Analysis Overview
SHA256
75a58e896b1e5f70dceb2bc8e189ec19f600cb2df28196af4ba05711bea7ce3f
Threat Level: Known bad
The file 75a58e896b1e5f70dceb2bc8e189ec19f600cb2df28196af4ba05711bea7ce3f was found to be: Known bad.
Malicious Activity Summary
Quasar payload
Quasar RAT
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Checks computer location settings
Checks BIOS information in registry
Obfuscated with Agile.Net obfuscator
Themida packer
Executes dropped EXE
Loads dropped DLL
Checks whether UAC is enabled
Suspicious use of NtSetInformationThreadHideFromDebugger
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Runs ping.exe
Suspicious use of SetWindowsHookEx
Scheduled Task/Job: Scheduled Task
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-01 18:58
Signatures
Obfuscated with Agile.Net obfuscator
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-01 18:58
Reported
2024-09-01 19:01
Platform
win7-20240708-en
Max time kernel
142s
Max time network
143s
Signatures
Quasar RAT
Quasar payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\S^X.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Themida packer
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\S^X.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
"C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe"
C:\Users\Admin\AppData\Roaming\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome.exe"
C:\Users\Admin\AppData\Local\Temp\S^X.exe
"C:\Users\Admin\AppData\Local\Temp\S^X.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\lTi7MwCJ5biM.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\WvMU7EaxVqhO.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\kwTYIMxYgVlB.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\H1P6p4kcCA9w.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ILATv2ws16MT.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\dj0z4OCd9uY9.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\i6EaGakr5OcQ.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\hYRjN14ZhLZv.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\IzsT95DsPSx2.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\iwQZLJh3Tbsk.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\dNlEnABDzb0B.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\N0f1srjZIuN4.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | live.nodenet.ml | udp |
| US | 8.8.8.8:53 | synapse.to | udp |
| US | 104.21.21.210:443 | synapse.to | tcp |
Files
\Users\Admin\AppData\Local\Temp\45b8c97f-5cf8-49f5-b76c-0fc91adff9fb\AgileDotNetRT.dll
| Hash | Value |
| --- | --- |
| MD5 | 2d86c4ad18524003d56c1cb27c549ba8 |
| SHA1 | 123007f9337364e044b87deacf6793c2027c8f47 |
| SHA256 | 091ab8a1acdab40c544bd1e5c91a96881acc318cac4df5235e1b5673f5489280 |
| SHA512 | 0dd5204733b3c20932aeea2cebf0ca1eeca70e4b3b3b8932d78d952a8f762f0b96ebdbdaf217e95889c02ec6a39b8f9919fd4c0cba56bb629256e71fa61faa3c |
C:\Users\Admin\AppData\Roaming\chrome.exe
| Hash | Value |
| --- | --- |
| MD5 | 92479f1615fd4fa1dd3ac7f2e6a1b329 |
| SHA1 | 0a6063d27c9f991be2053b113fcef25e071c57fd |
| SHA256 | 0c4917cc756e769e94ab97d626bef49713dab833525ba2e5d75fc9aea4c72569 |
| SHA512 | 9f117c74c04749e6d0142e1cf952a8c59428f649413750921fc7aea35a3ccb62d9975ef954e61ce323d6234e0e9c7b8816f2ca9270552b726f9233219750847c |
