Analysis Overview
SHA256
8f42439424657a1b5f08a2ec107041b5a7e01129dd40bb08fa04659b70d90567
Threat Level: Known bad
The file Win64Sys.exe was found to be: Known bad.
Malicious Activity Summary
Quasar family
Quasar payload
Quasar RAT
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Looks up external IP address via web service
Enumerates physical storage devices
Program crash
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Runs ping.exe
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-01-03 23:11
Signatures
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2023-01-03 23:11
Reported
2023-01-03 23:17
Platform
win10v2004-20220812-en
Max time kernel
115s
Max time network
118s
Command Line
Signatures
Quasar RAT
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Program crash
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Win64Sys.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Win64Sys.exe
"C:\Users\Admin\AppData\Local\Temp\Win64Sys.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows x64 System Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Win64Sys.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe
"C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows x64 System Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PxQoVBJfPmZ6.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 3660 -ip 3660
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 1696
C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe
"C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows x64 System Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\i4xkL2sRqDAs.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 112 -ip 112
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 112 -s 2224
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe
"C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows x64 System Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PqjJIQRmLTbT.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4568 -ip 4568
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 2216
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe
"C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows x64 System Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9cKc2Z9RMXiy.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2188 -ip 2188
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 1640
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe
"C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows x64 System Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PBxEC1lMg7lG.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2992 -ip 2992
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 1664
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe
"C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows x64 System Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\S5pcWkhDZE7l.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2008 -ip 2008
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 1664
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe
"C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows x64 System Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zi0nNaBYLyjU.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1396 -ip 1396
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 1672
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe
