Malware Analysis Report

2024-11-15 08:37

Sample ID: 240901-sajstsvapa
Target: 03778d811f241e83ccad830372313b3c.zip
SHA256: 75a58e896b1e5f70dceb2bc8e189ec19f600cb2df28196af4ba05711bea7ce3f
Tags: quasar chrome agilenet discovery evasion spyware themida trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 75a58e896b1e5f70dceb2bc8e189ec19f600cb2df28196af4ba05711bea7ce3f

Threat Level: Known bad

The file 03778d811f241e83ccad830372313b3c.zip was found to be: Known bad.

Malicious Activity Summary

quasar chrome agilenet discovery evasion spyware themida trojan

Quasar RAT

Quasar payload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Executes dropped EXE

Checks BIOS information in registry

Loads dropped DLL

Checks computer location settings

Obfuscated with Agile.Net obfuscator

Themida packer

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

System Network Configuration Discovery: Internet Connection Discovery

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Runs ping.exe

Suspicious use of SetWindowsHookEx

Scheduled Task/Job: Scheduled Task

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-09-01 14:55

Signatures

Obfuscated with Agile.Net obfuscator

agilenet
| Description | Indicator | Process | Target | Count |
|---|---|---|---|---|
| N/A | N/A | N/A | N/A | 1 |

Unsigned PE

| Description | Indicator | Process | Target | Count |
|---|---|---|---|---|
| N/A | N/A | N/A | N/A | 1 |

Analysis: behavioral2

Detonation Overview

Submitted: 2024-09-01 14:55
Reported: 2024-09-01 14:58
Platform: win10v2004-20240802-en
Max time kernel: 149s
Max time network: 157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

| Description | Indicator | Process | Target | Count |
|---|---|---|---|---|
| N/A | N/A | N/A | N/A | 2 |

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
| Description | Indicator | Process | Target | Count |
|---|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A | 1 |

Checks BIOS information in registry

| Description | Indicator | Process | Target | Count |
|---|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A | 1 |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A | 1 |

Checks computer location settings

| Description | Indicator | Process | Target | Count |
|---|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A | 15 |
| Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A | 1 |

Obfuscated with Agile.Net obfuscator

agilenet
| Description | Indicator | Process | Target | Count |
|---|---|---|---|---|
| N/A | N/A | N/A | N/A | 7 |

Themida packer

themida
| Description | Indicator | Process | Target | Count |
|---|---|---|---|---|
| N/A | N/A | N/A | N/A | 5 |

Checks whether UAC is enabled

evasion trojan
| Description | Indicator | Process | Target | Count |
|---|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A | 1 |

Suspicious use of NtSetInformationThreadHideFromDebugger

| Description | Indicator | Process | Target | Count |
|---|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A | 1 |

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
| Description | Indicator | Process | Target | Count |
|---|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\S^X.exe | N/A | 1 |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A | 1 |

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target | Count |
|---|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\chrome.exe | N/A | 1 |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A | 15 |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\S^X.exe | N/A | 1 |

Suspicious use of SetWindowsHookEx

| Description | Indicator | Process | Target | Count |
|---|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A | 1 |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target | Count |
|---|---|---|---|---|
| PID 4640 wrote to memory of 3800 | N/A | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | C:\Users\Admin\AppData\Roaming\chrome.exe | 2 |
| PID 4640 wrote to memory of 3916 | N/A | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | C:\Users\Admin\AppData\Local\Temp\S^X.exe | 3 |
| PID 3800 wrote to memory of 860 | N/A | C:\Users\Admin\AppData\Roaming\chrome.exe | C:\Windows\SYSTEM32\schtasks.exe | 2 |
| PID 3800 wrote to memory of 1788 | N/A | C:\Users\Admin\AppData\Roaming\chrome.exe | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | 2 |
| PID 1788 wrote to memory of 2036 | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | C:\Windows\SYSTEM32\schtasks.exe | 2 |
| PID 1788 wrote to memory of 5052 | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | C:\Windows\system32\cmd.exe | 2 |
| PID 5052 wrote to memory of 1244 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com | 2 |
| PID 5052 wrote to memory of 2148 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE | 2 |
| PID 5052 wrote to memory of 4756 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | 2 |
| PID 4756 wrote to memory of 4708 | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | C:\Windows\SYSTEM32\schtasks.exe | 2 |
| PID 4756 wrote to memory of 4392 | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | C:\Windows\system32\cmd.exe | 2 |
| PID 4392 wrote to memory of 3180 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com | 2 |
| PID 4392 wrote to memory of 3700 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE | 2 |
| PID 4392 wrote to memory of 1544 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | 2 |
| PID 1544 wrote to memory of 228 | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | C:\Windows\SYSTEM32\schtasks.exe | 2 |
| PID 1544 wrote to memory of 728 | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | C:\Windows\system32\cmd.exe | 2 |
| PID 728 wrote to memory of 2816 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com | 2 |
| PID 728 wrote to memory of 956 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE | 2 |
| PID 728 wrote to memory of 3100 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | 2 |
| PID 3100 wrote to memory of 4724 | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | C:\Windows\SYSTEM32\schtasks.exe | 2 |
| PID 3100 wrote to memory of 1996 | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | C:\Windows\system32\cmd.exe | 2 |
| PID 1996 wrote to memory of 2644 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com | 2 |
| PID 1996 wrote to memory of 1276 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE | 2 |
| PID 1996 wrote to memory of 3772 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | 2 |
| PID 3772 wrote to memory of 636 | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | C:\Windows\SYSTEM32\schtasks.exe | 2 |
| PID 3772 wrote to memory of 2148 | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | C:\Windows\system32\cmd.exe | 2 |
| PID 2148 wrote to memory of 4384 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com | 2 |
| PID 2148 wrote to memory of 1464 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE | 2 |
| PID 2148 wrote to memory of 988 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | 2 |
| PID 988 wrote to memory of 4532 | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | C:\Windows\SYSTEM32\schtasks.exe | 2 |
| PID 988 wrote to memory of 2608 | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | C:\Windows\system32\cmd.exe | 2 |
| PID 2608 wrote to memory of 1540 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com | 1 |

