Malware Analysis Report

2025-01-18 04:48

Sample ID: 241018-v7jkfazbqa
Target: 58b2eccf155b0803ee298040fc71e99b_JaffaCakes118
SHA256: 8f3cda27b0be3d97f13087516187fc0f0c629804f629f048da096a182d3b1751
Tags: discovery evasion stealer revengerat
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 8f3cda27b0be3d97f13087516187fc0f0c629804f629f048da096a182d3b1751

Threat Level: Known bad

The file 58b2eccf155b0803ee298040fc71e99b_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

discovery evasion stealer revengerat

RevengeRat Executable

Revengerat family

Modifies firewall policy service

Uses the VBS compiler for execution

Loads dropped DLL

Suspicious use of SetThreadContext

System Location Discovery: System Language Discovery

Unsigned PE

Modifies registry key

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-10-18 17:37

Signatures

RevengeRat Executable (stealer)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Revengerat family (revengerat)

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-18 17:37
Reported: 2024-10-18 17:40
Platform: win7-20240903-en
Max time kernel: 148s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\58b2eccf155b0803ee298040fc71e99b_JaffaCakes118.exe"

Signatures

Modifies firewall policy service (evasion)

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\server.exe = "C:\\Users\\Admin\\AppData\\Roaming\\server.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A

Uses the VBS compiler for execution

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2536 set thread context of 2876 | N/A | C:\Users\Admin\AppData\Local\Temp\58b2eccf155b0803ee298040fc71e99b_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

System Location Discovery: System Language Discovery (discovery)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\58b2eccf155b0803ee298040fc71e99b_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Modifies registry key

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 1 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeCreateTokenPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeLockMemoryPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeMachineAccountPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeTcbPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeCreatePermanentPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeChangeNotifyPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeSyncAgentPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeEnableDelegationPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeCreateGlobalPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: 31 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: 32 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: 33 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: 34 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: 35 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2536 wrote to memory of 2876 | N/A | C:\Users\Admin\AppData\Local\Temp\58b2eccf155b0803ee298040fc71e99b_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2536 wrote to memory of 2876 | N/A | C:\Users\Admin\AppData\Local\Temp\58b2eccf155b0803ee298040fc71e99b_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2536 wrote to memory of 2876 | N/A | C:\Users\Admin\AppData\Local\Temp\58b2eccf155b0803ee298040fc71e99b_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2536 wrote to memory of 2876 | N/A | C:\Users\Admin\AppData\Local\Temp\58b2eccf155b0803ee298040fc71e99b_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2536 wrote to memory of 2876 | N/A | C:\Users\Admin\AppData\Local\Temp\58b2eccf155b0803ee298040fc71e99b_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2536 wrote to memory of 2876 | N/A | C:\Users\Admin\AppData\Local\Temp\58b2eccf155b0803ee298040fc71e99b_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2536 wrote to memory of 2876 | N/A | C:\Users\Admin\AppData\Local\Temp\58b2eccf155b0803ee298040fc71e99b_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2536 wrote to memory of 2876 | N/A | C:\Users\Admin\AppData\Local\Temp\58b2eccf155b0803ee298040fc71e99b_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2536 wrote to memory of 2220 | N/A | C:\Users\Admin\AppData\Local\Temp\58b2eccf155b0803ee298040fc71e99b_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2536 wrote to memory of 2220 | N/A | C:\Users\Admin\AppData\Local\Temp\58b2eccf155b0803ee298040fc71e99b_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2536 wrote to memory of 2220 | N/A | C:\Users\Admin\AppData\Local\Temp\58b2eccf155b0803ee298040fc71e99b_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2536 wrote to memory of 2220 | N/A | C:\Users\Admin\AppData\Local\Temp\58b2eccf155b0803ee298040fc71e99b_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2876 wrote to memory of 2756 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\SysWOW64\cmd.exe
PID 2876 wrote to memory of 2756 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\SysWOW64\cmd.exe
PID 2876 wrote to memory of 2756 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\SysWOW64\cmd.exe
PID 2876 wrote to memory of 2756 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\SysWOW64\cmd.exe
PID 2876 wrote to memory of 2716 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\SysWOW64\cmd.exe
PID 2876 wrote to memory of 2716 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\SysWOW64\cmd.exe
PID 2876 wrote to memory of 2716 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\SysWOW64\cmd.exe
PID 2876 wrote to memory of 2716 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\SysWOW64\cmd.exe
PID 2876 wrote to memory of 2808 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\SysWOW64\cmd.exe
PID 2876 wrote to memory of 2808 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\SysWOW64\cmd.exe
PID 2876 wrote to memory of 2808 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\SysWOW64\cmd.exe
PID 2876 wrote to memory of 2808 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\SysWOW64\cmd.exe
PID 2876 wrote to memory of 2832 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\SysWOW64\cmd.exe
PID 2876 wrote to memory of 2832 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\SysWOW64\cmd.exe
PID 2876 wrote to memory of 2832 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\SysWOW64\cmd.exe
PID 2876 wrote to memory of 2832 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\SysWOW64\cmd.exe
PID 2716 wrote to memory of 1224 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2716 wrote to memory of 1224 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2716 wrote to memory of 1224 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2716 wrote to memory of 1224 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2756 wrote to memory of 2944 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2756 wrote to memory of 2944 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2756 wrote to memory of 2944 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2756 wrote to memory of 2944 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2808 wrote to memory of 2644 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2808 wrote to memory of 2644 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2808 wrote to memory of 2644 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2808 wrote to memory of 2644 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2832 wrote to memory of 2960 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2832 wrote to memory of 2960 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2832 wrote to memory of 2960 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2832 wrote to memory of 2960 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\58b2eccf155b0803ee298040fc71e99b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\58b2eccf155b0803ee298040fc71e99b_JaffaCakes118.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\DEL.BAT

