Malware Analysis Report

2024-08-06 11:47

Sample ID 240609-sy37dacf53
Target 1.rar
SHA256 137fc43b5d74c425ea805babdbbdbe277a21111c01bf9d2e364d98481e3e95a8
Tags
quasar spyware trojan agenttesla keylogger stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

137fc43b5d74c425ea805babdbbdbe277a21111c01bf9d2e364d98481e3e95a8

Threat Level: Known bad

The file 1.rar was found to be: Known bad.

Malicious Activity Summary

quasar spyware trojan agenttesla keylogger stealer

Quasar family

Agenttesla family

AgentTesla payload

Quasar RAT

Quasar payload

AgentTesla

AgentTesla payload

Checks computer location settings

Enumerates physical storage devices

Unsigned PE

Enumerates system info in registry

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Runs ping.exe

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-09 15:32

Signatures

AgentTesla payload

Description Indicator Process Target
N/A N/A N/A N/A

Agenttesla family

agenttesla

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-09 15:32

Reported

2024-06-09 15:38

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

273s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Release\Vestris.ResourceLib.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Release\Vestris.ResourceLib.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 171.117.168.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-09 15:32

Reported

2024-06-09 15:38

Platform

win10v2004-20240508-en

Max time kernel

297s

Max time network

278s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Release\client.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Release\client.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2904 wrote to memory of 3156 N/A C:\Users\Admin\AppData\Local\Temp\Release\client.exe C:\Windows\SysWOW64\cmd.exe
PID 3156 wrote to memory of 2196 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3156 wrote to memory of 1376 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3156 wrote to memory of 1828 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\Release\client.exe
PID 1828 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Local\Temp\Release\client.exe C:\Windows\SysWOW64\cmd.exe
PID 4112 wrote to memory of 2668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4112 wrote to memory of 4408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4112 wrote to memory of 2456 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\Release\client.exe
PID 2456 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\Release\client.exe C:\Windows\SysWOW64\cmd.exe
PID 5024 wrote to memory of 1252 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 5024 wrote to memory of 1368 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5024 wrote to memory of 432 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\Release\client.exe
PID 432 wrote to memory of 4288 N/A C:\Users\Admin\AppData\Local\Temp\Release\client.exe C:\Windows\SysWOW64\cmd.exe
PID 4288 wrote to memory of 4312 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4288 wrote to memory of 3540 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4288 wrote to memory of 1360 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\Release\client.exe
PID 1360 wrote to memory of 3632 N/A C:\Users\Admin\AppData\Local\Temp\Release\client.exe C:\Windows\SysWOW64\cmd.exe
PID 3632 wrote to memory of 808 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3632 wrote to memory of 2868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3632 wrote to memory of 4316 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\Release\client.exe
PID 4316 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\Release\client.exe C:\Windows\SysWOW64\cmd.exe
PID 3376 wrote to memory of 2372 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com

Processes

C:\Users\Admin\AppData\Local\Temp\Release\client.exe

"C:\Users\Admin\AppData\Local\Temp\Release\client.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vvuEVlgmmIrt.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Release\client.exe

"C:\Users\Admin\AppData\Local\Temp\Release\client.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hVe4YvHBGHcy.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Release\client.exe

"C:\Users\Admin\AppData\Local\Temp\Release\client.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wEc5GYeY1pmi.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Release\client.exe

"C:\Users\Admin\AppData\Local\Temp\Release\client.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rn3cmlO8dLyw.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Release\client.exe

"C:\Users\Admin\AppData\Local\Temp\Release\client.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3x8JrznfI2aB.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Release\client.exe

"C:\Users\Admin\AppData\Local\Temp\Release\client.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VFgMi3F3IzjW.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Release\client.exe

"C:\Users\Admin\AppData\Local\Temp\Release\client.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\46vT0Hpcva7G.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Release\client.exe

"C:\Users\Admin\AppData\Local\Temp\Release\client.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jYtdjdVKBrlN.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Release\client.exe

