Malware Analysis Report

2024-11-15 08:37

Sample ID 240901-r9dkestekl
Target 03778d811f241e83ccad830372313b3c.zip
SHA256 75a58e896b1e5f70dceb2bc8e189ec19f600cb2df28196af4ba05711bea7ce3f
Tags
agilenet quasar chrome discovery evasion spyware themida trojan
score
10/10

Analysis Overview

score
10/10

SHA256

75a58e896b1e5f70dceb2bc8e189ec19f600cb2df28196af4ba05711bea7ce3f

Threat Level: Known bad

The file 03778d811f241e83ccad830372313b3c.zip was found to be: Known bad.

Malicious Activity Summary

agilenet quasar chrome discovery evasion spyware themida trojan

Quasar RAT

Quasar payload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Obfuscated with Agile.Net obfuscator

Checks computer location settings

Checks BIOS information in registry

Themida packer

Loads dropped DLL

Executes dropped EXE

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

System Network Configuration Discovery: Internet Connection Discovery

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Scheduled Task/Job: Scheduled Task

Runs ping.exe

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-01 14:53

Signatures

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-01 14:53

Reported

2024-09-01 14:55

Platform

win7-20240705-en

Max time kernel

141s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\S^X.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\S^X.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2140 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe C:\Users\Admin\AppData\Roaming\chrome.exe
PID 2140 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe C:\Users\Admin\AppData\Local\Temp\S^X.exe
PID 2848 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Roaming\chrome.exe C:\Windows\system32\schtasks.exe
PID 2848 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Roaming\chrome.exe C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 2480 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\schtasks.exe
PID 2480 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\cmd.exe
PID 2692 wrote to memory of 1216 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2692 wrote to memory of 1220 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2692 wrote to memory of 2916 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 2916 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\schtasks.exe
PID 2916 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\cmd.exe
PID 2036 wrote to memory of 2340 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2036 wrote to memory of 1240 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2036 wrote to memory of 1808 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 1808 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\schtasks.exe
PID 1808 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\cmd.exe
PID 1656 wrote to memory of 1340 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1656 wrote to memory of 1628 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 1656 wrote to memory of 2876 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 2876 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\schtasks.exe
PID 2876 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\cmd.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe

"C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe"

C:\Users\Admin\AppData\Roaming\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome.exe"

C:\Users\Admin\AppData\Local\Temp\S^X.exe

"C:\Users\Admin\AppData\Local\Temp\S^X.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NPP4fG0NXYyr.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gh7pNScCaoTK.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pSgJ1jhBeY2W.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\y5I9DW9Om25T.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zh7ppqmnrqdk.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DHek4Plo03mc.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UdRMe9ZrB2Vp.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\61tGG4scxXXw.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TwESmSXPbzrY.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kvTPAcwTKtyw.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tf8QbwVYFcT2.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MpeBGhraJTmr.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

Network

Country Destination Domain Proto
US 8.8.8.8:53 live.nodenet.ml udp
US 8.8.8.8:53 synapse.to udp
US 172.67.200.89:443 synapse.to tcp

Files

memory/2140-0-0x000000007416E000-0x000000007416F000-memory.dmp

memory/2140-1-0x0000000000100000-0x0000000000714000-memory.dmp

memory/2140-2-0x0000000005240000-0x0000000005852000-memory.dmp

memory/2140-6-0x0000000074160000-0x000000007484E000-memory.dmp

\Users\Admin\AppData\Local\Temp\45b8c97f-5cf8-49f5-b76c-0fc91adff9fb\AgileDotNetRT.dll