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\server.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\server.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\server.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\server.exe:*:Enabled:Windows Messanger" /f

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 803.no-ip.org | udp
ID | 212.117.53.118:3080 | 803.no-ip.org | tcp
ID | 212.117.53.118:3080 | 803.no-ip.org | tcp
US | 8.8.8.8:53 | 1803.no-ip.org | udp
US | 8.8.8.8:53 | 2803.no-ip.org | udp
ID | 212.117.53.118:3080 | 2803.no-ip.org | tcp
US | 8.8.8.8:53 | 3803.no-ip.org | udp
US | 8.8.8.8:53 | 4803.no-ip.org | udp
US | 8.8.8.8:53 | 5803.no-ip.org | udp
US | 8.8.8.8:53 | 6803.no-ip.org | udp
US | 8.8.8.8:53 | 7803.no-ip.org | udp
US | 8.8.8.8:53 | 8803.no-ip.org | udp

Files

memory/2536-0-0x0000000074661000-0x0000000074662000-memory.dmp

memory/2536-1-0x0000000074660000-0x0000000074C0B000-memory.dmp

memory/2536-2-0x0000000074660000-0x0000000074C0B000-memory.dmp

\Users\Admin\AppData\Local\Temp\CACAO.dll

MD5 533cc8ec927f6d014a8fb880c25c16a9
SHA1 0e32857bb7a8da6be1741dd4b126db189041422c
SHA256 6fa5ae312bffb0bc4a0f4a2bea3a7c5d0405d2cfeef02966f5b5e6fc49247c07
SHA512 12d1ab6b3c7d2d27b6ca013b73bad3afaebfa49c049d58a8ebf8f235402b3af873eae10ecc659858ec594294c20a96ca1d198a2072728e32eb76b33ac9c8257d

memory/2876-10-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2876-11-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DEL.BAT

MD5 0eb1ce469214ebc99409fa2c14eb1a4f
SHA1 a502e9f691f253ddaac1dd129aad2397b5d536b1
SHA256 6ea933732db88fec7e7c692f6d7b4017a88b511a43da98225260649c37da3a6f
SHA512 ebf7b4b463e38a6f5bf27f5e6cfda9f50e59d38fbb54dd910301d4f7f9b7a28038e51b24985f6357d0707ba521606f9487aabee4a6825e4d56b30900679686e5

memory/2876-15-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2876-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2876-12-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2536-28-0x0000000074660000-0x0000000074C0B000-memory.dmp

memory/2876-33-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2876-34-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2876-36-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2876-37-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2876-38-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2876-40-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2876-41-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2876-45-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2876-46-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2876-48-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2876-49-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2876-50-0x0000000000400000-0x0000000000478000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-10-18 17:37
Reported: 2024-10-18 17:40
Platform: win10v2004-20241007-en
Max time kernel: 148s
Max time network: 146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\58b2eccf155b0803ee298040fc71e99b_JaffaCakes118.exe"

Signatures

Modifies firewall policy service (evasion)

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\server.exe = "C:\\Users\\Admin\\AppData\\Roaming\\server.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A

Uses the VBS compiler for execution

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 216 set thread context of 2452 | N/A | C:\Users\Admin\AppData\Local\Temp\58b2eccf155b0803ee298040fc71e99b_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

System Location Discovery: System Language Discovery (discovery)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\58b2eccf155b0803ee298040fc71e99b_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Modifies registry key