Uses Task Scheduler COM API

persistence

Processes

| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | "C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe" |
| C:\Users\Admin\AppData\Roaming\chrome.exe | "C:\Users\Admin\AppData\Roaming\chrome.exe" |
| C:\Users\Admin\AppData\Local\Temp\S^X.exe | "C:\Users\Admin\AppData\Local\Temp\S^X.exe" |
| C:\Windows\SYSTEM32\schtasks.exe | "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome.exe" /rl HIGHEST /f |
| C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" |
| C:\Windows\SYSTEM32\schtasks.exe | "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xBLmw1hQvozl.bat" " |
| C:\Windows\system32\chcp.com | chcp 65001 |
| C:\Windows\system32\PING.EXE | ping -n 10 localhost |
| C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" |
| C:\Windows\SYSTEM32\schtasks.exe | "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\biGXRFR6MXQS.bat" " |
| C:\Windows\system32\chcp.com | chcp 65001 |
| C:\Windows\system32\PING.EXE | ping -n 10 localhost |
| C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" |
| C:\Windows\SYSTEM32\schtasks.exe | "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\h8DjqxB2HOKi.bat" " |
| C:\Windows\system32\chcp.com | chcp 65001 |
| C:\Windows\system32\PING.EXE | ping -n 10 localhost |
| C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" |
| C:\Windows\SYSTEM32\schtasks.exe | "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\avhp4H7HLRfA.bat" " |
| C:\Windows\system32\chcp.com | chcp 65001 |
| C:\Windows\system32\PING.EXE | ping -n 10 localhost |
| C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" |
| C:\Windows\SYSTEM32\schtasks.exe | "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CFgWuVug1NHL.bat" " |
| C:\Windows\system32\chcp.com | chcp 65001 |
| C:\Windows\system32\PING.EXE | ping -n 10 localhost |
| C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" |
| C:\Windows\SYSTEM32\schtasks.exe | "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\e5pINGIqQjZL.bat" " |
| C:\Windows\system32\chcp.com | chcp 65001 |
| C:\Windows\system32\PING.EXE | ping -n 10 localhost |
| C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" |
| C:\Windows\SYSTEM32\schtasks.exe | "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZM301tlsBqj8.bat" " |
| C:\Windows\system32\chcp.com | chcp 65001 |
| C:\Windows\system32\PING.EXE | ping -n 10 localhost |
| C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" |
| C:\Windows\SYSTEM32\schtasks.exe | "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vCVnIEh3c97Q.bat" " |
| C:\Windows\system32\chcp.com | chcp 65001 |
| C:\Windows\system32\PING.EXE | ping -n 10 localhost |
| C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" |
| C:\Windows\SYSTEM32\schtasks.exe | "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UTI0z71MlcLR.bat" " |
| C:\Windows\system32\chcp.com | chcp 65001 |
| C:\Windows\system32\PING.EXE | ping -n 10 localhost |
| C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" |
| C:\Windows\SYSTEM32\schtasks.exe | "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VRPwkoA4zMdP.bat" " |
| C:\Windows\system32\chcp.com | chcp 65001 |
| C:\Windows\system32\PING.EXE | ping -n 10 localhost |
| C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" |
| C:\Windows\SYSTEM32\schtasks.exe | "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Xc4Puk4MbBFg.bat" " |
| C:\Windows\system32\chcp.com | chcp 65001 |
| C:\Windows\system32\PING.EXE | ping -n 10 localhost |
| C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" |
| C:\Windows\SYSTEM32\schtasks.exe | "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EjLMrInu0xGj.bat" " |
| C:\Windows\system32\chcp.com | chcp 65001 |
| C:\Windows\system32\PING.EXE | ping -n 10 localhost |
| C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" |
| C:\Windows\SYSTEM32\schtasks.exe | "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6TqJOblx4S91.bat" " |
| C:\Windows\system32\chcp.com | chcp 65001 |
| C:\Windows\system32\PING.EXE | ping -n 10 localhost |
| C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" |
| C:\Windows\SYSTEM32\schtasks.exe | "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IyZ4sHm9tzOH.bat" " |
| C:\Windows\system32\chcp.com | chcp 65001 |
| C:\Windows\system32\PING.EXE | ping -n 10 localhost |
| C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" |
| C:\Windows\SYSTEM32\schtasks.exe | "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7Gfzxcqb0xDB.bat" " |
| C:\Windows\system32\chcp.com | chcp 65001 |
| C:\Windows\system32\PING.EXE | ping -n 10 localhost |