"C:\Users\Admin\AppData\Local\Temp\Release\client.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\S1eYFkMMxv7O.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Release\client.exe

"C:\Users\Admin\AppData\Local\Temp\Release\client.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2N4TJ9YzHVP3.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Release\client.exe

"C:\Users\Admin\AppData\Local\Temp\Release\client.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lqpNqGP13Zk4.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Release\client.exe

"C:\Users\Admin\AppData\Local\Temp\Release\client.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4ab8LevhLwbh.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Release\client.exe

"C:\Users\Admin\AppData\Local\Temp\Release\client.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GlgpPsKEzeDw.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Release\client.exe

"C:\Users\Admin\AppData\Local\Temp\Release\client.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\X0Im93Fqa3Be.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Release\client.exe

"C:\Users\Admin\AppData\Local\Temp\Release\client.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ohK1mEQlRWOi.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Release\client.exe

"C:\Users\Admin\AppData\Local\Temp\Release\client.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\I2caWVDvsMCd.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Release\client.exe

"C:\Users\Admin\AppData\Local\Temp\Release\client.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Cb362hyVTrNr.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Release\client.exe

"C:\Users\Admin\AppData\Local\Temp\Release\client.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xYypK0Qbwucn.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Release\client.exe

"C:\Users\Admin\AppData\Local\Temp\Release\client.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Lpi8OKjgR24F.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Release\client.exe

"C:\Users\Admin\AppData\Local\Temp\Release\client.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\c4L58VdI1R2x.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Release\client.exe

"C:\Users\Admin\AppData\Local\Temp\Release\client.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jjREenGQTN3N.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Release\client.exe

"C:\Users\Admin\AppData\Local\Temp\Release\client.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IbhKw1qz6zS7.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Release\client.exe

"C:\Users\Admin\AppData\Local\Temp\Release\client.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zXoKRZ9m3Dz9.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Release\client.exe

"C:\Users\Admin\AppData\Local\Temp\Release\client.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ezlVAwqUJTeH.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Release\client.exe

"C:\Users\Admin\AppData\Local\Temp\Release\client.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9pDsgPFjQHL6.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Release\client.exe

"C:\Users\Admin\AppData\Local\Temp\Release\client.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GUJ1BhsrsDMX.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Release\client.exe

"C:\Users\Admin\AppData\Local\Temp\Release\client.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZE5mh4PYAaEA.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Release\client.exe

"C:\Users\Admin\AppData\Local\Temp\Release\client.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2aNKRLCiaQ25.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Release\client.exe

"C:\Users\Admin\AppData\Local\Temp\Release\client.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\h1LVAitQqggC.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Release\client.exe

"C:\Users\Admin\AppData\Local\Temp\Release\client.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\e5vqS6F599lL.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 171.117.168.52.in-addr.arpa udp

Files

memory/2904-0-0x00000000751CE000-0x00000000751CF000-memory.dmp

memory/2904-1-0x0000000000A70000-0x0000000000AC0000-memory.dmp

memory/2904-2-0x0000000005AA0000-0x0000000006044000-memory.dmp

memory/2904-3-0x00000000054F0000-0x0000000005582000-memory.dmp

memory/2904-4-0x00000000751C0000-0x0000000075970000-memory.dmp

memory/2904-9-0x00000000751C0000-0x0000000075970000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vvuEVlgmmIrt.bat

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\client.exe.log

memory/1828-12-0x0000000075110000-0x00000000758C0000-memory.dmp

memory/1828-13-0x0000000075110000-0x00000000758C0000-memory.dmp

memory/1828-17-0x0000000075110000-0x00000000758C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\hVe4YvHBGHcy.bat

