Analysis Overview
SHA256
75a58e896b1e5f70dceb2bc8e189ec19f600cb2df28196af4ba05711bea7ce3f
Threat Level: Known bad
The file 03778d811f241e83ccad830372313b3c.zip was found to be: Known bad.
Malicious Activity Summary
Quasar RAT
Quasar payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Executes dropped EXE
Checks BIOS information in registry
Loads dropped DLL
Checks computer location settings
Obfuscated with Agile.Net obfuscator
Themida packer
Checks whether UAC is enabled
Suspicious use of NtSetInformationThreadHideFromDebugger
System Network Configuration Discovery: Internet Connection Discovery
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Runs ping.exe
Suspicious use of SetWindowsHookEx
Scheduled Task/Job: Scheduled Task
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-01 14:55
Signatures
Obfuscated with Agile.Net obfuscator
Unsigned PE
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-01 14:55
Reported
2024-09-01 14:58
Platform
win10v2004-20240802-en
Max time kernel
149s
Max time network
157s
Command Line
Signatures
Quasar RAT
Quasar payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A |
Obfuscated with Agile.Net obfuscator
Themida packer
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\S^X.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
"C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe"
C:\Users\Admin\AppData\Roaming\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome.exe"
C:\Users\Admin\AppData\Local\Temp\S^X.exe
"C:\Users\Admin\AppData\Local\Temp\S^X.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xBLmw1hQvozl.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\biGXRFR6MXQS.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
The same five-process sequence (chrome\chrome.exe, schtasks.exe /create /tn "System" /sc ONLOGON /rl HIGHEST, cmd.exe /c on a dropped batch file, chcp 65001, ping -n 10 localhost) repeats 13 more times, identical apart from the batch file name in C:\Users\Admin\AppData\Local\Temp\: h8DjqxB2HOKi.bat, avhp4H7HLRfA.bat, CFgWuVug1NHL.bat, e5pINGIqQjZL.bat, ZM301tlsBqj8.bat, vCVnIEh3c97Q.bat, UTI0z71MlcLR.bat, VRPwkoA4zMdP.bat, Xc4Puk4MbBFg.bat, EjLMrInu0xGj.bat, 6TqJOblx4S91.bat, IyZ4sHm9tzOH.bat, 7Gfzxcqb0xDB.bat.
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-01 14:55
Reported
2024-09-01 14:58
Platform
win7-20240708-en
Max time kernel
142s
Max time network
142s
Command Line
Signatures
Quasar RAT
Quasar payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\S^X.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Themida packer
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\S^X.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
"C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe"
C:\Users\Admin\AppData\Roaming\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome.exe"
C:\Users\Admin\AppData\Local\Temp\S^X.exe
"C:\Users\Admin\AppData\Local\Temp\S^X.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\e9oKJ2zBGeu3.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\2VOKWRR3fdvx.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\BnI06RqNvZpP.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\zaBfDuKGOWZ3.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\Fd1RQsqva95F.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\5DfporpZMB3J.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\o4CnitZ1i5DM.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\C63S5h9WZFZ3.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\EaHnt8sNMUC9.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sok6wQ1EBFVi.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\47ZfCqBms3T5.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\IpxqiXMjAxp1.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
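The process listing above repeats one cycle: a chrome.exe copy under %APPDATA% registers itself as an ONLOGON scheduled task with /rl HIGHEST, then cmd.exe runs a random-named batch file from %TEMP% that executes chcp 65001 and ping -n 10 localhost (a loopback ping used as a roughly ten-second sleep) before chrome.exe is started again. The following is an added example, not part of the report and not Quasar's own code: a small Python triage script that classifies such command lines into the behaviours shown. The sample list is one cycle copied from the listing; the ATT&CK technique ids, the browser-name list and the directory heuristics are assumptions of this example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: one cycle of the process command lines listed in the report above.
SAMPLE_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe"',
    r'"C:\Users\Admin\AppData\Roaming\chrome.exe"',
    r'"C:\Users\Admin\AppData\Local\Temp\S^X.exe"',
    r'"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome.exe" /rl HIGHEST /f',
    r'"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"',
    r'"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f',
    r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\e9oKJ2zBGeu3.bat" "',
    r"chcp 65001",
    r"ping -n 10 localhost",
]


@dataclass(frozen=True)
class Finding:
    technique: str  # ATT&CK technique id (assumed mapping, see lead-in)
    reason: str
    evidence: str


# First token of a command line, quoted or bare.
IMAGE_RE = re.compile(r'^\s*(?:"([^"]+)"|(\S+))')
# schtasks switches we care about, each followed by a quoted or bare value.
SCHTASKS_ARG_RE = re.compile(r'/(tn|sc|tr|rl)\s+(?:"([^"]*)"|(\S+))', re.I)
# cmd /c "<something>.bat" with the doubled quotes seen in the listing.
BATCH_RE = re.compile(r'\bcmd(?:\.exe)?\s+/c\s+"*([^"]+\.bat)"', re.I)
# ping -n <count> against loopback: a sleep, not network discovery.
PING_SLEEP_RE = re.compile(r'\bping(?:\.exe)?\s+-n\s+(\d+)\s+(?:localhost|127\.0\.0\.1)\b', re.I)
# Assumption: paths in these directories are writable by the logged-on user.
USER_WRITABLE_RE = re.compile(r'\\AppData\\|\\Temp\\|\\Users\\Public\\', re.I)
# Assumption: where a real browser binary is installed.
PROGRAM_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")
BROWSER_NAMES = {"chrome.exe", "msedge.exe", "firefox.exe"}


def image_path(cmdline: str) -> str:
    """Return the executable token of a command line (without surrounding quotes)."""
    m = IMAGE_RE.match(cmdline)
    return (m.group(1) or m.group(2)) if m else ""


def parse_schtasks(cmdline: str) -> Dict[str, str]:
    """Extract /tn, /sc, /tr and /rl from a schtasks command line."""
    return {k.lower(): (q if q else b) for k, q, b in SCHTASKS_ARG_RE.findall(cmdline)}


def analyse(cmdlines: List[str]) -> List[Finding]:
    """Map each command line to the behaviours it evidences."""
    findings: List[Finding] = []
    for cl in cmdlines:
        img = image_path(cl)
        name = img.rsplit("\\", 1)[-1].lower()

        # A browser's file name outside its install directory is masquerading.
        if name in BROWSER_NAMES and not img.lower().startswith(PROGRAM_DIRS):
            findings.append(Finding("T1036.005", "browser binary name outside its install directory", img))

        # Logon task that launches a user-writable binary with the highest run level.
        if name in ("schtasks", "schtasks.exe") and "/create" in cl.lower():
            a = parse_schtasks(cl)
            target = a.get("tr", "")
            if (a.get("sc", "").upper() == "ONLOGON"
                    and a.get("rl", "").upper() == "HIGHEST"
                    and USER_WRITABLE_RE.search(target)):
                findings.append(Finding("T1053.005",
                                        f"logon task '{a.get('tn')}' runs a user-writable binary at highest run level",
                                        target))

        # Batch file executed from a temp directory.
        m = BATCH_RE.search(cl)
        if m and USER_WRITABLE_RE.search(m.group(1)):
            findings.append(Finding("T1059.003", "cmd.exe executes a batch file from a temp directory", m.group(1)))

        # Loopback ping with a high count is a sleep primitive.
        m = PING_SLEEP_RE.search(cl)
        if m and int(m.group(1)) >= 5:
            findings.append(Finding("T1497.003", f"ping to loopback used as a ~{m.group(1)}s sleep", cl.strip()))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per technique id."""
    return dict(Counter(f.technique for f in findings))


if __name__ == "__main__":
    for f in analyse(SAMPLE_CMDLINES):
        print(f"{f.technique}: {f.reason} [{f.evidence}]")
    print(summarize(analyse(SAMPLE_CMDLINES)))
```

On the full listing the same cycle repeats twelve times; the counts scale accordingly, and the only stable pivots are the task name "System", the %APPDATA%\chrome\chrome.exe path and the chcp 65001 / ping -n 10 localhost pair, since the batch file names are random per run.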
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | live.nodenet.ml | udp |
| US | 8.8.8.8:53 | synapse.to | udp |
| US | 104.21.21.210:443 | synapse.to | tcp |
Files
memory/2644-0-0x0000000074C5E000-0x0000000074C5F000-memory.dmp
memory/2644-1-0x0000000000F80000-0x0000000001594000-memory.dmp
memory/2644-2-0x00000000052B0000-0x00000000058C2000-memory.dmp
memory/2644-6-0x0000000074C50000-0x000000007533E000-memory.dmp
memory/2644-10-0x00000000743F0000-0x00000000749F8000-memory.dmp
\Users\Admin\AppData\Local\Temp\45b8c97f-5cf8-49f5-b76c-0fc91adff9fb\AgileDotNetRT.dll
| MD5 | 2d86c4ad18524003d56c1cb27c549ba8 |
| SHA1 | 123007f9337364e044b87deacf6793c2027c8f47 |
| SHA256 | 091ab8a1acdab40c544bd1e5c91a96881acc318cac4df5235e1b5673f5489280 |
| SHA512 | 0dd5204733b3c20932aeea2cebf0ca1eeca70e4b3b3b8932d78d952a8f762f0b96ebdbdaf217e95889c02ec6a39b8f9919fd4c0cba56bb629256e71fa61faa3c |
memory/2644-11-0x00000000743F0000-0x00000000749F8000-memory.dmp
memory/2644-13-0x0000000074C50000-0x000000007533E000-memory.dmp
memory/2644-12-0x00000000743F0000-0x00000000749F8000-memory.dmp
memory/2644-15-0x00000000052B0000-0x00000000058BC000-memory.dmp
memory/2644-18-0x00000000052B0000-0x00000000058BC000-memory.dmp
memory/2644-20-0x00000000052B0000-0x00000000058BC000-memory.dmp
memory/2644-16-0x00000000052B0000-0x00000000058BC000-memory.dmp
memory/2644-14-0x0000000074A50000-0x0000000074AD0000-memory.dmp
memory/2644-22-0x00000000052B0000-0x00000000058BC000-memory.dmp
memory/2644-23-0x0000000005C00000-0x0000000005CB2000-memory.dmp
memory/2644-24-0x00000000004D0000-0x00000000004D8000-memory.dmp
\Users\Admin\AppData\Roaming\chrome.exe
| MD5 | 92479f1615fd4fa1dd3ac7f2e6a1b329 |
| SHA1 | 0a6063d27c9f991be2053b113fcef25e071c57fd |
| SHA256 | 0c4917cc756e769e94ab97d626bef49713dab833525ba2e5d75fc9aea4c72569 |
| SHA512 | 9f117c74c04749e6d0142e1cf952a8c59428f649413750921fc7aea35a3ccb62d9975ef954e61ce323d6234e0e9c7b8816f2ca9270552b726f9233219750847c |
C:\Users\Admin\AppData\Local\Temp\S^X.exe
| MD5 | e2437ac017506bbde9a81fb1f618457b |
| SHA1 | adef2615312b31e041ccf700b3982dd50b686c7f |
| SHA256 | 94594fa46d0bd28c02365f0a32ec3a662b25df95f3f3e8e2a952c18a23895b12 |
| SHA512 | 9169f8be39b8fede38f7fce5a2e64d42630857e0ebd37f921c68ccf0bf0a8816f1682ba4659d22ad43413d99de62a59b2494494701404b44aa41c4d6bdc1e019 |
memory/2836-38-0x0000000074C50000-0x000000007533E000-memory.dmp
memory/2836-39-0x0000000001380000-0x000000000144C000-memory.dmp
memory/2644-41-0x00000000743F0000-0x00000000749F8000-memory.dmp
memory/2684-43-0x0000000000C40000-0x0000000000CC4000-memory.dmp
memory/2644-42-0x0000000074C50000-0x000000007533E000-memory.dmp
memory/2680-48-0x0000000000170000-0x00000000001F4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\e9oKJ2zBGeu3.bat
| MD5 | 397ecf23756b46b4f2ff9a6cb220318d |
| SHA1 | d4b6da2da4e693dc6857770d98c234c47176b808 |
| SHA256 | 566b7a5bb64e071060adf750dce0d915d5627f7e15114884d9e369d5b9f9c619 |
| SHA512 | eb8c91b4ddb86ee51f050c28bfe357ebf0f3a73f374ac205ad9b3ef85e42a6598cc0ba33ff18eedf3d97baec001d9f0e1822174e5a2d5571113a56a28812dde8 |
memory/2836-58-0x0000000074C50000-0x000000007533E000-memory.dmp
memory/2836-59-0x0000000074C50000-0x000000007533E000-memory.dmp
memory/2940-61-0x0000000000AB0000-0x0000000000B34000-memory.dmp
\??\PIPE\lsarpc (named pipe, not a dropped file; the four digests below are those of zero-length input)
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\2VOKWRR3fdvx.bat
| MD5 | 0a093b594b9e1074020e5441e958ea99 |
| SHA1 | 0afe9ac2057463b47a23f53ecf65c8d147121543 |
| SHA256 | 8230492b077de6e11914b0bf38d24434efec6914cddbeb1e0a46fb9a51def779 |
| SHA512 | 5d39f24a07744361435b2087d607538e953e3b7b25e70388153da35175853115f3a9e901e1ce0ec9a6558d2761e898ffeb9356f20042c8b501be82fdd3f9a2e4 |
memory/2096-73-0x0000000000E00000-0x0000000000E84000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BnI06RqNvZpP.bat
| MD5 | 73cc7a1cb59bfd36571c3fa50c347184 |
| SHA1 | bb32cf508e968e12dec78168f822082d542f20ad |
| SHA256 | 4c70ca62b4a6f73ee2594b890fc23cb32c565f72ea359e034960237f0b2580f0 |
| SHA512 | 7fafda6611b195a51e016833c9164d211c7250d0606d8b29ca2219b065a4b1582835dae19c08eab60d583a326c35fc1aeef4928d1c4595434180d9449ce53bb9 |
memory/1784-84-0x0000000000EE0000-0x0000000000F64000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zaBfDuKGOWZ3.bat
| MD5 | 013c6c20fc505da42ead85c0a625d032 |
| SHA1 | b964ba61ad2234a1b28e56ea3fab9fbb694a72ce |
| SHA256 | 0a559bd7f064772e8a473117ff6169a01366ad82ad2038df478b0c7b41977ec4 |
| SHA512 | 34e256775a933e36fc19c476de635ac5b86912f9ff6866a8e15b3c906ea898e5306f65888050121c05628a22d775b692121627d84f41400ef65a395546a882a9 |
memory/1632-96-0x0000000001030000-0x00000000010B4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Fd1RQsqva95F.bat
| MD5 | 8dd980e1619105242c220a0030c5eb19 |
| SHA1 | 7acb79ee004754259484d3127515519ac5de8227 |
| SHA256 | 4dbc99d3f18a380eece8fdc0ddce0bd7f7580b0dbcfcc0784edf0806b41e506b |
| SHA512 | b6b944fe6bf86b39beeece6062996c6feea5d2826fecaa08aaebb6b4a57a315e6252f2d586e2951de1ae03570a958258fba048b96d412d343eea3851bb02cb53 |
C:\Users\Admin\AppData\Local\Temp\5DfporpZMB3J.bat
| MD5 | 0af4e1609872bdcbe2b0fc93ed389eee |
| SHA1 | c1e233d6fb2d049d1e1f4e159962780ba2aa36cd |
| SHA256 | 9d0e65eccd0f0e1fb15abf6adfef42e4a5c8f5cf5073818d6c2ff9a9dcc927cf |
| SHA512 | 5db4d83c8c24c9baf69ba7f419f9c79cf73d07656d63b6ea08dcaa8b62070efe579883e99d26d712bdc6e5377333b56b674ea848425cf186fda88cfd60d26d81 |
memory/3068-118-0x00000000000A0000-0x0000000000124000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\o4CnitZ1i5DM.bat
| MD5 | 187764d298935c6a71386420ff86fb4c |
| SHA1 | 28b6e6d5319953a068118fddcfc1768f55509ae2 |
| SHA256 | afc9a771bbab5fcd30f03e5564dfd62834df1dca463caba051961540b07bf1e8 |
| SHA512 | 9821386ca90a9539a5464d80c2daf56fde646053b0d2b943c43270a8f8fee74285b8cd2f29e5060c03b1e655f0a9e4f78254de2f33f0d0e98eb85c3736f3ee6f |
memory/2896-129-0x0000000001160000-0x00000000011E4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\C63S5h9WZFZ3.bat
| MD5 | 3d26bdc8f3a6c236947d5666cf447b5e |
| SHA1 | c4aa7dfe779fe21353d5923c86823a3339c107ac |
| SHA256 | 6de9d150db61f29cdd8cc82e98f3f82b079e52b5663127338680b34bbe74631c |
| SHA512 | 0e54e3b059d197c945e9b6c098512aa726a8e064fe22d6406b826e75533347527e6976a010c57184a31a2b25674cbe9a4df9ad9dbe36fef5f84f7b832ec56d0c |
memory/1668-141-0x0000000000300000-0x0000000000384000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EaHnt8sNMUC9.bat
| MD5 | 57c505dc7f4df47d1180be2140e6938c |
| SHA1 | 07a0256b282d2ac62f6a98039e12e495c3fad163 |
| SHA256 | e037d3f2968860c371572d744a31d1ff172006c8c6c53e0edcc33eea1a63eb71 |
| SHA512 | 4142ad869a5bb15f8d7795f68c575c252f2a903e4a47a146e6a16fc2536afda5113898c706a0160b0393433f5a7f420e4af5b464eec667645c9660b6dcdf9947 |
memory/692-152-0x0000000000240000-0x00000000002C4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sok6wQ1EBFVi.bat
| MD5 | 809ee8106cf6197be02b1be219c6dd50 |
| SHA1 | f2705ec6c395725f56672bc7205cb4727bd8dcb5 |
| SHA256 | b66f7a8dd30c17826358dab68cb1dd82c1ffdb83234724a720e10a3efd7ee1f5 |
| SHA512 | 909c819a67bac0104a1d5e55b1cbe673547da35d8b454ece78ed1c0e89757f82ef9ce8d9a55ef27b7892934b828a246f33ddf06db3e902d47c4f80ad212a5490 |
C:\Users\Admin\AppData\Local\Temp\47ZfCqBms3T5.bat
| MD5 | acaf1a07091bbcb3f0e2b0ccfe8d40fd |
| SHA1 | 687ecd117b990b166840e186cf244455af803acb |
| SHA256 | c4ce5cb470da0dc191d828e1b31fcd1fdc9c0e78bdc2c9a38d5e4eb1af6b9ddb |
| SHA512 | 2c2e9dae4b3fafcd41c7102e71d6688150eee26593c91d1ee01cb25a372b758f261e51d60eb3177b2734c35f71223e028a3493d3e5cd8bb97c3a571a39ed9e0d |
memory/2332-173-0x0000000000090000-0x0000000000114000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IpxqiXMjAxp1.bat
| MD5 | 9495c5f2e1dd1284600931d0841e6e4f |
| SHA1 | 28fc1cf7817300f7e1623c58ee30a6d77116d5c7 |
| SHA256 | 961af974886e244103a10faa4ac02ce2783948fd75970bb9faa8fb1851a0389f |
| SHA512 | 2974108f6f61e4e907a6096e67d5b796b179a1a78655923c122ba0fcf29afcd31f9ad255e6244018b16ed77420ee48824c8ef9b547673372b87de0cc81183efe |
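The Files list mixes three kinds of artifact under one heading: dropped files followed by their hash rows, memory regions named memory/<pid>-<n>-<start>-<end>-memory.dmp, and the \??\PIPE\lsarpc entry whose four hashes are the digests of zero-length input (the pipe carried no file content, so those values match every empty file). Added example, not part of the report: a Python parser for this section that separates the three kinds and keeps only hashes worth pivoting on. The excerpt is copied verbatim from the list above; the Artifact field names and the "kind" labels are this example's own.

```python
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: an excerpt of the "Files" section of the report above, verbatim.
SAMPLE_FILES_SECTION = r"""
memory/2644-0-0x0000000074C5E000-0x0000000074C5F000-memory.dmp
\Users\Admin\AppData\Local\Temp\45b8c97f-5cf8-49f5-b76c-0fc91adff9fb\AgileDotNetRT.dll
| MD5 | 2d86c4ad18524003d56c1cb27c549ba8 |
| SHA1 | 123007f9337364e044b87deacf6793c2027c8f47 |
| SHA256 | 091ab8a1acdab40c544bd1e5c91a96881acc318cac4df5235e1b5673f5489280 |
| SHA512 | 0dd5204733b3c20932aeea2cebf0ca1eeca70e4b3b3b8932d78d952a8f762f0b96ebdbdaf217e95889c02ec6a39b8f9919fd4c0cba56bb629256e71fa61faa3c |
\??\PIPE\lsarpc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/2836-38-0x0000000074C50000-0x000000007533E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\e9oKJ2zBGeu3.bat
| MD5 | 397ecf23756b46b4f2ff9a6cb220318d |
| SHA1 | d4b6da2da4e693dc6857770d98c234c47176b808 |
| SHA256 | 566b7a5bb64e071060adf750dce0d915d5627f7e15114884d9e369d5b9f9c619 |
| SHA512 | eb8c91b4ddb86ee51f050c28bfe357ebf0f3a73f374ac205ad9b3ef85e42a6598cc0ba33ff18eedf3d97baec001d9f0e1822174e5a2d5571113a56a28812dde8 |
"""

# memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp
MEMORY_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
# | MD5 | <hex> |
HASH_ROW_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")

# Digests of the empty input, computed rather than hard-coded.
EMPTY_DIGESTS = {n: getattr(hashlib, n.lower())(b"").hexdigest() for n in ("MD5", "SHA1", "SHA256", "SHA512")}


@dataclass
class Artifact:
    path: str
    kind: str                      # "file", "pipe" or "memory"
    hashes: Dict[str, str] = field(default_factory=dict)
    pid: Optional[int] = None      # memory regions only
    size: Optional[int] = None     # memory regions only, in bytes


def parse_files_section(text: str) -> List[Artifact]:
    """Group a flattened Files section into artifacts with their hash rows attached."""
    artifacts: List[Artifact] = []
    current: Optional[Artifact] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_ROW_RE.match(line)
        if m:
            if current is None:
                raise ValueError(f"hash row without a preceding path: {line}")
            current.hashes[m.group(1)] = m.group(2).lower()
            continue
        m = MEMORY_RE.match(line)
        if m:
            start, end = int(m.group(3), 16), int(m.group(4), 16)
            current = Artifact(path=line, kind="memory", pid=int(m.group(1)), size=end - start)
        elif line.startswith("\\??\\PIPE\\"):
            current = Artifact(path=line, kind="pipe")
        else:
            current = Artifact(path=line, kind="file")
        artifacts.append(current)
    return artifacts


def is_empty_content(a: Artifact) -> bool:
    """True when every recorded digest is the digest of zero-length input."""
    return bool(a.hashes) and all(EMPTY_DIGESTS[k] == v for k, v in a.hashes.items())


def file_iocs(artifacts: List[Artifact]) -> Dict[str, str]:
    """SHA256 per dropped file with real content; pipes, memory regions and empty hashes are excluded."""
    return {a.path: a.hashes["SHA256"]
            for a in artifacts
            if a.kind == "file" and "SHA256" in a.hashes and not is_empty_content(a)}


if __name__ == "__main__":
    for a in parse_files_section(SAMPLE_FILES_SECTION):
        flag = " (empty content)" if is_empty_content(a) else ""
        print(f"{a.kind:6} {a.path}{flag}")
    print(file_iocs(parse_files_section(SAMPLE_FILES_SECTION)))
```

Memory entries are useful for mapping which PID held which region (2644 is the initial sample, 2836 a later stage) but carry no hashes, and the pipe entry would match every empty file on a host, so neither belongs in a blocklist.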