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.nodenet.ml | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | synapse.to | udp |
| US | 172.67.200.89:443 | synapse.to | tcp |
| US | 8.8.8.8:53 | 89.200.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.nodenet.ml | udp |
| US | 8.8.8.8:53 | live.nodenet.ml | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 168.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.nodenet.ml | udp |
| US | 8.8.8.8:53 | live.nodenet.ml | udp |
| US | 8.8.8.8:53 | live.nodenet.ml | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.nodenet.ml | udp |
| US | 8.8.8.8:53 | live.nodenet.ml | udp |
| US | 8.8.8.8:53 | live.nodenet.ml | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.nodenet.ml | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.nodenet.ml | udp |
| US | 8.8.8.8:53 | live.nodenet.ml | udp |
| US | 8.8.8.8:53 | live.nodenet.ml | udp |
| US | 8.8.8.8:53 | live.nodenet.ml | udp |
| US | 8.8.8.8:53 | live.nodenet.ml | udp |

Files

memory/4640-0-0x00000000747CE000-0x00000000747CF000-memory.dmp

memory/4640-1-0x0000000000B20000-0x0000000001134000-memory.dmp

memory/4640-2-0x0000000005A60000-0x0000000006072000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\45b8c97f-5cf8-49f5-b76c-0fc91adff9fb\AgileDotNetRT.dll

MD5 2d86c4ad18524003d56c1cb27c549ba8
SHA1 123007f9337364e044b87deacf6793c2027c8f47
SHA256 091ab8a1acdab40c544bd1e5c91a96881acc318cac4df5235e1b5673f5489280
SHA512 0dd5204733b3c20932aeea2cebf0ca1eeca70e4b3b3b8932d78d952a8f762f0b96ebdbdaf217e95889c02ec6a39b8f9919fd4c0cba56bb629256e71fa61faa3c

memory/4640-10-0x00000000747C0000-0x0000000074F70000-memory.dmp

memory/4640-12-0x00000000718A0000-0x0000000071EA8000-memory.dmp

memory/4640-11-0x00000000718A0000-0x0000000071EA8000-memory.dmp

memory/4640-13-0x00000000747C0000-0x0000000074F70000-memory.dmp

memory/4640-14-0x00000000718A0000-0x0000000071EA8000-memory.dmp

memory/4640-15-0x00000000731D0000-0x0000000073259000-memory.dmp

memory/4640-17-0x0000000005A60000-0x000000000606C000-memory.dmp

memory/4640-19-0x0000000005A60000-0x000000000606C000-memory.dmp

memory/4640-23-0x0000000005A60000-0x000000000606C000-memory.dmp

memory/4640-21-0x0000000005A60000-0x000000000606C000-memory.dmp

memory/4640-16-0x0000000005A60000-0x000000000606C000-memory.dmp

memory/4640-25-0x00000000065B0000-0x00000000065B8000-memory.dmp

memory/4640-24-0x00000000060F0000-0x00000000061A2000-memory.dmp

C:\Users\Admin\AppData\Roaming\chrome.exe

MD5 92479f1615fd4fa1dd3ac7f2e6a1b329
SHA1 0a6063d27c9f991be2053b113fcef25e071c57fd
SHA256 0c4917cc756e769e94ab97d626bef49713dab833525ba2e5d75fc9aea4c72569
SHA512 9f117c74c04749e6d0142e1cf952a8c59428f649413750921fc7aea35a3ccb62d9975ef954e61ce323d6234e0e9c7b8816f2ca9270552b726f9233219750847c

memory/3916-50-0x00000000747CE000-0x00000000747CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\S^X.exe

MD5 e2437ac017506bbde9a81fb1f618457b
SHA1 adef2615312b31e041ccf700b3982dd50b686c7f
SHA256 94594fa46d0bd28c02365f0a32ec3a662b25df95f3f3e8e2a952c18a23895b12
SHA512 9169f8be39b8fede38f7fce5a2e64d42630857e0ebd37f921c68ccf0bf0a8816f1682ba4659d22ad43413d99de62a59b2494494701404b44aa41c4d6bdc1e019

memory/3800-51-0x0000000000B50000-0x0000000000BD4000-memory.dmp

memory/3800-46-0x00007FFA14F63000-0x00007FFA14F65000-memory.dmp

memory/4640-53-0x00000000747C0000-0x0000000074F70000-memory.dmp

memory/4640-52-0x00000000718A0000-0x0000000071EA8000-memory.dmp

memory/3916-54-0x0000000000E50000-0x0000000000F1C000-memory.dmp

memory/3800-55-0x0000000002C30000-0x0000000002C40000-memory.dmp

memory/3916-56-0x0000000005D20000-0x00000000062C4000-memory.dmp

memory/3916-57-0x0000000005810000-0x00000000058A2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\chrome.exe.log