\Users\Admin\AppData\Local\Temp\S^X.exe
| Hash | Value |
| --- | --- |
| MD5 | e2437ac017506bbde9a81fb1f618457b |
| SHA1 | adef2615312b31e041ccf700b3982dd50b686c7f |
| SHA256 | 94594fa46d0bd28c02365f0a32ec3a662b25df95f3f3e8e2a952c18a23895b12 |
| SHA512 | 9169f8be39b8fede38f7fce5a2e64d42630857e0ebd37f921c68ccf0bf0a8816f1682ba4659d22ad43413d99de62a59b2494494701404b44aa41c4d6bdc1e019 |
C:\Users\Admin\AppData\Local\Temp\lTi7MwCJ5biM.bat
| Hash | Value |
| --- | --- |
| MD5 | 6e1a4c22b801fbfd2e1a340f04da563e |
| SHA1 | 3240e0169341569a5da830a252c08afcb71ffd13 |
| SHA256 | cca28960f65bca17d8465405a943770d92f548e1620fa422e4be509deab4ff24 |
| SHA512 | abad1707e65eb81d3eb26955b0458d44bdb2d43d3e6bab85424f3858716a5a938a1cd4285e63989de808bf29e87465d30b1a843cbfbac96ab779d5924e0bde0a |
C:\Users\Admin\AppData\Local\Temp\WvMU7EaxVqhO.bat
| Hash | Value |
| --- | --- |
| MD5 | d4594a34ee90ad7d5d2141a16ab876cc |
| SHA1 | 7262d5cc7cab2ec42afe4b216c46adb58212b358 |
| SHA256 | af7d9f5039514c30c62515be74b5f3c2baed991054de7af579980d426cf7fa10 |
| SHA512 | 0cc99d994e8b6f1d444a61745e068f1899beb2b2fc3c906c5b351434bab1a615b40d511f200b12ac4afc0963a9e61ebff25ac1849271bc11e9f6bff4af257fb8 |
C:\Users\Admin\AppData\Local\Temp\kwTYIMxYgVlB.bat
| Hash | Value |
| --- | --- |
| MD5 | 9a8c43550f47a177123742f6ebd83b92 |
| SHA1 | 41825567352135c97a74d50cb55ad3c73da060e5 |
| SHA256 | 7d2a95e4604f930ab8422ddfb7feeed336d9c697441aa59e1700cecc8ceae023 |
| SHA512 | 8a5aef7b0d36866ccdcd6e0c4266d1d3249723a164f369c098d927a76fe488df18646f40aa0a2a7bb256880cd5c75e723f994cebdc8135290bb6a2da62f40a48 |
\??\PIPE\lsarpc
| Hash | Value |
| --- | --- |
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\H1P6p4kcCA9w.bat
| Hash | Value |
| --- | --- |
| MD5 | a2b217d31469eb87ce255a717bd0d835 |
| SHA1 | a327633601ffe2b3123127f349fa12232f362c55 |
| SHA256 | 16ba4e9506d344e088afb8d06392a1b4d3827c8fe885ee939cccfa4a5f94ab53 |
| SHA512 | 401a2ae4ae0ebb8e9549a76e9f4878b95f8f9c345142872690fc48ef0a44621bfc0f21202c0f6f72a5081964991c22f7f373a8a96f09985f0355bca4b2890d93 |
C:\Users\Admin\AppData\Local\Temp\ILATv2ws16MT.bat
| Hash | Value |
| --- | --- |
| MD5 | df90938b3c0a1ee514b3de5b694ef34f |
| SHA1 | 96b272dcaf9b5b83ae5bb1ac6aeec02c2b55b365 |
| SHA256 | c93f745cdb1c142c552cead6d90c3464634b006ed600eece918e6f928ca5d54b |
| SHA512 | 73ff2e33f6d7f7c5d826a6a693974f3e2716abe3114e15e9a3587bffffa38d555f1cc3e8a8764f060b74b6f80e62a0b6bc74e47eccd54555fdce2c43b349cba5 |
C:\Users\Admin\AppData\Local\Temp\dj0z4OCd9uY9.bat
| Hash | Value |
| --- | --- |
| MD5 | 3e46a7533d898a3b8cd01b0409a5ce1d |
| SHA1 | 708e135c69dd0ac1d67c7b42eb3e303e4fc8daae |
| SHA256 | 2e45c219271da900fe4a8ef975b2b5fce5a51881536268f3f36763aa98e92969 |
| SHA512 | ce6423df7949e0f722fd471d51ac0581bc7537f93c6d379a0ea966412485947b7b54e98e9654bdddd50bbf6b478fdf82889917e5d156cfd0687db21d13971798 |
C:\Users\Admin\AppData\Local\Temp\i6EaGakr5OcQ.bat
| Hash | Value |
| --- | --- |
| MD5 | a46cf8df0dcf66ea583150f272a34683 |
| SHA1 | a042d1f33652240663e4a2c337e05c9a2c717096 |
| SHA256 | 1ee5012234004ae141224d34c82c57ec3711086a6d12fb0fbf144d125484a94f |
| SHA512 | dd5af1a1de762c54cfbd7508c94e7b95d4a61b1f17a0ed72893da162b26e605815c400a8c0853d2da74a338e4e3860b4839d78c1ac1fc758042f4eef3fe2b3e5 |
