Malware Analysis Report

2024-11-15 08:36

Sample ID 240901-vptmpaxdkh
Target 03778d811f241e83ccad830372313b3c.zip
SHA256 75a58e896b1e5f70dceb2bc8e189ec19f600cb2df28196af4ba05711bea7ce3f
Tags
agilenet quasar chrome discovery evasion spyware themida trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

75a58e896b1e5f70dceb2bc8e189ec19f600cb2df28196af4ba05711bea7ce3f

Threat Level: Known bad

The file 03778d811f241e83ccad830372313b3c.zip was found to be: Known bad.

Malicious Activity Summary

agilenet quasar chrome discovery evasion spyware themida trojan

Quasar payload

Quasar RAT

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks computer location settings

Executes dropped EXE

Checks BIOS information in registry

Themida packer

Obfuscated with Agile.Net obfuscator

Loads dropped DLL

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

System Network Configuration Discovery: Internet Connection Discovery

Unsigned PE

System Location Discovery: System Language Discovery

Runs ping.exe

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-01 17:10

Signatures

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-01 17:10

Reported

2024-09-01 17:12

Platform

win7-20240704-en

Max time kernel

149s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\S^X.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\S^X.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1656 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe C:\Users\Admin\AppData\Roaming\chrome.exe
PID 1656 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe C:\Users\Admin\AppData\Local\Temp\S^X.exe
PID 2744 wrote to memory of 808 N/A C:\Users\Admin\AppData\Roaming\chrome.exe C:\Windows\system32\schtasks.exe
PID 2744 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Roaming\chrome.exe C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 2580 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\schtasks.exe
PID 2580 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\cmd.exe
PID 2080 wrote to memory of 860 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2080 wrote to memory of 2416 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2080 wrote to memory of 2832 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 2832 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\schtasks.exe
PID 2832 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\cmd.exe
PID 1564 wrote to memory of 1868 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1564 wrote to memory of 1356 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 1564 wrote to memory of 936 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 936 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\schtasks.exe
PID 936 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\cmd.exe
PID 2632 wrote to memory of 1568 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2632 wrote to memory of 604 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2632 wrote to memory of 1860 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 1860 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\schtasks.exe
PID 1860 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\cmd.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe

"C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe"

C:\Users\Admin\AppData\Roaming\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome.exe"

C:\Users\Admin\AppData\Local\Temp\S^X.exe

"C:\Users\Admin\AppData\Local\Temp\S^X.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\Bz3AWt8oY2aQ.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\yrbda5kaVozl.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xVZDeGPCutad.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\P9YXCd5EWDtV.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\eGLMQktY2KHP.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BD7ipbXdbMFk.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\0afyonzdGBtO.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wEv4f61mmJYv.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pzIxfgvrtSPC.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\4UB414t02g6y.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 live.nodenet.ml udp
US 8.8.8.8:53 synapse.to udp
US 172.67.200.89:443 synapse.to tcp

Files

C:\Users\Admin\AppData\Local\Temp\45b8c97f-5cf8-49f5-b76c-0fc91adff9fb\AgileDotNetRT.dll

