Analysis Overview
SHA256
75a58e896b1e5f70dceb2bc8e189ec19f600cb2df28196af4ba05711bea7ce3f
Threat Level: Known bad
The file 03778d811f241e83ccad830372313b3c.zip was found to be: Known bad.
Malicious Activity Summary
Quasar payload
Quasar RAT
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Checks computer location settings
Executes dropped EXE
Checks BIOS information in registry
Themida packer
Obfuscated with Agile.Net obfuscator
Loads dropped DLL
Checks whether UAC is enabled
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
Unsigned PE
System Location Discovery: System Language Discovery
Runs ping.exe
Scheduled Task/Job: Scheduled Task
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-01 17:10
Signatures
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-01 17:10
Reported
2024-09-01 17:12
Platform
win7-20240704-en
Max time kernel
149s
Max time network
146s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\S^X.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Themida packer
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\S^X.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
"C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe"
C:\Users\Admin\AppData\Roaming\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome.exe"
C:\Users\Admin\AppData\Local\Temp\S^X.exe
"C:\Users\Admin\AppData\Local\Temp\S^X.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\Bz3AWt8oY2aQ.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\yrbda5kaVozl.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\xVZDeGPCutad.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\P9YXCd5EWDtV.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\eGLMQktY2KHP.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\BD7ipbXdbMFk.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\0afyonzdGBtO.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\wEv4f61mmJYv.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\pzIxfgvrtSPC.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\4UB414t02g6y.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | live.nodenet.ml | udp |
| US | 8.8.8.8:53 | synapse.to | udp |
| US | 172.67.200.89:443 | synapse.to | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\45b8c97f-5cf8-49f5-b76c-0fc91adff9fb\AgileDotNetRT.dll
| MD5 | 2d86c4ad18524003d56c1cb27c549ba8 |
| SHA1 | 123007f9337364e044b87deacf6793c2027c8f47 |
| SHA256 | 091ab8a1acdab40c544bd1e5c91a96881acc318cac4df5235e1b5673f5489280 |
| SHA512 | 0dd5204733b3c20932aeea2cebf0ca1eeca70e4b3b3b8932d78d952a8f762f0b96ebdbdaf217e95889c02ec6a39b8f9919fd4c0cba56bb629256e71fa61faa3c |
\Users\Admin\AppData\Roaming\chrome.exe
| MD5 | 92479f1615fd4fa1dd3ac7f2e6a1b329 |
| SHA1 | 0a6063d27c9f991be2053b113fcef25e071c57fd |
| SHA256 | 0c4917cc756e769e94ab97d626bef49713dab833525ba2e5d75fc9aea4c72569 |
| SHA512 | 9f117c74c04749e6d0142e1cf952a8c59428f649413750921fc7aea35a3ccb62d9975ef954e61ce323d6234e0e9c7b8816f2ca9270552b726f9233219750847c |
\Users\Admin\AppData\Local\Temp\S^X.exe
| MD5 | e2437ac017506bbde9a81fb1f618457b |
| SHA1 | adef2615312b31e041ccf700b3982dd50b686c7f |
| SHA256 | 94594fa46d0bd28c02365f0a32ec3a662b25df95f3f3e8e2a952c18a23895b12 |
| SHA512 | 9169f8be39b8fede38f7fce5a2e64d42630857e0ebd37f921c68ccf0bf0a8816f1682ba4659d22ad43413d99de62a59b2494494701404b44aa41c4d6bdc1e019 |
C:\Users\Admin\AppData\Local\Temp\Bz3AWt8oY2aQ.bat
| MD5 | a92ff9225ac6c7b3095ce3f1dbd257a2 |
| SHA1 | 0447c2baa2a037bb5584e35845ccd60170b8cbc7 |
| SHA256 | db39dc625af7b0104db6c8fc198d627bdd317723d90fbe762ca6de187b61e394 |
| SHA512 | d7c02ecbc1213614b38813e5ec9b3ccbf0c9ba618bc5cd20a2a8adb5a7ba7a1bfb98d1b8bec206ac81acd4453152041f945edc7a104885fd1771a86a3ffe810a |
memory/2832-58-0x0000000000130000-0x00000000001B4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\yrbda5kaVozl.bat
| MD5 | 0772987c71afed1ccaf73ff8c2ec052e |
| SHA1 | a0531185b55c14f137f15fa2d38716c6a978ea6c |
| SHA256 | d235b76f2b33b4ccfa529e82e6b47be732952c7f29c9ef8865a8eea50974df4b |
| SHA512 | e6f82b9ddd323a0bcdd50372da23cd317e7c3fb41b6ba984630bfcaa6849194ce79111faf4c9ea0f0a3f60b790939f713cf5c0a4d0e2a3603bb9284d8e234214 |
memory/936-69-0x00000000012D0000-0x0000000001354000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xVZDeGPCutad.bat
| MD5 | c47f91f5fcbd351eed69862cd2239357 |
| SHA1 | 4afef9d1b10301928fc3a1ed55215f93fb8a7fa9 |
| SHA256 | 1827ffd82850f2bc4801f3c90b0f0799bff251261d825fb4851afcbaea6f7767 |
| SHA512 | cb5aeb1a26573531b6a99b8ea607a442b9d6fd065ee4e0f33d15247f5c121f4d2c659a85275b64b48f04efd81168be4754ef1f2f8941588733edf3e58b5d7375 |