C:\Users\Admin\AppData\Local\Temp\hYRjN14ZhLZv.bat
| Hash | Value |
| --- | --- |
| MD5 | 6303856c1c01edcbc7dbbbd1bd1f08ad |
| SHA1 | b8e735caf5b454d5c049592d4968e1075a514af8 |
| SHA256 | 31dcb646dda43cb9ae185318d9e23ad7916872eb230c1f9c143a75f52e107adf |
| SHA512 | afc85657695b7563e71957d8afe9ab390d102d662b5d080029fddda4f543c2009a3d60c1a21f94dc76edd85aa6b6a0ff917b385292a05754650360140d82b096 |
C:\Users\Admin\AppData\Local\Temp\IzsT95DsPSx2.bat
| Hash | Value |
| --- | --- |
| MD5 | 74c4c9cb3bfdc01ef2c8321e67140f11 |
| SHA1 | 84727ef564958c23d15efe6c809785dbb9ca7a5e |
| SHA256 | af6629eccfe36b4bcb8135cc3ae67fe823cf4b316a97c3e77d4858968e953207 |
| SHA512 | ff0c1fc817fd4254e2955420e98f58e789ca13f39b35a610d7e76221bf60dc39daeca68eed526414320d510df8a0b1bb86c8ec6d28592003a4e164fc03bd866b |
C:\Users\Admin\AppData\Local\Temp\iwQZLJh3Tbsk.bat
| Hash | Value |
| --- | --- |
| MD5 | 9150a98df8e7c7c1da4dc5331c07f52b |
| SHA1 | 010d689a026208cc8840e61eeeea44dea2edbbf0 |
| SHA256 | c42c58e4e21a9db945282e4624ebdf0713a5ae1d95dd795d6145eea39c810181 |
| SHA512 | 72ad5e5518c9a2abb04ff243039c6e5c78bd915dcbecf406a7c9c96f792f50fb9ab08108c664ad78f51af1bd53ca86766c73d5a52929eeaa6798aa53e280c96c |
C:\Users\Admin\AppData\Local\Temp\dNlEnABDzb0B.bat
| Hash | Value |
| --- | --- |
| MD5 | 6df2dddce32cb3ed45a869d24988009c |
| SHA1 | 63fd096d02ee2f9398538eebd2c2dfe48864e379 |
| SHA256 | cd4ff842aceb62d2e56a7f1c9019a43a5e918aa1243904119a92375aca5be019 |
| SHA512 | 5b202a3170ed8ec9826c265a8d84e0939d3a3f2fe7783d2934b34d522960fb2a5ebde82484d45051130c00b37e53b0200d023f29a28deb2b37069de984ef8af7 |
C:\Users\Admin\AppData\Local\Temp\N0f1srjZIuN4.bat
| Hash | Value |
| --- | --- |
| MD5 | 4759f3ce7a37d1a66124db0b335488aa |
| SHA1 | 7b12b30b3374438b071035f2d8904668c633f73e |
| SHA256 | 28432746fde9de7be499176a215646744fff3da0d528def90c23d651b5b63f89 |
| SHA512 | 90d4b2640fc7bbbe0265c88d362824574f038605a93c279aa76fcdfa77431399b5baf9931ef407a192e164615ae8c0735144a81531afdd9b134a7274dc48092d |
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-01 18:58
Reported
2024-09-01 19:01
Platform
win10v2004-20240802-en
Max time kernel
143s
Max time network
145s
Signatures
Quasar RAT
Quasar payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\S^X.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A |
Obfuscated with Agile.Net obfuscator
Themida packer
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\S^X.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
"C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe"
C:\Users\Admin\AppData\Roaming\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome.exe"
C:\Users\Admin\AppData\Local\Temp\S^X.exe
"C:\Users\Admin\AppData\Local\Temp\S^X.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6ngwl50dS0e5.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CaV3iklJ7O1t.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\on0eX2RbPAuw.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XIPeKwwQjXDp.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EJnE5u7WvzkQ.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\prBbNdd02xWX.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\h3ay5nzuvZdc.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YvM1GdQifK0s.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nNHWV5LPuKWE.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3e43vdTaNVkS.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8UOABS1HXaN3.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4DggADSjzcaL.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GECQrSvbhFWV.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ljQbke1ccJoX.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.nodenet.ml | udp |