"C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows x64 System Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dMoRpvzX8Jj1.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4452 -ip 4452
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 2220
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe
"C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows x64 System Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4T148ohUgIlw.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3880 -ip 3880
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 1664
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe
"C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows x64 System Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ymNfDeLqQvA9.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1512 -ip 1512
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 1660
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | ip-api.com | udp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 8.8.8.8:53 | stuhowe.ddns.net | udp |
| N/A | 8.8.8.8:53 | ip-api.com | udp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 8.8.8.8:53 | stuhowe.ddns.net | udp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 8.8.8.8:53 | stuhowe.ddns.net | udp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 8.8.8.8:53 | stuhowe.ddns.net | udp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 8.8.8.8:53 | stuhowe.ddns.net | udp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 8.8.8.8:53 | stuhowe.ddns.net | udp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 8.8.8.8:53 | stuhowe.ddns.net | udp |
| N/A | 8.8.8.8:53 | ip-api.com | udp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 8.8.8.8:53 | stuhowe.ddns.net | udp |
| N/A | 8.8.8.8:53 | ip-api.com | udp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 8.8.8.8:53 | stuhowe.ddns.net | udp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 8.8.8.8:53 | stuhowe.ddns.net | udp |
Files
memory/2732-132-0x0000000000FB0000-0x0000000001014000-memory.dmp
memory/2732-133-0x0000000005FC0000-0x0000000006564000-memory.dmp
memory/2732-134-0x0000000005A10000-0x0000000005AA2000-memory.dmp
memory/2732-135-0x0000000005DB0000-0x0000000005E16000-memory.dmp
memory/2732-136-0x00000000069F0000-0x0000000006A02000-memory.dmp
memory/2732-137-0x0000000006E20000-0x0000000006E5C000-memory.dmp
memory/3500-138-0x0000000000000000-mapping.dmp
memory/3660-139-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe
| MD5 | 361ee66ffa93eda7d78eb4a5d14bfd57 |
| SHA1 | e8157e8283a3f8eb7390d45b98ae4d32c53ce273 |
| SHA256 | 8f42439424657a1b5f08a2ec107041b5a7e01129dd40bb08fa04659b70d90567 |
| SHA512 | 19fd3a727bdd1222e8cb859fa09f89fcd075c761ffeaa0a5b69c20faa4782de26157e446f6d548da5c3b2bf203d9aace78d963b7566c3fbbbe9a3c5c26d9f0d6 |
C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe
| MD5 | 361ee66ffa93eda7d78eb4a5d14bfd57 |
| SHA1 | e8157e8283a3f8eb7390d45b98ae4d32c53ce273 |
| SHA256 | 8f42439424657a1b5f08a2ec107041b5a7e01129dd40bb08fa04659b70d90567 |
| SHA512 | 19fd3a727bdd1222e8cb859fa09f89fcd075c761ffeaa0a5b69c20faa4782de26157e446f6d548da5c3b2bf203d9aace78d963b7566c3fbbbe9a3c5c26d9f0d6 |
memory/4796-142-0x0000000000000000-mapping.dmp
memory/3660-143-0x00000000069E0000-0x00000000069EA000-memory.dmp
memory/2192-144-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\PxQoVBJfPmZ6.bat
| MD5 | bf7cfdcf412fca3c62c24f6756141c0b |
| SHA1 | 41816156589406cd365d49f94055563090bd4662 |
| SHA256 | f6dba0b8323d3c8b02f1c35f4212821dd6294d8e0d42627baba3b852b953552d |
