Analysis Overview
SHA256
75a58e896b1e5f70dceb2bc8e189ec19f600cb2df28196af4ba05711bea7ce3f
Threat Level: Known bad
The file 03778d811f241e83ccad830372313b3c.zip was found to be: Known bad.
Malicious Activity Summary
Quasar RAT
Quasar payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Checks BIOS information in registry
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Obfuscated with Agile.Net obfuscator
Themida packer
Checks whether UAC is enabled
Suspicious use of NtSetInformationThreadHideFromDebugger
System Network Configuration Discovery: Internet Connection Discovery
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of SetWindowsHookEx
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Scheduled Task/Job: Scheduled Task
Suspicious use of AdjustPrivilegeToken
Runs ping.exe
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-01 14:52
Signatures
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-01 14:52
Reported
2024-09-01 14:55
Platform
win7-20240704-en
Max time kernel
150s
Max time network
155s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\S^X.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Themida packer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\S^X.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
"C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe"
C:\Users\Admin\AppData\Roaming\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome.exe"
C:\Users\Admin\AppData\Local\Temp\S^X.exe
"C:\Users\Admin\AppData\Local\Temp\S^X.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XNfYcUu3iswT.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\5nRGSyfhBM5h.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QBMQCO6uJOfD.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\EPrbzEjoAZ0Y.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\4x1VlMn8cvQA.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\Cl5Gb7yvsur3.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\N78bzO93wEzv.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\Lu5hkh4jCKCn.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\7nMvm0NFUT4P.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\F0pdR8lbCKtt.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\lkZdCuLxZmyb.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | synapse.to | udp |
| US | 104.21.21.210:443 | synapse.to | tcp |
| US | 8.8.8.8:53 | live.nodenet.ml | udp |
Files
memory/2732-0-0x0000000073CCE000-0x0000000073CCF000-memory.dmp
memory/2732-1-0x0000000000250000-0x0000000000864000-memory.dmp
memory/2732-2-0x0000000005470000-0x0000000005A82000-memory.dmp
memory/2732-6-0x0000000073CC0000-0x00000000743AE000-memory.dmp
\Users\Admin\AppData\Local\Temp\45b8c97f-5cf8-49f5-b76c-0fc91adff9fb\AgileDotNetRT.dll
| Hash | Value |
| --- | --- |
| MD5 | 2d86c4ad18524003d56c1cb27c549ba8 |
| SHA1 | 123007f9337364e044b87deacf6793c2027c8f47 |
| SHA256 | 091ab8a1acdab40c544bd1e5c91a96881acc318cac4df5235e1b5673f5489280 |