| US | 8.8.8.8:53 | synapse.to | udp |
| US | 104.21.21.210:443 | synapse.to | tcp |
| US | 8.8.8.8:53 | 210.21.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.nodenet.ml | udp |
| US | 8.8.8.8:53 | live.nodenet.ml | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.nodenet.ml | udp |
| US | 8.8.8.8:53 | 71.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.nodenet.ml | udp |
| US | 8.8.8.8:53 | live.nodenet.ml | udp |
| US | 8.8.8.8:53 | 34.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.nodenet.ml | udp |
| US | 8.8.8.8:53 | live.nodenet.ml | udp |
| US | 8.8.8.8:53 | live.nodenet.ml | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.nodenet.ml | udp |
| US | 8.8.8.8:53 | live.nodenet.ml | udp |
| US | 8.8.8.8:53 | live.nodenet.ml | udp |
| US | 8.8.8.8:53 | live.nodenet.ml | udp |
| US | 8.8.8.8:53 | live.nodenet.ml | udp |
Files
memory/4160-0-0x0000000074A8E000-0x0000000074A8F000-memory.dmp
memory/4160-1-0x0000000000480000-0x0000000000A94000-memory.dmp
memory/4160-2-0x0000000005560000-0x0000000005B72000-memory.dmp
memory/4160-10-0x0000000074A80000-0x0000000075230000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\45b8c97f-5cf8-49f5-b76c-0fc91adff9fb\AgileDotNetRT.dll
| MD5 | 2d86c4ad18524003d56c1cb27c549ba8 |
| SHA1 | 123007f9337364e044b87deacf6793c2027c8f47 |
| SHA256 | 091ab8a1acdab40c544bd1e5c91a96881acc318cac4df5235e1b5673f5489280 |
| SHA512 | 0dd5204733b3c20932aeea2cebf0ca1eeca70e4b3b3b8932d78d952a8f762f0b96ebdbdaf217e95889c02ec6a39b8f9919fd4c0cba56bb629256e71fa61faa3c |
memory/4160-11-0x0000000071B60000-0x0000000072168000-memory.dmp
memory/4160-13-0x0000000074A80000-0x0000000075230000-memory.dmp
memory/4160-12-0x0000000071B60000-0x0000000072168000-memory.dmp
memory/4160-14-0x0000000071B60000-0x0000000072168000-memory.dmp
memory/4160-17-0x0000000005560000-0x0000000005B6C000-memory.dmp
memory/4160-16-0x0000000005560000-0x0000000005B6C000-memory.dmp
memory/4160-15-0x0000000073490000-0x0000000073519000-memory.dmp
memory/4160-19-0x0000000005560000-0x0000000005B6C000-memory.dmp
memory/4160-23-0x0000000005560000-0x0000000005B6C000-memory.dmp
memory/4160-21-0x0000000005560000-0x0000000005B6C000-memory.dmp
memory/4160-25-0x0000000005530000-0x0000000005538000-memory.dmp
memory/4160-24-0x0000000005C70000-0x0000000005D22000-memory.dmp
C:\Users\Admin\AppData\Roaming\chrome.exe
| MD5 | 92479f1615fd4fa1dd3ac7f2e6a1b329 |
| SHA1 | 0a6063d27c9f991be2053b113fcef25e071c57fd |
| SHA256 | 0c4917cc756e769e94ab97d626bef49713dab833525ba2e5d75fc9aea4c72569 |
| SHA512 | 9f117c74c04749e6d0142e1cf952a8c59428f649413750921fc7aea35a3ccb62d9975ef954e61ce323d6234e0e9c7b8816f2ca9270552b726f9233219750847c |
memory/4740-46-0x00007FF958843000-0x00007FF958845000-memory.dmp
memory/4740-51-0x00000000003F0000-0x0000000000474000-memory.dmp