| SHA512 | 151a28a0b2eb9cca0113d300a7fbf1bf2d712e9da34507e18f9bc311e511f6393b966e21ad8c7b40e7ef83911cddfc8741f0df48cef77903f409c010043571be |
memory/680-146-0x0000000000000000-mapping.dmp
memory/4504-147-0x0000000000000000-mapping.dmp
memory/112-148-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe
| MD5 | 361ee66ffa93eda7d78eb4a5d14bfd57 |
| SHA1 | e8157e8283a3f8eb7390d45b98ae4d32c53ce273 |
| SHA256 | 8f42439424657a1b5f08a2ec107041b5a7e01129dd40bb08fa04659b70d90567 |
| SHA512 | 19fd3a727bdd1222e8cb859fa09f89fcd075c761ffeaa0a5b69c20faa4782de26157e446f6d548da5c3b2bf203d9aace78d963b7566c3fbbbe9a3c5c26d9f0d6 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Win64Sys.exe.log
| MD5 | 10eab9c2684febb5327b6976f2047587 |
| SHA1 | a12ed54146a7f5c4c580416aecb899549712449e |
| SHA256 | f49dbd55029bfbc15134f7c6a4f967d6c39142c63f2e8f1f8c78fab108a2c928 |
| SHA512 | 7e5fd90fffae723bd0c662a90e0730b507805f072771ee673d1d8c262dbf60c8a03ba5fe088f699a97c2e886380de158b2ccd59ee62e3d012dd6dd14ea9d0e50 |
memory/2492-151-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Keys\01-04-2023
| MD5 | 3369da65be3db4fc20753e109ea3c206 |
| SHA1 | 9a2197e3b25bc85f853654e81d43100bdf394b80 |
| SHA256 | 093375928b5b23b5bc72b33858e451f2f2a8352236fda5ad06384c781697c08a |
| SHA512 | 61289c5aac727e721a75d0534cfe3f06e81afd95f2d857ed83ffa89c522254faf8c29af53e6f828fa38d12bebbb6a5f0aac8d7795bf950175fd993335f92a20d |
memory/5080-153-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\i4xkL2sRqDAs.bat
| MD5 | fe7e5260fe5f82240bf442f6e14e1559 |
| SHA1 | 63d8a0088e22f39ce0d7007f387f27edc8feff4e |
| SHA256 | b62c960662b87e69679587383926652734a1a78a70f730dc070e6b5d730921b4 |
| SHA512 | 594087e7dd284e491d0f040a08d8e771f3a7c06b334c2a4bd640f2f5dd0d230e7304829a939860cf7571fb22846d36ceebdeaebd83404d41773e2945e4ae449c |
memory/2768-155-0x0000000000000000-mapping.dmp
memory/1612-156-0x0000000000000000-mapping.dmp
memory/4568-157-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe
| MD5 | 361ee66ffa93eda7d78eb4a5d14bfd57 |
| SHA1 | e8157e8283a3f8eb7390d45b98ae4d32c53ce273 |
| SHA256 | 8f42439424657a1b5f08a2ec107041b5a7e01129dd40bb08fa04659b70d90567 |
| SHA512 | 19fd3a727bdd1222e8cb859fa09f89fcd075c761ffeaa0a5b69c20faa4782de26157e446f6d548da5c3b2bf203d9aace78d963b7566c3fbbbe9a3c5c26d9f0d6 |
memory/1664-159-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Keys\01-04-2023
| MD5 | 9c06ae9fa2caf21d8525eec91be22c08 |
| SHA1 | 8298b04e2b45f637c8e04be27d42adce451bf374 |
| SHA256 | 574ad250309f0fbc1f9247de97d6ee3d9d14ddc910682c2eac2b43d5e192bc49 |
| SHA512 | 8eb34485b26e4afee545375c01c199b128b07da404b27c2abb434bd0f5def641dba96da37bb2214e7b21ce418af538abe536062a918c368bc4793382d3c8952f |
memory/1996-161-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\PqjJIQRmLTbT.bat
| MD5 | ac4c21a3f6517d9f4e6b4ed9fc74df22 |
| SHA1 | 82776a4977065db8fb70e32fe16fc5eca43208df |
| SHA256 | 05c5355ef5c8f88ca6c3ff6b7e74a300a1e799332d8969c9f8f4ccd96f584f96 |
| SHA512 | 7ef4e50bc8122df642f5ed1049438cfda02a43b401c7eba9fc1facfff80850b773d69ac9a1c7b2c8afabd78c192d48b42e324d93b9a63d035474b65e0402246a |
memory/1184-163-0x0000000000000000-mapping.dmp
memory/2984-164-0x0000000000000000-mapping.dmp
memory/2188-165-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe
| MD5 | 361ee66ffa93eda7d78eb4a5d14bfd57 |
| SHA1 | e8157e8283a3f8eb7390d45b98ae4d32c53ce273 |
| SHA256 | 8f42439424657a1b5f08a2ec107041b5a7e01129dd40bb08fa04659b70d90567 |