MD5 2d86c4ad18524003d56c1cb27c549ba8
SHA1 123007f9337364e044b87deacf6793c2027c8f47
SHA256 091ab8a1acdab40c544bd1e5c91a96881acc318cac4df5235e1b5673f5489280
SHA512 0dd5204733b3c20932aeea2cebf0ca1eeca70e4b3b3b8932d78d952a8f762f0b96ebdbdaf217e95889c02ec6a39b8f9919fd4c0cba56bb629256e71fa61faa3c

memory/2140-10-0x0000000073900000-0x0000000073F08000-memory.dmp

memory/2140-11-0x0000000073900000-0x0000000073F08000-memory.dmp

memory/2140-12-0x0000000074160000-0x000000007484E000-memory.dmp

memory/2140-13-0x0000000073900000-0x0000000073F08000-memory.dmp

memory/2140-22-0x0000000005240000-0x000000000584C000-memory.dmp

memory/2140-24-0x0000000000820000-0x0000000000828000-memory.dmp

\Users\Admin\AppData\Roaming\chrome.exe

MD5 92479f1615fd4fa1dd3ac7f2e6a1b329
SHA1 0a6063d27c9f991be2053b113fcef25e071c57fd
SHA256 0c4917cc756e769e94ab97d626bef49713dab833525ba2e5d75fc9aea4c72569
SHA512 9f117c74c04749e6d0142e1cf952a8c59428f649413750921fc7aea35a3ccb62d9975ef954e61ce323d6234e0e9c7b8816f2ca9270552b726f9233219750847c

C:\Users\Admin\AppData\Local\Temp\S^X.exe

MD5 e2437ac017506bbde9a81fb1f618457b
SHA1 adef2615312b31e041ccf700b3982dd50b686c7f
SHA256 94594fa46d0bd28c02365f0a32ec3a662b25df95f3f3e8e2a952c18a23895b12
SHA512 9169f8be39b8fede38f7fce5a2e64d42630857e0ebd37f921c68ccf0bf0a8816f1682ba4659d22ad43413d99de62a59b2494494701404b44aa41c4d6bdc1e019

memory/2140-23-0x0000000002590000-0x0000000002642000-memory.dmp

memory/2140-20-0x0000000005240000-0x000000000584C000-memory.dmp

memory/2140-18-0x0000000005240000-0x000000000584C000-memory.dmp

memory/2140-16-0x0000000005240000-0x000000000584C000-memory.dmp

memory/2140-15-0x0000000005240000-0x000000000584C000-memory.dmp

memory/2140-14-0x0000000073F60000-0x0000000073FE0000-memory.dmp

memory/2884-38-0x0000000001320000-0x00000000013EC000-memory.dmp

memory/2884-39-0x0000000074160000-0x000000007484E000-memory.dmp

memory/2140-42-0x0000000074160000-0x000000007484E000-memory.dmp

memory/2140-41-0x0000000073900000-0x0000000073F08000-memory.dmp

memory/2848-43-0x00000000009A0000-0x0000000000A24000-memory.dmp

memory/2480-48-0x0000000000300000-0x0000000000384000-memory.dmp

memory/2884-49-0x0000000074160000-0x000000007484E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\NPP4fG0NXYyr.bat

MD5 643ee272a80abfbd52fe1d158fcd3c17
SHA1 8514d4f5f590a0e8a17c52db011a853bde9fbd8e
SHA256 bf7434398adcd24729c2c9d7e2a8b752c46dd656fa27a5b88534fe739a10fe33
SHA512 a73b21d4779e803db0f26049b0946f83788ea24603dbbeceef0f738200a8a40694861f64717e90e4c4a32ee31f7a5a6bcad225d229c1dc2b02d77a5a060d740d

memory/2884-59-0x0000000074160000-0x000000007484E000-memory.dmp

memory/2884-60-0x0000000074160000-0x000000007484E000-memory.dmp

memory/2916-62-0x00000000010F0000-0x0000000001174000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gh7pNScCaoTK.bat

MD5 dd93115093517e622eee4fec09ca7c10
SHA1 c4afedf32ad15ea108909807be2880b005a16cb7
SHA256 e0a0a7faac8fae5ffe6d36b13d8d3990d56c096d89c86cf9ed011db09d867f66
SHA512 65d9d0e7c475c580510eff961d8c750edfe4f94ebd080f6a845f1af4996907794db81131ffc4f17d6b367bc5c413c0460f2578764cd1815d23ca62a0f73fc0f8

