8266472d90426cb933ffd6f74b8ad0db490de7929acd29ca6a34d675d9cdfefca51a38de94

C:\Users\Admin\AppData\Local\Temp\4H9Vd4Uj1gnw.bat

MD5 1f4b69ffb4054617244768742f48fc04
SHA1 afbb9c5ce1fc91e2eba297aebfbbd3a055fee0be
SHA256 35f44ca924b79acf06d44d7c386ec955797ff6664b867273d607c1413b144f85
SHA512 3fe8531652e7adc4dd7556ce6838446f0b9d20104ebbb43c1b11726fb3b81660c6dd4c068cb4404202391f420fefb217d50142b6d83a8c88364536d6575e9801