\??\PIPE\lsarpc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\P9YXCd5EWDtV.bat
| MD5 | cb08fc68c9eeb7ca1e9fbb6a78597cc9 |
| SHA1 | b5a474e155b7786923a177b29ddd00dfc1ef7733 |
| SHA256 | fb2ce2e358188c16876f32cdeb8512714ce0b85dc085e1a2df4b3b1065be8eb7 |
| SHA512 | 95565563393140d97dc0639743b848bcb37180fdafb735d178653f9f51f69728b256ec8d849d75852a819f754c18b60b6704dc3229a1976dac633079c167038c |
memory/2924-91-0x0000000001360000-0x00000000013E4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\eGLMQktY2KHP.bat
| MD5 | 60bd35b35434f61cd1d76236ddc63f56 |
| SHA1 | c280aa510fd12c959cfed1e6740fdc16617aca34 |
| SHA256 | db55752be8c5c5dcebec43589d0983932aae86d6bb4ef653e0af4fa1914912d6 |
| SHA512 | 7414a0aa592d7b00c5d041f790439f36b4588311267bab3804377430696ba1e9bf0ce4374d9a66dc96529297860c0dd7fca56cce63c626b014b971bc52763502 |
memory/2636-102-0x00000000000C0000-0x0000000000144000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BD7ipbXdbMFk.bat
| MD5 | 4f254de88fd5602d9e9a36e720060773 |
| SHA1 | 574c40b394a8a9808687ebf3e56f6b2aac858a3a |
| SHA256 | fc8a85e0398a318f34d2356678037786fbd6952ac6237551a9fe796f94d0f59f |
| SHA512 | 3a5f8111a40202cfccf9e86daa8cc0445b49f2990fdb90d59136d3f8d679cbf0e14ee993c2525aa9fa8089887e6c80f6ce52b481e615406c18af0090a04480cb |
memory/808-113-0x00000000002C0000-0x0000000000344000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\0afyonzdGBtO.bat
| MD5 | 856c3de8943d7316ab3216c6f585a129 |
| SHA1 | 6fa162257817074089097cfd4cab2e2f9d3ce132 |
| SHA256 | ad2be663aca9cfd157fee05d845c25a26b7d435da22f25c3294f6ef238713836 |
| SHA512 | 835e172f28562f24baf55752e61d2c986019d5b87bcd0c1ca6e6dc03b27f18ab8b1669f278f26e6adcf5b67ca67e88e91e805862769f23d5428dcdffe11bc9c0 |
memory/2964-124-0x00000000000A0000-0x0000000000124000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wEv4f61mmJYv.bat
| MD5 | 6734750f78f7ad332aac0ab53cef0690 |
| SHA1 | 5bfc3c044c738af29357eb21291fff5c0724ddad |
| SHA256 | a5f169c154fc2adbe3193e4aa5fc21da66744df93955fa8afc797fc56ba467f3 |
| SHA512 | 352efc7bc6c21c14775af8e5cc0a89edb7a2ce21e76ad0fc7e54187a94969ed492fe0065d3a730529a1830539b36e2c6814e21675c5fb554142f81f0c62bb0c8 |
memory/1576-135-0x0000000001060000-0x00000000010E4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\pzIxfgvrtSPC.bat
| MD5 | d2e1beb3b98078a027544e0f62b5b60a |
| SHA1 | 7a12cd50ee30bb28cde72b6d3e5aa5728734f96b |
| SHA256 | c78729003d2dbd2a50c367b4eca68917040b85e6f518b52cda42940716be32a0 |
| SHA512 | 400353740043760c46a05aea62efaba8d7692d30448cf691a1e8ba63a9664371667d5b1d93bf0c6e0faa990ac3ae115e2102d9be5182ce1aaf267d2a2100d94b |
C:\Users\Admin\AppData\Local\Temp\4UB414t02g6y.bat
| MD5 | 0781d8ee2df587b5d9afef06413dbe87 |
| SHA1 | b2d380dc949cadd99f8ebb3f1283c555358096b5 |
| SHA256 | 23c484459a068e02a326610ca78c0ca2819a022ae377f6a746c0a04baa9a26f0 |
| SHA512 | 940f8309ef08e92bcc6dbd80416e52708ee49e9698be2c723206a4cc67db4f4fe46eeb5a76dece2adbe85c18f02a350534995af801d97b07921cd5551c9783f3 |
memory/2320-157-0x0000000001120000-0x00000000011A4000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-01 17:10
Reported
2024-09-01 17:12
Platform
win10v2004-20240802-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Themida packer
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\S^X.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
"C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe"
C:\Users\Admin\AppData\Roaming\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome.exe"
C:\Users\Admin\AppData\Local\Temp\S^X.exe
"C:\Users\Admin\AppData\Local\Temp\S^X.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GsAHwsMgIOz9.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CxsC39WyHBs6.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lNoRR79K7Lhp.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nwdBmMPJAY7a.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IYAD1SECwfRK.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rVWEMd85hHGA.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Lp8aO7c98pbJ.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\novjz7wz4GUI.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aevjuYchZ1Qz.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\19XoeLe7pZ8B.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oVV7QK3VHmv9.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sekEobJ8H1gY.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GuS8iIKcvssh.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\00gyt9fsGQWN.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8f1YoER9weCL.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
Network
Files