C:\Users\Admin\AppData\Local\Temp\wEc5GYeY1pmi.bat

C:\Users\Admin\AppData\Local\Temp\rn3cmlO8dLyw.bat

C:\Users\Admin\AppData\Local\Temp\3x8JrznfI2aB.bat

C:\Users\Admin\AppData\Local\Temp\VFgMi3F3IzjW.bat

C:\Users\Admin\AppData\Local\Temp\46vT0Hpcva7G.bat

C:\Users\Admin\AppData\Local\Temp\jYtdjdVKBrlN.bat

C:\Users\Admin\AppData\Local\Temp\S1eYFkMMxv7O.bat

C:\Users\Admin\AppData\Local\Temp\2N4TJ9YzHVP3.bat

C:\Users\Admin\AppData\Local\Temp\lqpNqGP13Zk4.bat

C:\Users\Admin\AppData\Local\Temp\4ab8LevhLwbh.bat

C:\Users\Admin\AppData\Local\Temp\GlgpPsKEzeDw.bat

C:\Users\Admin\AppData\Local\Temp\X0Im93Fqa3Be.bat

C:\Users\Admin\AppData\Local\Temp\ohK1mEQlRWOi.bat

C:\Users\Admin\AppData\Local\Temp\I2caWVDvsMCd.bat

C:\Users\Admin\AppData\Local\Temp\Cb362hyVTrNr.bat

C:\Users\Admin\AppData\Local\Temp\xYypK0Qbwucn.bat

C:\Users\Admin\AppData\Local\Temp\Lpi8OKjgR24F.bat

C:\Users\Admin\AppData\Local\Temp\c4L58VdI1R2x.bat

C:\Users\Admin\AppData\Local\Temp\jjREenGQTN3N.bat

C:\Users\Admin\AppData\Local\Temp\IbhKw1qz6zS7.bat

MD5 c5467943dec93b379db2d13db849590e
SHA1 bfd04c06d1341087eae95166f194c70972013f96
SHA256 fd15e00ba41eb220a53f5cee422bcfd4793c81a3ed237ec4131049223eca5672
SHA512 fcd44f32372ab07c2000725cd2d3244e8c69dc69e2014b9fadc4c85c2729081d51beab6cbe529a6775e9962d07dcf5bee5f4201bc98fede0e8fb2baf1b363d52

C:\Users\Admin\AppData\Local\Temp\zXoKRZ9m3Dz9.bat

MD5 aa17b7bfcd93536a3c2eec0775756fe1
SHA1 81cc0ed6a12f8df4c33d294ba3514cea5c021de7
SHA256 f9ff3238d684a0f1205e86b3cb7326a7e8cb73fd69004bd8b31d92e6ba7de0f9
SHA512 e2f252fe47849f9735de3c6bf638812b8e21e5a0c982244dc38524e66019adc1c68970d8beee991f6816a071ca8fc6115c00ba1a6c5278e9d7686cb64da1c10b

C:\Users\Admin\AppData\Local\Temp\ezlVAwqUJTeH.bat

MD5 0e6140d222e7c92df7815e8388c5b7cd
SHA1 63a0fdde1af0808b85d87d049e1ff23f666cb85b
SHA256 04fd3a70b4b6b3f17a28ccf06027361931fc09e20a1a8bc7343abd653bdb8e99
SHA512 ac01d5391d8eaf39521a0a9b31085dade8306e89de19c604fd6a9e474a170ccbfaae93211d076e7c9a356be8ceb2e6dd2b33049edb4cb89c24ca280ed1b84c12

C:\Users\Admin\AppData\Local\Temp\9pDsgPFjQHL6.bat

MD5 18be8f64d7ac33881ac477badbcee671
SHA1 9837b4a87fae3de5122bad5905940ec07b1c1442
SHA256 6c328e43562eb7d21ad8f89f6443f89c8a08175485d20e140f46a648af998c24
SHA512 64b475b429da11fcb7a0d61b973cabcc0bdc61bd8b90b0d9bccd0597175aae1b4fb922c22f2421f64066b2fe0871a37b84c34908178531e4e04809beffb27869

C:\Users\Admin\AppData\Local\Temp\GUJ1BhsrsDMX.bat

MD5 aaa181922fd84b9977a59788d38068c9
SHA1 cf3694615ef7919d04ab2d5a6c2eb2f0b0c0af01
SHA256 396868e6616e29e44d656492fe373d8ffbcb20282a59eacddbd87397b23a82f3
SHA512 f892ca18e084d36b4784cebc5cfc602c0a6e6f03626262c92545390aa425bf2dd620cd93aa4e36632b66a022f8767dd74e5566c2437e1a842817da64a40d9674

