Analysis Overview
SHA256
75a58e896b1e5f70dceb2bc8e189ec19f600cb2df28196af4ba05711bea7ce3f
Threat Level: Known bad
The file 03778d811f241e83ccad830372313b3c.zip was found to be: Known bad.
Malicious Activity Summary
Quasar RAT
Quasar payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Obfuscated with Agile.Net obfuscator
Checks computer location settings
Checks BIOS information in registry
Themida packer
Loads dropped DLL
Executes dropped EXE
Checks whether UAC is enabled
Suspicious use of NtSetInformationThreadHideFromDebugger
System Network Configuration Discovery: Internet Connection Discovery
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Scheduled Task/Job: Scheduled Task
Runs ping.exe
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-01 14:53
Signatures
Obfuscated with Agile.Net obfuscator
1 match; no indicator detail recorded.
Unsigned PE
1 match; no indicator detail recorded.
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-01 14:53
Reported
2024-09-01 14:55
Platform
win7-20240705-en
Max time kernel
141s
Max time network
145s
Signatures
Quasar RAT
Quasar payload
12 matches; no indicator detail recorded.
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\S^X.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
7 matches; no indicator detail recorded.
Themida packer
5 matches; no indicator detail recorded.
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\S^X.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
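The registry rows in the signature tables above (the VBOX__ ACPI table, the two BIOS version strings, EnableLUA and the NLS language key, plus the Geo\Nation value in the Windows 10 run) are the loader's environment probes. The script below is an added example for this page, not the sandbox's or Quasar's own code: it turns registry-access rows of that shape into per-process technique labels and flags a process that pairs a VM check with an environment probe. The event tuples are constructed from the rows above; the key patterns, the widening of the VBOX__ match to the FADT and RSDT tables, and the ATT&CK labels are this example's assumptions.

```python
"""Classify sandbox registry-access events into the anti-analysis and
discovery checks reported for this sample.

Added example, not sandbox or Quasar code. Event tuples are constructed
from the report's signature tables; patterns and labels are assumptions.
"""
import re
from collections import defaultdict

# Registry paths commonly used for VM / environment checks, mapped to the
# technique they indicate. The VBOX__ match is widened beyond the DSDT
# table seen in the report to the FADT and RSDT tables VirtualBox also
# exposes (assumption: those tables are equally diagnostic).
REGISTRY_SIGNATURES = [
    (r"\\HARDWARE\\ACPI\\(?:DSDT|FADT|RSDT)\\VBOX__$",
     "anti-vm: VirtualBox ACPI table name (T1497.001)"),
    (r"\\HARDWARE\\DESCRIPTION\\System\\(?:System|Video)BiosVersion$",
     "anti-vm: BIOS version strings (T1497.001)"),
    (r"\\Policies\\System\\EnableLUA$",
     "uac check: EnableLUA (T1548.002 precondition)"),
    (r"\\Control Panel\\International\\Geo\\Nation$",
     "discovery: system location (T1614)"),
    (r"\\Control\\NLS\\Language$",
     "discovery: system language (T1614.001)"),
]
COMPILED = [(re.compile(p, re.IGNORECASE), label) for p, label in REGISTRY_SIGNATURES]


def classify_events(events):
    """Map each process to the set of technique labels its registry
    accesses match. `events` is an iterable of (operation, key, process)."""
    hits = defaultdict(set)
    for _op, key, process in events:
        for pattern, label in COMPILED:
            if pattern.search(key):
                hits[process].add(label)
    return dict(hits)


def anti_analysis_processes(events):
    """Processes that combine a VM check with an environment probe: the
    pairing that usually precedes a decision to bail out or stay dormant."""
    out = []
    for process, labels in classify_events(events).items():
        has_vm = any(l.startswith("anti-vm") for l in labels)
        has_probe = any(l.startswith(("uac", "discovery")) for l in labels)
        if has_vm and has_probe:
            out.append(process)
    return sorted(out)


# Constructed from the signature tables: (operation, key, process).
LOADER = r"C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\S^X.exe"
IMPLANT = r"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
SAMPLE_EVENTS = [
    ("Key opened", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__", LOADER),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion", LOADER),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion", LOADER),
    ("Key value queried", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", LOADER),
    ("Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language", LOADER),
    ("Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language", DROPPED),
    # From the Windows 10 run (behavioral2) of the same sample.
    ("Key value queried", r"\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation", IMPLANT),
]

if __name__ == "__main__":
    for process, labels in classify_events(SAMPLE_EVENTS).items():
        print(process)
        for label in sorted(labels):
            print("   ", label)
    print("anti-analysis candidates:", anti_analysis_processes(SAMPLE_EVENTS))
```

Only the loader trips the combined rule: the dropped S^X.exe and the persisted chrome\chrome.exe touch discovery keys alone, which many legitimate programs also do, so a rule that fires on a single key would be noisy.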
Processes
C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
"C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe"
C:\Users\Admin\AppData\Roaming\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome.exe"
C:\Users\Admin\AppData\Local\Temp\S^X.exe
"C:\Users\Admin\AppData\Local\Temp\S^X.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\NPP4fG0NXYyr.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\gh7pNScCaoTK.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\pSgJ1jhBeY2W.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\y5I9DW9Om25T.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zh7ppqmnrqdk.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DHek4Plo03mc.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\UdRMe9ZrB2Vp.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\61tGG4scxXXw.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TwESmSXPbzrY.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\kvTPAcwTKtyw.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tf8QbwVYFcT2.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\MpeBGhraJTmr.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
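The process list above shows three behaviours a detection should key on: a logon task named "System" created with /rl HIGHEST and pointing at a browser-named binary under AppData\Roaming; that binary running from a user profile rather than Program Files; and a repeating cmd /c <random>.bat, chcp 65001, ping -n 10 localhost sequence after which a fresh chrome\chrome.exe appears (the page records only those commands of each batch; reading the sequence as a delay-then-relaunch loop is an inference from the process order). The script below is an added example, not the sandbox's own signature logic: it applies those three rules to command lines copied from the behavioral1 list. The browser name set, the two-entry lookahead window and the ATT&CK labels are this example's assumptions.

```python
"""Flag the persistence, masquerading and restart-batch pattern visible in
this report's process list.

Added example, not sandbox or Quasar code. Command lines are copied from
the behavioral1 process list; the rules and labels are assumptions.
"""
import re

# Assumption: browser names an implant is likely to borrow.
BROWSER_NAMES = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}

_BAT = re.compile(r'cmd(?:\.exe)?\s+/c\s+"*([^"]+\.bat)"', re.IGNORECASE)
_PING = re.compile(r"ping\s+-n\s+(\d+)\s+localhost", re.IGNORECASE)


def image_of(cmdline):
    """First token of a command line, with surrounding quotes removed."""
    cmdline = cmdline.strip()
    if not cmdline:
        return ""
    if cmdline.startswith('"'):
        return cmdline[1:cmdline.index('"', 1)]
    return cmdline.split()[0]


def schtasks_persistence(cmdline):
    """Logon task at highest run level whose action lives in a user profile
    (T1053.005). Returns (task name, target) or None."""
    if not re.search(r"schtasks\S*\s+/create\b", cmdline, re.IGNORECASE):
        return None
    name = re.search(r'/tn\s+"?([^"\s]+)', cmdline, re.IGNORECASE)
    target = re.search(r'/tr\s+"([^"]+)"', cmdline, re.IGNORECASE)
    onlogon = re.search(r"/sc\s+onlogon\b", cmdline, re.IGNORECASE)
    highest = re.search(r"/rl\s+highest\b", cmdline, re.IGNORECASE)
    if not (target and onlogon and highest):
        return None
    if "\\appdata\\" not in target.group(1).lower():
        return None
    return (name.group(1) if name else "?", target.group(1))


def browser_lookalike(cmdline):
    """A browser-named binary executing from a user profile (T1036.005)."""
    image = image_of(cmdline)
    name = image.rsplit("\\", 1)[-1].lower()
    return name in BROWSER_NAMES and "\\appdata\\" in image.lower()


def restart_batches(cmdlines):
    """cmd /c <random>.bat followed within two entries by chcp and a
    localhost ping: a delay loop before the implant relaunches. Returns
    (batch name, delay seconds); `ping -n N localhost` waits about N-1 s."""
    found = []
    for i, cl in enumerate(cmdlines):
        m = _BAT.search(cl)
        if not m:
            continue
        window = " ".join(cmdlines[i + 1:i + 3])
        p = _PING.search(window)
        if p and re.search(r"\bchcp\b", window, re.IGNORECASE):
            found.append((m.group(1).rsplit("\\", 1)[-1], int(p.group(1)) - 1))
    return found


def triage(cmdlines):
    """Run all three rules over an ordered list of command lines."""
    return {
        "persistence": [p for p in map(schtasks_persistence, cmdlines) if p],
        "lookalike": [image_of(c) for c in cmdlines if browser_lookalike(c)],
        "restart_batches": restart_batches(cmdlines),
    }


# Copied from the behavioral1 process list (first two restart cycles).
SAMPLE_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe"',
    r'"C:\Users\Admin\AppData\Roaming\chrome.exe"',
    r'"C:\Users\Admin\AppData\Local\Temp\S^X.exe"',
    r'"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome.exe" /rl HIGHEST /f',
    r'"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"',
    r'"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f',
    r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\NPP4fG0NXYyr.bat" "',
    r'chcp 65001',
    r'ping -n 10 localhost',
    r'"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"',
    r'"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f',
    r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\gh7pNScCaoTK.bat" "',
    r'chcp 65001',
    r'ping -n 10 localhost',
]

if __name__ == "__main__":
    for rule, findings in triage(SAMPLE_CMDLINES).items():
        print(f"{rule}: {len(findings)}")
        for f in findings:
            print("   ", f)
```

The schtasks rule deliberately requires all three of ONLOGON, HIGHEST and a profile path; the same task name "System" is re-registered on every cycle here (the /f switch overwrites it), so task-creation event counts alone overstate the number of distinct persistence points.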
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | live.nodenet.ml | udp |
| US | 8.8.8.8:53 | synapse.to | udp |
| US | 172.67.200.89:443 | synapse.to | tcp |
Files
memory/2140-0-0x000000007416E000-0x000000007416F000-memory.dmp
memory/2140-1-0x0000000000100000-0x0000000000714000-memory.dmp
memory/2140-2-0x0000000005240000-0x0000000005852000-memory.dmp
memory/2140-6-0x0000000074160000-0x000000007484E000-memory.dmp
\Users\Admin\AppData\Local\Temp\45b8c97f-5cf8-49f5-b76c-0fc91adff9fb\AgileDotNetRT.dll (Agile.NET obfuscator runtime, extracted to a temporary folder at run time)
| MD5 | 2d86c4ad18524003d56c1cb27c549ba8 |
| SHA1 | 123007f9337364e044b87deacf6793c2027c8f47 |
| SHA256 | 091ab8a1acdab40c544bd1e5c91a96881acc318cac4df5235e1b5673f5489280 |
| SHA512 | 0dd5204733b3c20932aeea2cebf0ca1eeca70e4b3b3b8932d78d952a8f762f0b96ebdbdaf217e95889c02ec6a39b8f9919fd4c0cba56bb629256e71fa61faa3c |
memory/2140-10-0x0000000073900000-0x0000000073F08000-memory.dmp
memory/2140-11-0x0000000073900000-0x0000000073F08000-memory.dmp
memory/2140-12-0x0000000074160000-0x000000007484E000-memory.dmp
memory/2140-13-0x0000000073900000-0x0000000073F08000-memory.dmp
memory/2140-22-0x0000000005240000-0x000000000584C000-memory.dmp
memory/2140-24-0x0000000000820000-0x0000000000828000-memory.dmp
\Users\Admin\AppData\Roaming\chrome.exe
| MD5 | 92479f1615fd4fa1dd3ac7f2e6a1b329 |
| SHA1 | 0a6063d27c9f991be2053b113fcef25e071c57fd |
| SHA256 | 0c4917cc756e769e94ab97d626bef49713dab833525ba2e5d75fc9aea4c72569 |
| SHA512 | 9f117c74c04749e6d0142e1cf952a8c59428f649413750921fc7aea35a3ccb62d9975ef954e61ce323d6234e0e9c7b8816f2ca9270552b726f9233219750847c |
C:\Users\Admin\AppData\Local\Temp\S^X.exe
| MD5 | e2437ac017506bbde9a81fb1f618457b |
| SHA1 | adef2615312b31e041ccf700b3982dd50b686c7f |
| SHA256 | 94594fa46d0bd28c02365f0a32ec3a662b25df95f3f3e8e2a952c18a23895b12 |
| SHA512 | 9169f8be39b8fede38f7fce5a2e64d42630857e0ebd37f921c68ccf0bf0a8816f1682ba4659d22ad43413d99de62a59b2494494701404b44aa41c4d6bdc1e019 |
memory/2140-23-0x0000000002590000-0x0000000002642000-memory.dmp
memory/2140-20-0x0000000005240000-0x000000000584C000-memory.dmp
memory/2140-18-0x0000000005240000-0x000000000584C000-memory.dmp
memory/2140-16-0x0000000005240000-0x000000000584C000-memory.dmp
memory/2140-15-0x0000000005240000-0x000000000584C000-memory.dmp
memory/2140-14-0x0000000073F60000-0x0000000073FE0000-memory.dmp
memory/2884-38-0x0000000001320000-0x00000000013EC000-memory.dmp
memory/2884-39-0x0000000074160000-0x000000007484E000-memory.dmp
memory/2140-42-0x0000000074160000-0x000000007484E000-memory.dmp
memory/2140-41-0x0000000073900000-0x0000000073F08000-memory.dmp
memory/2848-43-0x00000000009A0000-0x0000000000A24000-memory.dmp
memory/2480-48-0x0000000000300000-0x0000000000384000-memory.dmp
memory/2884-49-0x0000000074160000-0x000000007484E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\NPP4fG0NXYyr.bat
| MD5 | 643ee272a80abfbd52fe1d158fcd3c17 |
| SHA1 | 8514d4f5f590a0e8a17c52db011a853bde9fbd8e |
| SHA256 | bf7434398adcd24729c2c9d7e2a8b752c46dd656fa27a5b88534fe739a10fe33 |
| SHA512 | a73b21d4779e803db0f26049b0946f83788ea24603dbbeceef0f738200a8a40694861f64717e90e4c4a32ee31f7a5a6bcad225d229c1dc2b02d77a5a060d740d |
memory/2884-59-0x0000000074160000-0x000000007484E000-memory.dmp
memory/2884-60-0x0000000074160000-0x000000007484E000-memory.dmp
memory/2916-62-0x00000000010F0000-0x0000000001174000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\gh7pNScCaoTK.bat
| MD5 | dd93115093517e622eee4fec09ca7c10 |
| SHA1 | c4afedf32ad15ea108909807be2880b005a16cb7 |
| SHA256 | e0a0a7faac8fae5ffe6d36b13d8d3990d56c096d89c86cf9ed011db09d867f66 |
| SHA512 | 65d9d0e7c475c580510eff961d8c750edfe4f94ebd080f6a845f1af4996907794db81131ffc4f17d6b367bc5c413c0460f2578764cd1815d23ca62a0f73fc0f8 |
C:\Users\Admin\AppData\Local\Temp\pSgJ1jhBeY2W.bat
| MD5 | 7f0b7af3831c4954b5aae1b3c9c12dcd |
| SHA1 | abd8425337ffc339de7b20f2ae672e249a9b1345 |
| SHA256 | d99203a43249a78c1ffb11e16a372a1c5164743f103a40a8246eafcbe284d676 |
| SHA512 | b8656131047858cb824d60f4c1ae58e37f890ba819852e01c78af60ef9f9d39c0941355f04aa8f28b361e74da810435783e0b8b1610a2f0cfe0450b44eeff9de |
memory/2876-83-0x00000000003D0000-0x0000000000454000-memory.dmp
\??\PIPE\lsarpc (named pipe, not a file; the digests below are those of zero-length input and are not usable as indicators)
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\y5I9DW9Om25T.bat
| MD5 | f44ea40a739e38727fed4a34430592ca |
| SHA1 | 0f84a92d2f867a1546162348fe283c7091d89024 |
| SHA256 | 85823dd76668b2f502446a444fdddcce87fdc72dd508f1379138bf794e045e0e |
| SHA512 | f12e3f24cadd03e621ebadb1fd721cdf3f0292ca5f153b8bc37c116b1997a139b24ce2389a5439b7c4ae822aa71d2f122e27cd08db6d5937d62c6120b7d1da06 |
memory/1316-95-0x0000000000C40000-0x0000000000CC4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Zh7ppqmnrqdk.bat
| MD5 | 1cde5cf1626934cd47304a894bf5bd74 |
| SHA1 | 26ad37dd27ae42467fdebea0c56aca4794589e4a |
| SHA256 | 7898469d7e9172a3c4cde0bcb882a8b389270ec16c93d0965f1097a6e936a76e |
| SHA512 | b08b1353bbf1d4ad6b3996f1bd0648055bc13e2ceda24b49a929a9576e88830631c2016190a4708fb99d5d6fc31f53283a22d87663d8f419e84b8d7bf5990959 |
memory/2824-106-0x0000000000E70000-0x0000000000EF4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DHek4Plo03mc.bat
| MD5 | 2d14c6d732c590b946585b280d0b57be |
| SHA1 | 8bb42488f2b61b2f8c38168eeb457f0c113cc10f |
| SHA256 | a8dde0e8a5728d867c0392be1224a935ec06da66a6fcaabd978b701184ed59df |
| SHA512 | ff8554389a3fb58221e38e4b85da7e3484f22495942d14196c7cae1af7f4083f5be4401fc7a0cfe6b0566d1f27f7bcb500332138795718ede7d2fbbcfb62f534 |
memory/2120-117-0x00000000003F0000-0x0000000000474000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\UdRMe9ZrB2Vp.bat
| MD5 | 4f8265fab345ebfde73a4a351af01b7e |
| SHA1 | 9b4fd88046e0bb4984c1e3bee650e627c2a53751 |
| SHA256 | a09b61a7fe62ca046eb76a43553e961c1f82a623c095918ad01189134f37f381 |
| SHA512 | 9be14002d7ab1f04e8f39b937af6bbf5082f04b054f7c71a932af1afa8f5db59fce731c81192c57861c36e3efb5fe0b36e1d125a23a8f084820ff45504b0f86e |
memory/2676-129-0x0000000000B30000-0x0000000000BB4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\61tGG4scxXXw.bat
| MD5 | 7e661f7f7dfee426d136cbb4b833c493 |
| SHA1 | 44443230d62d2de482e3e8ba0f243258e417fd62 |
| SHA256 | 393b5e1903812fe956e10710899e8da3c6e81766d74b6c36804289630f9a5e5e |
| SHA512 | 9b8be92ec3fa41375da5ea7587a0a036719b3c9ba7095307be630278da4b6b7aee8707f35af5d952731f531b5cdd4e4d0d9600f00fcf58c98c878f53c7b01dde |
memory/2176-140-0x0000000000B70000-0x0000000000BF4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TwESmSXPbzrY.bat
| MD5 | 6153bb69a4dce7aaf9365dd67f879505 |
| SHA1 | 37cdf3dd41e25e32e7c145d770acc40490a494b4 |
| SHA256 | 87198de0b168434955d967b6e323fc52ff16925b0a73a0351372f65c775ce0f0 |
| SHA512 | c3bea1c494934eaeff49d757f3849696e76fae87ce7d8d7dc06a2ee88fd5fe8240cc6eaeccdc82552c8c614d0cf24fe280777c7dfe59bdba067f063072606703 |
memory/1696-151-0x0000000000FE0000-0x0000000001064000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kvTPAcwTKtyw.bat
| MD5 | c5824769269e9a4c5ee48d89c390e9f9 |
| SHA1 | f29a1af25931275ce3248bffe45e787690c1e736 |
| SHA256 | b0acccfb392e1557d259645283ba34d2d608fc32201cd9038acdaf4efde1cdc7 |
| SHA512 | 59126779e11ff268600ec1ced8add72ba70f2bb5bf8928243fa4fa481a8aebd8e42b881d37ec1750d2f5bf95d26491b748eacdb561385a9ba5063f99b4689d46 |
C:\Users\Admin\AppData\Local\Temp\tf8QbwVYFcT2.bat
| MD5 | 73320d94a5c5578edb02968536dabb1c |
| SHA1 | 9b9be2555bd2fe73d44e7d4d26007ece8afcb35b |
| SHA256 | 0c55e49e9213c52fee6105ada0a536f58a610bb3b6ef7e41192a57ddc86dd0e5 |
| SHA512 | 14f61110c02c50bff9d429fb335f63a809486260043908d5d9162188ac573a80df066ce82d4540debc8150491108f9ba8fb4c64eb42047b4d10e62631fd4ee9f |
memory/560-172-0x0000000000360000-0x00000000003E4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MpeBGhraJTmr.bat
| MD5 | d796f3dfd3466e2a82a5b8d10aa28df0 |
| SHA1 | 90ddf7bffb90a2569244155f5db53847a7b97468 |
| SHA256 | 9f8dae2ac07f68cd9cf597b9d10aff0383e5d220dba1877c7ab8e1991b1bb9b6 |
| SHA512 | 1031a9e757869b70380566d6720a46a12f4255023b509297fa7c93e611d213d0f15266ca986b77508cc6cc52e389252b7390baefc59796a78cd5d0f2500a349e |
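Not every hash in the Files section is a usable indicator. The \??\PIPE\lsarpc entry carries the digests of zero-length input; the twelve .bat files have random twelve-character names and a different hash on every run; and AgileDotNetRT.dll is the Agile.NET protector's runtime, shared by every binary protected with the same version, so its hash identifies the tool rather than this sample. The script below is an added example, not part of the report, that sorts entries of this section into those buckets before they are exported. The classification rules and the volatile-name pattern are this example's assumptions; the entries are copied from the list above (MD5 and SHA256 only).

```python
"""Sanity-check file indicators from a sandbox report before they become
IOCs: drop empty-content digests, per-run random names and tooling hashes.

Added example, not part of the report. Entries are copied from the
behavioral1 Files section; the rules are assumptions.
"""
import hashlib
import re

# Digests of zero bytes, computed rather than hard-coded so the check
# cannot drift from the library's output.
EMPTY_DIGESTS = {
    algo: hashlib.new(algo, b"").hexdigest()
    for algo in ("md5", "sha1", "sha256", "sha512")
}
# Twelve alphanumerics plus .bat: the per-run random names the restart
# scripts in this report use (assumption: the pattern is stable).
_VOLATILE_NAME = re.compile(r"^[A-Za-z0-9]{12}\.bat$")
# Runtime shipped by the Agile.NET protector; its hash is shared by every
# binary protected with the same version.
_TOOLING = {"agiledotnetrt.dll"}


def classify_entry(path, hashes):
    """Return one of: empty_content, volatile_name, tooling, usable."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    if any(hashes.get(algo) == digest for algo, digest in EMPTY_DIGESTS.items()):
        return "empty_content"
    if _VOLATILE_NAME.match(name):
        return "volatile_name"
    if name.lower() in _TOOLING:
        return "tooling"
    return "usable"


def triage_file_iocs(entries):
    """Group (path, hashes) entries by classification; only the 'usable'
    group is worth shipping as hash indicators."""
    groups = {"empty_content": [], "volatile_name": [], "tooling": [], "usable": []}
    for path, hashes in entries:
        groups[classify_entry(path, hashes)].append(path)
    return groups


# Copied from the Files section above (MD5 and SHA256 only).
SAMPLE_ENTRIES = [
    (r"\Users\Admin\AppData\Local\Temp\45b8c97f-5cf8-49f5-b76c-0fc91adff9fb\AgileDotNetRT.dll",
     {"md5": "2d86c4ad18524003d56c1cb27c549ba8",
      "sha256": "091ab8a1acdab40c544bd1e5c91a96881acc318cac4df5235e1b5673f5489280"}),
    (r"\Users\Admin\AppData\Roaming\chrome.exe",
     {"md5": "92479f1615fd4fa1dd3ac7f2e6a1b329",
      "sha256": "0c4917cc756e769e94ab97d626bef49713dab833525ba2e5d75fc9aea4c72569"}),
    (r"C:\Users\Admin\AppData\Local\Temp\S^X.exe",
     {"md5": "e2437ac017506bbde9a81fb1f618457b",
      "sha256": "94594fa46d0bd28c02365f0a32ec3a662b25df95f3f3e8e2a952c18a23895b12"}),
    (r"C:\Users\Admin\AppData\Local\Temp\NPP4fG0NXYyr.bat",
     {"md5": "643ee272a80abfbd52fe1d158fcd3c17",
      "sha256": "bf7434398adcd24729c2c9d7e2a8b752c46dd656fa27a5b88534fe739a10fe33"}),
    (r"\??\PIPE\lsarpc",
     {"md5": "d41d8cd98f00b204e9800998ecf8427e",
      "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}),
]

if __name__ == "__main__":
    for group, paths in triage_file_iocs(SAMPLE_ENTRIES).items():
        print(f"{group}: {len(paths)}")
        for p in paths:
            print("   ", p)
```

For the .bat files the durable indicator is the behaviour (a cmd /c on a random twelve-character .bat in Temp that runs chcp and a localhost ping), not the hash; likewise the two chrome.exe copies under AppData\Roaming are worth a path-based rule in addition to their hashes.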
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-01 14:53
Reported
2024-09-01 14:56
Platform
win10v2004-20240802-en
Max time kernel
143s
Max time network
154s
Signatures
Quasar RAT
Quasar payload
2 matches; no indicator detail recorded.
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\S^X.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A |
Obfuscated with Agile.Net obfuscator
7 matches; no indicator detail recorded.
Themida packer
5 matches; no indicator detail recorded.
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\S^X.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
"C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe"
C:\Users\Admin\AppData\Roaming\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome.exe"
C:\Users\Admin\AppData\Local\Temp\S^X.exe
"C:\Users\Admin\AppData\Local\Temp\S^X.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fpC0LdY6mgWo.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IbXEWFKNjw37.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\00xG9REBODar.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PL6003Sm5y2G.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rPolwkhv6FgM.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iBSTGk807IDj.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CNwvaqImn10X.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bTMdxgLaWR1T.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7Ux3YFU8QKCN.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3cZyl6r5sF2M.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cExtpCHQnfzd.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GSEAhOv56Fv6.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\J2O3L3EfBncD.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XppgxuG2k82h.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
Network
Files