Malware Analysis Report

2024-11-15 08:36

Sample ID 240901-sbyndavbmf
Target 03778d811f241e83ccad830372313b3c.zip
SHA256 75a58e896b1e5f70dceb2bc8e189ec19f600cb2df28196af4ba05711bea7ce3f
Tags
quasar chrome agilenet discovery evasion spyware themida trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

75a58e896b1e5f70dceb2bc8e189ec19f600cb2df28196af4ba05711bea7ce3f

Threat Level: Known bad

The file 03778d811f241e83ccad830372313b3c.zip was found to be: Known bad.

Malicious Activity Summary

quasar chrome agilenet discovery evasion spyware themida trojan

Quasar payload

Quasar RAT

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Loads dropped DLL

Checks computer location settings

Obfuscated with Agile.Net obfuscator

Themida packer

Executes dropped EXE

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

Enumerates physical storage devices

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-01 14:57

Signatures

Obfuscated with Agile.Net obfuscator

agilenet
1 match; no per-event indicator recorded.

Unsigned PE

1 match; no per-event indicator recorded.

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-01 14:57

Reported

2024-09-01 15:02

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

2 matches; no per-event indicator recorded.

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\chrome\chrome.exe (15 events) N/A
Key value queried \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe (1 event) N/A

Obfuscated with Agile.Net obfuscator

agilenet
7 matches; no per-event indicator recorded.

Themida packer

themida
5 matches; no per-event indicator recorded.

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\S^X.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\chrome.exe (1 event) N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\S^X.exe (1 event) N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe (15 events) N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe (2 events) N/A

Suspicious use of WriteProcessMemory

The 64 rows of this table ("PID x wrote to memory of y"; Indicator N/A; Process = writing process; Target = process written to) are collapsed below into the parent/child tree they describe. Every edge was logged twice (3776 → 4980 three times) except the last one, where the table is cut off.

3776 C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
├─ 4980 C:\Users\Admin\AppData\Local\Temp\S^X.exe
└─ 4616 C:\Users\Admin\AppData\Roaming\chrome.exe
   ├─ 2640 C:\Windows\SYSTEM32\schtasks.exe
   └─ 3332 C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
      ├─ 1356 C:\Windows\SYSTEM32\schtasks.exe
      └─ 2084 C:\Windows\system32\cmd.exe
         ├─ 60 C:\Windows\system32\chcp.com
         ├─ 2684 C:\Windows\system32\PING.EXE
         └─ 1440 C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
            ├─ 5112 schtasks.exe
            └─ 4228 cmd.exe
               ├─ 4332 chcp.com
               ├─ 4312 PING.EXE
               └─ 3780 chrome\chrome.exe
                  ├─ 5024 schtasks.exe
                  └─ 3636 cmd.exe
                     ├─ 4428 chcp.com
                     ├─ 1592 PING.EXE
                     └─ 2776 chrome\chrome.exe
                        ├─ 5008 schtasks.exe
                        └─ 2488 cmd.exe
                           ├─ 1260 chcp.com
                           ├─ 400 PING.EXE
                           └─ 2448 chrome\chrome.exe
                              ├─ 1556 schtasks.exe
                              └─ 4804 cmd.exe
                                 ├─ 4520 chcp.com
                                 ├─ 3656 PING.EXE
                                 └─ 4252 chrome\chrome.exe
                                    ├─ 2900 schtasks.exe
                                    └─ 4800 cmd.exe
                                       └─ 3300 chcp.com (table cut off here)

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe

"C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe"

C:\Users\Admin\AppData\Roaming\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome.exe"

C:\Users\Admin\AppData\Local\Temp\S^X.exe

"C:\Users\Admin\AppData\Local\Temp\S^X.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TiO2x4T1iMHw.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

From this point the run is a loop. Each cmd.exe instance spawns chcp.com, PING.EXE and a fresh C:\Users\Admin\AppData\Roaming\chrome\chrome.exe (see the WriteProcessMemory tree above); the new chrome\chrome.exe re-runs the identical schtasks command, then runs cmd.exe /c on a newly dropped batch file, and the cycle repeats. Fifteen iterations were recorded in the analysis window, one per batch file, in this order:

C:\Users\Admin\AppData\Local\Temp\TiO2x4T1iMHw.bat
C:\Users\Admin\AppData\Local\Temp\V5vYhonXox7B.bat
C:\Users\Admin\AppData\Local\Temp\rrH8RC6Cqb4U.bat
C:\Users\Admin\AppData\Local\Temp\0Jq6v8MQqba6.bat
C:\Users\Admin\AppData\Local\Temp\GaDly6luJKfo.bat
C:\Users\Admin\AppData\Local\Temp\HkRfqyzAeuC5.bat
C:\Users\Admin\AppData\Local\Temp\b4HPmBq25jFh.bat
C:\Users\Admin\AppData\Local\Temp\7wssTq9a2idU.bat
C:\Users\Admin\AppData\Local\Temp\gLS8sxroRDz3.bat
C:\Users\Admin\AppData\Local\Temp\cdiwTGuls5CO.bat
C:\Users\Admin\AppData\Local\Temp\lpZwYkFlSXLZ.bat
C:\Users\Admin\AppData\Local\Temp\RPNiXERGK92f.bat
C:\Users\Admin\AppData\Local\Temp\TdcC7oPPZfP2.bat
C:\Users\Admin\AppData\Local\Temp\B2xbX3CQyoIF.bat
C:\Users\Admin\AppData\Local\Temp\YhXDXisMRfHD.bat

Note for hunting: both schtasks calls register the same task name "System" with /f, which creates the task without complaint if it already exists, so the second registration (action C:\Users\Admin\AppData\Roaming\chrome\chrome.exe) replaces the first (action C:\Users\Admin\AppData\Roaming\chrome.exe). The persistent artifact to look for is therefore a logon task named "System" whose action points into the user's AppData\Roaming directory.
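The process list above is easier to act on as a rule than as a listing. The following is an added example written for this page, not part of the sandbox report: it takes process-creation records (pid, parent pid, image, command line) and flags the four behaviours the run shows, a logon task whose action lives in a user-writable directory, cmd.exe running a dropped .bat for a parent that also runs from AppData, ping -n N localhost used as a delay, and a chrome.exe outside Program Files. The sample records are constructed from the behavioral2 run (PIDs from the WriteProcessMemory table, command lines from the Processes list) plus three benign records that must not fire; the ATT&CK IDs are the editor's mapping, since the report names techniques but not their IDs.

```python
"""Flag the schtasks persistence and batch-file relaunch pattern in process records."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Event:
    pid: int
    ppid: int
    image: str  # image path as the sandbox logged it
    cmd: str    # command line as logged


@dataclass
class Finding:
    technique: str  # ATT&CK ID (editor's mapping, not from the report)
    pid: int
    detail: str


# schtasks switches are case-insensitive; the report quotes /tn and /tr values.
_TN = re.compile(r'/tn\s+"?([^"\s]+)"?', re.I)
_SC = re.compile(r'/sc\s+(\w+)', re.I)
_TR = re.compile(r'/tr\s+"([^"]+)"', re.I)
_RL = re.compile(r'/rl\s+(\w+)', re.I)
# cmd.exe /c ""<path>.bat" " exactly as logged; the doubled quote is cmd's own quoting.
_BAT = re.compile(r'cmd(?:\.exe)?\s+/c\s+"*([^"]+\.bat)"', re.I)
# "ping -n <count> localhost" is a sleep, not connectivity discovery.
_PING_SLEEP = re.compile(r'^\s*ping(?:\.exe)?\s+-n\s+(\d+)\s+(?:localhost|127\.0\.0\.1)\s*$', re.I)
# Directories a standard user can write to (assumption: extend for your estate).
_USER_WRITABLE = re.compile(r'\\(?:AppData|Users\\Public|ProgramData)\\|\\Temp\\', re.I)
_PROGRAM_FILES = re.compile(r'^[A-Z]:\\Program Files( \(x86\))?\\', re.I)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def find_persistence(events: List[Event]) -> List[Finding]:
    by_pid = {e.pid: e for e in events}
    out: List[Finding] = []
    for e in events:
        parent: Optional[Event] = by_pid.get(e.ppid)
        base = _basename(e.image)
        if base == "schtasks.exe" and "/create" in e.cmd.lower():
            # Logon-triggered task whose action lives in a user-writable directory.
            sc, tr = _SC.search(e.cmd), _TR.search(e.cmd)
            target = tr.group(1) if tr else ""
            if sc and sc.group(1).upper() == "ONLOGON" and _USER_WRITABLE.search(target):
                tn, rl = _TN.search(e.cmd), _RL.search(e.cmd)
                out.append(Finding("T1053.005", e.pid,
                                   f'logon task "{tn.group(1) if tn else "?"}" -> {target} '
                                   f'(/rl {rl.group(1) if rl else "default"})'))
        elif base == "cmd.exe":
            # cmd.exe running a dropped .bat for a parent that itself runs from AppData/Temp.
            m = _BAT.search(e.cmd)
            if m and parent and _USER_WRITABLE.search(parent.image):
                out.append(Finding("T1059.003", e.pid, f"{_basename(parent.image)} ran {m.group(1)}"))
        elif base == "ping.exe":
            # ping -n N localhost under cmd.exe waits roughly N-1 seconds.
            m = _PING_SLEEP.match(e.cmd)
            if m and parent and _basename(parent.image) == "cmd.exe":
                out.append(Finding("T1497.003", e.pid, f"~{int(m.group(1)) - 1}s delay via ping"))
        if base == "chrome.exe" and not _PROGRAM_FILES.match(e.image):
            # Browser-named binary outside Program Files (the report's "chrome" tag).
            out.append(Finding("T1036.005", e.pid, f"chrome.exe at {e.image}"))
    return out


def summarize(findings: List[Finding]) -> Counter:
    return Counter(f.technique for f in findings)


_DROPPER = r"C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe"
_STAGE1 = r"C:\Users\Admin\AppData\Roaming\chrome.exe"
_STAGE2 = r"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
_SCHTASKS = r"C:\Windows\SYSTEM32\schtasks.exe"

# Constructed sample: the first relaunch cycle of the behavioral2 run, then three
# benign records (PIDs 9001-9003, invented) that must produce no finding.
SAMPLE_EVENTS = [
    Event(3776, 1, _DROPPER, f'"{_DROPPER}"'),
    Event(4616, 3776, _STAGE1, f'"{_STAGE1}"'),
    Event(2640, 4616, _SCHTASKS, f'"schtasks" /create /tn "System" /sc ONLOGON /tr "{_STAGE1}" /rl HIGHEST /f'),
    Event(3332, 4616, _STAGE2, f'"{_STAGE2}"'),
    Event(1356, 3332, _SCHTASKS, f'"schtasks" /create /tn "System" /sc ONLOGON /tr "{_STAGE2}" /rl HIGHEST /f'),
    Event(2084, 3332, r"C:\Windows\system32\cmd.exe",
          r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TiO2x4T1iMHw.bat" "'),
    Event(60, 2084, r"C:\Windows\system32\chcp.com", "chcp 65001"),
    Event(2684, 2084, r"C:\Windows\system32\PING.EXE", "ping -n 10 localhost"),
    Event(1440, 2084, _STAGE2, f'"{_STAGE2}"'),
    Event(9001, 1, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
          r'"C:\Program Files\Google\Chrome\Application\chrome.exe"'),
    Event(9002, 1, r"C:\Windows\System32\schtasks.exe",
          r'"schtasks" /create /tn "GoogleUpdateTaskMachineUA" /sc DAILY /tr "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /f'),
    Event(9003, 9001, r"C:\Windows\System32\PING.EXE", "ping -n 1 example.org"),
]

if __name__ == "__main__":
    for f in find_persistence(SAMPLE_EVENTS):
        print(f"{f.technique} pid={f.pid}: {f.detail}")
    print(dict(summarize(find_persistence(SAMPLE_EVENTS))))
```

On the constructed sample this yields seven findings, all on the sample's own PIDs: two logon tasks, one batch launcher, one ping delay, and three chrome.exe images under AppData\Roaming. The schtasks and cmd.exe checks are the ones worth porting to an EDR query; a chrome.exe outside Program Files is a cheap corroborating signal rather than a detection on its own.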

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 live.nodenet.ml udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 synapse.to udp
US 104.21.21.210:443 synapse.to tcp
US 8.8.8.8:53 210.21.21.104.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 live.nodenet.ml udp
US 8.8.8.8:53 live.nodenet.ml udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 168.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 live.nodenet.ml udp
US 8.8.8.8:53 live.nodenet.ml udp
US 8.8.8.8:53 live.nodenet.ml udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 live.nodenet.ml udp
US 8.8.8.8:53 live.nodenet.ml udp
US 8.8.8.8:53 live.nodenet.ml udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 live.nodenet.ml udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 live.nodenet.ml udp
US 8.8.8.8:53 live.nodenet.ml udp
US 8.8.8.8:53 live.nodenet.ml udp
US 8.8.8.8:53 live.nodenet.ml udp
US 8.8.8.8:53 live.nodenet.ml udp
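Read as a whole, the table has three kinds of rows: reverse (in-addr.arpa) lookups of IPs that appear elsewhere in it (210.21.21.104.in-addr.arpa is the PTR query for 104.21.21.210), forward lookups followed by a TCP connection (synapse.to, tse1.mm.bing.net), and a domain that is resolved fifteen times with no TCP connection recorded at all (live.nodenet.ml). The table carries no DNS answers, so it cannot say whether live.nodenet.ml failed to resolve or resolved to an unreachable host; that has to come from the pcap. The script below is an added example for this page, not part of the report, that performs this sort automatically. It parses the table as printed above (the rows are embedded as the sample input) and uses a small allowlist of Windows background endpoints, which is an assumption to be replaced with suffixes observed in your own clean-image detonations.

```python
"""Sort a sandbox Network table into background noise, contacted hosts, and names that
were only ever resolved, so candidate C2 domains stand out."""
from collections import Counter, defaultdict
from typing import Dict, List

# Constructed sample: the behavioral2 Network table, copied row for row
# (Country Destination Domain Proto).
NETWORK_ROWS = """\
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 live.nodenet.ml udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 synapse.to udp
US 104.21.21.210:443 synapse.to tcp
US 8.8.8.8:53 210.21.21.104.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 live.nodenet.ml udp
US 8.8.8.8:53 live.nodenet.ml udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 168.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 live.nodenet.ml udp
US 8.8.8.8:53 live.nodenet.ml udp
US 8.8.8.8:53 live.nodenet.ml udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 live.nodenet.ml udp
US 8.8.8.8:53 live.nodenet.ml udp
US 8.8.8.8:53 live.nodenet.ml udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 live.nodenet.ml udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 live.nodenet.ml udp
US 8.8.8.8:53 live.nodenet.ml udp
US 8.8.8.8:53 live.nodenet.ml udp
US 8.8.8.8:53 live.nodenet.ml udp
US 8.8.8.8:53 live.nodenet.ml udp
"""

# Assumption: suffixes a clean Windows 10 image contacts on its own. Seed this
# from baseline detonations of your sandbox image rather than trusting this list.
BACKGROUND_SUFFIXES = (".bing.net", ".msftconnecttest.com", ".windowsupdate.com")


def parse_rows(text: str) -> List[dict]:
    """Parse 'Country Destination Domain Proto' rows; skips headers and blank lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or ":" not in parts[1]:
            continue
        country, dest, domain, proto = parts
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain.lower().rstrip("."), "proto": proto.lower()})
    return rows


def triage(rows: List[dict]) -> Dict[str, object]:
    dns = Counter()          # forward lookups per name
    reverse = 0              # PTR lookups: no attacker-chosen name, so only counted
    tcp = defaultdict(set)   # name -> {(ip, port)} actually connected to
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53:
            if r["domain"].endswith(".in-addr.arpa"):
                reverse += 1
            else:
                dns[r["domain"]] += 1
        elif r["proto"] == "tcp":
            tcp[r["domain"]].add((r["ip"], r["port"]))

    def background(name: str) -> bool:
        return name.endswith(BACKGROUND_SUFFIXES)

    return {
        # Resolved and connected: inspect the TLS/HTTP payload for these.
        "contacted": {d: sorted(t) for d, t in tcp.items() if not background(d)},
        # Resolved repeatedly, never connected: NXDOMAIN or a dead host; the table
        # alone cannot tell which, so check the DNS answers in the pcap.
        "queried_only": {d: n for d, n in dns.items() if d not in tcp and not background(d)},
        "background": {d: n for d, n in dns.items() if background(d)},
        "reverse_lookups": reverse,
    }


if __name__ == "__main__":
    for bucket, value in triage(parse_rows(NETWORK_ROWS)).items():
        print(f"{bucket}: {value}")
```

On this table the output puts synapse.to (104.21.21.210:443) under contacted, live.nodenet.ml under queried_only with 15 lookups, tse1.mm.bing.net under background, and counts 13 reverse lookups. The queried_only bucket is the one to pivot on: a name a RAT resolves every few seconds without ever connecting is typically a C2 that is down or sinkholed, and it is also the name to block and to search for in DNS logs.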

Files

memory/3776-0-0x0000000074A6E000-0x0000000074A6F000-memory.dmp

memory/3776-1-0x0000000000F60000-0x0000000001574000-memory.dmp

memory/3776-2-0x0000000006020000-0x0000000006632000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\45b8c97f-5cf8-49f5-b76c-0fc91adff9fb\AgileDotNetRT.dll

MD5 2d86c4ad18524003d56c1cb27c549ba8
SHA1 123007f9337364e044b87deacf6793c2027c8f47
SHA256 091ab8a1acdab40c544bd1e5c91a96881acc318cac4df5235e1b5673f5489280
SHA512 0dd5204733b3c20932aeea2cebf0ca1eeca70e4b3b3b8932d78d952a8f762f0b96ebdbdaf217e95889c02ec6a39b8f9919fd4c0cba56bb629256e71fa61faa3c

memory/3776-11-0x0000000071B40000-0x0000000072148000-memory.dmp

memory/3776-10-0x0000000074A60000-0x0000000075210000-memory.dmp

memory/3776-12-0x0000000071B40000-0x0000000072148000-memory.dmp

memory/3776-13-0x0000000071B40000-0x0000000072148000-memory.dmp

memory/3776-16-0x0000000006020000-0x000000000662C000-memory.dmp

memory/3776-22-0x0000000006020000-0x000000000662C000-memory.dmp

memory/3776-20-0x0000000006020000-0x000000000662C000-memory.dmp

memory/3776-24-0x0000000005FE0000-0x0000000005FE8000-memory.dmp

memory/3776-23-0x0000000006A00000-0x0000000006AB2000-memory.dmp

memory/3776-18-0x0000000006020000-0x000000000662C000-memory.dmp

memory/3776-15-0x0000000006020000-0x000000000662C000-memory.dmp

memory/3776-14-0x0000000073470000-0x00000000734F9000-memory.dmp

C:\Users\Admin\AppData\Roaming\chrome.exe

MD5 92479f1615fd4fa1dd3ac7f2e6a1b329
SHA1 0a6063d27c9f991be2053b113fcef25e071c57fd
SHA256 0c4917cc756e769e94ab97d626bef49713dab833525ba2e5d75fc9aea4c72569
SHA512 9f117c74c04749e6d0142e1cf952a8c59428f649413750921fc7aea35a3ccb62d9975ef954e61ce323d6234e0e9c7b8816f2ca9270552b726f9233219750847c

C:\Users\Admin\AppData\Local\Temp\S^X.exe

MD5 e2437ac017506bbde9a81fb1f618457b
SHA1 adef2615312b31e041ccf700b3982dd50b686c7f
SHA256 94594fa46d0bd28c02365f0a32ec3a662b25df95f3f3e8e2a952c18a23895b12
SHA512 9169f8be39b8fede38f7fce5a2e64d42630857e0ebd37f921c68ccf0bf0a8816f1682ba4659d22ad43413d99de62a59b2494494701404b44aa41c4d6bdc1e019

memory/3776-50-0x0000000071B40000-0x0000000072148000-memory.dmp

memory/4616-51-0x0000000000BB0000-0x0000000000C34000-memory.dmp

memory/4980-52-0x0000000000A30000-0x0000000000AFC000-memory.dmp

memory/4980-49-0x0000000074A6E000-0x0000000074A6F000-memory.dmp

memory/4980-54-0x0000000005940000-0x0000000005EE4000-memory.dmp

memory/4980-55-0x0000000005430000-0x00000000054C2000-memory.dmp

memory/4616-53-0x000000001B9A0000-0x000000001B9B0000-memory.dmp

memory/3776-56-0x0000000074A60000-0x0000000075210000-memory.dmp

memory/4616-45-0x00007FFEF7F83000-0x00007FFEF7F85000-memory.dmp

memory/3332-62-0x000000001B230000-0x000000001B280000-memory.dmp

memory/3332-63-0x000000001B940000-0x000000001B9F2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\chrome.exe.log

MD5 baf55b95da4a601229647f25dad12878
SHA1 abc16954ebfd213733c4493fc1910164d825cac8
SHA256 ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA512 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

C:\Users\Admin\AppData\Local\Temp\TiO2x4T1iMHw.bat

MD5 b6f3d4c6ba905d99aeca54c8864de6ec
SHA1 3b75c3d52ae850cbbe71c8666b2571dca27eac2f
SHA256 a6eb8de8d9dab52ea770d95dac9184f717b06428daa3208261c539249455a343
SHA512 ee493f7e6b476f8921e37816683f532af412e699b58beab903ba636843c05df04699dac2fd149f6b9b8a479ffeea35449b41bd5de4bf1920a8b90cd54a6a59ce

memory/4980-69-0x0000000005330000-0x0000000005340000-memory.dmp

memory/4980-70-0x0000000074A6E000-0x0000000074A6F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\V5vYhonXox7B.bat

MD5 afdef4dba7493b79d32d251afe2cd794
SHA1 384a56c375565142ba7edc55d39c177ec15cc157
SHA256 6ed84fcad8888d3c1758b3bdfa3e6991c037f09bebf4b5343e4ca4b236e0ce89
SHA512 9bc87d93d85064f2bb82306871c729a4ab3aa4847b39cd8ca060fe6f28f73926b900dc7d3fa90302f0a2478adfc1a5c3d3111e69f9b89ce474518bed1132b64c

C:\Users\Admin\AppData\Local\Temp\rrH8RC6Cqb4U.bat

MD5 01ed264a01942d159c428e62cabf2543
SHA1 7fb7ca8c4a7acb4ed6d3a3cc64514e26f7d67dfe
SHA256 c43bc14b24811cd901fb437a334e2f67beb0594f7a97e9a78f4ef255fffc7b60
SHA512 bbd49c870137544c25996d6ce1626eefe0c77910f67842ca87057c2b42b0619098eb3a9f6dfcf16807727454c1ac2c10f5e52bd5ed33237809bbd204afe2aad1

C:\Users\Admin\AppData\Local\Temp\0Jq6v8MQqba6.bat

MD5 f32de3802c6cbf6d3aba7f57874d7352
SHA1 0ed829a6c433534236fb57d99db723a820e6990c
SHA256 fdb810e759620151d6d662fca1ef22d3c43b2b08d200fc939caf031ddbf70d5d
SHA512 f100e127021b4aaa8c93366f20920a6d392abde3c6d2cc0c93c0f8fba59ea4af8b5ade09d72326bdcb328caba3917ed01c21ee99a13de8226fd7203403e5211b

C:\Users\Admin\AppData\Local\Temp\GaDly6luJKfo.bat

MD5 43ebd6e866d007f5c1a5301433fb3ca7
SHA1 cfc91b26b54685342ace9366b54ccd8a9d9b7109
SHA256 8719916f0748a73dc37dd193e38ff8785f664fb0fbd926062e53832d2ed0da0b
SHA512 3f52192218db1de75c42a6764645d2c87fd1f84e0c5da155a9c695113f762fac4f1855cf756fe01bcf2cc2067b36aa517769986ee0b6f56c0a659814118606c7

C:\Users\Admin\AppData\Local\Temp\HkRfqyzAeuC5.bat

MD5 d439eeaf720b1bc0e786f50f345f0418
SHA1 b12de7a5791ab234714b840aa0f172b8ed4de282
SHA256 9d026d48a6cc04a568446fc003728fcf78903840f8e5c448852a930a55a0f562
SHA512 cf5b26da49245132ed1dc91b3fcc0f94f0213e5c39b57e978cf4dc2347e3b5c6b18a6042287b72ee87110f3fb487437aaaad639895dc70ec546b587c87f9fa26

C:\Users\Admin\AppData\Local\Temp\b4HPmBq25jFh.bat

MD5 442e9156b557f1eb3b0e15e5964c05b4
SHA1 c5278a33b21b1b639f8bcef1e23a70ff5d090ff8
SHA256 6a2c8161d1b771747a3c0fefbb8713e6fed01d0b8d3e3a49ff64945846e975e9
SHA512 9d4a2c14e2d6474f5e4e90971cf1cf436c4461d7d771d00eedba05a3243548fa8c951be9140444dc4de463e6459caf1237fdcdf96d243ca8768e1ed394090016

C:\Users\Admin\AppData\Local\Temp\7wssTq9a2idU.bat

MD5 1099cd0f80bcfd025ea4ca95d423b552
SHA1 5eabd8742e7484e08cf8c79316c7028e36d4aa16
SHA256 b90f4d040240c821577bc7bf7baaa9b2697158405a6b7cc10177ce303f2c852e
SHA512 ae2c2106ae2968832fc924020b45ffcd60a99a9c92e70c4641625c4499fe7b37912f84bbf1ae0674ca23f3223b507921577a016743d1cf2fa05144c262ad143d

C:\Users\Admin\AppData\Local\Temp\gLS8sxroRDz3.bat

MD5 c73f161d233f51c299aaae240a535b3f
SHA1 321f0c8b9deae1a9b0749f4f0e5a7cc92a285ccd
SHA256 22381321819aebac6f48759195bbf5e048d4f7680195a9a2af2473750fb4db2a
SHA512 a63d16a7b3d8ab291c6472ab048ef5b0dbe745e7394f5edabf30f2d2f3046cb21b99232644b899dcadc89cdce1b1be4cccab7e2f5a1da9fda7b84dcd2e970020

C:\Users\Admin\AppData\Local\Temp\cdiwTGuls5CO.bat

MD5 007b524401a4e293868e5706d69079f2
SHA1 a1ba39298b6c8b7ba4abf5f60959208057a394b9
SHA256 4bc9994a35c11b1f78a55078403eb20ec3619e46da0d6958c013691f73df6a6c
SHA512 f3efec4df7da7b859b855396166c01c6cfbbc9b5fed95ea107e7510ad0e1eb91736e93648a0af9945f4706be45b530495e50866034b911d6429d610b96a365ee

C:\Users\Admin\AppData\Local\Temp\lpZwYkFlSXLZ.bat

MD5 9ff22bfff9b76d0d0f018c41b6cf075f
SHA1 3c300bd8b08f44efa89a6439755ad794a9722f19
SHA256 3112a35c44ff78b51c439b5746f73a09ff623e5bcb64950e68e3b948c3ede5e1
SHA512 580e1142a8131d1f8ff0e21c6eaba6d401248a61a2946ddc7ce9c9bd9bf98c09726d47c8a72e020ed91c32860d90ed75d72cfdb2af5c9182b0ad6b4059c002f1

C:\Users\Admin\AppData\Local\Temp\RPNiXERGK92f.bat

MD5 898acd16a042ed1677d257cfedcde4c2
SHA1 e72c2856ea32bb6579ce88fa6d015252ae2052d4
SHA256 858ad82fa85c24efbb56c53fd975026b0a7281cebe5f5c3a271d78b433347f05
SHA512 5b8b660d80d6526d63586d1a3cb9a27516063af09a8955ffde477b924d3481e0d008c79c3c060320179f83fb673004e54c6a5b6577f622a05d0c15d66879f1a7

C:\Users\Admin\AppData\Local\Temp\TdcC7oPPZfP2.bat

MD5 ee4b372d11bd9cfdb97a1a956640a9a7
SHA1 042042b747966bc2cef0aa71aa61aedf8949d1d2
SHA256 8fd4ed1bc683e0238b5aaf0346d4f4ad2c38f40fc0cd5cddbdee6959cec1d4f8
SHA512 ab5afe2afa9060ec380c1c2440be2d932d0271d4e7a87f87f614911212b3b5f5c5db835a032dddef1f8d913558182a783c58050449366b0c82448071c3a274a1

C:\Users\Admin\AppData\Local\Temp\B2xbX3CQyoIF.bat

MD5 91e74abf3c49522f88ad2c44eec276e8
SHA1 5324d3da7bc1850eca13bdafd1e88b1b80a42773
SHA256 52d0d5357cbc0979462c70d7376259cea3b18d0ae8e8b8eb88d1dee5145ced91
SHA512 dabf95210618bec848217b7f6023c460ff7440ce6ddad893e465d11db99043aeb6a8bba39a904799bd299186acc4356433a09fa26f056af78e898a5faf9d7263

C:\Users\Admin\AppData\Local\Temp\YhXDXisMRfHD.bat

MD5 27f2a94137619ccdbb7858d263410058
SHA1 aa558a6da002d5738139c66c8583784c44291d8a
SHA256 628ff10c33fb53e5e4403304523bca9d413d5350a56ac678623f0798c0d308f0
SHA512 f4f344796e00554014c229fc3bb410c4e8305b495db2292e2cec0d303e3120f612fd3f27905e0ed10bce5b7a31273bdca3883ecdd27aa53698935b2b310f9752

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-01 14:57

Reported

2024-09-01 15:02

Platform

win7-20240704-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\S^X.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\S^X.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2088 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe C:\Users\Admin\AppData\Roaming\chrome.exe
PID 2088 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe C:\Users\Admin\AppData\Roaming\chrome.exe
PID 2088 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe C:\Users\Admin\AppData\Roaming\chrome.exe
PID 2088 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe C:\Users\Admin\AppData\Roaming\chrome.exe
PID 2088 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe C:\Users\Admin\AppData\Local\Temp\S^X.exe
PID 2088 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe C:\Users\Admin\AppData\Local\Temp\S^X.exe
PID 2088 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe C:\Users\Admin\AppData\Local\Temp\S^X.exe
PID 2088 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe C:\Users\Admin\AppData\Local\Temp\S^X.exe
PID 2328 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Roaming\chrome.exe C:\Windows\system32\schtasks.exe
PID 2328 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Roaming\chrome.exe C:\Windows\system32\schtasks.exe
PID 2328 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Roaming\chrome.exe C:\Windows\system32\schtasks.exe
PID 2328 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Roaming\chrome.exe C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 2328 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Roaming\chrome.exe C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 2328 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Roaming\chrome.exe C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 2716 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\schtasks.exe
PID 2716 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\schtasks.exe
PID 2716 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\schtasks.exe
PID 2716 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\cmd.exe
PID 2716 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\cmd.exe
PID 2716 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\cmd.exe
PID 3032 wrote to memory of 3040 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3032 wrote to memory of 3040 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3032 wrote to memory of 3040 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3032 wrote to memory of 2032 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 3032 wrote to memory of 2032 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 3032 wrote to memory of 2032 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 3032 wrote to memory of 1312 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 3032 wrote to memory of 1312 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 3032 wrote to memory of 1312 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 1312 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\schtasks.exe
PID 1312 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\schtasks.exe
PID 1312 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\schtasks.exe
PID 1312 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\cmd.exe
PID 1312 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\cmd.exe
PID 1312 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\cmd.exe
PID 1796 wrote to memory of 1948 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1796 wrote to memory of 1948 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1796 wrote to memory of 1948 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1796 wrote to memory of 1748 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 1796 wrote to memory of 1748 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 1796 wrote to memory of 1748 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 1796 wrote to memory of 1212 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 1796 wrote to memory of 1212 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 1796 wrote to memory of 1212 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 1212 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\schtasks.exe
PID 1212 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\schtasks.exe
PID 1212 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\schtasks.exe
PID 1212 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\cmd.exe
PID 1212 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\cmd.exe
PID 1212 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\cmd.exe
PID 1600 wrote to memory of 2240 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1600 wrote to memory of 2240 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1600 wrote to memory of 2240 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1600 wrote to memory of 2016 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 1600 wrote to memory of 2016 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 1600 wrote to memory of 2016 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 1600 wrote to memory of 800 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 1600 wrote to memory of 800 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 1600 wrote to memory of 800 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 800 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\schtasks.exe
PID 800 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\schtasks.exe
PID 800 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\schtasks.exe
PID 800 wrote to memory of 900 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\cmd.exe
PID 800 wrote to memory of 900 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\cmd.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe

"C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe"

C:\Users\Admin\AppData\Roaming\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome.exe"

C:\Users\Admin\AppData\Local\Temp\S^X.exe

"C:\Users\Admin\AppData\Local\Temp\S^X.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\i0eLT3CDrcsP.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lgy77yBnfgd4.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\x1sOgQvrmJpW.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zcB5uutlq6lA.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\4ExnliY9lQHH.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RXsEs3akRUBY.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kMpbiBvEGy5W.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\7xUK3UEXFuny.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\aA0V4lxnv0tG.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cHWIGHONmkPF.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CtAV2ZffacSe.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\rv3TtwJUxUYx.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 live.nodenet.ml udp
US 8.8.8.8:53 synapse.to udp
US 104.21.21.210:443 synapse.to tcp

Files

memory/2088-0-0x000000007427E000-0x000000007427F000-memory.dmp

memory/2088-1-0x00000000003D0000-0x00000000009E4000-memory.dmp

memory/2088-2-0x0000000005180000-0x0000000005792000-memory.dmp

memory/2088-5-0x0000000074270000-0x000000007495E000-memory.dmp

\Users\Admin\AppData\Local\Temp\45b8c97f-5cf8-49f5-b76c-0fc91adff9fb\AgileDotNetRT.dll

MD5 2d86c4ad18524003d56c1cb27c549ba8
SHA1 123007f9337364e044b87deacf6793c2027c8f47
SHA256 091ab8a1acdab40c544bd1e5c91a96881acc318cac4df5235e1b5673f5489280
SHA512 0dd5204733b3c20932aeea2cebf0ca1eeca70e4b3b3b8932d78d952a8f762f0b96ebdbdaf217e95889c02ec6a39b8f9919fd4c0cba56bb629256e71fa61faa3c

memory/2088-10-0x0000000073C10000-0x0000000074218000-memory.dmp

memory/2088-11-0x0000000073C10000-0x0000000074218000-memory.dmp

memory/2088-12-0x0000000074270000-0x000000007495E000-memory.dmp

memory/2088-13-0x0000000073C10000-0x0000000074218000-memory.dmp

memory/2088-14-0x0000000074AC0000-0x0000000074B40000-memory.dmp

memory/2088-16-0x0000000005180000-0x000000000578C000-memory.dmp

memory/2088-18-0x0000000005180000-0x000000000578C000-memory.dmp

memory/2088-20-0x0000000005180000-0x000000000578C000-memory.dmp

memory/2088-15-0x0000000005180000-0x000000000578C000-memory.dmp

memory/2088-22-0x0000000005180000-0x000000000578C000-memory.dmp

memory/2088-24-0x00000000002B0000-0x00000000002B8000-memory.dmp

memory/2088-23-0x0000000005890000-0x0000000005942000-memory.dmp

C:\Users\Admin\AppData\Roaming\chrome.exe

MD5 92479f1615fd4fa1dd3ac7f2e6a1b329
SHA1 0a6063d27c9f991be2053b113fcef25e071c57fd
SHA256 0c4917cc756e769e94ab97d626bef49713dab833525ba2e5d75fc9aea4c72569
SHA512 9f117c74c04749e6d0142e1cf952a8c59428f649413750921fc7aea35a3ccb62d9975ef954e61ce323d6234e0e9c7b8816f2ca9270552b726f9233219750847c

C:\Users\Admin\AppData\Local\Temp\S^X.exe

MD5 e2437ac017506bbde9a81fb1f618457b
SHA1 adef2615312b31e041ccf700b3982dd50b686c7f
SHA256 94594fa46d0bd28c02365f0a32ec3a662b25df95f3f3e8e2a952c18a23895b12
SHA512 9169f8be39b8fede38f7fce5a2e64d42630857e0ebd37f921c68ccf0bf0a8816f1682ba4659d22ad43413d99de62a59b2494494701404b44aa41c4d6bdc1e019

memory/804-38-0x0000000000320000-0x00000000003EC000-memory.dmp

memory/2328-39-0x0000000000F60000-0x0000000000FE4000-memory.dmp

memory/2088-41-0x0000000074270000-0x000000007495E000-memory.dmp

memory/2088-40-0x0000000073C10000-0x0000000074218000-memory.dmp

memory/2716-46-0x0000000000FB0000-0x0000000001034000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\i0eLT3CDrcsP.bat

MD5 11a3f682422c894ffcf7ff74c8c37777
SHA1 253f00d9e3ced673f70ec75e2e19d49afaa02c19
SHA256 441165aaf4c7c750fa4da7a221c44f42c8115c8ae8c5c8f01aee6e544ccceda7
SHA512 00db475985b59547f05ce05ad0c4cb8ae9c67a10254d110e2e12e64354cf6af8a53c2dd4caa15731a1f8ff94d51a25f74e0ab03356ef65516d08142f61889f20

memory/1312-57-0x0000000001370000-0x00000000013F4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\lgy77yBnfgd4.bat

MD5 f5d9bab7e7b3b084f68bfc2b9958f518
SHA1 a9490386eecc066bf08b7ac431eb9be09229cee5
SHA256 e3f68651641bd4e2e14c61bfb017c46f00b97ea93d4cc3602cbcc6a41c56ad4f
SHA512 d40b0716a1ab6bc2fc6113db29ab623ecfd9e7ee6eb1a2cd45f9bf36ea138a2c1b92c9813eed7ac59dbd454bbf137c96b6e1c486e7a65850a80f7ee4e6717fd0

memory/1212-68-0x0000000000320000-0x00000000003A4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\x1sOgQvrmJpW.bat

MD5 9d5f4362a6e6f39153f3f9fd8cc7175c
SHA1 f57260683217119d914f80b7d3f74109edc79f4c
SHA256 0b88ce448aceae0aa135272d3561f6ebd152ec7123c9b6aca438e5356006ec56
SHA512 695b6d149ff857aeb125e11785bdfce2084fe3712181db2e46a4a76f57ffe734a69118bbc0930b8561e9c7ed16c47910f3dfcbfd54b19af47b8cd4106b29a967

memory/800-79-0x00000000008B0000-0x0000000000934000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zcB5uutlq6lA.bat

MD5 228e49854952a287beaafbac94a1b658
SHA1 7d29e116e3228d2589a6e7c1525b85f034f0406f
SHA256 a4e268c4ae6d8c8e64417c80d50990229426371847e48cc295b955625a37f54c
SHA512 a5e80bd757e48f1bf36602bd054b7dde836bcaf89845e16c5bc9a2b07bc861eda016a925a52f9681ba5a1c718e276078084a5f7eec9d1ffe70e2f43b36633504

memory/1568-90-0x00000000003D0000-0x0000000000454000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4ExnliY9lQHH.bat

MD5 99b55040d0399e8dd71c1d658b40ccff
SHA1 e55c100b87205b691de629d5afee08ba685a00b2
SHA256 f639b2d28b1ae89d668b74c561026b3686c4e5c82825dbc9427f0a930d573c06
SHA512 19a83e37960171d263321d93359ff726cee30feacedac354dd0ccc6dce750ac48050ca9d3ae097b52c0765104e9730e7a482dcae7955688bc7862aa8b59d0a9f

memory/112-101-0x00000000011C0000-0x0000000001244000-memory.dmp

\??\PIPE\lsarpc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\RXsEs3akRUBY.bat

MD5 f04e69d8c9229c5231f8fe68aaab5617
SHA1 bd2136d155d309b3631f84bf89e6ac7e9b768699
SHA256 c6ca074c8f3efeb7b93405a8cb138688c268e7a0b71c160e5f844850261c6254
SHA512 45f32568b5797c8ddfa3b7f25db63cd030d76e9c95d86e819010ed1ff218888292ae257a07172068d26eb03fb81b9a29bd63055462706442367a1cf3bfcc69f2

C:\Users\Admin\AppData\Local\Temp\kMpbiBvEGy5W.bat

MD5 bbd031c13d05fff36ecc3cdb6b054cca
SHA1 418ce242b351c90086101000202c2dc8ed4a5fe3
SHA256 308ec0ddc5bcccee8a5fb1e87be74f77139a75e7af36d502c5d6018120490a02
SHA512 c106f5a707e8fecc84e205497ca07329b4f6c6826c77f0a4e81ef2b327bbb0ad1224575f6a99f0917a79ce32421842406965c60190c0e841282aac6de23af4b9

memory/1292-123-0x0000000001340000-0x00000000013C4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7xUK3UEXFuny.bat

MD5 ccfd20748cc6e3bdfba753c06bd18e31
SHA1 0cf83fac723a86c0787c72bef5ae69e6fb9614c7
SHA256 bac21b88ffb6fe287e48b4f2b9d4edb06a6e5251f6668c5484bd70bd2add1b5a
SHA512 2c026068276e04675c9f5ab3fe113dea707841d057780699e47677797ba5eb4b9248f846fff4076bc3502eebfdf2bda90cb2f7682f459b2f02abd82cab0f1897

C:\Users\Admin\AppData\Local\Temp\aA0V4lxnv0tG.bat

MD5 fb604e0650254fbdcde4eeed7c0cee4f
SHA1 8b37a0023668390d4d1863955aa2fc585229a5cb
SHA256 e422cdcfdb5a166ca1e9f17e49fcefe74a843fc8928c617f7821d7f455bc1dda
SHA512 53e0c842a76261dcd222deb5d1b272fa759aab948a6e88029fe03b03bdb09ee3880ccadcda32f8137ba5b9d1f2d3fb35ae7542ed3ea6a29d6a5a2d3c4edc33e1

memory/2928-145-0x0000000000110000-0x0000000000194000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cHWIGHONmkPF.bat

MD5 05d0c9fa24f3849c7d4ab0810628ace7
SHA1 69eac2cf3602157d7f612888c954ba3ac238a13a
SHA256 95ab3743a40e2a7c3b8146077ea5d045b5f3d443d4036d966d0bb6d817eed916
SHA512 9793e8000331a944258f1269bd4984757eb3e5d5ebef54d8702b7d44d75d08f4a843ca6cd885c03f6516bfc2e5078097b28a2c3376358d169177716cbe813f99

memory/2204-156-0x0000000000180000-0x0000000000204000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CtAV2ZffacSe.bat

MD5 af249ed787f0cd9656c005fab6863fb0
SHA1 985116a66ecc5ae92dfd366aded082eb2667e84f
SHA256 a86d69dcb9b6b0cbe1240c1dbc3b7eae31f7d340d38e2fb9598822f0e271ef95
SHA512 82fce7466aaa53bbcc349bb90d24a791141eb1855cd8183eefc0e45c808f69deb5b00b46e4b18c4465fec7923e0b2b7da383e86ed029dbaeedd45c3753857eb1

memory/988-167-0x00000000013C0000-0x0000000001444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rv3TtwJUxUYx.bat

MD5 5248c136f1e5632c8ee8811dc90bfd8f
SHA1 51f64cefe26036e2ea83b362a1c57afaa0f7742c
SHA256 36db850314f0e075baa65631ef5c72244d7e0b9771fe0ff6a62181181f5753cd
SHA512 29a8bad4962f6277f000e3d5fabfb14f8a3f69fdb00551d39780b126d3c8f076545be8913f4891ff870cc92ff3999bdbd746216bb430ff803ad5fbc7f5ac9d8b