MD5 baf55b95da4a601229647f25dad12878
SHA1 abc16954ebfd213733c4493fc1910164d825cac8
SHA256 ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA512 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

memory/1788-64-0x000000001B2F0000-0x000000001B340000-memory.dmp

memory/1788-65-0x000000001B970000-0x000000001BA22000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xBLmw1hQvozl.bat

MD5 d54a610dd84cbfc6c9a9c69e5e1a1e74
SHA1 c3ecb6603df10c1b3280b9e1b0deafd301354dc1
SHA256 f2a444744f555e2325179308bc119f713ccfaaab1859cd35cbfdefe7db7adfc8
SHA512 b0386be01a2c40cb110441a12dbb2cc1f7dcd2b92b895facbfa93bc40add708011e0a9b971a59ade43b7eb67f1531b46c82ee8b46e23752cb9e6ae4155ee85af

memory/3916-70-0x0000000005760000-0x0000000005770000-memory.dmp

memory/3916-71-0x00000000747CE000-0x00000000747CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\biGXRFR6MXQS.bat

MD5 a9b10fe626ad626edcfeb5963ec73efa
SHA1 41d48163e909e37b385c7c640c931a202458f962
SHA256 7dcbc10209cd6d043775f10bfaea16426b0048732315f30af309567f01431ce3
SHA512 f98179d49131390586eee0da26c8756ac4f97e5d42078e8c3e788aaae72dab82c8212d909ab04f98f365cbfb791b1231445f9f5bb18f1e3b57d7a9feeb6e2cd5

C:\Users\Admin\AppData\Local\Temp\h8DjqxB2HOKi.bat

MD5 0cfb661bfd8a4bfb72afb6ff4d4a3c7c
SHA1 3229fec9ffce918529c2342e25850b305eb76ddd
SHA256 456ec0ba9faf7714a1555d1028d3ca464eee67679c7ad9f9287b127a985718c1
SHA512 b59fbaedae2206bb330c0e54d444727477c2bb2c0a06b191a1aae2ccd5ab48d7ccb2cc189920600ac18e80a856ab5dfdb9bd7c67e1a5cbbefe3f74f21b1cd445

C:\Users\Admin\AppData\Local\Temp\avhp4H7HLRfA.bat

MD5 ef4377f80869b1500902d7bf4dd0d314
SHA1 7ac13e40e4ee2df2b3a81a9d5bdd90312ed038b8
SHA256 4ab34e799e3fce7de8793b07c674845c814251ce85593c80165ff0a2342e7efa
SHA512 d2167adec7b24f10b08b5f8751a079724bc8c330713911e19557581dca3228c1e98dc8e217d0751a69d2cc86fccd18d2abd3f8c22e96b90702d697c1c789e099

C:\Users\Admin\AppData\Local\Temp\CFgWuVug1NHL.bat

MD5 522ffcf6aba6d2742c4111733cdc2bed
SHA1 a63a4229471492d4a77bc61d6ef82d3a63e1aefe
SHA256 a7e2ee4bdbdaa430e6a7603619000568073a52883f2a0d2c21524fef518095f5
SHA512 06d590cf44f054de5f6273a777618ead9c9f7850286bcc4933aa8bc3993ef389d2f776aaeab03069ae4291ab1e9ab605846902a252dad0f8f6993435dfe4fec7

C:\Users\Admin\AppData\Local\Temp\e5pINGIqQjZL.bat

MD5 9128393160f74cff5d12e4230b60d4b8
SHA1 7e1905ae73da0b4bea549080457592858b72dc1e
SHA256 6392ed89dbca8e24e17d6e43c1639c473805f0ef5ccd68778c5796d023723bbf
SHA512 41c471a186e3a06bc066cc60cd9e1da029b45781a4953d437362de2834fa422221dd6eb8bdbbee4d633205b9a88136e6cf3090d27dab75d76105dc362e3beda6

C:\Users\Admin\AppData\Local\Temp\ZM301tlsBqj8.bat

MD5 5be34f90bbbdfb872913b81729713607
SHA1 6d91a51cae83929e21fca2d5b7ef2f566d37e0cc
SHA256 e40a1c44e5872fa8303cf80350fbc032d61843cc3dc7ac9edd605af144c09456
SHA512 51c5b3d84108e9e50f90f1c80c72704da1e0cabf2e576575dfbfbd40ef1c36cd3e49099a58716ed03035429b8a1ca0caaff50626f98c1cdf9033d14acef0f92a