C:\Users\Admin\AppData\Local\Temp\ZE5mh4PYAaEA.bat

MD5 ad002b9c3b14e56c268af1f44ceb6ca2
SHA1 9132e39003157bfe65ebfd57ddf41e4251271942
SHA256 207d5c55e55fde69ceb7b10e75dc71a63107507f71617e09456514c7d775d22e
SHA512 36619d2cb0b50eb3ecf5dc6b95211e3427543a8a8cc99405df0511dd470b6c50d816ac1b6dec6ef1de9c650dc976726881abb838052b99500ca99f22dca97664

C:\Users\Admin\AppData\Local\Temp\2aNKRLCiaQ25.bat

MD5 99a035b6f2c747b7d06e399ba5d1d3d8
SHA1 0dbf7ce9e37d5b2ca6cca77c3381e146747afb1c
SHA256 dab6af78e2f4107b17b99d437e84778f86ba636fbd3e908196fa8f3ef7e35ae4
SHA512 c6bd7bb91e4de5cfb4cb71603ee38c6cbf5fb7bebd1959c404a33aaed850871a4ae8dc17ff1ebe0ebb310bae1ed1ecafadfa3a0c36b87c4f0a989f21b527facf

C:\Users\Admin\AppData\Local\Temp\h1LVAitQqggC.bat

MD5 8bb5f549a8b0f0e5783ad83a70c99ce5
SHA1 916f55ecf66669fd14980718f13b5a8eb643c2bc
SHA256 2d711b7f147b1ad417f1cee0bd2ca75eeee76cba6a46b596d0278626a6543eb2
SHA512 80bf9acd41f31872643479ef7c50926d39692305223e3196c54da2ee0de8abca4894efb4f886b23006015a5e801b46f5412cb9b60e02b7b15298b306067bdb2b

C:\Users\Admin\AppData\Local\Temp\e5vqS6F599lL.bat

MD5 1b60d7b935f2edb8a6409951c10db250
SHA1 957acc0c358280ae5da87f244707741e314828c9
SHA256 3cd51ce9ec58b6285a275ba18e377ccaacd4b68c83803d18c74ad37a23d29eb6
SHA512 3f17109d0d6a02014c946afdc7a60584570da65aa56489f83071251b191ba60cf5601677bf398c6dc118b189fc8e506525124970573427ab9adbccb2d10f46b1

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-09 15:32

Reported

2024-06-09 15:38

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

277s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Release\Mono.Nat.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Release\Mono.Nat.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.16.208.104.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-09 15:32

Reported

2024-06-09 15:38

Platform

win10v2004-20240508-en

Max time kernel

93s

Max time network

203s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Release\Octokit.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Release\Octokit.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-09 15:32

Reported

2024-06-09 15:38

Platform

win10v2004-20240426-en

Max time kernel

93s

Max time network

203s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Release\SeroXen.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Release\SeroXen.exe

"C:\Users\Admin\AppData\Local\Temp\Release\SeroXen.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 20.231.121.79:80 N/A tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

memory/2936-0-0x00007FF84FA83000-0x00007FF84FA85000-memory.dmp

memory/2936-1-0x0000019DACFF0000-0x0000019DAD3C2000-memory.dmp

memory/2936-2-0x00007FF84FA80000-0x00007FF850541000-memory.dmp

memory/2936-3-0x00007FF84FA83000-0x00007FF84FA85000-memory.dmp

memory/2936-4-0x00007FF84FA80000-0x00007FF850541000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-09 15:32

Reported

2024-06-09 15:38

Platform

win10v2004-20240426-en

Max time kernel

248s

Max time network

277s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Release\Guna.UI2.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Release\Guna.UI2.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 224.162.46.104.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-09 15:32