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 1 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeCreateTokenPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeLockMemoryPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeMachineAccountPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeTcbPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeCreatePermanentPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeChangeNotifyPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeSyncAgentPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeEnableDelegationPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeCreateGlobalPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: 31 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: 32 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: 33 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: 34 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: 35 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 216 wrote to memory of 2452 | N/A | C:\Users\Admin\AppData\Local\Temp\58b2eccf155b0803ee298040fc71e99b_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 216 wrote to memory of 2452 | N/A | C:\Users\Admin\AppData\Local\Temp\58b2eccf155b0803ee298040fc71e99b_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 216 wrote to memory of 2452 | N/A | C:\Users\Admin\AppData\Local\Temp\58b2eccf155b0803ee298040fc71e99b_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 216 wrote to memory of 2452 | N/A | C:\Users\Admin\AppData\Local\Temp\58b2eccf155b0803ee298040fc71e99b_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 216 wrote to memory of 2452 | N/A | C:\Users\Admin\AppData\Local\Temp\58b2eccf155b0803ee298040fc71e99b_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 216 wrote to memory of 2452 | N/A | C:\Users\Admin\AppData\Local\Temp\58b2eccf155b0803ee298040fc71e99b_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 216 wrote to memory of 2452 | N/A | C:\Users\Admin\AppData\Local\Temp\58b2eccf155b0803ee298040fc71e99b_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 216 wrote to memory of 2452 | N/A | C:\Users\Admin\AppData\Local\Temp\58b2eccf155b0803ee298040fc71e99b_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 216 wrote to memory of 3656 | N/A | C:\Users\Admin\AppData\Local\Temp\58b2eccf155b0803ee298040fc71e99b_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 216 wrote to memory of 3656 | N/A | C:\Users\Admin\AppData\Local\Temp\58b2eccf155b0803ee298040fc71e99b_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 216 wrote to memory of 3656 | N/A | C:\Users\Admin\AppData\Local\Temp\58b2eccf155b0803ee298040fc71e99b_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2452 wrote to memory of 436 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\SysWOW64\cmd.exe
PID 2452 wrote to memory of 436 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\SysWOW64\cmd.exe
PID 2452 wrote to memory of 436 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\SysWOW64\cmd.exe
PID 2452 wrote to memory of 4620 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\SysWOW64\cmd.exe
PID 2452 wrote to memory of 4620 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\SysWOW64\cmd.exe
PID 2452 wrote to memory of 4620 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\SysWOW64\cmd.exe
PID 2452 wrote to memory of 116 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\SysWOW64\cmd.exe
PID 2452 wrote to memory of 116 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\SysWOW64\cmd.exe
PID 2452 wrote to memory of 116 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\SysWOW64\cmd.exe
PID 2452 wrote to memory of 1680 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\SysWOW64\cmd.exe
PID 2452 wrote to memory of 1680 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\SysWOW64\cmd.exe
PID 2452 wrote to memory of 1680 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\SysWOW64\cmd.exe
PID 4620 wrote to memory of 4336 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 4620 wrote to memory of 4336 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 4620 wrote to memory of 4336 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 436 wrote to memory of 3136 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 436 wrote to memory of 3136 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 436 wrote to memory of 3136 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 116 wrote to memory of 1916 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 116 wrote to memory of 1916 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 116 wrote to memory of 1916 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 1680 wrote to memory of 1828 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 1680 wrote to memory of 1828 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 1680 wrote to memory of 1828 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\58b2eccf155b0803ee298040fc71e99b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\58b2eccf155b0803ee298040fc71e99b_JaffaCakes118.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\DEL.BAT

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\server.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\server.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\server.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\server.exe:*:Enabled:Windows Messanger" /f

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 803.no-ip.org | udp
ID | 212.117.53.118:3080 | 803.no-ip.org | tcp
US | 8.8.8.8:53 | g.bing.com | udp
US | 150.171.27.10:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
ID | 212.117.53.118:3080 | 803.no-ip.org | tcp
US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 105.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 1803.no-ip.org | udp
US | 8.8.8.8:53 | 2803.no-ip.org | udp
ID | 212.117.53.118:3080 | 2803.no-ip.org | tcp
US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 3803.no-ip.org | udp
US | 8.8.8.8:53 | 4803.no-ip.org | udp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 5803.no-ip.org | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 6803.no-ip.org | udp
US | 8.8.8.8:53 | 7803.no-ip.org | udp
US | 8.8.8.8:53 | 8803.no-ip.org | udp

Files

memory/216-0-0x0000000075292000-0x0000000075293000-memory.dmp

memory/216-1-0x0000000075290000-0x0000000075841000-memory.dmp

memory/216-2-0x0000000075290000-0x0000000075841000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CACAO.dll

MD5 533cc8ec927f6d014a8fb880c25c16a9
SHA1 0e32857bb7a8da6be1741dd4b126db189041422c
SHA256 6fa5ae312bffb0bc4a0f4a2bea3a7c5d0405d2cfeef02966f5b5e6fc49247c07
SHA512 12d1ab6b3c7d2d27b6ca013b73bad3afaebfa49c049d58a8ebf8f235402b3af873eae10ecc659858ec594294c20a96ca1d198a2072728e32eb76b33ac9c8257d

memory/2452-12-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2452-16-0x0000000000400000-0x0000000000478000-memory.dmp

memory/216-21-0x0000000075290000-0x0000000075841000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DEL.BAT

MD5 0eb1ce469214ebc99409fa2c14eb1a4f
SHA1 a502e9f691f253ddaac1dd129aad2397b5d536b1
SHA256 6ea933732db88fec7e7c692f6d7b4017a88b511a43da98225260649c37da3a6f
SHA512 ebf7b4b463e38a6f5bf27f5e6cfda9f50e59d38fbb54dd910301d4f7f9b7a28038e51b24985f6357d0707ba521606f9487aabee4a6825e4d56b30900679686e5

memory/2452-26-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2452-27-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2452-29-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2452-30-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2452-31-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2452-33-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2452-34-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2452-35-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2452-37-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2452-39-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2452-42-0x0000000000400000-0x0000000000478000-memory.dmp