C:\Users\Admin\AppData\Local\Temp\pSgJ1jhBeY2W.bat

MD5 7f0b7af3831c4954b5aae1b3c9c12dcd
SHA1 abd8425337ffc339de7b20f2ae672e249a9b1345
SHA256 d99203a43249a78c1ffb11e16a372a1c5164743f103a40a8246eafcbe284d676
SHA512 b8656131047858cb824d60f4c1ae58e37f890ba819852e01c78af60ef9f9d39c0941355f04aa8f28b361e74da810435783e0b8b1610a2f0cfe0450b44eeff9de

memory/2876-83-0x00000000003D0000-0x0000000000454000-memory.dmp

\??\PIPE\lsarpc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\y5I9DW9Om25T.bat

MD5 f44ea40a739e38727fed4a34430592ca
SHA1 0f84a92d2f867a1546162348fe283c7091d89024
SHA256 85823dd76668b2f502446a444fdddcce87fdc72dd508f1379138bf794e045e0e
SHA512 f12e3f24cadd03e621ebadb1fd721cdf3f0292ca5f153b8bc37c116b1997a139b24ce2389a5439b7c4ae822aa71d2f122e27cd08db6d5937d62c6120b7d1da06

memory/1316-95-0x0000000000C40000-0x0000000000CC4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Zh7ppqmnrqdk.bat

MD5 1cde5cf1626934cd47304a894bf5bd74
SHA1 26ad37dd27ae42467fdebea0c56aca4794589e4a
SHA256 7898469d7e9172a3c4cde0bcb882a8b389270ec16c93d0965f1097a6e936a76e
SHA512 b08b1353bbf1d4ad6b3996f1bd0648055bc13e2ceda24b49a929a9576e88830631c2016190a4708fb99d5d6fc31f53283a22d87663d8f419e84b8d7bf5990959

memory/2824-106-0x0000000000E70000-0x0000000000EF4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DHek4Plo03mc.bat

MD5 2d14c6d732c590b946585b280d0b57be
SHA1 8bb42488f2b61b2f8c38168eeb457f0c113cc10f
SHA256 a8dde0e8a5728d867c0392be1224a935ec06da66a6fcaabd978b701184ed59df
SHA512 ff8554389a3fb58221e38e4b85da7e3484f22495942d14196c7cae1af7f4083f5be4401fc7a0cfe6b0566d1f27f7bcb500332138795718ede7d2fbbcfb62f534

memory/2120-117-0x00000000003F0000-0x0000000000474000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\UdRMe9ZrB2Vp.bat

MD5 4f8265fab345ebfde73a4a351af01b7e
SHA1 9b4fd88046e0bb4984c1e3bee650e627c2a53751
SHA256 a09b61a7fe62ca046eb76a43553e961c1f82a623c095918ad01189134f37f381
SHA512 9be14002d7ab1f04e8f39b937af6bbf5082f04b054f7c71a932af1afa8f5db59fce731c81192c57861c36e3efb5fe0b36e1d125a23a8f084820ff45504b0f86e

memory/2676-129-0x0000000000B30000-0x0000000000BB4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\61tGG4scxXXw.bat

MD5 7e661f7f7dfee426d136cbb4b833c493
SHA1 44443230d62d2de482e3e8ba0f243258e417fd62
SHA256 393b5e1903812fe956e10710899e8da3c6e81766d74b6c36804289630f9a5e5e
SHA512 9b8be92ec3fa41375da5ea7587a0a036719b3c9ba7095307be630278da4b6b7aee8707f35af5d952731f531b5cdd4e4d0d9600f00fcf58c98c878f53c7b01dde

memory/2176-140-0x0000000000B70000-0x0000000000BF4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TwESmSXPbzrY.bat

MD5 6153bb69a4dce7aaf9365dd67f879505
SHA1 37cdf3dd41e25e32e7c145d770acc40490a494b4
SHA256 87198de0b168434955d967b6e323fc52ff16925b0a73a0351372f65c775ce0f0
SHA512 c3bea1c494934eaeff49d757f3849696e76fae87ce7d8d7dc06a2ee88fd5fe8240cc6eaeccdc82552c8c614d0cf24fe280777c7dfe59bdba067f063072606703

memory/1696-151-0x0000000000FE0000-0x0000000001064000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kvTPAcwTKtyw.bat