| SHA512 | 0dd5204733b3c20932aeea2cebf0ca1eeca70e4b3b3b8932d78d952a8f762f0b96ebdbdaf217e95889c02ec6a39b8f9919fd4c0cba56bb629256e71fa61faa3c |
memory/2732-10-0x00000000736B0000-0x0000000073CB8000-memory.dmp
memory/2732-11-0x00000000736B0000-0x0000000073CB8000-memory.dmp
memory/2732-12-0x00000000736B0000-0x0000000073CB8000-memory.dmp
memory/2732-13-0x0000000073CC0000-0x00000000743AE000-memory.dmp
memory/2732-21-0x0000000005470000-0x0000000005A7C000-memory.dmp
memory/2732-19-0x0000000005470000-0x0000000005A7C000-memory.dmp
memory/2732-17-0x0000000005470000-0x0000000005A7C000-memory.dmp
memory/2732-15-0x0000000005470000-0x0000000005A7C000-memory.dmp
memory/2732-22-0x0000000005470000-0x0000000005A7C000-memory.dmp
memory/2732-14-0x0000000074650000-0x00000000746D0000-memory.dmp
memory/2732-23-0x0000000004DA0000-0x0000000004E52000-memory.dmp
memory/2732-24-0x0000000000BA0000-0x0000000000BA8000-memory.dmp
C:\Users\Admin\AppData\Roaming\chrome.exe
| Hash | Value |
| --- | --- |
| MD5 | 92479f1615fd4fa1dd3ac7f2e6a1b329 |
| SHA1 | 0a6063d27c9f991be2053b113fcef25e071c57fd |
| SHA256 | 0c4917cc756e769e94ab97d626bef49713dab833525ba2e5d75fc9aea4c72569 |
| SHA512 | 9f117c74c04749e6d0142e1cf952a8c59428f649413750921fc7aea35a3ccb62d9975ef954e61ce323d6234e0e9c7b8816f2ca9270552b726f9233219750847c |
C:\Users\Admin\AppData\Local\Temp\S^X.exe
| Hash | Value |
| --- | --- |
| MD5 | e2437ac017506bbde9a81fb1f618457b |
| SHA1 | adef2615312b31e041ccf700b3982dd50b686c7f |
| SHA256 | 94594fa46d0bd28c02365f0a32ec3a662b25df95f3f3e8e2a952c18a23895b12 |
| SHA512 | 9169f8be39b8fede38f7fce5a2e64d42630857e0ebd37f921c68ccf0bf0a8816f1682ba4659d22ad43413d99de62a59b2494494701404b44aa41c4d6bdc1e019 |
memory/2732-39-0x0000000073CC0000-0x00000000743AE000-memory.dmp
memory/2732-40-0x00000000736B0000-0x0000000073CB8000-memory.dmp
memory/2628-41-0x0000000000FD0000-0x000000000109C000-memory.dmp
memory/2612-42-0x0000000001000000-0x0000000001084000-memory.dmp
memory/432-47-0x0000000000270000-0x00000000002F4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XNfYcUu3iswT.bat
| Hash | Value |
| --- | --- |
| MD5 | 7ab048444f99dc78730d65e251fce2ce |
| SHA1 | 2ec8d4ee477b6476a37c22bd11cb6bc7c7989ad6 |
| SHA256 | a26a31fc0cda9de364dc0f4ee8ad0df7622b249778a87d964c6c8d80f27bd553 |
| SHA512 | 8ad228ebd54dd1a61893091326a6a20819a0a3d0e5547724318d1441229f2507f8dfa29c1099517f2f0ada5c1d784d8aa50f433d85d04d5bc23b59e542dece72 |
memory/820-58-0x0000000000E50000-0x0000000000ED4000-memory.dmp
\??\PIPE\lsarpc
| Hash | Value |
| --- | --- |
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\5nRGSyfhBM5h.bat
| Hash | Value |
| --- | --- |
| MD5 | e14d6395cf317e985c24c837b558b784 |
| SHA1 | 4a2e1f5db21c6167c4455a42aaea5337b882ff88 |
| SHA256 | 675edc91b79da25f1e38340c690abcac612b61a5fef9da5d9644440c426af906 |
| SHA512 | e80c22297540a92b1c2c13c2d3df87e25c0b85f92ba8ddc91d25891ed179ef4c85265e3bcce4771d16818238cb3efb96cc682ce1488c85b54d692eaaa9ca9083 |