| SHA512 | 19fd3a727bdd1222e8cb859fa09f89fcd075c761ffeaa0a5b69c20faa4782de26157e446f6d548da5c3b2bf203d9aace78d963b7566c3fbbbe9a3c5c26d9f0d6 |
memory/3816-167-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Keys\01-04-2023
| MD5 | 730d8f0e9f085eb51ee7f64f821329a6 |
| SHA1 | 1b25bec68cf0af2a2902bda25f86e5db39117a9d |
| SHA256 | 2973a0cfe51d236a41730334fa67f3a947f1c0160ec0477c4b097071cdf03b2f |
| SHA512 | 6ecc65d6158d43c3bbf47707ce770b48f06e7a33947dfc34740aa1437de60eae844108041d4b2915c44eb79af7fdd970c711e8e6b4c46de83b8c332490d7b963 |
memory/1228-169-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\9cKc2Z9RMXiy.bat
| MD5 | 0a00b3246c9c46aa5a87b2301325e779 |
| SHA1 | f5998b332194d41540d18e4a7d0d779848edd062 |
| SHA256 | 1ed945a28234133e3c68ca9a621a8e4e54bf0ce295656eab45eb164eb709b21b |
| SHA512 | 83290e8ab848dfc2f9fe4b33d7275ef8bf8a5f0e5431c487c48192679343b451b66443c7904fb8519f77ecbd17ed41c8fd96ae2904a261941a3b7ab4e26e9252 |
memory/312-171-0x0000000000000000-mapping.dmp
memory/5096-172-0x0000000000000000-mapping.dmp
memory/2992-173-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe
| MD5 | 361ee66ffa93eda7d78eb4a5d14bfd57 |
| SHA1 | e8157e8283a3f8eb7390d45b98ae4d32c53ce273 |
| SHA256 | 8f42439424657a1b5f08a2ec107041b5a7e01129dd40bb08fa04659b70d90567 |
| SHA512 | 19fd3a727bdd1222e8cb859fa09f89fcd075c761ffeaa0a5b69c20faa4782de26157e446f6d548da5c3b2bf203d9aace78d963b7566c3fbbbe9a3c5c26d9f0d6 |
memory/3200-175-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Keys\01-04-2023
| MD5 | 2dadeebcab65323b29b8a22062284f76 |
| SHA1 | 03b1a8b49b87046af3a819c28df419d0c5c3b4b5 |
| SHA256 | 8aaba91bda21a5d6e84136927f5e1c9f48dac973acf1f1bfe057edf2cf370c2c |
| SHA512 | a0a7830411ab4c28ff6c0ee29a5a3e1c7a78c61aec9039128eedbb94b70e295c10ba59b47cf0424aa7d36d07a20bd49ea4ed5afcaf36a9878aa6e69687956518 |
memory/2508-177-0x0000000000000000-mapping.dmp
memory/4188-179-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\PBxEC1lMg7lG.bat
| MD5 | f5b7e4c58ede92627b4d4826dc296503 |
| SHA1 | f13025c96079d647aaea585c618a62ade44e2dd5 |
| SHA256 | c51627842277fc7bf2e08150c0279cec8f12e0622adff636a3f57564ff38144b |
| SHA512 | 911b93d9b308e56c9c9bf70f4dcb1ebc3e44df553091f32170667c0a0012a5cc1d793cb2601b6e31a7b3b84e7eef023d9c373ad91e9fd76360005385753baf19 |
memory/4748-180-0x0000000000000000-mapping.dmp
memory/2008-181-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe
| MD5 | 361ee66ffa93eda7d78eb4a5d14bfd57 |
| SHA1 | e8157e8283a3f8eb7390d45b98ae4d32c53ce273 |
| SHA256 | 8f42439424657a1b5f08a2ec107041b5a7e01129dd40bb08fa04659b70d90567 |
| SHA512 | 19fd3a727bdd1222e8cb859fa09f89fcd075c761ffeaa0a5b69c20faa4782de26157e446f6d548da5c3b2bf203d9aace78d963b7566c3fbbbe9a3c5c26d9f0d6 |
memory/3044-183-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Keys\01-04-2023
| MD5 | 13c0a1ee513e3952342cfe03eaa8f31b |
| SHA1 | 1a1b24cc24266146ca7ccf795acfb7a488a3b854 |
| SHA256 | ecb76e778699238375644b69c504bae3c349ba313ae781d849e54ff6e2ff656b |
| SHA512 | 562e750e79da50a4668666965841d688c34d6641d6322eb2ecd4561699050ac20102381c888ba132e1a84406b54adee16d07bfd7072abff219f67330041a8b98 |
memory/1884-185-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\S5pcWkhDZE7l.bat
| MD5 | f02c032808cc042c78df5117615c21bd |
| SHA1 | 119d8fb3a258d7b04f7534064420ae4234fd6900 |
| SHA256 | 30cdad1dd1fbb9daa66fb5362e3284ffd20b9ab7370b9b6cd959561914d499a6 |
| SHA512 | ab984078caaca819864a8ed8a5298726f88da66eb74b75a81373113f0076ebe75ffb5472bbaeb829e01bcd5a9c28addfdf294ab2738cd9b93289f7b6312c1f1b |