MD5 c5824769269e9a4c5ee48d89c390e9f9
SHA1 f29a1af25931275ce3248bffe45e787690c1e736
SHA256 b0acccfb392e1557d259645283ba34d2d608fc32201cd9038acdaf4efde1cdc7
SHA512 59126779e11ff268600ec1ced8add72ba70f2bb5bf8928243fa4fa481a8aebd8e42b881d37ec1750d2f5bf95d26491b748eacdb561385a9ba5063f99b4689d46

C:\Users\Admin\AppData\Local\Temp\tf8QbwVYFcT2.bat

MD5 73320d94a5c5578edb02968536dabb1c
SHA1 9b9be2555bd2fe73d44e7d4d26007ece8afcb35b
SHA256 0c55e49e9213c52fee6105ada0a536f58a610bb3b6ef7e41192a57ddc86dd0e5
SHA512 14f61110c02c50bff9d429fb335f63a809486260043908d5d9162188ac573a80df066ce82d4540debc8150491108f9ba8fb4c64eb42047b4d10e62631fd4ee9f

memory/560-172-0x0000000000360000-0x00000000003E4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MpeBGhraJTmr.bat

MD5 d796f3dfd3466e2a82a5b8d10aa28df0
SHA1 90ddf7bffb90a2569244155f5db53847a7b97468
SHA256 9f8dae2ac07f68cd9cf597b9d10aff0383e5d220dba1877c7ab8e1991b1bb9b6
SHA512 1031a9e757869b70380566d6720a46a12f4255023b509297fa7c93e611d213d0f15266ca986b77508cc6cc52e389252b7390baefc59796a78cd5d0f2500a349e

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-01 14:53

Reported

2024-09-01 14:56

Platform

win10v2004-20240802-en

Max time kernel

143s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\chrome\chrome.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\S^X.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\S^X.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4760 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe C:\Users\Admin\AppData\Roaming\chrome.exe
PID 4760 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe C:\Users\Admin\AppData\Local\Temp\S^X.exe
PID 4776 wrote to memory of 800 N/A C:\Users\Admin\AppData\Roaming\chrome.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4776 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Roaming\chrome.exe C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 3584 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\SYSTEM32\schtasks.exe
PID 3584 wrote to memory of 456 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\cmd.exe
PID 456 wrote to memory of 4896 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 456 wrote to memory of 4320 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 456 wrote to memory of 3652 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 3652 wrote to memory of 3324 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\SYSTEM32\schtasks.exe
PID 3652 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\cmd.exe
PID 5056 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\SYSTEM32\schtasks.exe
PID 5056 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\cmd.exe
PID 3132 wrote to memory of 1980 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3132 wrote to memory of 2184 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 3132 wrote to memory of 2716 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 2716 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2716 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\cmd.exe
PID 2828 wrote to memory of 2004 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2828 wrote to memory of 4868 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2828 wrote to memory of 5008 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 5008 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\SYSTEM32\schtasks.exe
PID 5008 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\cmd.exe
PID 3916 wrote to memory of 4760 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3916 wrote to memory of 3864 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 3916 wrote to memory of 688 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 688 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\SYSTEM32\schtasks.exe
PID 688 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\cmd.exe
PID 5088 wrote to memory of 4172 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 5088 wrote to memory of 4680 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 5088 wrote to memory of 3676 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 3676 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\SYSTEM32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe

"C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe"

C:\Users\Admin\AppData\Roaming\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome.exe"