memory/2492-70-0x0000000000110000-0x0000000000194000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\QBMQCO6uJOfD.bat
| Hash | Value |
| --- | --- |
| MD5 | 9a0494e2d3401369a3ee7d65e847df6f |
| SHA1 | 5e7522b1d60a67dfea9c2b810830925a6b3fd14b |
| SHA256 | f142d40d188e1386c7f5bdf9d8789665f72ab3ef396dfbee0396fd999ee9cdef |
| SHA512 | b3e7351f51984ef38ae7bf7890cf0aa4d182e2d283a234e8ae88a1646b2373415b83417ed42b1f9986d34d5271b28fb2a9c1d332a99832345598add2ddab7939 |
memory/1468-81-0x0000000001340000-0x00000000013C4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EPrbzEjoAZ0Y.bat
| Hash | Value |
| --- | --- |
| MD5 | fefad7610cd6a79a5c55a728cd67a1f7 |
| SHA1 | 129fc4d917704236c8776f465bca97cf5434f122 |
| SHA256 | b6e24fff63a2d3fb8ac3ce4e84c0520c3f21f358700b9b4d76203587e5f23220 |
| SHA512 | c2335065b8c373b7520fea88c7223e33bf607d54067d449ec1752805ba7bc1f5304268140ddee9ec9654bbb0ca263b26a6b457dfd2ad7367a3c6580900df480a |
C:\Users\Admin\AppData\Local\Temp\4x1VlMn8cvQA.bat
| Hash | Value |
| --- | --- |
| MD5 | 2891da17ebc201d8103dc9e0b6296edf |
| SHA1 | 8958214a386903a2e4ec810fbe9336b96a2be55c |
| SHA256 | 20e9c7a83b47910899c791596816ccaa7e500149724a17e0076b6a8448bc490b |
| SHA512 | 0f6206fe6540f23e1bad61d15424dbdcef4d9998921060034710ac644790e7690edcb62a8084c83b7617e71a165987b6130c85b0e04d51dcc9058fb1f8dc1a95 |
C:\Users\Admin\AppData\Local\Temp\Cl5Gb7yvsur3.bat
| Hash | Value |
| --- | --- |
| MD5 | 033d5ffe31164647f585077f09afbc5b |
| SHA1 | d5d95c1804b929ecf27e1c1a2c3d174d7dc4ef5a |
| SHA256 | 1404fb0265b07c203f1cdd2cf3b9438c90ae94b2159e6f4bcc894d2720f2cc6a |
| SHA512 | ed79f7572de1ae19d2363cd871d2b87098ba7bebd1e9c15b488039a835123d5a1d15593a6c94c70ac1a82cb073182debb66de649e5b3132bf0ba0e96b9d97ad0 |
C:\Users\Admin\AppData\Local\Temp\N78bzO93wEzv.bat
| Hash | Value |
| --- | --- |
| MD5 | 536fd0e7b6d79dbed89ece6968a3fe0b |
| SHA1 | 2f6d53432d2b0a04345bb7f0452d9b13a6dcc939 |
| SHA256 | 4324999caf8abac61dec6669d3ba77b872a461c19ad3233f80b8649838985f1c |
| SHA512 | 6f7ac076b7c8ec0a5bf94cc2a3246008e6e88dbe9af8015af0f6129eb48bc248102ef8d3b49612c3ca39c770c59cefb3427f27cc0976523643c8c4a02638964d |
memory/2916-124-0x00000000001D0000-0x0000000000254000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Lu5hkh4jCKCn.bat
| Hash | Value |
| --- | --- |
| MD5 | 41e0da7e64b0fb0520387a433484a812 |
| SHA1 | 14728937f290685bb4e772a7a9afac9e09e648a3 |
| SHA256 | 8e6d9afca7f918959adf5dbdd518607c05dbbfb737910bc036d523c476b644b5 |
| SHA512 | 0db14d2cefadd8028db5e2b9566825c8993fdc22f8aab2c0d0d75cc7701fdecce9bb4fc8874f39b5079254c54427a19ab29d44f4e812462da03a42a939659233 |
memory/2184-135-0x0000000000D90000-0x0000000000E14000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7nMvm0NFUT4P.bat
| Hash | Value |
| --- | --- |
| MD5 | 97eafdcf9b41d68a97e8c734cfe93776 |
| SHA1 | 94158cca9aed3a1836b9f0a7dffab47c8ee0c93f |