memory/4568-187-0x0000000000000000-mapping.dmp
memory/4512-188-0x0000000000000000-mapping.dmp
memory/1396-189-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe
| MD5 | 361ee66ffa93eda7d78eb4a5d14bfd57 |
| SHA1 | e8157e8283a3f8eb7390d45b98ae4d32c53ce273 |
| SHA256 | 8f42439424657a1b5f08a2ec107041b5a7e01129dd40bb08fa04659b70d90567 |
| SHA512 | 19fd3a727bdd1222e8cb859fa09f89fcd075c761ffeaa0a5b69c20faa4782de26157e446f6d548da5c3b2bf203d9aace78d963b7566c3fbbbe9a3c5c26d9f0d6 |
memory/2932-191-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Keys\01-04-2023
| MD5 | 27573779c615e2e97b39e68a9f7572bb |
| SHA1 | e5a2687e887bddddf921136ccc2598bfb2b42de7 |
| SHA256 | 44b0a3982cbc80e77c6d936a407423fea1640a71108b63a7524c72ffc47469df |
| SHA512 | 5a565d1b3783343b6bd8d1971e579d7fa3a944c5bf403ca76ee0975893f43810cc6fd32b0787660d242886dea004cae3b5c81fd560b462f3c978bfca6a111811 |
memory/1748-193-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\zi0nNaBYLyjU.bat
| MD5 | 377511d0e0c329c9253864c4075d9ceb |
| SHA1 | 8dd4e09f2eb5348a93e52542699344b36a5aee92 |
| SHA256 | b0177a6e7059afaf7c1faf12d5b4b880263b2ea7163ce0e810bcf59029be57e0 |
| SHA512 | 1126d8f69b122cd3c7800fcea319d50fcdef7055f2c71558b6859f01ba25dd00bd23f5c33061e036c505106b36b1cc4369230d605908eb3cbae639d17b7e22da |
memory/1760-195-0x0000000000000000-mapping.dmp
memory/2160-196-0x0000000000000000-mapping.dmp
memory/4452-197-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe
| MD5 | 361ee66ffa93eda7d78eb4a5d14bfd57 |
| SHA1 | e8157e8283a3f8eb7390d45b98ae4d32c53ce273 |
| SHA256 | 8f42439424657a1b5f08a2ec107041b5a7e01129dd40bb08fa04659b70d90567 |
| SHA512 | 19fd3a727bdd1222e8cb859fa09f89fcd075c761ffeaa0a5b69c20faa4782de26157e446f6d548da5c3b2bf203d9aace78d963b7566c3fbbbe9a3c5c26d9f0d6 |
memory/2732-199-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Keys\01-04-2023
| MD5 | 65d0d44ef37e9436278eda200fa79790 |
| SHA1 | a88bdfa49e5fdf1bc5594c49cd58b2b319c68dd7 |
| SHA256 | 7494547997bb89042bd5d520a17698c77d5daf7bb91dea5866db2d02276354cb |
| SHA512 | e7952c6447974583076fb27e90114b8e9374a6a5b25d4a042bbdbb506d6462f326226e83ff8b149c92e339ecc513f500fb692c19f59c55753aa3f1ef25b55013 |
memory/3564-201-0x0000000000000000-mapping.dmp
memory/3744-203-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\dMoRpvzX8Jj1.bat
| MD5 | ad763c94ed7ff972c5f0b996f1ada3b9 |
| SHA1 | da5a60a5ae835e0c1bf53c15349573d619b644e0 |
| SHA256 | 5cfcdad20fb36691a1311a85a3b94276cbc2ef70d2a3ec99b358d5734da26008 |
| SHA512 | 863a4f2a9a6e806abf933ea9c2669b575d8660a5d6fdd72248beabbd9fa698b27620fce8971c23ed58cd020e8b027fe11e571a20b6d242eec00d58d01ee0eadb |
memory/2516-204-0x0000000000000000-mapping.dmp
memory/3880-205-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe
| MD5 | 361ee66ffa93eda7d78eb4a5d14bfd57 |
| SHA1 | e8157e8283a3f8eb7390d45b98ae4d32c53ce273 |
| SHA256 | 8f42439424657a1b5f08a2ec107041b5a7e01129dd40bb08fa04659b70d90567 |
| SHA512 | 19fd3a727bdd1222e8cb859fa09f89fcd075c761ffeaa0a5b69c20faa4782de26157e446f6d548da5c3b2bf203d9aace78d963b7566c3fbbbe9a3c5c26d9f0d6 |
memory/4564-207-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Keys\01-04-2023
| MD5 | 7b4ba48ebdc19fb27225c133b49fd621 |
| SHA1 | eed49882275ea5a9cd0f4f5d52126d065a558f77 |
| SHA256 | f215c4f767b71d45b06e9f943add09760ec16649518e86a4899cae9d35b6b74c |
| SHA512 | a00da5695501f29fcfd20c2a3f4b95665e5c6a522a24eb6f551a2af69d9c1ea6c310d46ff8eeac424d41bbb6b2a13ba706e29303a8dec1b3b1884ec738231457 |