Reported

2024-06-09 15:38

Platform

win10v2004-20240508-en

Max time kernel

297s

Max time network

273s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Release\Mono.Cecil.dll,#1

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

AgentTesla payload

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Users\Admin\AppData\Local\Temp\Release\SeroXen.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion C:\Users\Admin\AppData\Local\Temp\Release\SeroXen.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\Release\SeroXen.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Release\SeroXen.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Release\SeroXen.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Release\SeroXen.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Release\SeroXen.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Release\Mono.Cecil.dll,#1

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\AppData\Local\Temp\Release\SeroXen.exe

"C:\Users\Admin\AppData\Local\Temp\Release\SeroXen.exe"

C:\Users\Admin\AppData\Local\Temp\Release\SeroXen.exe

"C:\Users\Admin\AppData\Local\Temp\Release\SeroXen.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
N/A 10.127.0.1:5351 N/A udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.16.208.104.in-addr.arpa udp

Files

memory/1000-0-0x00007FF8E75C3000-0x00007FF8E75C5000-memory.dmp

memory/1000-1-0x000001BCFC160000-0x000001BCFC532000-memory.dmp

memory/1000-2-0x00007FF8E75C0000-0x00007FF8E8081000-memory.dmp

memory/1000-3-0x00007FF8E75C0000-0x00007FF8E8081000-memory.dmp

memory/4796-5-0x000001199E210000-0x000001199E406000-memory.dmp

memory/4796-8-0x000001199E9E0000-0x000001199E9F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Release\settings.xml

MD5 8af01757cc429d1347430084913566d1
SHA1 e4ec570a0b1a5c99e0613da232eeff4b42ffaa75
SHA256 f1a33cd5b1c9368f73b8ff144bed026664577317df27baff774b2bd2acbd52ef
SHA512 3edbca5a661d0fbdd0f8aac994b50e3f844e1d6ee6bfeadf0d8aa89fab1b7cec69b9f687a704c7a989726bb676604e2cdb75ca30441e94a05fdd4027ec9a494a

C:\Users\Admin\AppData\Local\Temp\Release\Profiles\Default.xml

MD5 bffc7dc598bcf4bda005c69c09e5d3de
SHA1 53cb4f0307f5bacdac9278a964ef58283bca3e11
SHA256 7b92e3dc71bd97ea0848a7beb0597cbc7b34569a2bdb9a03e1d5dfe395a27b0d
SHA512 b5c4ddafdf9e138ce0f9019d7bbe39fcea107e3fd61e68b7dd7138ce63a40738629975f6c56536ed8677e88db3c94b68d8d7aae218c89ebff707f61f58c906a3

C:\Users\Admin\AppData\Local\Temp\Release\Profiles\Default.xml

MD5 cd066e8abf5726b690a2ca6682f741c2
SHA1 947d4ccc8a42e3e836acb49cfa71ac6a05c54f1d
SHA256 a673e6e873daf7564be855f721ee374247269c385cbbdf612d29f4a29c3938a6
SHA512 0bb6832236eb9c761d3d203619400cc71057e37347507773caaf0bb9ed61942712813aaf0ee2dc5d96d6ef7bc6ac1ce1a715eac581c0e4b116877925d6de1739

C:\Users\Admin\AppData\Local\Temp\Release\Profiles\Default.xml

MD5 878fd2a88f9e0bbf703bda0bd0b606b3
SHA1 338bdbeab30c64382ae727092518c7affc87e74d
SHA256 6f5dff5587f119059a35241e684555fb33c0d7921c64e24176148df0a05edafb
SHA512 0f9552b8fe357070ea2a8c4ec9c17bd3b78172e0f81fe094db3f02a373bd1d59176a7a2635300d3ddab6f44e5920f9f3a43a86686c7866caab9871df45e8081d

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-09 15:32

Reported

2024-06-09 15:38

Platform

win10v2004-20240426-en

Max time kernel

93s

Max time network

187s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Release\Siticone.Desktop.UI.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Release\Siticone.Desktop.UI.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 233.143.123.92.in-addr.arpa udp

Files

N/A