| SHA256 | e4308e256c505bf59376ee3c72e9203eca5654eecca0e8358686f971379cc115 |
| SHA512 | b5e98faf0fa88e4df1e634856788eaac91c638a2bda01605f3e898e62f5e47ea6e53e40ff2486be9ddb2c085610935b217e5ca96c5bc2b4382dc6e2c14f46269 |
memory/1164-146-0x0000000000EB0000-0x0000000000F34000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\F0pdR8lbCKtt.bat
| Hash | Value |
| --- | --- |
| MD5 | a2b33eef0f9f210a7223fc69f1c2da90 |
| SHA1 | 49d76b7d7b6b19e6238654be238cbc1a2fca1909 |
| SHA256 | 88d19ba40fc06e860d7a78027c341e6d12f8c95d8fe35382382fd762a2a84480 |
| SHA512 | b0df5f593577e774ee1d750dd2e18855cc1c564cdf5a2d9ebd3710accc882cd74e7883a56a100f0322f6a8d6a01ec0b5279c06904122a6917c46390ce29ef3c2 |
C:\Users\Admin\AppData\Local\Temp\lkZdCuLxZmyb.bat
| Hash | Value |
| --- | --- |
| MD5 | 65f9c9d774ac143421cc701086cd56d2 |
| SHA1 | c0cc65ef011b25f01dfcffa8bcd5152164b53bef |
| SHA256 | 5b57f5a4d40693927edb11ba1a46ab879b8860985c2d5749367900f1079fa088 |
| SHA512 | 2ef64675287088025a9c678ce97d40383bb6f0c7d32d28785ddbda9b4f9dd1138cc4f4b7b851357f206dcd699e14d258a4b77928cb9a6aad1c531fa233e93301 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-01 14:52
Reported
2024-09-01 14:55
Platform
win10v2004-20240802-en
Max time kernel
142s
Max time network
145s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\S^X.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Themida packer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\S^X.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
"C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe"
C:\Users\Admin\AppData\Roaming\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome.exe"
C:\Users\Admin\AppData\Local\Temp\S^X.exe
"C:\Users\Admin\AppData\Local\Temp\S^X.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4400,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=3864 /prefetch:8
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iPLBKxt1WC44.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jw8jwv1muM1c.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dkHmkajHTT4I.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oCLloocIWgCe.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kXVgFHorOD9V.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cYC8s2LejgpJ.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SlbNZMxhQ8ee.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\b3M9mwzxBOcg.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\toJjsTceVr7y.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4vqmUZkhunXn.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\l1j8jFR5fYZ7.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SVrdSM8UGvGR.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6dSb353Tjp0l.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | synapse.to | udp |