memory/4208-52-0x0000000074A8E000-0x0000000074A8F000-memory.dmp
memory/4160-50-0x0000000071B60000-0x0000000072168000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\S^X.exe
| MD5 | e2437ac017506bbde9a81fb1f618457b |
| SHA1 | adef2615312b31e041ccf700b3982dd50b686c7f |
| SHA256 | 94594fa46d0bd28c02365f0a32ec3a662b25df95f3f3e8e2a952c18a23895b12 |
| SHA512 | 9169f8be39b8fede38f7fce5a2e64d42630857e0ebd37f921c68ccf0bf0a8816f1682ba4659d22ad43413d99de62a59b2494494701404b44aa41c4d6bdc1e019 |
memory/4208-53-0x0000000000540000-0x000000000060C000-memory.dmp
memory/4208-55-0x0000000005470000-0x0000000005A14000-memory.dmp
memory/4208-56-0x0000000004F60000-0x0000000004FF2000-memory.dmp
memory/4740-54-0x0000000002430000-0x0000000002440000-memory.dmp
memory/4160-57-0x0000000074A80000-0x0000000075230000-memory.dmp
memory/324-63-0x000000001BB50000-0x000000001BBA0000-memory.dmp
memory/324-64-0x000000001BC60000-0x000000001BD12000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\6ngwl50dS0e5.bat
| MD5 | 3cd746de8e254b76ef66d55b42f1c66b |
| SHA1 | 76ac9e3e6b41918de079a306b78315a8499fb247 |
| SHA256 | 54019d3cff4f88469799073d2eb507ecd2781d9057b7517ebb01fd93289c6948 |
| SHA512 | cf3be5df0454043284a1002d0e5d27990e1833cc42962163a6d77f59a7e7147ee2a853643e3b2929a964c607710dd9cc18cf5a3b50531b66f38a2e769167474d |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\chrome.exe.log
| MD5 | baf55b95da4a601229647f25dad12878 |
| SHA1 | abc16954ebfd213733c4493fc1910164d825cac8 |
| SHA256 | ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924 |
| SHA512 | 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545 |
memory/4208-70-0x0000000004EB0000-0x0000000004EC0000-memory.dmp
memory/4208-71-0x0000000074A8E000-0x0000000074A8F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CaV3iklJ7O1t.bat
| MD5 | 5b3a0c0755ec8338caa1ab545c621d2c |
| SHA1 | 55a8c774a92d1720595660eb611ea75557301afb |
| SHA256 | b66aab4af82286d3bbe48589d17f6914bd2b130828d8b193ed533d96205641a2 |
| SHA512 | 6c9e39ac4f1bdada3d8e8413b1ee6236ffc5c77c88d2c92eb3c31aa34721bec6c790d8c9a16b921a39d4f263df9979ff4a3a3711887d8a88d441e0060af608d3 |
C:\Users\Admin\AppData\Local\Temp\on0eX2RbPAuw.bat
| MD5 | 5bf671db639647eee89f514dc8db4258 |
| SHA1 | 59e452ec60cc2e120a92b6ea7f86f3c2c6748112 |
| SHA256 | cbc8d1aaeceb88a4ecceb69faf85814381914d68d7861472ad0b2e4088e4e423 |
| SHA512 | 3f29f5d954f12065c695343d8daf039ffe3cb9dc524a518622c8f0e354d907bcf771543f5b2ad02848fdbf1a8870fc093c7ab0277fafb6bde6165be46bd614db |
C:\Users\Admin\AppData\Local\Temp\XIPeKwwQjXDp.bat
| MD5 | 399be82fe21c1b0decf93aa616e46532 |
| SHA1 | 4dca8902e2e610e8c9a18189086137dead307cb0 |
| SHA256 | d2305ca150dc6c1728ab20c45bea4a42b60ec4fdf2124987991b646e26e8a72f |
| SHA512 | 5b6eab7c77ee8271ab727e354a73f348447f2f7e2094be675db559915b563eb79adca53610f8e3f522e61bfa497cc9cec9793836a8e0e7fef29a72175b6bd7bb |
C:\Users\Admin\AppData\Local\Temp\EJnE5u7WvzkQ.bat
| MD5 | 89edcd346af0e6fced4cbded6421eb10 |
| SHA1 | d09a06462197cd679f07c2ae9a04637c891db870 |
| SHA256 | 61c9d265a24ac0ae838746699600cfcecf1880e004a2f5a19042fdbd301b835f |
| SHA512 | a9267fae43cb2d0df01db40a2dbb6dc1224fbc3c305c9ab2b1557169209293386fbef9d331b794f21c1cf0a43c02156c31929aad2e274e5add9aea660c91573e |
C:\Users\Admin\AppData\Local\Temp\prBbNdd02xWX.bat