C:\Users\Admin\AppData\Local\Temp\vCVnIEh3c97Q.bat

MD5 07b34a10e8cedcea220a21c75b3722eb
SHA1 7cdddc96ba65add3678330b64bb1564f29a93f44
SHA256 2196fac1ed92c9abba1cf80c65360b35837d98e6db839034765ad9532fd0236b
SHA512 7cff5692fe3651506833ff1ad4934489c8876d84a3835ede8e5ddaae47c50d41d2b06cfe95dabe0efc67e488940d8b5caa897c95e93a60647ce94d8605802f48

C:\Users\Admin\AppData\Local\Temp\UTI0z71MlcLR.bat

MD5 e18e5f4371248fc450742e9a5c715a39
SHA1 4148f19673ef30ca4c69842c04304d2ec20729c0
SHA256 7361f8adf31a455334b1b730dc137dc0a884d852eb71c19f155750548f4cc7b2
SHA512 382fd891348ba9b00e01e424bb8fa67c6d82fbaed24eddb3daea60b5bb86cda1002f16309f346979661d73000907626f7f4b15b3ef08a4501e5f80307aafca10

C:\Users\Admin\AppData\Local\Temp\VRPwkoA4zMdP.bat

MD5 2e678752cd8414ce4ca3f5ef8c9f1983
SHA1 6e098b1b562ab071cbba17f7996e902719ec0db4
SHA256 82c05828f6ecc3a39259c2e73836abb20bf4fb97bf956f41f4bbc9e8d0a8ca64
SHA512 ae4868c2dc9316453a748d09b3c0dabcd3ea425d2746296d63d849bae3f4d39656ff371b8ffa3f47d5ee6f3bb7447b68b32cd5fda15d103e831f39b13328a1c0

C:\Users\Admin\AppData\Local\Temp\Xc4Puk4MbBFg.bat

MD5 26f5081e29fab17420f35f147159f2f4
SHA1 f7ba25855810b73ee95b70fd9a1f14986fa0bc1b
SHA256 24aa3cbb814638fff7ffcd16cdb92785374542cdd3e5866285a2b2cada5f1e4c
SHA512 a515f4e8d6d66949855918c695b336aac6438738efd1be6f750e7781f44ac6234e6f829da0275f2fe07e3f50a7f1dacbc557594f34daff3988ed7d7d7dfb6c22

C:\Users\Admin\AppData\Local\Temp\EjLMrInu0xGj.bat

MD5 d7250fd9a25e838da657b6150e71cca3
SHA1 b25d377eefb008255c31634878b23906c4cc7bac
SHA256 dca569004dd7cfa6b8b575ce99efd61fd1b675bc518affde010fd22517d81219
SHA512 372638d27a3336fb4bb9780694017e0ac7a3681c97415305a1dabfcd106d3e10ac2a5f3ab63342f0562bbed1cbc76948d32763771b8058d25d32b6162cd54f61

C:\Users\Admin\AppData\Local\Temp\6TqJOblx4S91.bat

MD5 50ff3cc7082255750c2c820babd30c68
SHA1 ec4a9038e30ebd00fcee58e8fd28e62d09af3925
SHA256 8b462bcaaebbebffef1472c78a3c79f0dc728da355455a42966892748583c69d
SHA512 cd84b6af279921fc372a89fa8a22c1d2c80b0ff640904ac0e56fef1764eab107cf411c0bbffd4ade0e7fa1330405ca952ecd14c87be390088ef2a0e29844ff5e

C:\Users\Admin\AppData\Local\Temp\IyZ4sHm9tzOH.bat

MD5 e8a676d7b8e62ea19609a12f1e3d8fc9
SHA1 de3515d7c061e87a411db0329c61664f3e2ce9af
SHA256 34ef9dd8c4b59d5456fd55974a9e9ed32e58b103db0196767eeb1aa72b0e0282
SHA512 727398b7df8fd4433c70d36a86425ede3fadf1c7b3d5a17f913fa02337a86f5b0d5c4a6d4abf15035dac89641c624f7b672b1172ca77f8f4c35942e441cbff73

C:\Users\Admin\AppData\Local\Temp\7Gfzxcqb0xDB.bat

MD5 d9abe6eb6f803a17af9b2507a0b8066a
SHA1 236a94dbcf66dc4bff97115aabce649d55626132
SHA256 83a6a2a4ae522efc3911318cc0fe0cdece7f4855eee9459397f999dde061b88c
SHA512 cd8378243f021f7c85bb70f74641e90d573f9ab9854a82b05cb024f5e8d27031089ba774343cfbbdc4fb0d947e71a0777e3118d4dee9aecab446423163b8393c

