Malware Analysis Report

2024-11-15 08:37

Sample ID 240901-xmyvqsyhjp
Target 75a58e896b1e5f70dceb2bc8e189ec19f600cb2df28196af4ba05711bea7ce3f
SHA256 75a58e896b1e5f70dceb2bc8e189ec19f600cb2df28196af4ba05711bea7ce3f
Tags: quasar chrome agilenet discovery evasion spyware themida trojan
Score: 10/10

Analysis Overview

Threat Level: Known bad

The file 75a58e896b1e5f70dceb2bc8e189ec19f600cb2df28196af4ba05711bea7ce3f was found to be: Known bad.

Malicious Activity Summary

quasar chrome agilenet discovery evasion spyware themida trojan

Quasar payload

Quasar RAT

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks computer location settings

Checks BIOS information in registry

Obfuscated with Agile.Net obfuscator

Themida packer

Executes dropped EXE

Loads dropped DLL

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

System Network Configuration Discovery: Internet Connection Discovery

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Runs ping.exe

Suspicious use of SetWindowsHookEx

Scheduled Task/Job: Scheduled Task

Analysis: static1

Detonation Overview

Reported

2024-09-01 18:58

Signatures

Obfuscated with Agile.Net obfuscator

agilenet
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-01 18:58

Reported

2024-09-01 19:01

Platform

win7-20240708-en

Max time kernel

142s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Themida packer

themida
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\S^X.exe | N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\PING.EXE | N/A
N/A | N/A | C:\Windows\system32\PING.EXE | N/A
N/A | N/A | C:\Windows\system32\PING.EXE | N/A
N/A | N/A | C:\Windows\system32\PING.EXE | N/A
N/A | N/A | C:\Windows\system32\PING.EXE | N/A
N/A | N/A | C:\Windows\system32\PING.EXE | N/A
N/A | N/A | C:\Windows\system32\PING.EXE | N/A
N/A | N/A | C:\Windows\system32\PING.EXE | N/A
N/A | N/A | C:\Windows\system32\PING.EXE | N/A
N/A | N/A | C:\Windows\system32\PING.EXE | N/A
N/A | N/A | C:\Windows\system32\PING.EXE | N/A
N/A | N/A | C:\Windows\system32\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\chrome.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\S^X.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2116 wrote to memory of 2884 | N/A | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | C:\Users\Admin\AppData\Roaming\chrome.exe
PID 2116 wrote to memory of 2884 | N/A | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | C:\Users\Admin\AppData\Roaming\chrome.exe
PID 2116 wrote to memory of 2884 | N/A | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | C:\Users\Admin\AppData\Roaming\chrome.exe
PID 2116 wrote to memory of 2884 | N/A | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | C:\Users\Admin\AppData\Roaming\chrome.exe
PID 2116 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | C:\Users\Admin\AppData\Local\Temp\S^X.exe
PID 2116 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | C:\Users\Admin\AppData\Local\Temp\S^X.exe
PID 2116 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | C:\Users\Admin\AppData\Local\Temp\S^X.exe
PID 2116 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | C:\Users\Admin\AppData\Local\Temp\S^X.exe
PID 2884 wrote to memory of 2544 | N/A | C:\Users\Admin\AppData\Roaming\chrome.exe | C:\Windows\system32\schtasks.exe
PID 2884 wrote to memory of 2544 | N/A | C:\Users\Admin\AppData\Roaming\chrome.exe | C:\Windows\system32\schtasks.exe
PID 2884 wrote to memory of 2544 | N/A | C:\Users\Admin\AppData\Roaming\chrome.exe | C:\Windows\system32\schtasks.exe
PID 2884 wrote to memory of 2108 | N/A | C:\Users\Admin\AppData\Roaming\chrome.exe | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 2884 wrote to memory of 2108 | N/A | C:\Users\Admin\AppData\Roaming\chrome.exe | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 2884 wrote to memory of 2108 | N/A | C:\Users\Admin\AppData\Roaming\chrome.exe | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 2108 wrote to memory of 1864 | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | C:\Windows\system32\schtasks.exe
PID 2108 wrote to memory of 1864 | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | C:\Windows\system32\schtasks.exe
PID 2108 wrote to memory of 1864 | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | C:\Windows\system32\schtasks.exe
PID 2108 wrote to memory of 2644 | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | C:\Windows\system32\cmd.exe
PID 2108 wrote to memory of 2644 | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | C:\Windows\system32\cmd.exe
PID 2108 wrote to memory of 2644 | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | C:\Windows\system32\cmd.exe
PID 2644 wrote to memory of 2888 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2644 wrote to memory of 2888 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2644 wrote to memory of 2888 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2644 wrote to memory of 1860 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 2644 wrote to memory of 1860 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 2644 wrote to memory of 1860 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 2644 wrote to memory of 2376 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 2644 wrote to memory of 2376 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 2644 wrote to memory of 2376 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 2376 wrote to memory of 2028 | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | C:\Windows\system32\schtasks.exe
PID 2376 wrote to memory of 2028 | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | C:\Windows\system32\schtasks.exe
PID 2376 wrote to memory of 2028 | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | C:\Windows\system32\schtasks.exe
PID 2376 wrote to memory of 2956 | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | C:\Windows\system32\cmd.exe
PID 2376 wrote to memory of 2956 | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | C:\Windows\system32\cmd.exe
PID 2376 wrote to memory of 2956 | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | C:\Windows\system32\cmd.exe
PID 2956 wrote to memory of 1180 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2956 wrote to memory of 1180 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2956 wrote to memory of 1180 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2956 wrote to memory of 2140 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 2956 wrote to memory of 2140 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 2956 wrote to memory of 2140 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 2956 wrote to memory of 1732 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 2956 wrote to memory of 1732 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 2956 wrote to memory of 1732 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 1732 wrote to memory of 1148 | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | C:\Windows\system32\schtasks.exe
PID 1732 wrote to memory of 1148 | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | C:\Windows\system32\schtasks.exe
PID 1732 wrote to memory of 1148 | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | C:\Windows\system32\schtasks.exe
PID 1732 wrote to memory of 716 | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | C:\Windows\system32\cmd.exe
PID 1732 wrote to memory of 716 | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | C:\Windows\system32\cmd.exe
PID 1732 wrote to memory of 716 | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | C:\Windows\system32\cmd.exe
PID 716 wrote to memory of 860 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 716 wrote to memory of 860 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 716 wrote to memory of 860 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 716 wrote to memory of 1060 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 716 wrote to memory of 1060 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 716 wrote to memory of 1060 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 716 wrote to memory of 2200 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 716 wrote to memory of 2200 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 716 wrote to memory of 2200 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 2200 wrote to memory of 2276 | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | C:\Windows\system32\schtasks.exe
PID 2200 wrote to memory of 2276 | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | C:\Windows\system32\schtasks.exe
PID 2200 wrote to memory of 2276 | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | C:\Windows\system32\schtasks.exe
PID 2200 wrote to memory of 1028 | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | C:\Windows\system32\cmd.exe
PID 2200 wrote to memory of 1028 | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | C:\Windows\system32\cmd.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe

"C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe"

C:\Users\Admin\AppData\Roaming\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome.exe"

C:\Users\Admin\AppData\Local\Temp\S^X.exe

"C:\Users\Admin\AppData\Local\Temp\S^X.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lTi7MwCJ5biM.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WvMU7EaxVqhO.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kwTYIMxYgVlB.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\H1P6p4kcCA9w.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ILATv2ws16MT.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\dj0z4OCd9uY9.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\i6EaGakr5OcQ.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hYRjN14ZhLZv.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IzsT95DsPSx2.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\iwQZLJh3Tbsk.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\dNlEnABDzb0B.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\N0f1srjZIuN4.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | live.nodenet.ml | udp
US | 8.8.8.8:53 | synapse.to | udp
US | 104.21.21.210:443 | synapse.to | tcp

Files

memory/2116-0-0x000000007420E000-0x000000007420F000-memory.dmp

memory/2116-1-0x0000000000100000-0x0000000000714000-memory.dmp

memory/2116-2-0x0000000005070000-0x0000000005682000-memory.dmp

memory/2116-6-0x0000000074200000-0x00000000748EE000-memory.dmp

\Users\Admin\AppData\Local\Temp\45b8c97f-5cf8-49f5-b76c-0fc91adff9fb\AgileDotNetRT.dll