C:\Users\Admin\AppData\Local\Temp\S^X.exe

"C:\Users\Admin\AppData\Local\Temp\S^X.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fpC0LdY6mgWo.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IbXEWFKNjw37.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\00xG9REBODar.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PL6003Sm5y2G.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rPolwkhv6FgM.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iBSTGk807IDj.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CNwvaqImn10X.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bTMdxgLaWR1T.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7Ux3YFU8QKCN.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3cZyl6r5sF2M.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cExtpCHQnfzd.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GSEAhOv56Fv6.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\J2O3L3EfBncD.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XppgxuG2k82h.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 synapse.to udp
US 172.67.200.89:443 synapse.to tcp
US 8.8.8.8:53 89.200.67.172.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 live.nodenet.ml udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 168.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

memory/4760-0-0x00000000749BE000-0x00000000749BF000-memory.dmp

memory/4760-1-0x0000000000700000-0x0000000000D14000-memory.dmp

memory/4760-2-0x00000000056B0000-0x0000000005CC2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\45b8c97f-5cf8-49f5-b76c-0fc91adff9fb\AgileDotNetRT.dll

MD5 2d86c4ad18524003d56c1cb27c549ba8
SHA1 123007f9337364e044b87deacf6793c2027c8f47
SHA256 091ab8a1acdab40c544bd1e5c91a96881acc318cac4df5235e1b5673f5489280
SHA512 0dd5204733b3c20932aeea2cebf0ca1eeca70e4b3b3b8932d78d952a8f762f0b96ebdbdaf217e95889c02ec6a39b8f9919fd4c0cba56bb629256e71fa61faa3c

memory/4760-10-0x00000000749B0000-0x0000000075160000-memory.dmp

memory/4760-11-0x0000000071A90000-0x0000000072098000-memory.dmp

memory/4760-13-0x00000000749B0000-0x0000000075160000-memory.dmp

memory/4760-12-0x0000000071A90000-0x0000000072098000-memory.dmp

memory/4760-14-0x0000000071A90000-0x0000000072098000-memory.dmp

memory/4760-15-0x00000000733C0000-0x0000000073449000-memory.dmp

memory/4760-16-0x00000000056B0000-0x0000000005CBC000-memory.dmp

memory/4760-19-0x00000000056B0000-0x0000000005CBC000-memory.dmp

memory/4760-18-0x00000000056B0000-0x0000000005CBC000-memory.dmp

memory/4760-22-0x00000000056B0000-0x0000000005CBC000-memory.dmp

memory/4760-23-0x00000000056B0000-0x0000000005CBC000-memory.dmp

memory/4760-24-0x0000000005CC0000-0x0000000005D72000-memory.dmp

memory/4760-25-0x0000000005D70000-0x0000000005D78000-memory.dmp

C:\Users\Admin\AppData\Roaming\chrome.exe

MD5 92479f1615fd4fa1dd3ac7f2e6a1b329
SHA1 0a6063d27c9f991be2053b113fcef25e071c57fd
SHA256 0c4917cc756e769e94ab97d626bef49713dab833525ba2e5d75fc9aea4c72569
SHA512 9f117c74c04749e6d0142e1cf952a8c59428f649413750921fc7aea35a3ccb62d9975ef954e61ce323d6234e0e9c7b8816f2ca9270552b726f9233219750847c

memory/4776-45-0x00007FFFAB983000-0x00007FFFAB985000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\S^X.exe

MD5 e2437ac017506bbde9a81fb1f618457b
SHA1 adef2615312b31e041ccf700b3982dd50b686c7f
SHA256 94594fa46d0bd28c02365f0a32ec3a662b25df95f3f3e8e2a952c18a23895b12
SHA512 9169f8be39b8fede38f7fce5a2e64d42630857e0ebd37f921c68ccf0bf0a8816f1682ba4659d22ad43413d99de62a59b2494494701404b44aa41c4d6bdc1e019

memory/4776-51-0x0000000000E70000-0x0000000000EF4000-memory.dmp

memory/1040-50-0x00000000749BE000-0x00000000749BF000-memory.dmp

memory/4776-53-0x00000000015B0000-0x00000000015C0000-memory.dmp

memory/4760-54-0x0000000071A90000-0x0000000072098000-memory.dmp

memory/4760-55-0x00000000749B0000-0x0000000075160000-memory.dmp

memory/1040-56-0x0000000000150000-0x000000000021C000-memory.dmp

memory/1040-57-0x0000000005140000-0x00000000056E4000-memory.dmp

memory/1040-58-0x0000000004B90000-0x0000000004C22000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\chrome.exe.log