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-01 14:55

Reported

2024-09-01 14:58

Platform

win7-20240708-en

Max time kernel

142s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\S^X.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\S^X.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2644 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe C:\Users\Admin\AppData\Roaming\chrome.exe
PID 2644 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe C:\Users\Admin\AppData\Roaming\chrome.exe
PID 2644 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe C:\Users\Admin\AppData\Roaming\chrome.exe
PID 2644 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe C:\Users\Admin\AppData\Roaming\chrome.exe
PID 2644 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe C:\Users\Admin\AppData\Local\Temp\S^X.exe
PID 2644 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe C:\Users\Admin\AppData\Local\Temp\S^X.exe
PID 2644 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe C:\Users\Admin\AppData\Local\Temp\S^X.exe
PID 2644 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe C:\Users\Admin\AppData\Local\Temp\S^X.exe
PID 2684 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Roaming\chrome.exe C:\Windows\system32\schtasks.exe
PID 2684 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Roaming\chrome.exe C:\Windows\system32\schtasks.exe
PID 2684 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Roaming\chrome.exe C:\Windows\system32\schtasks.exe
PID 2684 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Roaming\chrome.exe C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 2684 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Roaming\chrome.exe C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 2684 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Roaming\chrome.exe C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 2680 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\schtasks.exe
PID 2680 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\schtasks.exe
PID 2680 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\schtasks.exe
PID 2680 wrote to memory of 556 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\cmd.exe
PID 2680 wrote to memory of 556 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\cmd.exe
PID 2680 wrote to memory of 556 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\cmd.exe
PID 556 wrote to memory of 1160 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 556 wrote to memory of 1160 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 556 wrote to memory of 1160 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 556 wrote to memory of 1824 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 556 wrote to memory of 1824 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 556 wrote to memory of 1824 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 556 wrote to memory of 2940 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 556 wrote to memory of 2940 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 556 wrote to memory of 2940 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 2940 wrote to memory of 768 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\schtasks.exe
PID 2940 wrote to memory of 768 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\schtasks.exe
PID 2940 wrote to memory of 768 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\schtasks.exe
PID 2940 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\cmd.exe
PID 2940 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\cmd.exe
PID 2940 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\cmd.exe
PID 1092 wrote to memory of 2312 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1092 wrote to memory of 2312 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1092 wrote to memory of 2312 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1092 wrote to memory of 2424 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 1092 wrote to memory of 2424 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 1092 wrote to memory of 2424 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 1092 wrote to memory of 2096 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 1092 wrote to memory of 2096 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 1092 wrote to memory of 2096 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 2096 wrote to memory of 752 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\schtasks.exe
PID 2096 wrote to memory of 752 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\schtasks.exe
PID 2096 wrote to memory of 752 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\schtasks.exe
PID 2096 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\cmd.exe
PID 2096 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\cmd.exe
PID 2096 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\cmd.exe
PID 2504 wrote to memory of 892 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2504 wrote to memory of 892 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2504 wrote to memory of 892 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2504 wrote to memory of 872 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2504 wrote to memory of 872 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2504 wrote to memory of 872 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2504 wrote to memory of 1784 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 2504 wrote to memory of 1784 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 2504 wrote to memory of 1784 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 1784 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\schtasks.exe
PID 1784 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\schtasks.exe
PID 1784 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\schtasks.exe
PID 1784 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\cmd.exe
PID 1784 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\cmd.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe

"C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe"

C:\Users\Admin\AppData\Roaming\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome.exe"

C:\Users\Admin\AppData\Local\Temp\S^X.exe

"C:\Users\Admin\AppData\Local\Temp\S^X.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\e9oKJ2zBGeu3.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\2VOKWRR3fdvx.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BnI06RqNvZpP.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zaBfDuKGOWZ3.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\Fd1RQsqva95F.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\5DfporpZMB3J.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\o4CnitZ1i5DM.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\C63S5h9WZFZ3.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EaHnt8sNMUC9.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sok6wQ1EBFVi.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\47ZfCqBms3T5.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IpxqiXMjAxp1.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

Network

Country Destination Domain Proto
US 8.8.8.8:53 live.nodenet.ml udp
US 8.8.8.8:53 synapse.to udp
US 104.21.21.210:443 synapse.to tcp

Files

memory/2644-0-0x0000000074C5E000-0x0000000074C5F000-memory.dmp

memory/2644-1-0x0000000000F80000-0x0000000001594000-memory.dmp

memory/2644-2-0x00000000052B0000-0x00000000058C2000-memory.dmp

memory/2644-6-0x0000000074C50000-0x000000007533E000-memory.dmp

memory/2644-10-0x00000000743F0000-0x00000000749F8000-memory.dmp

\Users\Admin\AppData\Local\Temp\45b8c97f-5cf8-49f5-b76c-0fc91adff9fb\AgileDotNetRT.dll