MD5 2d86c4ad18524003d56c1cb27c549ba8
SHA1 123007f9337364e044b87deacf6793c2027c8f47
SHA256 091ab8a1acdab40c544bd1e5c91a96881acc318cac4df5235e1b5673f5489280
SHA512 0dd5204733b3c20932aeea2cebf0ca1eeca70e4b3b3b8932d78d952a8f762f0b96ebdbdaf217e95889c02ec6a39b8f9919fd4c0cba56bb629256e71fa61faa3c

memory/2116-10-0x00000000739C0000-0x0000000073FC8000-memory.dmp

memory/2116-11-0x00000000739C0000-0x0000000073FC8000-memory.dmp

memory/2116-12-0x0000000074200000-0x00000000748EE000-memory.dmp

memory/2116-13-0x00000000739C0000-0x0000000073FC8000-memory.dmp

memory/2116-14-0x0000000074000000-0x0000000074080000-memory.dmp

memory/2116-16-0x0000000005070000-0x000000000567C000-memory.dmp

memory/2116-18-0x0000000005070000-0x000000000567C000-memory.dmp

memory/2116-20-0x0000000005070000-0x000000000567C000-memory.dmp

memory/2116-15-0x0000000005070000-0x000000000567C000-memory.dmp

memory/2116-22-0x0000000005070000-0x000000000567C000-memory.dmp

memory/2116-23-0x00000000057D0000-0x0000000005882000-memory.dmp

memory/2116-24-0x0000000000810000-0x0000000000818000-memory.dmp

C:\Users\Admin\AppData\Roaming\chrome.exe

MD5 92479f1615fd4fa1dd3ac7f2e6a1b329
SHA1 0a6063d27c9f991be2053b113fcef25e071c57fd
SHA256 0c4917cc756e769e94ab97d626bef49713dab833525ba2e5d75fc9aea4c72569
SHA512 9f117c74c04749e6d0142e1cf952a8c59428f649413750921fc7aea35a3ccb62d9975ef954e61ce323d6234e0e9c7b8816f2ca9270552b726f9233219750847c

\Users\Admin\AppData\Local\Temp\S^X.exe

MD5 e2437ac017506bbde9a81fb1f618457b
SHA1 adef2615312b31e041ccf700b3982dd50b686c7f
SHA256 94594fa46d0bd28c02365f0a32ec3a662b25df95f3f3e8e2a952c18a23895b12
SHA512 9169f8be39b8fede38f7fce5a2e64d42630857e0ebd37f921c68ccf0bf0a8816f1682ba4659d22ad43413d99de62a59b2494494701404b44aa41c4d6bdc1e019

memory/2884-37-0x000007FEF55B3000-0x000007FEF55B4000-memory.dmp

memory/2804-40-0x0000000000290000-0x000000000035C000-memory.dmp

memory/2116-43-0x0000000074200000-0x00000000748EE000-memory.dmp

memory/2116-42-0x00000000739C0000-0x0000000073FC8000-memory.dmp

memory/2884-41-0x0000000000B70000-0x0000000000BF4000-memory.dmp

memory/2108-48-0x0000000000E20000-0x0000000000EA4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\lTi7MwCJ5biM.bat

MD5 6e1a4c22b801fbfd2e1a340f04da563e
SHA1 3240e0169341569a5da830a252c08afcb71ffd13
SHA256 cca28960f65bca17d8465405a943770d92f548e1620fa422e4be509deab4ff24
SHA512 abad1707e65eb81d3eb26955b0458d44bdb2d43d3e6bab85424f3858716a5a938a1cd4285e63989de808bf29e87465d30b1a843cbfbac96ab779d5924e0bde0a

C:\Users\Admin\AppData\Local\Temp\WvMU7EaxVqhO.bat

MD5 d4594a34ee90ad7d5d2141a16ab876cc
SHA1 7262d5cc7cab2ec42afe4b216c46adb58212b358
SHA256 af7d9f5039514c30c62515be74b5f3c2baed991054de7af579980d426cf7fa10
SHA512 0cc99d994e8b6f1d444a61745e068f1899beb2b2fc3c906c5b351434bab1a615b40d511f200b12ac4afc0963a9e61ebff25ac1849271bc11e9f6bff4af257fb8

C:\Users\Admin\AppData\Local\Temp\kwTYIMxYgVlB.bat

MD5 9a8c43550f47a177123742f6ebd83b92
SHA1 41825567352135c97a74d50cb55ad3c73da060e5
SHA256 7d2a95e4604f930ab8422ddfb7feeed336d9c697441aa59e1700cecc8ceae023
SHA512 8a5aef7b0d36866ccdcd6e0c4266d1d3249723a164f369c098d927a76fe488df18646f40aa0a2a7bb256880cd5c75e723f994cebdc8135290bb6a2da62f40a48

\??\PIPE\lsarpc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\H1P6p4kcCA9w.bat

MD5 a2b217d31469eb87ce255a717bd0d835
SHA1 a327633601ffe2b3123127f349fa12232f362c55
SHA256 16ba4e9506d344e088afb8d06392a1b4d3827c8fe885ee939cccfa4a5f94ab53
SHA512 401a2ae4ae0ebb8e9549a76e9f4878b95f8f9c345142872690fc48ef0a44621bfc0f21202c0f6f72a5081964991c22f7f373a8a96f09985f0355bca4b2890d93