MD5 baf55b95da4a601229647f25dad12878
SHA1 abc16954ebfd213733c4493fc1910164d825cac8
SHA256 ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA512 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

memory/3584-65-0x000000001B700000-0x000000001B750000-memory.dmp

memory/3584-66-0x000000001B810000-0x000000001B8C2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fpC0LdY6mgWo.bat

MD5 305a9e341390915a6f8138d5509d2191
SHA1 c33aa939233430628a2749d68a9c5541c35fd6d5
SHA256 f1fa859468715d8408698add0751619992c44adb57343fdb0d7000e51ab7be10
SHA512 ad405b56a5c76d6706b80e2160096c166efae1b266f26bfc826c7005fa7e4549c82958183c88d72349c9414eb1278aabce164bb5f752e1f67011bc7601c366e6

C:\Users\Admin\AppData\Local\Temp\00xG9REBODar.bat

MD5 90c70c13a4055ed19f7998c74abae898
SHA1 83768f7a87b878e24ec0c2ec9f9dd4797db2057e
SHA256 d89efd9f39d63b1a1b3951cdb070db5d7985af7ba9a12aedfda62af01f9fd49b
SHA512 b53f9b1f66a5a1d2ef058170f85bc8d6ca88082faeeeff49e0ba68fb022464a80ec516c61436610832168f7310cfe372d7a21a4c2a62bcdff5d9ae8af11c0b16

C:\Users\Admin\AppData\Local\Temp\PL6003Sm5y2G.bat

MD5 737fbb853b4df9db7abc08d207cc075b
SHA1 9d8729e38cf913efa19c9693c6d0aa6e3d10d156
SHA256 624a355097cfee4ab894eaddfc50f4baf098313099ce903cebef5648c954ed4a
SHA512 984a9ff289ae067cecc717f7ec1dd847f05aebf074ffa616618ccc70ee3e3893b639f0ffa6e23607cd42eadeef614d83bbc5e8d418d00485cfa68208d529a9e3

C:\Users\Admin\AppData\Local\Temp\rPolwkhv6FgM.bat

MD5 71094bcd9a30a4068d284a58aaf83476
SHA1 5ce042fecf072a45695fe1269c62e0b4c1c176dd
SHA256 f483dbfa869baf18aec09fdbd08a9e7a4406d11052634a9cd7b4092ad7f808da
SHA512 0772d7c6c0c247b992233ed46afec7a233de4f1199792c7d98bbd015c4933ce1b527ba1b05fe406c715f7e151639e6126e1d01b20e64d30a507bff5c6f795259

C:\Users\Admin\AppData\Local\Temp\iBSTGk807IDj.bat

MD5 3bff2ed1b336328ab8a2603ac8f8b75e
SHA1 9439d2fc1d27d8206e74edbb92fc008a1399bcd1
SHA256 98066f34f7732100ada82be43140b59eac0865d007a8dbcff7b13bb5d3267263
SHA512 9af617aa55e5b7a0da105c6450e7c037a3fa101c0fdbac045266458cda93d9a2ee520291a31eb19ff0e93f2c7e46993ec96ca2dbb979bb7be4b81fdbc65dddd8

C:\Users\Admin\AppData\Local\Temp\CNwvaqImn10X.bat

MD5 fcc9947eff6e30c6c33822fa213d7ae7
SHA1 e3782ea8aab2dfa96c6637f41ba1deac8c8d874f
SHA256 5ab613e93d430b86a164551919c278f584242d2fcba8a291ea148880b21e65e9
SHA512 cc661d35f8097ff7a8951cf964ba40df7d1456cf013e48b3cca7b3fcfabc8a8a9c60c4dca1ed8496c80e10a84386389fcfb52e084891c0e14a27449a1116e09d