\Users\Admin\AppData\Roaming\chrome.exe

\Users\Admin\AppData\Local\Temp\S^X.exe

C:\Users\Admin\AppData\Local\Temp\Bz3AWt8oY2aQ.bat

C:\Users\Admin\AppData\Local\Temp\yrbda5kaVozl.bat

C:\Users\Admin\AppData\Local\Temp\xVZDeGPCutad.bat

\??\PIPE\lsarpc

C:\Users\Admin\AppData\Local\Temp\P9YXCd5EWDtV.bat

C:\Users\Admin\AppData\Local\Temp\eGLMQktY2KHP.bat

C:\Users\Admin\AppData\Local\Temp\BD7ipbXdbMFk.bat

C:\Users\Admin\AppData\Local\Temp\0afyonzdGBtO.bat

C:\Users\Admin\AppData\Local\Temp\wEv4f61mmJYv.bat

C:\Users\Admin\AppData\Local\Temp\pzIxfgvrtSPC.bat

C:\Users\Admin\AppData\Local\Temp\4UB414t02g6y.bat

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-01 17:10

Reported

2024-09-01 17:12

Platform

win10v2004-20240802-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\chrome\chrome.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\S^X.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\S^X.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1536 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe C:\Users\Admin\AppData\Roaming\chrome.exe
PID 1536 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe C:\Users\Admin\AppData\Roaming\chrome.exe
PID 1536 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe C:\Users\Admin\AppData\Local\Temp\S^X.exe
PID 1536 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe C:\Users\Admin\AppData\Local\Temp\S^X.exe
PID 1536 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe C:\Users\Admin\AppData\Local\Temp\S^X.exe
PID 4236 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Roaming\chrome.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4236 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Roaming\chrome.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4236 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Roaming\chrome.exe C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 4236 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Roaming\chrome.exe C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 2900 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2900 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2900 wrote to memory of 3452 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\cmd.exe
PID 2900 wrote to memory of 3452 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\cmd.exe
PID 3452 wrote to memory of 1904 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3452 wrote to memory of 1904 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3452 wrote to memory of 2796 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 3452 wrote to memory of 2796 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 3452 wrote to memory of 2816 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 3452 wrote to memory of 2816 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 2816 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2816 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2816 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\cmd.exe
PID 2816 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\cmd.exe
PID 3296 wrote to memory of 2148 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3296 wrote to memory of 2148 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3296 wrote to memory of 4280 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 3296 wrote to memory of 4280 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 3296 wrote to memory of 4128 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 3296 wrote to memory of 4128 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 4128 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4128 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4128 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\cmd.exe
PID 4128 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\cmd.exe
PID 2024 wrote to memory of 4640 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2024 wrote to memory of 4640 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2024 wrote to memory of 3548 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2024 wrote to memory of 3548 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2024 wrote to memory of 1436 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 2024 wrote to memory of 1436 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 1436 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\SYSTEM32\schtasks.exe
PID 1436 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\SYSTEM32\schtasks.exe
PID 1436 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\cmd.exe
PID 1436 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\cmd.exe
PID 4236 wrote to memory of 3904 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 4236 wrote to memory of 3904 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 4236 wrote to memory of 884 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 4236 wrote to memory of 884 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 4236 wrote to memory of 1984 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 4236 wrote to memory of 1984 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 1984 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\SYSTEM32\schtasks.exe
PID 1984 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\SYSTEM32\schtasks.exe
PID 1984 wrote to memory of 116 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\cmd.exe
PID 1984 wrote to memory of 116 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\cmd.exe
PID 116 wrote to memory of 1900 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 116 wrote to memory of 1900 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 116 wrote to memory of 1316 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 116 wrote to memory of 1316 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 116 wrote to memory of 2420 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 116 wrote to memory of 2420 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 2420 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2420 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2420 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\cmd.exe
PID 2420 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\cmd.exe
PID 2864 wrote to memory of 396 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe

"C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe"

C:\Users\Admin\AppData\Roaming\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome.exe"

C:\Users\Admin\AppData\Local\Temp\S^X.exe

"C:\Users\Admin\AppData\Local\Temp\S^X.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GsAHwsMgIOz9.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CxsC39WyHBs6.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lNoRR79K7Lhp.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nwdBmMPJAY7a.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IYAD1SECwfRK.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rVWEMd85hHGA.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Lp8aO7c98pbJ.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\novjz7wz4GUI.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aevjuYchZ1Qz.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\19XoeLe7pZ8B.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oVV7QK3VHmv9.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sekEobJ8H1gY.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GuS8iIKcvssh.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\00gyt9fsGQWN.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8f1YoER9weCL.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 live.nodenet.ml udp
US 8.8.8.8:53 synapse.to udp
US 104.21.21.210:443 synapse.to tcp
US 8.8.8.8:53 210.21.21.104.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 live.nodenet.ml udp
US 8.8.8.8:53 live.nodenet.ml udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 live.nodenet.ml udp
US 8.8.8.8:53 live.nodenet.ml udp
US 8.8.8.8:53 live.nodenet.ml udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 live.nodenet.ml udp
US 8.8.8.8:53 live.nodenet.ml udp
US 8.8.8.8:53 live.nodenet.ml udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 live.nodenet.ml udp
US 8.8.8.8:53 live.nodenet.ml udp
US 8.8.8.8:53 live.nodenet.ml udp
US 8.8.8.8:53 live.nodenet.ml udp
US 8.8.8.8:53 live.nodenet.ml udp
US 8.8.8.8:53 live.nodenet.ml udp

Files

C:\Users\Admin\AppData\Local\Temp\45b8c97f-5cf8-49f5-b76c-0fc91adff9fb\AgileDotNetRT.dll

C:\Users\Admin\AppData\Roaming\chrome.exe

C:\Users\Admin\AppData\Local\Temp\S^X.exe

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\chrome.exe.log

C:\Users\Admin\AppData\Local\Temp\GsAHwsMgIOz9.bat

C:\Users\Admin\AppData\Local\Temp\CxsC39WyHBs6.bat

C:\Users\Admin\AppData\Local\Temp\lNoRR79K7Lhp.bat

C:\Users\Admin\AppData\Local\Temp\nwdBmMPJAY7a.bat

C:\Users\Admin\AppData\Local\Temp\IYAD1SECwfRK.bat

C:\Users\Admin\AppData\Local\Temp\rVWEMd85hHGA.bat

C:\Users\Admin\AppData\Local\Temp\Lp8aO7c98pbJ.bat

C:\Users\Admin\AppData\Local\Temp\novjz7wz4GUI.bat

C:\Users\Admin\AppData\Local\Temp\aevjuYchZ1Qz.bat

C:\Users\Admin\AppData\Local\Temp\19XoeLe7pZ8B.bat

C:\Users\Admin\AppData\Local\Temp\oVV7QK3VHmv9.bat

C:\Users\Admin\AppData\Local\Temp\sekEobJ8H1gY.bat

C:\Users\Admin\AppData\Local\Temp\GuS8iIKcvssh.bat

C:\Users\Admin\AppData\Local\Temp\00gyt9fsGQWN.bat

C:\Users\Admin\AppData\Local\Temp\8f1YoER9weCL.bat