C:\Users\Admin\AppData\Local\Temp\ILATv2ws16MT.bat

MD5 df90938b3c0a1ee514b3de5b694ef34f
SHA1 96b272dcaf9b5b83ae5bb1ac6aeec02c2b55b365
SHA256 c93f745cdb1c142c552cead6d90c3464634b006ed600eece918e6f928ca5d54b
SHA512 73ff2e33f6d7f7c5d826a6a693974f3e2716abe3114e15e9a3587bffffa38d555f1cc3e8a8764f060b74b6f80e62a0b6bc74e47eccd54555fdce2c43b349cba5

C:\Users\Admin\AppData\Local\Temp\dj0z4OCd9uY9.bat

MD5 3e46a7533d898a3b8cd01b0409a5ce1d
SHA1 708e135c69dd0ac1d67c7b42eb3e303e4fc8daae
SHA256 2e45c219271da900fe4a8ef975b2b5fce5a51881536268f3f36763aa98e92969
SHA512 ce6423df7949e0f722fd471d51ac0581bc7537f93c6d379a0ea966412485947b7b54e98e9654bdddd50bbf6b478fdf82889917e5d156cfd0687db21d13971798

C:\Users\Admin\AppData\Local\Temp\i6EaGakr5OcQ.bat

MD5 a46cf8df0dcf66ea583150f272a34683
SHA1 a042d1f33652240663e4a2c337e05c9a2c717096
SHA256 1ee5012234004ae141224d34c82c57ec3711086a6d12fb0fbf144d125484a94f
SHA512 dd5af1a1de762c54cfbd7508c94e7b95d4a61b1f17a0ed72893da162b26e605815c400a8c0853d2da74a338e4e3860b4839d78c1ac1fc758042f4eef3fe2b3e5

memory/1884-121-0x0000000000EB0000-0x0000000000F34000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\hYRjN14ZhLZv.bat

MD5 6303856c1c01edcbc7dbbbd1bd1f08ad
SHA1 b8e735caf5b454d5c049592d4968e1075a514af8
SHA256 31dcb646dda43cb9ae185318d9e23ad7916872eb230c1f9c143a75f52e107adf
SHA512 afc85657695b7563e71957d8afe9ab390d102d662b5d080029fddda4f543c2009a3d60c1a21f94dc76edd85aa6b6a0ff917b385292a05754650360140d82b096

memory/1656-133-0x0000000001000000-0x0000000001084000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IzsT95DsPSx2.bat

MD5 74c4c9cb3bfdc01ef2c8321e67140f11
SHA1 84727ef564958c23d15efe6c809785dbb9ca7a5e
SHA256 af6629eccfe36b4bcb8135cc3ae67fe823cf4b316a97c3e77d4858968e953207
SHA512 ff0c1fc817fd4254e2955420e98f58e789ca13f39b35a610d7e76221bf60dc39daeca68eed526414320d510df8a0b1bb86c8ec6d28592003a4e164fc03bd866b

C:\Users\Admin\AppData\Local\Temp\iwQZLJh3Tbsk.bat

MD5 9150a98df8e7c7c1da4dc5331c07f52b
SHA1 010d689a026208cc8840e61eeeea44dea2edbbf0
SHA256 c42c58e4e21a9db945282e4624ebdf0713a5ae1d95dd795d6145eea39c810181
SHA512 72ad5e5518c9a2abb04ff243039c6e5c78bd915dcbecf406a7c9c96f792f50fb9ab08108c664ad78f51af1bd53ca86766c73d5a52929eeaa6798aa53e280c96c

memory/560-154-0x00000000011C0000-0x0000000001244000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dNlEnABDzb0B.bat

MD5 6df2dddce32cb3ed45a869d24988009c
SHA1 63fd096d02ee2f9398538eebd2c2dfe48864e379
SHA256 cd4ff842aceb62d2e56a7f1c9019a43a5e918aa1243904119a92375aca5be019
SHA512 5b202a3170ed8ec9826c265a8d84e0939d3a3f2fe7783d2934b34d522960fb2a5ebde82484d45051130c00b37e53b0200d023f29a28deb2b37069de984ef8af7

memory/2464-165-0x0000000001260000-0x00000000012E4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\N0f1srjZIuN4.bat