| MD5 | 7b25ca46f7767251fc31670cb9800f13 |
| SHA1 | 52bec8d5ab13db26de9fd8b76b84070e8242f8fe |
| SHA256 | 7566a17f35eada34f55158aada36c64c134e3ee56ec9e58787e0f91531e98903 |
| SHA512 | e60f5c57ce6fc21e55df6d45e96c2c08ba591ebc556e7937abba8f0557303fd2e3c33e01336bae6f910e5e7c8528b6f88625735a93c1e5969e84ae80e483bb95 |
C:\Users\Admin\AppData\Local\Temp\h3ay5nzuvZdc.bat
| MD5 | a98c7752132ef0f7a9bbda2a3fcad0d0 |
| SHA1 | 367c1ee03cb1968703c91337eb9a8914383a6b6c |
| SHA256 | aaa559afc48f70be38ea132cd46ae7ab3491dc385d6ae213f14e0a4c13c1af7c |
| SHA512 | 6da18834b3e46f9350a26e533a650804379e03146b7c06c46616ac696bfeadb3e34361e190c62200c41f309148048555f9eecff57d9b2286b612c6d64c282abf |
C:\Users\Admin\AppData\Local\Temp\YvM1GdQifK0s.bat
| MD5 | 1cda4f348dadc55b693f4fff55bdef22 |
| SHA1 | 26f206d4660203d87c54744b18dc06f38167f0ec |
| SHA256 | 20d71473d25c52966721ccced1f6493c561309df67a8a5e00d6536129ceec777 |
| SHA512 | e0c4f84878daf54a5ac6b5f98dfb4653ce65e3ac48adc447a700b9e966ac3bfab33bba7eeea825fce69215b68ff086f2d741e4578941c27d62cd562d3de2bd72 |
C:\Users\Admin\AppData\Local\Temp\nNHWV5LPuKWE.bat
| MD5 | f3095c1045c5c420181d1dc105e7fa23 |
| SHA1 | ea313d2170920da6411c1cd1459a68b2fadaf04d |
| SHA256 | c708bec67398af611b31fb13a7347834972e841bc924ae88ebce058a987c11a6 |
| SHA512 | 041284fbad40df40fe60bc682600d4bfc9315be0c908cf9ef9a2735a452ef51829dd85d2ce2e75973169bf56b9f1b80e771030ac9ac3d40c323d66492579451b |
C:\Users\Admin\AppData\Local\Temp\3e43vdTaNVkS.bat
| MD5 | 2849ae243b33d7bfc329b7cb1d1a14c9 |
| SHA1 | aa2883e962b7f15ecd6a576b41c7092924ffaaf5 |
| SHA256 | a93570f9116e72d8ad0ae0a31c664d078044dab24e96baf207b033565c2db3b9 |
| SHA512 | 12df856c4622c9c25438770720b465e5bf1d8c5051f0939ee6be0fc3087f08b77ff64975ac839d56c704905e27cceafc71fa1406b27c8f1e3b2d2ff707b97e16 |
C:\Users\Admin\AppData\Local\Temp\8UOABS1HXaN3.bat
| MD5 | 88f5d190e68a92cf366d16caad0d1d91 |
| SHA1 | a2ffa05ac2cdb324645135baeffd61fdb663dc34 |
| SHA256 | c9050809de8382ce73c2e0596383df307748470f07e351b2095b7c1dc41ec374 |
| SHA512 | cba168b42c06612106d98f8937f6f53c982cdc1bee24c9d885a89abc96ac84b05270623a6dacc20764316ebb4959f9c3f7d91ae327fcccddb157e0d310e6d1ed |
C:\Users\Admin\AppData\Local\Temp\4DggADSjzcaL.bat
| MD5 | a951ce161eff3911b2f94ab013342036 |
| SHA1 | 34f5da8e6bc958108b1311ab953ada08661f42df |
| SHA256 | a5fc071d6397e349064a359fae17c1d104376f875458c95d6d8af98a6ff33f13 |
| SHA512 | 33ed547a2d28238e316c4007ab5b8a680bf901c3fcc5fd75a1e2402492f1afb5bc0366bdaf9e3f005411b2e77330dec71b9eaaf95878009a766f95b7c384f68b |
C:\Users\Admin\AppData\Local\Temp\GECQrSvbhFWV.bat
| MD5 | 89a2d8dd1c489d7404e4ef6e655cd291 |
| SHA1 | 8673864fb5742f013fa07a5d9c368de92f1a9c57 |
| SHA256 | baa0ea99959ce97028b820482d2eaf4fc10e56490cb9d05369abebe837e4cc4e |
| SHA512 | 9497cd40cee3bd9719fc25190bcda823d74c6cd462aae9491eb4a21744478579c097681e82ee905510c64ad848d00c5cd54757e956837195bc24032eac2fa654 |
C:\Users\Admin\AppData\Local\Temp\ljQbke1ccJoX.bat
| MD5 | 7e353cb901aa68b7cd1e5ea6354de0b7 |
| SHA1 | 80308546171cc111ccdfdc02d11a4c687b847a56 |
| SHA256 | c11457b1d7ba1a0edd77816892485bc90e8ec071765adf62ad28d0c06c5668d4 |
| SHA512 | 46d8ec223cab1005e7f6072b9c9ffebb2f29cae8b2568dd10ad0758f316df4a91d5c5a3ff83bbb34644292738304aba3cd851b967c1fdb9b1a19401fd6b57b29 |