| US | 8.8.8.8:53 | live.nodenet.ml | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 172.67.200.89:443 | synapse.to | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.200.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.nodenet.ml | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.nodenet.ml | udp |
| US | 8.8.8.8:53 | 42.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.nodenet.ml | udp |
| US | 8.8.8.8:53 | live.nodenet.ml | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.nodenet.ml | udp |
| US | 8.8.8.8:53 | live.nodenet.ml | udp |
| US | 8.8.8.8:53 | live.nodenet.ml | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.nodenet.ml | udp |
| US | 8.8.8.8:53 | live.nodenet.ml | udp |
| US | 8.8.8.8:53 | live.nodenet.ml | udp |
| US | 8.8.8.8:53 | live.nodenet.ml | udp |
| US | 8.8.8.8:53 | live.nodenet.ml | udp |
Files
memory/2440-0-0x00000000745EE000-0x00000000745EF000-memory.dmp
memory/2440-1-0x00000000001E0000-0x00000000007F4000-memory.dmp
memory/2440-2-0x0000000005010000-0x0000000005622000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\45b8c97f-5cf8-49f5-b76c-0fc91adff9fb\AgileDotNetRT.dll
| MD5 | 2d86c4ad18524003d56c1cb27c549ba8 |
| SHA1 | 123007f9337364e044b87deacf6793c2027c8f47 |
| SHA256 | 091ab8a1acdab40c544bd1e5c91a96881acc318cac4df5235e1b5673f5489280 |
| SHA512 | 0dd5204733b3c20932aeea2cebf0ca1eeca70e4b3b3b8932d78d952a8f762f0b96ebdbdaf217e95889c02ec6a39b8f9919fd4c0cba56bb629256e71fa61faa3c |
memory/2440-10-0x00000000745E0000-0x0000000074D90000-memory.dmp
memory/2440-11-0x00000000716C0000-0x0000000071CC8000-memory.dmp
memory/2440-12-0x00000000716C0000-0x0000000071CC8000-memory.dmp
memory/2440-13-0x00000000716C0000-0x0000000071CC8000-memory.dmp
memory/2440-14-0x0000000072FF0000-0x0000000073079000-memory.dmp
memory/2440-16-0x00000000745E0000-0x0000000074D90000-memory.dmp
memory/2440-15-0x0000000005010000-0x000000000561C000-memory.dmp
memory/2440-19-0x0000000005010000-0x000000000561C000-memory.dmp
memory/2440-23-0x0000000005010000-0x000000000561C000-memory.dmp
memory/2440-21-0x0000000005010000-0x000000000561C000-memory.dmp
memory/2440-17-0x0000000005010000-0x000000000561C000-memory.dmp
memory/2440-25-0x0000000005670000-0x0000000005678000-memory.dmp
memory/2440-24-0x0000000005BB0000-0x0000000005C62000-memory.dmp
C:\Users\Admin\AppData\Roaming\chrome.exe
| MD5 | 92479f1615fd4fa1dd3ac7f2e6a1b329 |
| SHA1 | 0a6063d27c9f991be2053b113fcef25e071c57fd |
| SHA256 | 0c4917cc756e769e94ab97d626bef49713dab833525ba2e5d75fc9aea4c72569 |
| SHA512 | 9f117c74c04749e6d0142e1cf952a8c59428f649413750921fc7aea35a3ccb62d9975ef954e61ce323d6234e0e9c7b8816f2ca9270552b726f9233219750847c |
C:\Users\Admin\AppData\Local\Temp\S^X.exe
| MD5 | e2437ac017506bbde9a81fb1f618457b |
| SHA1 | adef2615312b31e041ccf700b3982dd50b686c7f |
| SHA256 | 94594fa46d0bd28c02365f0a32ec3a662b25df95f3f3e8e2a952c18a23895b12 |
| SHA512 | 9169f8be39b8fede38f7fce5a2e64d42630857e0ebd37f921c68ccf0bf0a8816f1682ba4659d22ad43413d99de62a59b2494494701404b44aa41c4d6bdc1e019 |
memory/732-51-0x0000000000860000-0x00000000008E4000-memory.dmp
