Malware Analysis Report

2024-11-15 08:36

Sample ID 240901-r8y5qsthmf
Target 03778d811f241e83ccad830372313b3c.zip
SHA256 75a58e896b1e5f70dceb2bc8e189ec19f600cb2df28196af4ba05711bea7ce3f
Tags
agilenet quasar chrome discovery evasion spyware themida trojan
score
10/10


Analysis Overview

Threat Level: Known bad

The file 03778d811f241e83ccad830372313b3c.zip was found to be: Known bad.

The archive was unpacked for detonation; the file actually executed in both behavioral runs is C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe (see the Command Line entries of each run).

Malicious Activity Summary

Quasar RAT

Quasar payload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Obfuscated with Agile.Net obfuscator

Themida packer

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

System Network Configuration Discovery: Internet Connection Discovery

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

Runs ping.exe


Analysis: static1

Detonation Overview

Reported

2024-09-01 14:52

Signatures

Obfuscated with Agile.Net obfuscator

agilenet
1 match; no indicator details recorded.

Unsigned PE

1 match; no indicator details recorded.

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-01 14:52

Reported

2024-09-01 14:55

Platform

win7-20240704-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

9 matches; no indicator details recorded.

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet
7 matches; no indicator details recorded.

Themida packer

themida
5 matches; no indicator details recorded.

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe N/A

The ThreadHideFromDebugger information class (0x11) stops the calling thread from delivering debug events, so an attached debugger silently loses control of it. It is a stock anti-debugging step of commercial protectors, consistent with the Themida detection above, and is not on its own evidence of RAT functionality.

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\S^X.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
11 matches, all from C:\Windows\system32\PING.EXE; no description or indicator recorded. The invocations are "ping -n 10 localhost" (see Processes), used as a delay before the implant is relaunched rather than as a real connectivity check, so the Internet Connection Discovery mapping is a signature artifact here.

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\S^X.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe N/A (11 rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
Each parent/child pair is listed once with the number of rows the sandbox recorded for it. The pairs line up exactly with the process launches in the Processes section, so this table documents process creation (the parent writing into the new child) rather than injection into unrelated processes.

PID 2732 wrote to memory of 2612 (4 rows): C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe -> C:\Users\Admin\AppData\Roaming\chrome.exe
PID 2732 wrote to memory of 2628 (4 rows): C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe -> C:\Users\Admin\AppData\Local\Temp\S^X.exe
PID 2612 wrote to memory of 916 (3 rows): C:\Users\Admin\AppData\Roaming\chrome.exe -> C:\Windows\system32\schtasks.exe
PID 2612 wrote to memory of 432 (3 rows): C:\Users\Admin\AppData\Roaming\chrome.exe -> C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 432 wrote to memory of 2764 (3 rows): C:\Users\Admin\AppData\Roaming\chrome\chrome.exe -> C:\Windows\system32\schtasks.exe
PID 432 wrote to memory of 2828 (3 rows): C:\Users\Admin\AppData\Roaming\chrome\chrome.exe -> C:\Windows\system32\cmd.exe
PID 2828 wrote to memory of 2912 (3 rows): C:\Windows\system32\cmd.exe -> C:\Windows\system32\chcp.com
PID 2828 wrote to memory of 2924 (3 rows): C:\Windows\system32\cmd.exe -> C:\Windows\system32\PING.EXE
PID 2828 wrote to memory of 820 (3 rows): C:\Windows\system32\cmd.exe -> C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 820 wrote to memory of 2140 (3 rows): C:\Users\Admin\AppData\Roaming\chrome\chrome.exe -> C:\Windows\system32\schtasks.exe
PID 820 wrote to memory of 2168 (3 rows): C:\Users\Admin\AppData\Roaming\chrome\chrome.exe -> C:\Windows\system32\cmd.exe
PID 2168 wrote to memory of 1984 (3 rows): C:\Windows\system32\cmd.exe -> C:\Windows\system32\chcp.com
PID 2168 wrote to memory of 2072 (3 rows): C:\Windows\system32\cmd.exe -> C:\Windows\system32\PING.EXE
PID 2168 wrote to memory of 2492 (3 rows): C:\Windows\system32\cmd.exe -> C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 2492 wrote to memory of 2104 (3 rows): C:\Users\Admin\AppData\Roaming\chrome\chrome.exe -> C:\Windows\system32\schtasks.exe
PID 2492 wrote to memory of 2088 (3 rows): C:\Users\Admin\AppData\Roaming\chrome\chrome.exe -> C:\Windows\system32\cmd.exe
PID 2088 wrote to memory of 556 (3 rows): C:\Windows\system32\cmd.exe -> C:\Windows\system32\chcp.com
PID 2088 wrote to memory of 1432 (3 rows): C:\Windows\system32\cmd.exe -> C:\Windows\system32\PING.EXE
PID 2088 wrote to memory of 1468 (3 rows): C:\Windows\system32\cmd.exe -> C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 1468 wrote to memory of 1616 (3 rows): C:\Users\Admin\AppData\Roaming\chrome\chrome.exe -> C:\Windows\system32\schtasks.exe
PID 1468 wrote to memory of 3056 (2 rows, table ends here): C:\Users\Admin\AppData\Roaming\chrome\chrome.exe -> C:\Windows\system32\cmd.exe
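The WriteProcessMemory rows are one-per-call and read far better as a tree. The script below is an added example written for this report, not sandbox code: it parses rows in the raw "PID A wrote to memory of B" format (the same format as the behavioral2 table further down), collapses duplicate rows into one edge per parent/child pair with a count, prints an indented tree, and flags the edges that form the AppData-binary -> schtasks/cmd -> relaunch chain. The input is a constructed subset of this table's rows plus one all-N/A row; the rule and function names are my own.

```python
"""Rebuild the process tree from Triage-style WriteProcessMemory rows.

Added example for this report, not sandbox code. The sandbox logs one row per
WriteProcessMemory call, and a parent writes into its child's address space
while creating it, so every ordinary launch appears here, usually several
times. We collapse the rows into one edge per parent/child pair with a count,
print the tree, and flag the edges that make up the persistence/relaunch chain.
"""
import re
from collections import Counter, defaultdict

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)

# Constructed input: a subset of the report's rows, plus one row with no
# indicator data (as the other signature tables contain) to show it is skipped.
SAMPLE_ROWS = r"""
N/A N/A N/A N/A
PID 2732 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe C:\Users\Admin\AppData\Roaming\chrome.exe
PID 2732 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe C:\Users\Admin\AppData\Roaming\chrome.exe
PID 2732 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe C:\Users\Admin\AppData\Roaming\chrome.exe
PID 2732 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe C:\Users\Admin\AppData\Roaming\chrome.exe
PID 2732 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe C:\Users\Admin\AppData\Local\Temp\S^X.exe
PID 2612 wrote to memory of 916 N/A C:\Users\Admin\AppData\Roaming\chrome.exe C:\Windows\system32\schtasks.exe
PID 2612 wrote to memory of 432 N/A C:\Users\Admin\AppData\Roaming\chrome.exe C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 432 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\schtasks.exe
PID 432 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\cmd.exe
PID 2828 wrote to memory of 2912 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2828 wrote to memory of 2924 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2828 wrote to memory of 820 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"""


def parse_rows(text):
    """Return ({(parent_pid, child_pid): row_count}, {pid: image_path})."""
    edges, images = Counter(), {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # header rows and all-N/A rows carry no edge
        ppid, cpid = int(m.group(1)), int(m.group(2))
        edges[(ppid, cpid)] += 1
        images[ppid], images[cpid] = m.group(3), m.group(4)
    return edges, images


def build_tree(edges):
    """Return (root_pids, {parent_pid: [(child_pid, row_count), ...]})."""
    children = defaultdict(list)
    for (ppid, cpid), n in sorted(edges.items()):
        children[ppid].append((cpid, n))
    child_pids = {c for _, c in edges}
    roots = sorted({p for p, _ in edges} - child_pids)
    return roots, children


def render_tree(edges, images):
    """Indented text tree, one process per line, with the row count per edge."""
    roots, children = build_tree(edges)
    lines, seen = [], set()

    def walk(pid, depth, count):
        if pid in seen:  # guard against malformed input containing cycles
            return
        seen.add(pid)
        note = f"  [{count} write(s)]" if count else ""
        lines.append(f"{'    ' * depth}{pid}  {images[pid]}{note}")
        for cpid, n in children.get(pid, []):
            walk(cpid, depth + 1, n)

    for root in roots:
        walk(root, 0, 0)
    return "\n".join(lines)


def suspicious_edges(edges, images):
    """Edges matching the report's chain: a binary under AppData spawning
    schtasks.exe or cmd.exe, or cmd.exe starting a binary under AppData."""
    hits = []
    for ppid, cpid in sorted(edges):
        parent, child = images[ppid], images[cpid]
        pname = parent.rsplit("\\", 1)[-1].lower()
        cname = child.rsplit("\\", 1)[-1].lower()
        if USER_WRITABLE_RE.search(parent) and cname in ("schtasks.exe", "cmd.exe"):
            hits.append((ppid, cpid, f"{pname} under AppData spawned {cname}"))
        elif pname == "cmd.exe" and USER_WRITABLE_RE.search(child):
            hits.append((ppid, cpid, f"cmd.exe relaunched {cname} from AppData"))
    return hits


if __name__ == "__main__":
    edges, images = parse_rows(SAMPLE_ROWS)
    print(render_tree(edges, images))
    for ppid, cpid, why in suspicious_edges(edges, images):
        print(f"FLAG {ppid} -> {cpid}: {why}")
```

Run on the full table the tree bottoms out in the repeating chrome\chrome.exe -> schtasks.exe + cmd.exe -> chcp.com, PING.EXE, chrome\chrome.exe pattern; the counts are what distinguish a handful of writes during process creation from the large, one-sided write volume a real injection into an unrelated process would show.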

Uses Task Scheduler COM API

persistence

Processes

The list below is the flattened process tree. Five distinct launches precede a relaunch cycle that then repeats with only the batch file name changing; the cycle is shown once, followed by the batch files it was observed with.

C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe

"C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe"

C:\Users\Admin\AppData\Roaming\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome.exe"

C:\Users\Admin\AppData\Local\Temp\S^X.exe

"C:\Users\Admin\AppData\Local\Temp\S^X.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

Relaunch cycle, started by each chrome\chrome.exe instance. It ran 11 times within the 150 s window; the batch files were, in order, XNfYcUu3iswT.bat, 5nRGSyfhBM5h.bat, QBMQCO6uJOfD.bat, EPrbzEjoAZ0Y.bat, 4x1VlMn8cvQA.bat, Cl5Gb7yvsur3.bat, N78bzO93wEzv.bat, Lu5hkh4jCKCn.bat, 7nMvm0NFUT4P.bat, F0pdR8lbCKtt.bat and lkZdCuLxZmyb.bat, and the first 10 of them were followed by a fresh chrome\chrome.exe before the run ended:

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\<batch file>.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

Notes: the task is re-created under the same name ("System") with /f on every cycle, so only one task exists at a time. /rl HIGHEST runs it with the highest privilege level available to the creating account, which from an elevated context means elevated at every logon with no UAC prompt. chcp 65001 switches the console to UTF-8, and ping -n 10 localhost is a roughly nine-second sleep, the usual cmd substitute for a timer before the batch file starts the implant again. The batch files' contents are not shown in this report; only their hashes are, under Files.
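The three behaviours that make this process list recognisable (an ONLOGON task pointed at a binary under AppData with /rl HIGHEST, batch files launched from %TEMP%, and ping-to-localhost sleeps before each relaunch) are easy to turn into command-line rules. The script below is an added example for this report, not code from the sandbox or from Quasar; the process list it runs over is constructed from the command lines in this section, and the rule and function names are my own.

```python
"""Score a sandbox process list for the persistence and relaunch pattern above.

Added example for this report, not sandbox or Quasar code. Three behaviours
from the Processes section become rules: a `schtasks /create` whose /tr
target lives under a user-writable AppData path (with ONLOGON/ONSTART plus
/rl HIGHEST as an aggravating rule), a batch file launched from %TEMP%, and a
`ping -n N localhost` sleep. analyze() also counts how often a sleep is
followed by a fresh instance of an AppData binary, i.e. one relaunch cycle.
"""
import re

TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')
USER_WRITABLE_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.IGNORECASE)
BAT_RE = re.compile(r'([a-z]:\\[^"]*?\.bat)', re.IGNORECASE)
PING_RE = re.compile(r"^ping(?:\.exe)?\s+-n\s+(\d+)\s+(?:localhost|127\.0\.0\.1)\b", re.IGNORECASE)

# Constructed input: the first two relaunch cycles from the Processes section.
SAMPLE_PROCESS_LIST = [
    r'"C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe"',
    r'"C:\Users\Admin\AppData\Roaming\chrome.exe"',
    r'"C:\Users\Admin\AppData\Local\Temp\S^X.exe"',
    r'"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome.exe" /rl HIGHEST /f',
    r'"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"',
    r'"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f',
    r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\XNfYcUu3iswT.bat" "',
    r'chcp 65001',
    r'ping -n 10 localhost',
    r'"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"',
    r'"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f',
    r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\5nRGSyfhBM5h.bat" "',
    r'chcp 65001',
    r'ping -n 10 localhost',
    r'"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"',
]


def tokenize(cmdline):
    """Split a Windows command line on whitespace, un-quoting quoted arguments."""
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmdline)]


def parse_schtasks(cmdline):
    """Return {'tn', 'sc', 'tr', 'rl', 'f'} for a `schtasks /create` line, else None."""
    toks = tokenize(cmdline)
    if not toks or toks[0].lower() not in ("schtasks", "schtasks.exe"):
        return None
    lowered = [t.lower() for t in toks]
    if "/create" not in lowered:
        return None
    opts = {"f": "/f" in lowered}
    for i, switch in enumerate(lowered[:-1]):
        if switch in ("/tn", "/sc", "/tr", "/rl"):
            opts[switch[1:]] = toks[i + 1]
    return opts


def classify(cmdline):
    """Return the rule names one command line triggers (empty list if none)."""
    rules = []
    opts = parse_schtasks(cmdline)
    if opts:
        if USER_WRITABLE_RE.match(opts.get("tr", "")):
            rules.append("schtasks_target_in_appdata")
        if opts.get("sc", "").upper() in ("ONLOGON", "ONSTART") and opts.get("rl", "").upper() == "HIGHEST":
            rules.append("schtasks_onlogon_highest")
    bat = BAT_RE.search(cmdline)
    if bat and re.search(r"\\temp\\", bat.group(1), re.IGNORECASE):
        rules.append("batch_from_temp")
    if PING_RE.match(cmdline.strip()):
        rules.append("ping_localhost_sleep")
    return rules


def ping_sleep_seconds(cmdline):
    """Delay implied by `ping -n N localhost`: about 1 s between echoes, so N-1 seconds."""
    m = PING_RE.match(cmdline.strip())
    return max(int(m.group(1)) - 1, 0) if m else None


def analyze(cmdlines):
    """Return ([(cmdline, rules), ...], relaunch_cycles) for an ordered process list.
    A cycle is counted each time a ping sleep is followed by a new process whose
    image lives under AppData (the batch file starting the implant again)."""
    findings, cycles, armed = [], 0, False
    for cmd in cmdlines:
        rules = classify(cmd)
        if rules:
            findings.append((cmd, rules))
        toks = tokenize(cmd)
        image = toks[0] if toks else ""
        if "ping_localhost_sleep" in rules:
            armed = True
        elif armed and USER_WRITABLE_RE.match(image):
            cycles += 1
            armed = False
    return findings, cycles


if __name__ == "__main__":
    hits, n = analyze(SAMPLE_PROCESS_LIST)
    for cmd, rules in hits:
        print(", ".join(rules).ljust(50), cmd)
    print(f"relaunch cycles observed: {n}")
```

The schtasks rule deliberately keys on the /tr path and run level rather than on the task name "System", which the operator can change at build time; the relaunch counter is the cheap way to tell a one-off installer from the self-restarting loop seen here.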

Network

Country Destination Domain Proto
US 8.8.8.8:53 synapse.to udp
US 104.21.21.210:443 synapse.to tcp
US 8.8.8.8:53 live.nodenet.ml udp

The two 8.8.8.8:53 rows are the sandbox's DNS lookups. Only synapse.to went on to a TCP connection (104.21.21.210:443); live.nodenet.ml was resolved but no connection to it was recorded within the run.

Files

memory/2732-0-0x0000000073CCE000-0x0000000073CCF000-memory.dmp

memory/2732-1-0x0000000000250000-0x0000000000864000-memory.dmp

memory/2732-2-0x0000000005470000-0x0000000005A82000-memory.dmp

memory/2732-6-0x0000000073CC0000-0x00000000743AE000-memory.dmp

\Users\Admin\AppData\Local\Temp\45b8c97f-5cf8-49f5-b76c-0fc91adff9fb\AgileDotNetRT.dll

MD5 2d86c4ad18524003d56c1cb27c549ba8
SHA1 123007f9337364e044b87deacf6793c2027c8f47
SHA256 091ab8a1acdab40c544bd1e5c91a96881acc318cac4df5235e1b5673f5489280
SHA512 0dd5204733b3c20932aeea2cebf0ca1eeca70e4b3b3b8932d78d952a8f762f0b96ebdbdaf217e95889c02ec6a39b8f9919fd4c0cba56bb629256e71fa61faa3c

memory/2732-10-0x00000000736B0000-0x0000000073CB8000-memory.dmp

memory/2732-11-0x00000000736B0000-0x0000000073CB8000-memory.dmp

memory/2732-12-0x00000000736B0000-0x0000000073CB8000-memory.dmp

memory/2732-13-0x0000000073CC0000-0x00000000743AE000-memory.dmp

memory/2732-21-0x0000000005470000-0x0000000005A7C000-memory.dmp

memory/2732-19-0x0000000005470000-0x0000000005A7C000-memory.dmp

memory/2732-17-0x0000000005470000-0x0000000005A7C000-memory.dmp

memory/2732-15-0x0000000005470000-0x0000000005A7C000-memory.dmp

memory/2732-22-0x0000000005470000-0x0000000005A7C000-memory.dmp

memory/2732-14-0x0000000074650000-0x00000000746D0000-memory.dmp

memory/2732-23-0x0000000004DA0000-0x0000000004E52000-memory.dmp

memory/2732-24-0x0000000000BA0000-0x0000000000BA8000-memory.dmp

C:\Users\Admin\AppData\Roaming\chrome.exe

MD5 92479f1615fd4fa1dd3ac7f2e6a1b329
SHA1 0a6063d27c9f991be2053b113fcef25e071c57fd
SHA256 0c4917cc756e769e94ab97d626bef49713dab833525ba2e5d75fc9aea4c72569
SHA512 9f117c74c04749e6d0142e1cf952a8c59428f649413750921fc7aea35a3ccb62d9975ef954e61ce323d6234e0e9c7b8816f2ca9270552b726f9233219750847c

C:\Users\Admin\AppData\Local\Temp\S^X.exe

MD5 e2437ac017506bbde9a81fb1f618457b
SHA1 adef2615312b31e041ccf700b3982dd50b686c7f
SHA256 94594fa46d0bd28c02365f0a32ec3a662b25df95f3f3e8e2a952c18a23895b12
SHA512 9169f8be39b8fede38f7fce5a2e64d42630857e0ebd37f921c68ccf0bf0a8816f1682ba4659d22ad43413d99de62a59b2494494701404b44aa41c4d6bdc1e019

memory/2732-39-0x0000000073CC0000-0x00000000743AE000-memory.dmp

memory/2732-40-0x00000000736B0000-0x0000000073CB8000-memory.dmp

memory/2628-41-0x0000000000FD0000-0x000000000109C000-memory.dmp

memory/2612-42-0x0000000001000000-0x0000000001084000-memory.dmp

memory/432-47-0x0000000000270000-0x00000000002F4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XNfYcUu3iswT.bat

MD5 7ab048444f99dc78730d65e251fce2ce
SHA1 2ec8d4ee477b6476a37c22bd11cb6bc7c7989ad6
SHA256 a26a31fc0cda9de364dc0f4ee8ad0df7622b249778a87d964c6c8d80f27bd553
SHA512 8ad228ebd54dd1a61893091326a6a20819a0a3d0e5547724318d1441229f2507f8dfa29c1099517f2f0ada5c1d784d8aa50f433d85d04d5bc23b59e542dece72

memory/820-58-0x0000000000E50000-0x0000000000ED4000-memory.dmp

\??\PIPE\lsarpc (named-pipe handle recorded as a zero-length file; the hashes below are those of empty input)

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\5nRGSyfhBM5h.bat

MD5 e14d6395cf317e985c24c837b558b784
SHA1 4a2e1f5db21c6167c4455a42aaea5337b882ff88
SHA256 675edc91b79da25f1e38340c690abcac612b61a5fef9da5d9644440c426af906
SHA512 e80c22297540a92b1c2c13c2d3df87e25c0b85f92ba8ddc91d25891ed179ef4c85265e3bcce4771d16818238cb3efb96cc682ce1488c85b54d692eaaa9ca9083

memory/2492-70-0x0000000000110000-0x0000000000194000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QBMQCO6uJOfD.bat

MD5 9a0494e2d3401369a3ee7d65e847df6f
SHA1 5e7522b1d60a67dfea9c2b810830925a6b3fd14b
SHA256 f142d40d188e1386c7f5bdf9d8789665f72ab3ef396dfbee0396fd999ee9cdef
SHA512 b3e7351f51984ef38ae7bf7890cf0aa4d182e2d283a234e8ae88a1646b2373415b83417ed42b1f9986d34d5271b28fb2a9c1d332a99832345598add2ddab7939

memory/1468-81-0x0000000001340000-0x00000000013C4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EPrbzEjoAZ0Y.bat

MD5 fefad7610cd6a79a5c55a728cd67a1f7
SHA1 129fc4d917704236c8776f465bca97cf5434f122
SHA256 b6e24fff63a2d3fb8ac3ce4e84c0520c3f21f358700b9b4d76203587e5f23220
SHA512 c2335065b8c373b7520fea88c7223e33bf607d54067d449ec1752805ba7bc1f5304268140ddee9ec9654bbb0ca263b26a6b457dfd2ad7367a3c6580900df480a

C:\Users\Admin\AppData\Local\Temp\4x1VlMn8cvQA.bat

MD5 2891da17ebc201d8103dc9e0b6296edf
SHA1 8958214a386903a2e4ec810fbe9336b96a2be55c
SHA256 20e9c7a83b47910899c791596816ccaa7e500149724a17e0076b6a8448bc490b
SHA512 0f6206fe6540f23e1bad61d15424dbdcef4d9998921060034710ac644790e7690edcb62a8084c83b7617e71a165987b6130c85b0e04d51dcc9058fb1f8dc1a95

C:\Users\Admin\AppData\Local\Temp\Cl5Gb7yvsur3.bat

MD5 033d5ffe31164647f585077f09afbc5b
SHA1 d5d95c1804b929ecf27e1c1a2c3d174d7dc4ef5a
SHA256 1404fb0265b07c203f1cdd2cf3b9438c90ae94b2159e6f4bcc894d2720f2cc6a
SHA512 ed79f7572de1ae19d2363cd871d2b87098ba7bebd1e9c15b488039a835123d5a1d15593a6c94c70ac1a82cb073182debb66de649e5b3132bf0ba0e96b9d97ad0

C:\Users\Admin\AppData\Local\Temp\N78bzO93wEzv.bat

MD5 536fd0e7b6d79dbed89ece6968a3fe0b
SHA1 2f6d53432d2b0a04345bb7f0452d9b13a6dcc939
SHA256 4324999caf8abac61dec6669d3ba77b872a461c19ad3233f80b8649838985f1c
SHA512 6f7ac076b7c8ec0a5bf94cc2a3246008e6e88dbe9af8015af0f6129eb48bc248102ef8d3b49612c3ca39c770c59cefb3427f27cc0976523643c8c4a02638964d

memory/2916-124-0x00000000001D0000-0x0000000000254000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Lu5hkh4jCKCn.bat

MD5 41e0da7e64b0fb0520387a433484a812
SHA1 14728937f290685bb4e772a7a9afac9e09e648a3
SHA256 8e6d9afca7f918959adf5dbdd518607c05dbbfb737910bc036d523c476b644b5
SHA512 0db14d2cefadd8028db5e2b9566825c8993fdc22f8aab2c0d0d75cc7701fdecce9bb4fc8874f39b5079254c54427a19ab29d44f4e812462da03a42a939659233

memory/2184-135-0x0000000000D90000-0x0000000000E14000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7nMvm0NFUT4P.bat

MD5 97eafdcf9b41d68a97e8c734cfe93776
SHA1 94158cca9aed3a1836b9f0a7dffab47c8ee0c93f
SHA256 e4308e256c505bf59376ee3c72e9203eca5654eecca0e8358686f971379cc115
SHA512 b5e98faf0fa88e4df1e634856788eaac91c638a2bda01605f3e898e62f5e47ea6e53e40ff2486be9ddb2c085610935b217e5ca96c5bc2b4382dc6e2c14f46269

memory/1164-146-0x0000000000EB0000-0x0000000000F34000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F0pdR8lbCKtt.bat

MD5 a2b33eef0f9f210a7223fc69f1c2da90
SHA1 49d76b7d7b6b19e6238654be238cbc1a2fca1909
SHA256 88d19ba40fc06e860d7a78027c341e6d12f8c95d8fe35382382fd762a2a84480
SHA512 b0df5f593577e774ee1d750dd2e18855cc1c564cdf5a2d9ebd3710accc882cd74e7883a56a100f0322f6a8d6a01ec0b5279c06904122a6917c46390ce29ef3c2

C:\Users\Admin\AppData\Local\Temp\lkZdCuLxZmyb.bat

MD5 65f9c9d774ac143421cc701086cd56d2
SHA1 c0cc65ef011b25f01dfcffa8bcd5152164b53bef
SHA256 5b57f5a4d40693927edb11ba1a46ab879b8860985c2d5749367900f1079fa088
SHA512 2ef64675287088025a9c678ce97d40383bb6f0c7d32d28785ddbda9b4f9dd1138cc4f4b7b851357f206dcd699e14d258a4b77928cb9a6aad1c531fa233e93301

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-01 14:52

Reported

2024-09-01 14:55

Platform

win10v2004-20240802-en

Max time kernel

142s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

2 matches; no indicator details recorded.

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\chrome\chrome.exe N/A (13 rows)

Obfuscated with Agile.Net obfuscator

agilenet
7 matches; no indicator details recorded.

Themida packer

themida
5 matches; no indicator details recorded.

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\S^X.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
13 matches, all from C:\Windows\system32\PING.EXE; no description or indicator recorded.

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\S^X.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe N/A (13 rows)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2440 wrote to memory of 732 N/A C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe C:\Users\Admin\AppData\Roaming\chrome.exe
PID 2440 wrote to memory of 732 N/A C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe C:\Users\Admin\AppData\Roaming\chrome.exe
PID 2440 wrote to memory of 4156 N/A C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe C:\Users\Admin\AppData\Local\Temp\S^X.exe
PID 2440 wrote to memory of 4156 N/A C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe C:\Users\Admin\AppData\Local\Temp\S^X.exe
PID 2440 wrote to memory of 4156 N/A C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe C:\Users\Admin\AppData\Local\Temp\S^X.exe
PID 732 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Roaming\chrome.exe C:\Windows\SYSTEM32\schtasks.exe
PID 732 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Roaming\chrome.exe C:\Windows\SYSTEM32\schtasks.exe
PID 732 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Roaming\chrome.exe C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 732 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Roaming\chrome.exe C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 4440 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4440 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4440 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\cmd.exe
PID 4440 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\cmd.exe
PID 2880 wrote to memory of 1884 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2880 wrote to memory of 1884 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2880 wrote to memory of 3252 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2880 wrote to memory of 3252 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2880 wrote to memory of 1004 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 2880 wrote to memory of 1004 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 1004 wrote to memory of 876 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\SYSTEM32\schtasks.exe
PID 1004 wrote to memory of 876 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\SYSTEM32\schtasks.exe
PID 1004 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\cmd.exe
PID 1004 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\cmd.exe
PID 1580 wrote to memory of 3884 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1580 wrote to memory of 3884 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1580 wrote to memory of 2440 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 1580 wrote to memory of 2440 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 1580 wrote to memory of 2948 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 1580 wrote to memory of 2948 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 2948 wrote to memory of 3396 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2948 wrote to memory of 3396 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2948 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\cmd.exe
PID 2948 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\cmd.exe
PID 1764 wrote to memory of 2804 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1764 wrote to memory of 2804 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1764 wrote to memory of 2628 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 1764 wrote to memory of 2628 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 1764 wrote to memory of 3604 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 1764 wrote to memory of 3604 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 3604 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\SYSTEM32\schtasks.exe
PID 3604 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\SYSTEM32\schtasks.exe
PID 3604 wrote to memory of 912 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\cmd.exe
PID 3604 wrote to memory of 912 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\cmd.exe
PID 912 wrote to memory of 1864 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 912 wrote to memory of 1864 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 912 wrote to memory of 812 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 912 wrote to memory of 812 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 912 wrote to memory of 2208 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 912 wrote to memory of 2208 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 2208 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2208 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2208 wrote to memory of 672 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\cmd.exe
PID 2208 wrote to memory of 672 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\cmd.exe
PID 672 wrote to memory of 2052 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 672 wrote to memory of 2052 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 672 wrote to memory of 2532 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 672 wrote to memory of 2532 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 672 wrote to memory of 2792 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 672 wrote to memory of 2792 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 2792 wrote to memory of 184 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2792 wrote to memory of 184 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2792 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\cmd.exe
PID 2792 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\cmd.exe
PID 2764 wrote to memory of 1452 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
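The WriteProcessMemory rows above are the only place this report records who launched whom, and reading them by PID alone is unsafe: PID 2440 is the original sample at the top of the table and a PING.EXE child of cmd.exe further down, because the sandbox recycled the number after the sample exited. The following is an added example, not part of the report or of any sandbox tooling, that rebuilds the launch chain from a subset of those rows copied verbatim, keying every node on (PID, image path) so the recycled PID becomes two distinct nodes. The column layout is assumed from the table header above; the function names are mine.

```python
import re

# Rows copied verbatim from the "Suspicious use of WriteProcessMemory" table
# above (a subset, enough to show the whole launch chain and the PID reuse).
# The report prints one row per WriteProcessMemory call, so duplicate rows
# are real events, not extraction noise.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe"
ROWS = rf"""
PID 2440 wrote to memory of 732 N/A {SAMPLE} C:\Users\Admin\AppData\Roaming\chrome.exe
PID 2440 wrote to memory of 732 N/A {SAMPLE} C:\Users\Admin\AppData\Roaming\chrome.exe
PID 2440 wrote to memory of 4156 N/A {SAMPLE} C:\Users\Admin\AppData\Local\Temp\S^X.exe
PID 732 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Roaming\chrome.exe C:\Windows\SYSTEM32\schtasks.exe
PID 732 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Roaming\chrome.exe C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 4440 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4440 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\cmd.exe
PID 2880 wrote to memory of 1884 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2880 wrote to memory of 3252 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2880 wrote to memory of 1004 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 1004 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\cmd.exe
PID 1580 wrote to memory of 2440 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
"""

# Assumed row layout, taken from the table header:
# "PID <src> wrote to memory of <dst> <indicator> <src image> <dst image>".
# Image paths in this report carry no spaces, so a whitespace split is safe.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\S+) (\S+) (\S+)$")


def parse_rows(text):
    """Return (parent, child) pairs; a node is (pid, image path)."""
    edges = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        src, dst, _indicator, src_img, dst_img = m.groups()
        edges.append(((int(src), src_img), (int(dst), dst_img)))
    return edges


def build_tree(edges):
    """Map each node to its ordered, de-duplicated children.

    Keying on (pid, image) rather than pid alone is what keeps the tree
    correct when the sandbox recycles a PID for an unrelated process.
    """
    tree = {}
    for parent, child in edges:
        tree.setdefault(parent, [])
        tree.setdefault(child, [])
        if child not in tree[parent]:
            tree[parent].append(child)
    return tree


def roots(tree):
    """Nodes that never appear as somebody's child."""
    children = {c for kids in tree.values() for c in kids}
    return [n for n in tree if n not in children]


def reused_pids(tree):
    """PIDs seen with more than one image, i.e. recycled during the run."""
    seen = {}
    for pid, image in tree:
        seen.setdefault(pid, set()).add(image)
    return {pid: imgs for pid, imgs in seen.items() if len(imgs) > 1}


def render(tree):
    """Indented process tree, one node per line, file name and PID only."""
    lines = []

    def walk(node, depth):
        pid, image = node
        name = image.rsplit("\\", 1)[-1]
        lines.append(f"{'  ' * depth}{name} ({pid})")
        for child in tree[node]:
            walk(child, depth + 1)

    for r in roots(tree):
        walk(r, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    t = build_tree(parse_rows(ROWS))
    print(render(t))
    print("recycled PIDs:", reused_pids(t))
```

On these rows the tree has a single root (the sample), two direct children (chrome.exe and S^X.exe), and the chain chrome.exe -> chrome\chrome.exe -> cmd.exe -> chrome\chrome.exe -> cmd.exe repeating, which is the relaunch loop visible in the Processes list further down. A tree built on PID alone would have attached that loop's last PING.EXE to the sample's subtree as a cycle.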

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe

"C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe"

C:\Users\Admin\AppData\Roaming\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome.exe"

C:\Users\Admin\AppData\Local\Temp\S^X.exe

"C:\Users\Admin\AppData\Local\Temp\S^X.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4400,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=3864 /prefetch:8

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iPLBKxt1WC44.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jw8jwv1muM1c.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dkHmkajHTT4I.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oCLloocIWgCe.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kXVgFHorOD9V.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cYC8s2LejgpJ.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SlbNZMxhQ8ee.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\b3M9mwzxBOcg.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\toJjsTceVr7y.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4vqmUZkhunXn.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\l1j8jFR5fYZ7.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SVrdSM8UGvGR.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6dSb353Tjp0l.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost
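The command lines above repeat one pattern: schtasks creates (with /f, so re-creates) an ONLOGON task named "System" with /rl HIGHEST pointing at a copy of the RAT under the user's profile, then a .bat dropped in Temp runs chcp 65001, waits with ping -n 10 localhost, and relaunches chrome\chrome.exe. The following is an added example, not the report's own tooling, that runs those three checks over the command lines as logged here plus two constructed benign lines (marked in the code) so the rules have something to leave alone. The rule tags, the "user-writable path" heuristic and the function names are my assumptions, not anything the report defines.

```python
import re

# Command lines copied from the Processes list above, followed by two
# constructed benign lines (not from the report) that must not be flagged.
CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\S^X.exe"',
    r'"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome.exe" /rl HIGHEST /f',
    r'"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f',
    r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iPLBKxt1WC44.bat" "',
    r'chcp 65001',
    r'ping -n 10 localhost',
    # constructed benign examples, not from the report
    r'schtasks /create /tn "Backup" /sc DAILY /st 02:00 /tr "C:\Program Files\Backup\backup.exe"',
    r'ping -n 1 10.0.0.1',
]

# Assumed heuristic: locations an unprivileged user can write to, where a
# task target or launcher script has no business living.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)


def _opt(cmd, name):
    """Value of a schtasks /<name> option, quoted or bare; None if absent."""
    m = re.search(rf'/{name}\s+(?:"([^"]*)"|(\S+))', cmd, re.I)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def schtasks_persistence(cmd):
    """Logon task, highest run level, target under a user-writable path."""
    if not re.match(r'^"?(?:[^"\s]*\\)?schtasks(?:\.exe)?"?\s', cmd, re.I):
        return None
    if not re.search(r"/create\b", cmd, re.I):
        return None
    target = _opt(cmd, "tr")
    sched = (_opt(cmd, "sc") or "").upper()
    runlevel = (_opt(cmd, "rl") or "LIMITED").upper()
    if target and sched == "ONLOGON" and runlevel == "HIGHEST" and USER_WRITABLE.search(target):
        return {"task": _opt(cmd, "tn"), "target": target, "schedule": sched, "runlevel": runlevel}
    return None


def temp_batch(cmd):
    """Path of a .bat run via cmd /c, if the batch sits in a user-writable dir."""
    m = re.match(r'^(?:\S*\\)?cmd(?:\.exe)?\s+/c\s+"?"([^"]+\.bat)"', cmd, re.I)
    if m and USER_WRITABLE.search(m.group(1)):
        return m.group(1)
    return None


def ping_sleep(cmd):
    """ping -n <N> against the local host is a batch-file sleep of roughly N seconds."""
    m = re.match(r"^(?:\S*\\)?ping(?:\.exe)?\s+-n\s+(\d+)\s+(localhost|127\.0\.0\.1|::1)\b", cmd, re.I)
    return int(m.group(1)) if m else None


def triage(cmdlines):
    """Return (tag, detail) findings in the order the command lines appear."""
    findings = []
    for cmd in cmdlines:
        hit = schtasks_persistence(cmd)
        if hit:
            findings.append(("persistence.schtasks_onlogon_highest", f"{hit['task']} -> {hit['target']}"))
        bat = temp_batch(cmd)
        if bat:
            findings.append(("execution.batch_from_temp", bat))
        seconds = ping_sleep(cmd)
        if seconds:
            findings.append(("evasion.ping_sleep", f"{seconds}s"))
    return findings


if __name__ == "__main__":
    for tag, detail in triage(CMDLINES):
        print(f"{tag:40} {detail}")
```

Two points the rules encode from this report: the task name stays "System" while the /tr target moves from Roaming\chrome.exe to Roaming\chrome\chrome.exe, so hunting on task name alone misses the second stage, and the ping target is localhost with a repeat count rather than a remote host, which is what separates a sleep from real connectivity discovery. The report shows the schtasks command being issued on every relaunch but not the resulting task definition, so on a live host confirm the task with the Task Scheduler listing before treating the command line as proof of successful persistence.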

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 synapse.to udp
US 8.8.8.8:53 live.nodenet.ml udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 172.67.200.89:443 synapse.to tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 89.200.67.172.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 live.nodenet.ml udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 live.nodenet.ml udp
US 8.8.8.8:53 42.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 live.nodenet.ml udp
US 8.8.8.8:53 live.nodenet.ml udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 live.nodenet.ml udp
US 8.8.8.8:53 live.nodenet.ml udp
US 8.8.8.8:53 live.nodenet.ml udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 live.nodenet.ml udp
US 8.8.8.8:53 live.nodenet.ml udp
US 8.8.8.8:53 live.nodenet.ml udp
US 8.8.8.8:53 live.nodenet.ml udp
US 8.8.8.8:53 live.nodenet.ml udp

Files

memory/2440-0-0x00000000745EE000-0x00000000745EF000-memory.dmp

memory/2440-1-0x00000000001E0000-0x00000000007F4000-memory.dmp

memory/2440-2-0x0000000005010000-0x0000000005622000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\45b8c97f-5cf8-49f5-b76c-0fc91adff9fb\AgileDotNetRT.dll

MD5 2d86c4ad18524003d56c1cb27c549ba8
SHA1 123007f9337364e044b87deacf6793c2027c8f47
SHA256 091ab8a1acdab40c544bd1e5c91a96881acc318cac4df5235e1b5673f5489280
SHA512 0dd5204733b3c20932aeea2cebf0ca1eeca70e4b3b3b8932d78d952a8f762f0b96ebdbdaf217e95889c02ec6a39b8f9919fd4c0cba56bb629256e71fa61faa3c

memory/2440-10-0x00000000745E0000-0x0000000074D90000-memory.dmp

memory/2440-11-0x00000000716C0000-0x0000000071CC8000-memory.dmp

memory/2440-12-0x00000000716C0000-0x0000000071CC8000-memory.dmp

memory/2440-13-0x00000000716C0000-0x0000000071CC8000-memory.dmp

memory/2440-14-0x0000000072FF0000-0x0000000073079000-memory.dmp

memory/2440-16-0x00000000745E0000-0x0000000074D90000-memory.dmp

memory/2440-15-0x0000000005010000-0x000000000561C000-memory.dmp

memory/2440-19-0x0000000005010000-0x000000000561C000-memory.dmp

memory/2440-23-0x0000000005010000-0x000000000561C000-memory.dmp

memory/2440-21-0x0000000005010000-0x000000000561C000-memory.dmp

memory/2440-17-0x0000000005010000-0x000000000561C000-memory.dmp

memory/2440-25-0x0000000005670000-0x0000000005678000-memory.dmp

memory/2440-24-0x0000000005BB0000-0x0000000005C62000-memory.dmp

C:\Users\Admin\AppData\Roaming\chrome.exe

MD5 92479f1615fd4fa1dd3ac7f2e6a1b329
SHA1 0a6063d27c9f991be2053b113fcef25e071c57fd
SHA256 0c4917cc756e769e94ab97d626bef49713dab833525ba2e5d75fc9aea4c72569
SHA512 9f117c74c04749e6d0142e1cf952a8c59428f649413750921fc7aea35a3ccb62d9975ef954e61ce323d6234e0e9c7b8816f2ca9270552b726f9233219750847c

C:\Users\Admin\AppData\Local\Temp\S^X.exe

MD5 e2437ac017506bbde9a81fb1f618457b
SHA1 adef2615312b31e041ccf700b3982dd50b686c7f
SHA256 94594fa46d0bd28c02365f0a32ec3a662b25df95f3f3e8e2a952c18a23895b12
SHA512 9169f8be39b8fede38f7fce5a2e64d42630857e0ebd37f921c68ccf0bf0a8816f1682ba4659d22ad43413d99de62a59b2494494701404b44aa41c4d6bdc1e019

memory/732-51-0x0000000000860000-0x00000000008E4000-memory.dmp

memory/4156-53-0x0000000000CE0000-0x0000000000DAC000-memory.dmp

memory/732-54-0x0000000001160000-0x0000000001170000-memory.dmp

memory/4156-55-0x0000000005E40000-0x00000000063E4000-memory.dmp

memory/2440-57-0x00000000745E0000-0x0000000074D90000-memory.dmp

memory/4156-56-0x0000000005760000-0x00000000057F2000-memory.dmp

memory/2440-52-0x00000000716C0000-0x0000000071CC8000-memory.dmp

memory/4156-49-0x00000000745EE000-0x00000000745EF000-memory.dmp

memory/732-45-0x00007FFDE9263000-0x00007FFDE9265000-memory.dmp

memory/4156-63-0x0000000005880000-0x0000000005890000-memory.dmp

memory/4440-64-0x000000001BB40000-0x000000001BB90000-memory.dmp

memory/4440-65-0x000000001C490000-0x000000001C542000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\chrome.exe.log

MD5 baf55b95da4a601229647f25dad12878
SHA1 abc16954ebfd213733c4493fc1910164d825cac8
SHA256 ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA512 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

C:\Users\Admin\AppData\Local\Temp\iPLBKxt1WC44.bat

MD5 32aef825be63bcc40908cd83eb177771
SHA1 0b11d58c2deef587babcb1d3f294e67228071115
SHA256 7b529ace3d3ca331f75a96deaecf606a145c1a71d3f7cb970ebf7381595b2c85
SHA512 2d2e0c0870eaec8f296a34b50f40b566235b7031b959547072e81e2af7ebbe7b529eed78f30a67e368067e5aa91a31cdfcda993d1afae2402e5afd8e7fb07338

memory/4156-71-0x00000000745EE000-0x00000000745EF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jw8jwv1muM1c.bat

MD5 8ad9ecf8c866cbc46c7ea40752ce45f3
SHA1 d6a0cec73e038f2efcaba00bd1883f9c784a9b6f
SHA256 abedd9fe91bb26a5e9077da7337b8a4faba52cbf97485e3b01d5a2bcb8f6c963
SHA512 30d78bf9dabf89f97474230a3d2a257681ff6b0d595289d09f0bc63be5543d8fd72eeacaa0141115b084bce90b69fdb7e9899a8ce955eb50a5128417c798a7a4

C:\Users\Admin\AppData\Local\Temp\dkHmkajHTT4I.bat

MD5 b4a9da2695ae55dbdf12c716153ec43a
SHA1 7efd00af0d08d9a55c47c14ae9840efa0f80f2c4
SHA256 031b33fe86751c6b304631cba907b811501c53cf3612d3922bee80cc3ee6156a
SHA512 92e374675aaae2a38ffae0508343353cc51e05c0b00a10e634ac5d268a3cca29b46ae4cffb85ce4df65d118772fcdf8157fb3f276b5f1cf72e70936bf1c095aa

C:\Users\Admin\AppData\Local\Temp\oCLloocIWgCe.bat

MD5 a72308e4d3ff17bae641a4760ec74e68
SHA1 0e50a6b1c59cb7f96deb1c350aedd3e59a9c35bb
SHA256 4916137e925a7ed19271a18fd0edac06b6da121c7a945879a2c195f984c91b55
SHA512 fa704fcd0bb8e0460949b960da59204f2bce559ef17b2478a10c229de9c20f9b543d4f34f17a9c868242a24930250d0152e79750e9549a834c42928d79360957

C:\Users\Admin\AppData\Local\Temp\kXVgFHorOD9V.bat

MD5 f42f84c5ca70c0b7b670b854942fe0c8
SHA1 040bcc8a73d6ade33008dbf0e9dbef9811882c3d
SHA256 9ef726d8652326558dca08f26c7d3cbe699853366443db712836e6b9fc08c266
SHA512 59ab5ef2bdb40fcaad9a99d032eb107c48ac1df79bf8a18a0631d4e243ff81264009731d4a3e9ac07c63774fce02ed682fbc6ddbe8f107e6a45f38c4850e1f89

C:\Users\Admin\AppData\Local\Temp\cYC8s2LejgpJ.bat

MD5 7f7a2aa2bf22bba317ad637b3ae5a8f9
SHA1 bd26629ca9abf48ca1d5ca46c2d31fdfda2ae872
SHA256 2c122bf9a7caa9d21390da058396153ed8ca5fb3045a3a77df2ae40bc325cdc3
SHA512 4159164f7c6efb3300eddc9b921ae00e46aeabc9f7e9efa4ee73bce50139311e3cb479595e60da481e63fe3cc0cb5785e5ca18ba41e2a113d068c214772724a8

C:\Users\Admin\AppData\Local\Temp\SlbNZMxhQ8ee.bat

MD5 dbddf2bdc9122d2de24dbcc762cbec53
SHA1 35bc674b0535ce9f7696a63182a0cbdc257db983
SHA256 edd9576b39647a6ca3d04eaf39334c9ede85d177dfd7dd6010d7e0f3927f8090
SHA512 7e83cad9d3010ffde8ab7b17fc7debe9af4f4aee254bcae5e700f5484ed1c18768c7790b0d6464974da39d0f37c9c757caf5ec1865526e3744b18506c86e9828

C:\Users\Admin\AppData\Local\Temp\b3M9mwzxBOcg.bat

MD5 90a179dbaa2dded91a67a5695db0c359
SHA1 4edca612a918be99732aa4879d1267d658866590
SHA256 46569d6e88a911a28259f0cde3c208c1349177166a726b941ca01e7a0703a584
SHA512 c1677d403ba12cfee37713f504a92b298f3de2effc39185a7cc413ff56e6878805dcf0227b93b4fe9f3a0b34ca0606bbe663f5ed2593518a4ba04d81e7175093

C:\Users\Admin\AppData\Local\Temp\toJjsTceVr7y.bat

MD5 c4e929969404ee6b7208a61c401ef8e2
SHA1 0dbe4b238ed5f27868e77615367456f71c6faba2
SHA256 fd9b63d0245ce2c6ef9a94677c7e95e026a61107d4e59981ad02ccd373eef522
SHA512 be06820586dc75391f2c50ae4fbf1a97a57a05e938ffe5ef550bac68b5610f5eceb727c5de608506629c08892e15621f2fdf2f7a139a1e3d67feabb84be40dd6

C:\Users\Admin\AppData\Local\Temp\4vqmUZkhunXn.bat

MD5 bed43a1a0e39c4909d7e7a43158d952c
SHA1 1c8a493cc296116c751fb878a5529969c128bdbb
SHA256 6ed6413fc9bf60dc4ffae386ccd38c8d47434c4fecf06fc687f95cfa26ff7798
SHA512 960f491a10797332e8454939ba121baf2adb46d485452c2f8bef0a0dfbc233a12d49baa149727a25dc6d4b47d98a994991e2873079ea64d423ffa3ca6c5da1c5

C:\Users\Admin\AppData\Local\Temp\l1j8jFR5fYZ7.bat

MD5 e9973f9d6eb9046c377e3462582de826
SHA1 99f4b3bb9ff5e613209864cab89e7720add7cb93
SHA256 acc2d609b0b12d755b031de42d85199b57f087ad641925f61c9103397857c2eb
SHA512 dd20089fcad461b78e30ca08faf0705973697822046c21376c601d60a8e933a6f446c23a785b5027170dd9a4a481711defef8b26444e87f9c6d2f07837f62bbe

C:\Users\Admin\AppData\Local\Temp\SVrdSM8UGvGR.bat

MD5 de1fbf444e8f7c6b1a57fd9b1e093333
SHA1 0e109a986f8eefb9a88c7ee8d9450d7ae33a6dae
SHA256 c30551ffdf945c0405540f4ad7f7404a31976d8f884a002bac744decf8519518
SHA512 d4a00e44660c3c46802de4a481521bb3c304f5bff99b328b6799bb5876e61bb80bfaaf056856e4d0d906695e770ee996d19d81b5d379e79c879c619cd0d15813

C:\Users\Admin\AppData\Local\Temp\6dSb353Tjp0l.bat

MD5 2d6f0bbb33fb79c29e605f556bd301f7
SHA1 065dfd91965ac7464e379805c0681278c1b86707
SHA256 4a3075f1642207eb39cee09ea9bf60cd07df7cecf694ffb8b78683fad52453c2
SHA512 d404444ad2bf51ee7f1d2b2c7751f3ca8182b4b44b16ff3fc3d568427ac5439af89ad6ddea75d8ec9f0c1ee7ec7b4bbea72e89a3228dae645b79f2cb59d25cef