memory/3804-209-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\4T148ohUgIlw.bat
| MD5 | 699d73adfd3a854ba40cc50bde1dc2e9 |
| SHA1 | 5c15a079480256c0983df2c994bd81f352fc6334 |
| SHA256 | 3fb29a6c16e23b0647c22ffb18d7212c4c9b278ce9f92d40979d105608d65957 |
| SHA512 | b01ef46f14319930897a21ab9d82a3ab7650451a5dcea01ddc65c8565b841592dd93a7ed5c88e336d8ac21c94c84c073a8ff997071faefe634ce23e56a4a8dce |
memory/2100-211-0x0000000000000000-mapping.dmp
memory/5080-212-0x0000000000000000-mapping.dmp
memory/1512-213-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe
| MD5 | 361ee66ffa93eda7d78eb4a5d14bfd57 |
| SHA1 | e8157e8283a3f8eb7390d45b98ae4d32c53ce273 |
| SHA256 | 8f42439424657a1b5f08a2ec107041b5a7e01129dd40bb08fa04659b70d90567 |
| SHA512 | 19fd3a727bdd1222e8cb859fa09f89fcd075c761ffeaa0a5b69c20faa4782de26157e446f6d548da5c3b2bf203d9aace78d963b7566c3fbbbe9a3c5c26d9f0d6 |
memory/4896-215-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Keys\01-04-2023
| MD5 | b8b1b2ecac8a5d069faaccac24274ecd |
| SHA1 | 8e144da6f25c7ffb6db43644aa0df1bb629ad3d7 |
| SHA256 | 5082420ad90723718a472b72147f68e2d0716a15f71e5f7dd1824a3f83b1205e |
| SHA512 | 9d56be68424273cdedb9d743a8cd8abe32ba50157fb03562fbbb3990962f5eac53dabc2b74ff8446aa0ed26097f1caad68d1024a775cd0bcdb47b8d88a021dfd |
memory/4704-217-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\ymNfDeLqQvA9.bat
| MD5 | 80608e54c9d6f59779dc426298fa2532 |
| SHA1 | 7c2925e9b21afbd9797ebd47b26cb7509a681b06 |
| SHA256 | 2c610b825eda21227911a30ef5515f60875fc14b81d73b522cdbcd86964e809d |
| SHA512 | d8a1407df42ea261dbef6152b491a52465c67f79ff0eb681834faad7b352855bcfe842f96b6ec590ea981a74861c0c6e04b672a614e63d74fb79a4933a91d88a |
memory/4740-219-0x0000000000000000-mapping.dmp
memory/1836-220-0x0000000000000000-mapping.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2023-01-03 23:11
Reported
2023-01-03 23:17
Platform
win7-20220901-en
Max time kernel
45s
Max time network
103s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Win64Sys.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Win64Sys.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Win64Sys.exe
"C:\Users\Admin\AppData\Local\Temp\Win64Sys.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows x64 System Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Win64Sys.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe
"C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows x64 System Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LHDWie8J9eNQ.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 524 -s 1480
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe
"C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | ip-api.com | udp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 8.8.8.8:53 | stuhowe.ddns.net | udp |
Files
memory/1496-54-0x0000000000370000-0x00000000003D4000-memory.dmp
memory/1496-55-0x0000000076BA1000-0x0000000076BA3000-memory.dmp
memory/1648-56-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe
| MD5 | 361ee66ffa93eda7d78eb4a5d14bfd57 |
| SHA1 | e8157e8283a3f8eb7390d45b98ae4d32c53ce273 |
| SHA256 | 8f42439424657a1b5f08a2ec107041b5a7e01129dd40bb08fa04659b70d90567 |
| SHA512 | 19fd3a727bdd1222e8cb859fa09f89fcd075c761ffeaa0a5b69c20faa4782de26157e446f6d548da5c3b2bf203d9aace78d963b7566c3fbbbe9a3c5c26d9f0d6 |
memory/524-58-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe
| MD5 | 361ee66ffa93eda7d78eb4a5d14bfd57 |
| SHA1 | e8157e8283a3f8eb7390d45b98ae4d32c53ce273 |