memory/4156-53-0x0000000000CE0000-0x0000000000DAC000-memory.dmp
memory/732-54-0x0000000001160000-0x0000000001170000-memory.dmp
memory/4156-55-0x0000000005E40000-0x00000000063E4000-memory.dmp
memory/2440-57-0x00000000745E0000-0x0000000074D90000-memory.dmp
memory/4156-56-0x0000000005760000-0x00000000057F2000-memory.dmp
memory/2440-52-0x00000000716C0000-0x0000000071CC8000-memory.dmp
memory/4156-49-0x00000000745EE000-0x00000000745EF000-memory.dmp
memory/732-45-0x00007FFDE9263000-0x00007FFDE9265000-memory.dmp
memory/4156-63-0x0000000005880000-0x0000000005890000-memory.dmp
memory/4440-64-0x000000001BB40000-0x000000001BB90000-memory.dmp
memory/4440-65-0x000000001C490000-0x000000001C542000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\chrome.exe.log
| MD5 | baf55b95da4a601229647f25dad12878 |
| SHA1 | abc16954ebfd213733c4493fc1910164d825cac8 |
| SHA256 | ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924 |
| SHA512 | 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545 |
C:\Users\Admin\AppData\Local\Temp\iPLBKxt1WC44.bat
| MD5 | 32aef825be63bcc40908cd83eb177771 |
| SHA1 | 0b11d58c2deef587babcb1d3f294e67228071115 |
| SHA256 | 7b529ace3d3ca331f75a96deaecf606a145c1a71d3f7cb970ebf7381595b2c85 |
| SHA512 | 2d2e0c0870eaec8f296a34b50f40b566235b7031b959547072e81e2af7ebbe7b529eed78f30a67e368067e5aa91a31cdfcda993d1afae2402e5afd8e7fb07338 |
memory/4156-71-0x00000000745EE000-0x00000000745EF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\jw8jwv1muM1c.bat
| MD5 | 8ad9ecf8c866cbc46c7ea40752ce45f3 |
| SHA1 | d6a0cec73e038f2efcaba00bd1883f9c784a9b6f |
| SHA256 | abedd9fe91bb26a5e9077da7337b8a4faba52cbf97485e3b01d5a2bcb8f6c963 |
| SHA512 | 30d78bf9dabf89f97474230a3d2a257681ff6b0d595289d09f0bc63be5543d8fd72eeacaa0141115b084bce90b69fdb7e9899a8ce955eb50a5128417c798a7a4 |
C:\Users\Admin\AppData\Local\Temp\dkHmkajHTT4I.bat
| MD5 | b4a9da2695ae55dbdf12c716153ec43a |
| SHA1 | 7efd00af0d08d9a55c47c14ae9840efa0f80f2c4 |
| SHA256 | 031b33fe86751c6b304631cba907b811501c53cf3612d3922bee80cc3ee6156a |
| SHA512 | 92e374675aaae2a38ffae0508343353cc51e05c0b00a10e634ac5d268a3cca29b46ae4cffb85ce4df65d118772fcdf8157fb3f276b5f1cf72e70936bf1c095aa |
C:\Users\Admin\AppData\Local\Temp\oCLloocIWgCe.bat
| MD5 | a72308e4d3ff17bae641a4760ec74e68 |
| SHA1 | 0e50a6b1c59cb7f96deb1c350aedd3e59a9c35bb |
| SHA256 | 4916137e925a7ed19271a18fd0edac06b6da121c7a945879a2c195f984c91b55 |
| SHA512 | fa704fcd0bb8e0460949b960da59204f2bce559ef17b2478a10c229de9c20f9b543d4f34f17a9c868242a24930250d0152e79750e9549a834c42928d79360957 |
C:\Users\Admin\AppData\Local\Temp\kXVgFHorOD9V.bat
| MD5 | f42f84c5ca70c0b7b670b854942fe0c8 |
| SHA1 | 040bcc8a73d6ade33008dbf0e9dbef9811882c3d |
| SHA256 | 9ef726d8652326558dca08f26c7d3cbe699853366443db712836e6b9fc08c266 |
| SHA512 | 59ab5ef2bdb40fcaad9a99d032eb107c48ac1df79bf8a18a0631d4e243ff81264009731d4a3e9ac07c63774fce02ed682fbc6ddbe8f107e6a45f38c4850e1f89 |