MD5 2d86c4ad18524003d56c1cb27c549ba8
SHA1 123007f9337364e044b87deacf6793c2027c8f47
SHA256 091ab8a1acdab40c544bd1e5c91a96881acc318cac4df5235e1b5673f5489280
SHA512 0dd5204733b3c20932aeea2cebf0ca1eeca70e4b3b3b8932d78d952a8f762f0b96ebdbdaf217e95889c02ec6a39b8f9919fd4c0cba56bb629256e71fa61faa3c

memory/2644-11-0x00000000743F0000-0x00000000749F8000-memory.dmp

memory/2644-13-0x0000000074C50000-0x000000007533E000-memory.dmp

memory/2644-12-0x00000000743F0000-0x00000000749F8000-memory.dmp

memory/2644-15-0x00000000052B0000-0x00000000058BC000-memory.dmp

memory/2644-18-0x00000000052B0000-0x00000000058BC000-memory.dmp

memory/2644-20-0x00000000052B0000-0x00000000058BC000-memory.dmp

memory/2644-16-0x00000000052B0000-0x00000000058BC000-memory.dmp

memory/2644-14-0x0000000074A50000-0x0000000074AD0000-memory.dmp

memory/2644-22-0x00000000052B0000-0x00000000058BC000-memory.dmp

memory/2644-23-0x0000000005C00000-0x0000000005CB2000-memory.dmp

memory/2644-24-0x00000000004D0000-0x00000000004D8000-memory.dmp

\Users\Admin\AppData\Roaming\chrome.exe

MD5 92479f1615fd4fa1dd3ac7f2e6a1b329
SHA1 0a6063d27c9f991be2053b113fcef25e071c57fd
SHA256 0c4917cc756e769e94ab97d626bef49713dab833525ba2e5d75fc9aea4c72569
SHA512 9f117c74c04749e6d0142e1cf952a8c59428f649413750921fc7aea35a3ccb62d9975ef954e61ce323d6234e0e9c7b8816f2ca9270552b726f9233219750847c

C:\Users\Admin\AppData\Local\Temp\S^X.exe

MD5 e2437ac017506bbde9a81fb1f618457b
SHA1 adef2615312b31e041ccf700b3982dd50b686c7f
SHA256 94594fa46d0bd28c02365f0a32ec3a662b25df95f3f3e8e2a952c18a23895b12
SHA512 9169f8be39b8fede38f7fce5a2e64d42630857e0ebd37f921c68ccf0bf0a8816f1682ba4659d22ad43413d99de62a59b2494494701404b44aa41c4d6bdc1e019

memory/2836-38-0x0000000074C50000-0x000000007533E000-memory.dmp

memory/2836-39-0x0000000001380000-0x000000000144C000-memory.dmp

memory/2644-41-0x00000000743F0000-0x00000000749F8000-memory.dmp

memory/2684-43-0x0000000000C40000-0x0000000000CC4000-memory.dmp

memory/2644-42-0x0000000074C50000-0x000000007533E000-memory.dmp

memory/2680-48-0x0000000000170000-0x00000000001F4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e9oKJ2zBGeu3.bat

MD5 397ecf23756b46b4f2ff9a6cb220318d
SHA1 d4b6da2da4e693dc6857770d98c234c47176b808
SHA256 566b7a5bb64e071060adf750dce0d915d5627f7e15114884d9e369d5b9f9c619
SHA512 eb8c91b4ddb86ee51f050c28bfe357ebf0f3a73f374ac205ad9b3ef85e42a6598cc0ba33ff18eedf3d97baec001d9f0e1822174e5a2d5571113a56a28812dde8

memory/2836-58-0x0000000074C50000-0x000000007533E000-memory.dmp

memory/2836-59-0x0000000074C50000-0x000000007533E000-memory.dmp

memory/2940-61-0x0000000000AB0000-0x0000000000B34000-memory.dmp

\??\PIPE\lsarpc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\2VOKWRR3fdvx.bat

MD5 0a093b594b9e1074020e5441e958ea99
SHA1 0afe9ac2057463b47a23f53ecf65c8d147121543
SHA256 8230492b077de6e11914b0bf38d24434efec6914cddbeb1e0a46fb9a51def779
SHA512 5d39f24a07744361435b2087d607538e953e3b7b25e70388153da35175853115f3a9e901e1ce0ec9a6558d2761e898ffeb9356f20042c8b501be82fdd3f9a2e4

memory/2096-73-0x0000000000E00000-0x0000000000E84000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BnI06RqNvZpP.bat

MD5 73cc7a1cb59bfd36571c3fa50c347184
SHA1 bb32cf508e968e12dec78168f822082d542f20ad
SHA256 4c70ca62b4a6f73ee2594b890fc23cb32c565f72ea359e034960237f0b2580f0
SHA512 7fafda6611b195a51e016833c9164d211c7250d0606d8b29ca2219b065a4b1582835dae19c08eab60d583a326c35fc1aeef4928d1c4595434180d9449ce53bb9

memory/1784-84-0x0000000000EE0000-0x0000000000F64000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zaBfDuKGOWZ3.bat