MD5 4759f3ce7a37d1a66124db0b335488aa
SHA1 7b12b30b3374438b071035f2d8904668c633f73e
SHA256 28432746fde9de7be499176a215646744fff3da0d528def90c23d651b5b63f89
SHA512 90d4b2640fc7bbbe0265c88d362824574f038605a93c279aa76fcdfa77431399b5baf9931ef407a192e164615ae8c0735144a81531afdd9b134a7274dc48092d

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-01 18:58

Reported

2024-09-01 19:01

Platform

win10v2004-20240802-en

Max time kernel

143s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Themida packer

themida
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\S^X.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\S^X.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4160 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe C:\Users\Admin\AppData\Roaming\chrome.exe
PID 4160 wrote to memory of 4208 N/A C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe C:\Users\Admin\AppData\Local\Temp\S^X.exe
PID 4740 wrote to memory of 3392 N/A C:\Users\Admin\AppData\Roaming\chrome.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4740 wrote to memory of 324 N/A C:\Users\Admin\AppData\Roaming\chrome.exe C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 324 wrote to memory of 3412 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\SYSTEM32\schtasks.exe
PID 324 wrote to memory of 3228 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\cmd.exe
PID 3228 wrote to memory of 1972 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3228 wrote to memory of 4308 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 3228 wrote to memory of 2148 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 2148 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2148 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\cmd.exe
PID 3532 wrote to memory of 1932 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3532 wrote to memory of 5028 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 3532 wrote to memory of 3672 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 3672 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\SYSTEM32\schtasks.exe
PID 3672 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\cmd.exe
PID 3988 wrote to memory of 3552 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3988 wrote to memory of 3156 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 3988 wrote to memory of 5064 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 5064 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\SYSTEM32\schtasks.exe
PID 5064 wrote to memory of 756 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\cmd.exe
PID 756 wrote to memory of 4520 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 756 wrote to memory of 4740 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 756 wrote to memory of 3152 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 3152 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\SYSTEM32\schtasks.exe
PID 3152 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\cmd.exe
PID 1508 wrote to memory of 3932 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1508 wrote to memory of 1408 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 1508 wrote to memory of 1844 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
PID 1844 wrote to memory of 3176 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\SYSTEM32\schtasks.exe
PID 1844 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Roaming\chrome\chrome.exe C:\Windows\system32\cmd.exe
PID 3460 wrote to memory of 3332 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe

"C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe"

C:\Users\Admin\AppData\Roaming\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome.exe"

C:\Users\Admin\AppData\Local\Temp\S^X.exe

"C:\Users\Admin\AppData\Local\Temp\S^X.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6ngwl50dS0e5.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CaV3iklJ7O1t.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\on0eX2RbPAuw.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XIPeKwwQjXDp.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EJnE5u7WvzkQ.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\prBbNdd02xWX.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\h3ay5nzuvZdc.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YvM1GdQifK0s.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nNHWV5LPuKWE.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3e43vdTaNVkS.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8UOABS1HXaN3.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4DggADSjzcaL.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GECQrSvbhFWV.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\chrome\chrome.exe

"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ljQbke1ccJoX.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

Network


Files

C:\Users\Admin\AppData\Local\Temp\45b8c97f-5cf8-49f5-b76c-0fc91adff9fb\AgileDotNetRT.dll

C:\Users\Admin\AppData\Roaming\chrome.exe

C:\Users\Admin\AppData\Local\Temp\S^X.exe

C:\Users\Admin\AppData\Local\Temp\6ngwl50dS0e5.bat

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\chrome.exe.log

C:\Users\Admin\AppData\Local\Temp\CaV3iklJ7O1t.bat

C:\Users\Admin\AppData\Local\Temp\on0eX2RbPAuw.bat

C:\Users\Admin\AppData\Local\Temp\XIPeKwwQjXDp.bat

C:\Users\Admin\AppData\Local\Temp\EJnE5u7WvzkQ.bat

C:\Users\Admin\AppData\Local\Temp\prBbNdd02xWX.bat

C:\Users\Admin\AppData\Local\Temp\h3ay5nzuvZdc.bat

C:\Users\Admin\AppData\Local\Temp\YvM1GdQifK0s.bat

C:\Users\Admin\AppData\Local\Temp\nNHWV5LPuKWE.bat

C:\Users\Admin\AppData\Local\Temp\3e43vdTaNVkS.bat

C:\Users\Admin\AppData\Local\Temp\8UOABS1HXaN3.bat

C:\Users\Admin\AppData\Local\Temp\4DggADSjzcaL.bat

C:\Users\Admin\AppData\Local\Temp\GECQrSvbhFWV.bat

C:\Users\Admin\AppData\Local\Temp\ljQbke1ccJoX.bat