| SHA256 | 8f42439424657a1b5f08a2ec107041b5a7e01129dd40bb08fa04659b70d90567 |
| SHA512 | 19fd3a727bdd1222e8cb859fa09f89fcd075c761ffeaa0a5b69c20faa4782de26157e446f6d548da5c3b2bf203d9aace78d963b7566c3fbbbe9a3c5c26d9f0d6 |
C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe
| MD5 | 361ee66ffa93eda7d78eb4a5d14bfd57 |
| SHA1 | e8157e8283a3f8eb7390d45b98ae4d32c53ce273 |
| SHA256 | 8f42439424657a1b5f08a2ec107041b5a7e01129dd40bb08fa04659b70d90567 |
| SHA512 | 19fd3a727bdd1222e8cb859fa09f89fcd075c761ffeaa0a5b69c20faa4782de26157e446f6d548da5c3b2bf203d9aace78d963b7566c3fbbbe9a3c5c26d9f0d6 |
memory/524-61-0x00000000003F0000-0x0000000000454000-memory.dmp
memory/1640-63-0x0000000000000000-mapping.dmp
memory/1336-64-0x0000000000000000-mapping.dmp
memory/1220-65-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\LHDWie8J9eNQ.bat
| MD5 | 7b49c3185933f598d25cab7834210b37 |
| SHA1 | 7d9f46db0bce6fb89329e1065c509ff601f50cde |
| SHA256 | 5b76d5be3de5f26f42326d13c70e17a499ec7973b02b977e87b0b657229317c1 |
| SHA512 | c71acc7e28ca385152aa88f97c5842cbbf2a075435b8c59345ca6adadf452c4cecae2ed3f57d549d5930e12acbf660f831b22d36ef67098d5717a15682455a79 |
\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe
| MD5 | 361ee66ffa93eda7d78eb4a5d14bfd57 |
| SHA1 | e8157e8283a3f8eb7390d45b98ae4d32c53ce273 |
| SHA256 | 8f42439424657a1b5f08a2ec107041b5a7e01129dd40bb08fa04659b70d90567 |
| SHA512 | 19fd3a727bdd1222e8cb859fa09f89fcd075c761ffeaa0a5b69c20faa4782de26157e446f6d548da5c3b2bf203d9aace78d963b7566c3fbbbe9a3c5c26d9f0d6 |
\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe
| MD5 | 361ee66ffa93eda7d78eb4a5d14bfd57 |
| SHA1 | e8157e8283a3f8eb7390d45b98ae4d32c53ce273 |
| SHA256 | 8f42439424657a1b5f08a2ec107041b5a7e01129dd40bb08fa04659b70d90567 |
| SHA512 | 19fd3a727bdd1222e8cb859fa09f89fcd075c761ffeaa0a5b69c20faa4782de26157e446f6d548da5c3b2bf203d9aace78d963b7566c3fbbbe9a3c5c26d9f0d6 |
memory/2004-69-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe
| MD5 | 361ee66ffa93eda7d78eb4a5d14bfd57 |
| SHA1 | e8157e8283a3f8eb7390d45b98ae4d32c53ce273 |
| SHA256 | 8f42439424657a1b5f08a2ec107041b5a7e01129dd40bb08fa04659b70d90567 |
| SHA512 | 19fd3a727bdd1222e8cb859fa09f89fcd075c761ffeaa0a5b69c20faa4782de26157e446f6d548da5c3b2bf203d9aace78d963b7566c3fbbbe9a3c5c26d9f0d6 |
\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe
| MD5 | 361ee66ffa93eda7d78eb4a5d14bfd57 |
| SHA1 | e8157e8283a3f8eb7390d45b98ae4d32c53ce273 |
| SHA256 | 8f42439424657a1b5f08a2ec107041b5a7e01129dd40bb08fa04659b70d90567 |
| SHA512 | 19fd3a727bdd1222e8cb859fa09f89fcd075c761ffeaa0a5b69c20faa4782de26157e446f6d548da5c3b2bf203d9aace78d963b7566c3fbbbe9a3c5c26d9f0d6 |
memory/2040-72-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe
| MD5 | 361ee66ffa93eda7d78eb4a5d14bfd57 |
| SHA1 | e8157e8283a3f8eb7390d45b98ae4d32c53ce273 |
| SHA256 | 8f42439424657a1b5f08a2ec107041b5a7e01129dd40bb08fa04659b70d90567 |
| SHA512 | 19fd3a727bdd1222e8cb859fa09f89fcd075c761ffeaa0a5b69c20faa4782de26157e446f6d548da5c3b2bf203d9aace78d963b7566c3fbbbe9a3c5c26d9f0d6 |
C:\Users\Admin\AppData\Roaming\Micosoft\Win64Sys.exe
| MD5 | 361ee66ffa93eda7d78eb4a5d14bfd57 |
| SHA1 | e8157e8283a3f8eb7390d45b98ae4d32c53ce273 |
| SHA256 | 8f42439424657a1b5f08a2ec107041b5a7e01129dd40bb08fa04659b70d90567 |
| SHA512 | 19fd3a727bdd1222e8cb859fa09f89fcd075c761ffeaa0a5b69c20faa4782de26157e446f6d548da5c3b2bf203d9aace78d963b7566c3fbbbe9a3c5c26d9f0d6 |
memory/1960-74-0x0000000000000000-mapping.dmp