MD5 013c6c20fc505da42ead85c0a625d032
SHA1 b964ba61ad2234a1b28e56ea3fab9fbb694a72ce
SHA256 0a559bd7f064772e8a473117ff6169a01366ad82ad2038df478b0c7b41977ec4
SHA512 34e256775a933e36fc19c476de635ac5b86912f9ff6866a8e15b3c906ea898e5306f65888050121c05628a22d775b692121627d84f41400ef65a395546a882a9

memory/1632-96-0x0000000001030000-0x00000000010B4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Fd1RQsqva95F.bat

MD5 8dd980e1619105242c220a0030c5eb19
SHA1 7acb79ee004754259484d3127515519ac5de8227
SHA256 4dbc99d3f18a380eece8fdc0ddce0bd7f7580b0dbcfcc0784edf0806b41e506b
SHA512 b6b944fe6bf86b39beeece6062996c6feea5d2826fecaa08aaebb6b4a57a315e6252f2d586e2951de1ae03570a958258fba048b96d412d343eea3851bb02cb53

C:\Users\Admin\AppData\Local\Temp\5DfporpZMB3J.bat

MD5 0af4e1609872bdcbe2b0fc93ed389eee
SHA1 c1e233d6fb2d049d1e1f4e159962780ba2aa36cd
SHA256 9d0e65eccd0f0e1fb15abf6adfef42e4a5c8f5cf5073818d6c2ff9a9dcc927cf
SHA512 5db4d83c8c24c9baf69ba7f419f9c79cf73d07656d63b6ea08dcaa8b62070efe579883e99d26d712bdc6e5377333b56b674ea848425cf186fda88cfd60d26d81

memory/3068-118-0x00000000000A0000-0x0000000000124000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\o4CnitZ1i5DM.bat

MD5 187764d298935c6a71386420ff86fb4c
SHA1 28b6e6d5319953a068118fddcfc1768f55509ae2
SHA256 afc9a771bbab5fcd30f03e5564dfd62834df1dca463caba051961540b07bf1e8
SHA512 9821386ca90a9539a5464d80c2daf56fde646053b0d2b943c43270a8f8fee74285b8cd2f29e5060c03b1e655f0a9e4f78254de2f33f0d0e98eb85c3736f3ee6f

memory/2896-129-0x0000000001160000-0x00000000011E4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C63S5h9WZFZ3.bat

MD5 3d26bdc8f3a6c236947d5666cf447b5e
SHA1 c4aa7dfe779fe21353d5923c86823a3339c107ac
SHA256 6de9d150db61f29cdd8cc82e98f3f82b079e52b5663127338680b34bbe74631c
SHA512 0e54e3b059d197c945e9b6c098512aa726a8e064fe22d6406b826e75533347527e6976a010c57184a31a2b25674cbe9a4df9ad9dbe36fef5f84f7b832ec56d0c

memory/1668-141-0x0000000000300000-0x0000000000384000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EaHnt8sNMUC9.bat

MD5 57c505dc7f4df47d1180be2140e6938c
SHA1 07a0256b282d2ac62f6a98039e12e495c3fad163
SHA256 e037d3f2968860c371572d744a31d1ff172006c8c6c53e0edcc33eea1a63eb71
SHA512 4142ad869a5bb15f8d7795f68c575c252f2a903e4a47a146e6a16fc2536afda5113898c706a0160b0393433f5a7f420e4af5b464eec667645c9660b6dcdf9947

memory/692-152-0x0000000000240000-0x00000000002C4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sok6wQ1EBFVi.bat

MD5 809ee8106cf6197be02b1be219c6dd50
SHA1 f2705ec6c395725f56672bc7205cb4727bd8dcb5
SHA256 b66f7a8dd30c17826358dab68cb1dd82c1ffdb83234724a720e10a3efd7ee1f5
SHA512 909c819a67bac0104a1d5e55b1cbe673547da35d8b454ece78ed1c0e89757f82ef9ce8d9a55ef27b7892934b828a246f33ddf06db3e902d47c4f80ad212a5490

C:\Users\Admin\AppData\Local\Temp\47ZfCqBms3T5.bat

MD5 acaf1a07091bbcb3f0e2b0ccfe8d40fd
SHA1 687ecd117b990b166840e186cf244455af803acb
SHA256 c4ce5cb470da0dc191d828e1b31fcd1fdc9c0e78bdc2c9a38d5e4eb1af6b9ddb
SHA512 2c2e9dae4b3fafcd41c7102e71d6688150eee26593c91d1ee01cb25a372b758f261e51d60eb3177b2734c35f71223e028a3493d3e5cd8bb97c3a571a39ed9e0d

memory/2332-173-0x0000000000090000-0x0000000000114000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IpxqiXMjAxp1.bat

MD5 9495c5f2e1dd1284600931d0841e6e4f
SHA1 28fc1cf7817300f7e1623c58ee30a6d77116d5c7
SHA256 961af974886e244103a10faa4ac02ce2783948fd75970bb9faa8fb1851a0389f
SHA512 2974108f6f61e4e907a6096e67d5b796b179a1a78655923c122ba0fcf29afcd31f9ad255e6244018b16ed77420ee48824c8ef9b547673372b87de0cc81183efe