C:\Users\Admin\AppData\Local\Temp\bTMdxgLaWR1T.bat

MD5 373acc7fcf71ccf4024430237ac12bc0
SHA1 4d70a8df6f522943096d445385c3ec4b25d4878c
SHA256 39567ddce2cd048e52527795c9772769228f9b18c41171bd4079cb44b2149a2c
SHA512 9b1b51ec7cdd7207410f8f4fdbd5da68fdc531c84bd9bb47eb876d0c35d371d36acbe73dad6fcaf9a3773f609caf30279a67341a587ae29951bd8b406c2bf59a

C:\Users\Admin\AppData\Local\Temp\7Ux3YFU8QKCN.bat

MD5 0d6ea086cc6d41cc779c87dfe734fb2e
SHA1 94e7fd94d6e037f1b2c792b3682d73fe0e1455ed
SHA256 0cdfb2d390135dc804d230976e9f25e878393601ea730b8bd33cb2e1cac3d884
SHA512 80ea8815e1a58588889e01031fc59a8573e5f53597ef3a0816fb5a4ee97f8b624f62a5b6c693b52971d1a6f3dd0de8b71d98b62608817fe637a9209799392fa8

C:\Users\Admin\AppData\Local\Temp\3cZyl6r5sF2M.bat

MD5 f339dde678bfc0652a652b09bebf0715
SHA1 b3d332a7242a36b3e1fb2ff695612cd885556cf1
SHA256 9d8ddc11fa3d0c3ae0b3eed6dbeaf64fbf4e26c994925f0a45ef96e7268e7702
SHA512 dd2b2db4983143fdb5c47688fe80ffde5ea589ece71dcbe64bb83e36166e925f5ad3cfdf9cf1a240467f7a9e6201b97a0ba6362265588293e757474538bd3e81

C:\Users\Admin\AppData\Local\Temp\cExtpCHQnfzd.bat

MD5 7f003baeefa26978df6384379931659e
SHA1 207095150d4047f1c16f807e231415c6e60fdb7d
SHA256 ac3a03ac298e09db7d6a5311dd6edb5f722f92fe4ec63316b6c6ffe5bdb3d847
SHA512 406811b0873f47b2153e77b2bfb5fd6f5cf21f230c24b7374fdefa998b41d3744817ded54e00ba855e86a675628ca55e7591f25a720b7cf01dad5fd6e52f3dbd

C:\Users\Admin\AppData\Local\Temp\GSEAhOv56Fv6.bat

MD5 41aaf6c15cf844bbccdf71859eda3f3b
SHA1 42a2c757f794139ae7bcf56bf290627d13f8b693
SHA256 d43caf2a91e41c0eeec74f8ae5d09195ac02b5c192ef4dd6ee44ed43ef911f05
SHA512 ffbd6f7f55fe7407551d3120fefed8d407105e35b4ecd473fa13439dcd8eda1519e38d53d87dfdd76feb1259391972038f45cf3158f4c775b8133c485f8f27fe

C:\Users\Admin\AppData\Local\Temp\J2O3L3EfBncD.bat

MD5 3a120ab38e35c5d469715d32a1b1e88d
SHA1 e3935686f63c41ab77ef7d3e16e8d9b38af73d82
SHA256 b7abd7e305a0e85b47b880ab6fde300e711d8c694e428518fb2abb14b62fa234
SHA512 deea585788243b2fd8bc6d3be33ffe7167b06fc5be3d78aadc1c253b5f0d8349038f1e40a72e4a18479c64f1d696bd86d11087a92fd0b467d357f04e2dcb0f1e

C:\Users\Admin\AppData\Local\Temp\XppgxuG2k82h.bat

MD5 489f7eab1d48634e065e8ad7ae39b0ff
SHA1 61a5de291fa46f0d09244907ecad71655832bff1
SHA256 796553676de4ac0a8c223f9824fb4d9d88ab94337acc694c3f7893a5b676bc6a
SHA512 17e15bbf347c0bb81d49a7feaa9c8fd69c62766a081e4f0983105a8f0030da342b25787964bb0ac77a11e89eea6433ca3a6a27b8329674374bf24b750cde729e