C:\Users\Admin\AppData\Local\Temp\cYC8s2LejgpJ.bat
| MD5 | 7f7a2aa2bf22bba317ad637b3ae5a8f9 |
| SHA1 | bd26629ca9abf48ca1d5ca46c2d31fdfda2ae872 |
| SHA256 | 2c122bf9a7caa9d21390da058396153ed8ca5fb3045a3a77df2ae40bc325cdc3 |
| SHA512 | 4159164f7c6efb3300eddc9b921ae00e46aeabc9f7e9efa4ee73bce50139311e3cb479595e60da481e63fe3cc0cb5785e5ca18ba41e2a113d068c214772724a8 |
C:\Users\Admin\AppData\Local\Temp\SlbNZMxhQ8ee.bat
| MD5 | dbddf2bdc9122d2de24dbcc762cbec53 |
| SHA1 | 35bc674b0535ce9f7696a63182a0cbdc257db983 |
| SHA256 | edd9576b39647a6ca3d04eaf39334c9ede85d177dfd7dd6010d7e0f3927f8090 |
| SHA512 | 7e83cad9d3010ffde8ab7b17fc7debe9af4f4aee254bcae5e700f5484ed1c18768c7790b0d6464974da39d0f37c9c757caf5ec1865526e3744b18506c86e9828 |
C:\Users\Admin\AppData\Local\Temp\b3M9mwzxBOcg.bat
| MD5 | 90a179dbaa2dded91a67a5695db0c359 |
| SHA1 | 4edca612a918be99732aa4879d1267d658866590 |
| SHA256 | 46569d6e88a911a28259f0cde3c208c1349177166a726b941ca01e7a0703a584 |
| SHA512 | c1677d403ba12cfee37713f504a92b298f3de2effc39185a7cc413ff56e6878805dcf0227b93b4fe9f3a0b34ca0606bbe663f5ed2593518a4ba04d81e7175093 |
C:\Users\Admin\AppData\Local\Temp\toJjsTceVr7y.bat
| MD5 | c4e929969404ee6b7208a61c401ef8e2 |
| SHA1 | 0dbe4b238ed5f27868e77615367456f71c6faba2 |
| SHA256 | fd9b63d0245ce2c6ef9a94677c7e95e026a61107d4e59981ad02ccd373eef522 |
| SHA512 | be06820586dc75391f2c50ae4fbf1a97a57a05e938ffe5ef550bac68b5610f5eceb727c5de608506629c08892e15621f2fdf2f7a139a1e3d67feabb84be40dd6 |
C:\Users\Admin\AppData\Local\Temp\4vqmUZkhunXn.bat
| MD5 | bed43a1a0e39c4909d7e7a43158d952c |
| SHA1 | 1c8a493cc296116c751fb878a5529969c128bdbb |
| SHA256 | 6ed6413fc9bf60dc4ffae386ccd38c8d47434c4fecf06fc687f95cfa26ff7798 |
| SHA512 | 960f491a10797332e8454939ba121baf2adb46d485452c2f8bef0a0dfbc233a12d49baa149727a25dc6d4b47d98a994991e2873079ea64d423ffa3ca6c5da1c5 |
C:\Users\Admin\AppData\Local\Temp\l1j8jFR5fYZ7.bat
| MD5 | e9973f9d6eb9046c377e3462582de826 |
| SHA1 | 99f4b3bb9ff5e613209864cab89e7720add7cb93 |
| SHA256 | acc2d609b0b12d755b031de42d85199b57f087ad641925f61c9103397857c2eb |
| SHA512 | dd20089fcad461b78e30ca08faf0705973697822046c21376c601d60a8e933a6f446c23a785b5027170dd9a4a481711defef8b26444e87f9c6d2f07837f62bbe |
C:\Users\Admin\AppData\Local\Temp\SVrdSM8UGvGR.bat
| MD5 | de1fbf444e8f7c6b1a57fd9b1e093333 |
| SHA1 | 0e109a986f8eefb9a88c7ee8d9450d7ae33a6dae |
| SHA256 | c30551ffdf945c0405540f4ad7f7404a31976d8f884a002bac744decf8519518 |
| SHA512 | d4a00e44660c3c46802de4a481521bb3c304f5bff99b328b6799bb5876e61bb80bfaaf056856e4d0d906695e770ee996d19d81b5d379e79c879c619cd0d15813 |
C:\Users\Admin\AppData\Local\Temp\6dSb353Tjp0l.bat
| MD5 | 2d6f0bbb33fb79c29e605f556bd301f7 |
| SHA1 | 065dfd91965ac7464e379805c0681278c1b86707 |
| SHA256 | 4a3075f1642207eb39cee09ea9bf60cd07df7cecf694ffb8b78683fad52453c2 |
| SHA512 | d404444ad2bf51ee7f1d2b2c7751f3ca8182b4b44b16ff3fc3d568427ac5439af89ad6ddea75d8ec9f0c1ee7ec7b4bbea72e89a3228dae645b79f2cb59d25cef |