Malware Analysis Report

2025-04-14 05:07

Sample ID 230107-s23d9ahc5y
Target b5b0a0a082b9f9ed7e1216805dce73dc.exe
SHA256 486a7709a844ef4a1770299b51b3bdd519c8881ea3190705ab7890780998e84a
Tags
office04 quasar spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

486a7709a844ef4a1770299b51b3bdd519c8881ea3190705ab7890780998e84a

Threat Level: Known bad

The file b5b0a0a082b9f9ed7e1216805dce73dc.exe was found to be: Known bad.

Malicious Activity Summary

office04 quasar spyware trojan

Quasar family

Quasar RAT

Quasar payload

Checks computer location settings

Enumerates physical storage devices

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-01-07 15:38

Signatures

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-01-07 15:38

Reported

2023-01-07 15:40

Platform

win7-20221111-en

Max time kernel

141s

Max time network

33s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1704 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe C:\Windows\system32\cmd.exe
PID 1704 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe C:\Windows\system32\cmd.exe
PID 1704 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe C:\Windows\system32\cmd.exe
PID 856 wrote to memory of 1904 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 856 wrote to memory of 1904 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 856 wrote to memory of 1904 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 856 wrote to memory of 472 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 856 wrote to memory of 472 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 856 wrote to memory of 472 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 856 wrote to memory of 1112 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe
PID 856 wrote to memory of 1112 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe
PID 856 wrote to memory of 1112 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe
PID 1112 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe C:\Windows\system32\cmd.exe
PID 1112 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe C:\Windows\system32\cmd.exe
PID 1112 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe C:\Windows\system32\cmd.exe
PID 1364 wrote to memory of 1856 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1364 wrote to memory of 1856 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1364 wrote to memory of 1856 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1364 wrote to memory of 1020 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 1364 wrote to memory of 1020 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 1364 wrote to memory of 1020 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 1364 wrote to memory of 1608 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe
PID 1364 wrote to memory of 1608 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe
PID 1364 wrote to memory of 1608 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe
PID 1608 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe C:\Windows\system32\cmd.exe
PID 1608 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe C:\Windows\system32\cmd.exe
PID 1608 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe C:\Windows\system32\cmd.exe
PID 1224 wrote to memory of 1376 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1224 wrote to memory of 1376 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1224 wrote to memory of 1376 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1224 wrote to memory of 2008 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 1224 wrote to memory of 2008 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 1224 wrote to memory of 2008 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 1224 wrote to memory of 1308 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe
PID 1224 wrote to memory of 1308 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe
PID 1224 wrote to memory of 1308 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe
PID 1308 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe C:\Windows\system32\cmd.exe
PID 1308 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe C:\Windows\system32\cmd.exe
PID 1308 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe C:\Windows\system32\cmd.exe
PID 960 wrote to memory of 1560 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 960 wrote to memory of 1560 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 960 wrote to memory of 1560 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 960 wrote to memory of 1752 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 960 wrote to memory of 1752 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 960 wrote to memory of 1752 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 960 wrote to memory of 1668 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe
PID 960 wrote to memory of 1668 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe
PID 960 wrote to memory of 1668 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe
PID 1668 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe C:\Windows\system32\cmd.exe
PID 1668 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe C:\Windows\system32\cmd.exe
PID 1668 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe C:\Windows\system32\cmd.exe
PID 760 wrote to memory of 1716 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 760 wrote to memory of 1716 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 760 wrote to memory of 1716 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 760 wrote to memory of 1616 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 760 wrote to memory of 1616 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 760 wrote to memory of 1616 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 760 wrote to memory of 316 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe
PID 760 wrote to memory of 316 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe
PID 760 wrote to memory of 316 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe
PID 316 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe C:\Windows\system32\cmd.exe
PID 316 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe C:\Windows\system32\cmd.exe
PID 316 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe C:\Windows\system32\cmd.exe
PID 916 wrote to memory of 616 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com

Processes

C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe

"C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YkyHZXGv6TsR.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe

"C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\7VbLAAQpN2rk.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe

"C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\0LY2d5Tiaab7.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe

"C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xGOdG5JQRtBM.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe

"C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\Jfp5A4Gc3Wpd.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe

"C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\L8lAiZ6HXr4I.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe

"C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\0d0OrJimuLju.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe

"C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\f23xtBzx7SBw.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe

"C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DU2rtXozgH2L.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe

"C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QzoNwL5GGTkQ.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 xsaz3412.duckdns.org udp
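The only network event in this run is a UDP DNS lookup of a DuckDNS hostname sent straight to 8.8.8.8, which is how Quasar builds find their C2 when the operator uses a free dynamic-DNS name. The block below is an added example, not code from the report or the sandbox vendor, showing how that one observation becomes detection logic over DNS telemetry: it flags the report's domain as a known indicator, any hostname under a free dynamic-DNS provider (a list chosen here; it is not on the page and is not exhaustive), and queries that bypass the organisation's own resolver. The key=value log format, the client addresses and the sanctioned resolver 10.0.0.53 are constructed assumptions.

```python
"""Triage DNS telemetry for the kind of lookup seen in this report.

Added example; not part of the sandbox report. The log lines are constructed
in a hypothetical key=value format; the sanctioned resolver address is an
assumption about the monitored network.
"""
import re

# Indicator taken from the report's Network section.
KNOWN_C2_DOMAINS = {"xsaz3412.duckdns.org"}
# Free dynamic-DNS services often used for RAT C2 (chosen here; non-exhaustive).
DYNAMIC_DNS_SUFFIXES = ("duckdns.org", "no-ip.org", "ddns.net", "hopto.org", "dyndns.org")
# Assumption: the only resolver endpoints in this network are allowed to query.
SANCTIONED_RESOLVERS = {"10.0.0.53"}

# Constructed sample log; the first line mirrors the report's 8.8.8.8:53 lookup.
SAMPLE_DNS_LOG = """\
2023-01-07T15:38:41Z src=10.1.2.20 dst=8.8.8.8:53 proto=udp qname=xsaz3412.duckdns.org qtype=A
2023-01-07T15:38:42Z src=10.1.2.20 dst=10.0.0.53:53 proto=udp qname=www.microsoft.com qtype=A
2023-01-07T15:39:05Z src=10.1.2.31 dst=10.0.0.53:53 proto=udp qname=myhome.ddns.net qtype=A
2023-01-07T15:39:10Z src=10.1.2.44 dst=1.1.1.1:53 proto=udp qname=example.com qtype=AAAA
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>[^:\s]+):(?P<port>\d+) "
    r"proto=(?P<proto>\S+) qname=(?P<qname>\S+) qtype=(?P<qtype>\S+)$"
)


def parse_dns_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def classify(rec):
    """Return the reasons a single query is suspicious (empty list if none)."""
    qname = rec["qname"].lower().rstrip(".")
    reasons = []
    if qname in KNOWN_C2_DOMAINS:
        reasons.append("known_c2_domain")
    if any(qname == s or qname.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES):
        reasons.append("dynamic_dns_provider")
    # Direct queries to any non-sanctioned resolver (8.8.8.8, 1.1.1.1, ...) are
    # a sign the process is avoiding the logging/filtering on the internal one.
    if rec["port"] == "53" and rec["dst"] not in SANCTIONED_RESOLVERS:
        reasons.append("resolver_bypass")
    return reasons


def triage(text):
    """Return (src, qname, reasons) for every flagged query, in log order."""
    out = []
    for rec in parse_dns_log(text):
        reasons = classify(rec)
        if reasons:
            out.append((rec["src"], rec["qname"], reasons))
    return out


if __name__ == "__main__":
    for src, qname, reasons in triage(SAMPLE_DNS_LOG):
        print(src, qname, ", ".join(reasons))
```

The exact-domain match is the least durable of the three checks: DuckDNS names are free and disposable, so the dynamic-DNS and resolver-bypass rules are what keep catching the next build once the operator rotates the hostname.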

Files

memory/1704-54-0x0000000000B10000-0x0000000000B94000-memory.dmp

memory/1704-55-0x000007FEFB741000-0x000007FEFB743000-memory.dmp

memory/856-56-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\YkyHZXGv6TsR.bat

MD5 5fa41d94434097a4877ced62f1560b7b
SHA1 859cd2d711cf7f5051d44862cc49b5a6c6f274b9
SHA256 6bd6afb90db6c381aaf7511f1af41a1b139172eb74eea2ed2123f49684df4487
SHA512 6381bdadea3573cfa8065ee3c87d5246440a72a3f0869144e8942db9e3f5870a162ac3b32e52381869433765c74a87861f456bc2d8fbc56c83282314638a98aa

memory/1904-58-0x0000000000000000-mapping.dmp

memory/472-59-0x0000000000000000-mapping.dmp

memory/1112-60-0x0000000000000000-mapping.dmp

memory/1112-61-0x0000000000FD0000-0x0000000001054000-memory.dmp

memory/1364-63-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7VbLAAQpN2rk.bat

MD5 2cf6a76968c464a93424251299050c27
SHA1 e8edc3c89689aa68368e19a2f781dbb5dc00789c
SHA256 e54457cfabdc37b18a596cf6bd0a07a574b4ce8e5f152a2e00b6391e4a3b5b5d
SHA512 bdd173a5ac84f1ef4791a259241dc5854b765c7c342e812b01146074d6e8f7670d9ebf64095e9098d38e7edee39417fe90a936d3a2a6d1e0853a5844763df55f

memory/1856-65-0x0000000000000000-mapping.dmp

memory/1020-66-0x0000000000000000-mapping.dmp

memory/1608-67-0x0000000000000000-mapping.dmp

memory/1224-69-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\0LY2d5Tiaab7.bat

MD5 380812886c3ab0761efeda0128ffb7e2
SHA1 fb289352c8aafaadd7911a906db0c47cec1a064b
SHA256 1f627971a27d8865483cbf2e76e70b6bf8b50416d2f84473ffa8dae35c4a36a2
SHA512 c0fbce0ca1cd28a8b2f16c7116eb0a9a4ba4b521ede17bda51828bfab75cd2c7d6158aee3fe0714d17965c5b1ff1bace0ed83ed18876d4ff8772c4297d5353c4

memory/1376-71-0x0000000000000000-mapping.dmp

memory/2008-72-0x0000000000000000-mapping.dmp

memory/1308-73-0x0000000000000000-mapping.dmp

memory/1308-74-0x00000000002D0000-0x0000000000354000-memory.dmp

\??\PIPE\lsarpc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/960-77-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\xGOdG5JQRtBM.bat

MD5 cd55f74a62d556a87a61d5aebad8a1c1
SHA1 296451e9a9ab89477bae557fd1888678dc270acf
SHA256 aac4b080555a69fb77a1842459fe153f8a5ca583e5be1cce63afc93d288b4ba1
SHA512 eaca5921be3222ea529a246a82e7afafa054b78c603bbae01a571fc29fb4a9c344ff902fc8c2be1383cf010d1684f8e0205d7c34425210e78e5ef96012a638b1

memory/1560-79-0x0000000000000000-mapping.dmp

memory/1752-80-0x0000000000000000-mapping.dmp

memory/1668-81-0x0000000000000000-mapping.dmp

memory/1668-82-0x00000000012A0000-0x0000000001324000-memory.dmp

memory/760-84-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Jfp5A4Gc3Wpd.bat

MD5 b786555f80f1fc43d5ea9a1077cb3ccc
SHA1 49e2a771099adea53ea571845b71a46ce95d32d3
SHA256 b5b7a8dfd063fea057e89004ed708dbeaea6d32a75a04b400cf2358416633e47
SHA512 92c06123f42a3b21cb44e0cbab5adf597b426fb93b22468f3471c5c76fec543285384c4dba387dac4bd720a7658b3cf3667aa4f57d8effb3ef45c5191cdb144a

memory/1716-86-0x0000000000000000-mapping.dmp

memory/1616-87-0x0000000000000000-mapping.dmp

memory/316-88-0x0000000000000000-mapping.dmp

memory/916-90-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\L8lAiZ6HXr4I.bat

MD5 1e7f748b6bd6ab549c9290a0a100face
SHA1 1b53ead68e7ad676ae2284d7b76295da4d35913c
SHA256 31c1fca669515d77804e1394096ee4133eb1673a62ab3d95090d22ba5a9cb613
SHA512 b48a046c6dd08e9dd8435704ae407827ad7bd314af00dd2b1f2dbc9ef59237b429276af6951a42607998794b74e6583ade6f80fd44c3af812cc7d9b06557bb9d

memory/616-92-0x0000000000000000-mapping.dmp

memory/1780-93-0x0000000000000000-mapping.dmp

memory/360-94-0x0000000000000000-mapping.dmp

\??\PIPE\lsarpc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1608-97-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\0d0OrJimuLju.bat

MD5 fc16046049e28a70616b7250c950e721
SHA1 d9bdebe1a209067205d1899fd9e47f7e8927c437
SHA256 639433c6119f8031e796654be8ec32eb1308bf437e7f5a96b677159e355d6dfc
SHA512 56aca8ed785f08b4aef31cc11d20da1e9bec6a7b712aa380d5cb5048745e3b265a22f4dd01c3e6f997fa7b40edb3d496721b90f0bd7391d461df326bc6f87aa4

memory/852-99-0x0000000000000000-mapping.dmp

memory/1788-100-0x0000000000000000-mapping.dmp

memory/1192-101-0x0000000000000000-mapping.dmp

memory/1764-103-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\f23xtBzx7SBw.bat

MD5 1edf9995ac0f9162d2395b39e1501983
SHA1 b43f18c3781cb2237f4d2f1913968c6645136015
SHA256 3e6d0d6d16b8fe15bfe5caa978dcf25d4f8b7e6fc96db11d601cce0f28a5b588
SHA512 eb87f94bbaadbf93dd5a24095ca2aff284952fc9dda5b82f5143f73fb84ffaf1e632d065498965aa7297be0dc8b25e5c7f1790b7906f8c5beb3cb014b5d82f07

memory/1688-105-0x0000000000000000-mapping.dmp

memory/528-106-0x0000000000000000-mapping.dmp

memory/960-107-0x0000000000000000-mapping.dmp

memory/960-108-0x0000000000200000-0x0000000000284000-memory.dmp

\??\PIPE\lsarpc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1160-111-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\DU2rtXozgH2L.bat

MD5 0061bef0579ad82c9464479b770e36ca
SHA1 ff186a9595b1f3c819d0ae21905d8f9f43ad6f11
SHA256 049868ebc586754a35d767cb9fc167a09ca2b39ef39cd26a527b99dfe0e5720a
SHA512 02033856441d0289d2da90fa8bd501968a0af29ce8eb2f73fdd253a322380d2ab8e8b407f167ab3c58ff64bff9a60f07b5612ba6364b7cc221022dfc87a984f5

memory/1716-113-0x0000000000000000-mapping.dmp

memory/1352-114-0x0000000000000000-mapping.dmp

memory/1712-115-0x0000000000000000-mapping.dmp

memory/1712-116-0x0000000001270000-0x00000000012F4000-memory.dmp

memory/1032-118-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\QzoNwL5GGTkQ.bat

MD5 c1cd380e43107175b23b5a73396244ff
SHA1 b8778e75f1f5eb329428fde45f3c240f81c3d537
SHA256 efa152c728ab1237d6e911c5fdd767ddf9bad20fc7c1f8ce70e82d11bf8a702f
SHA512 5cb15de29f1f65d83bb09788663acd466eb238374ac0c308bd72d1bf2398b7545e84718c0df7c046b7257d1ee0a50b84c41ce100da2be1e19e94dc0853715c27

memory/1760-120-0x0000000000000000-mapping.dmp

memory/1924-121-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-01-07 15:38

Reported

2023-01-07 15:40

Platform

win10v2004-20221111-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3144 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe C:\Windows\system32\cmd.exe
PID 3144 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe C:\Windows\system32\cmd.exe
PID 2860 wrote to memory of 2724 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2860 wrote to memory of 2724 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2860 wrote to memory of 3556 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2860 wrote to memory of 3556 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2860 wrote to memory of 4720 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe
PID 2860 wrote to memory of 4720 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe
PID 4720 wrote to memory of 4168 N/A C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe C:\Windows\system32\cmd.exe
PID 4720 wrote to memory of 4168 N/A C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe C:\Windows\system32\cmd.exe
PID 4168 wrote to memory of 5104 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 4168 wrote to memory of 5104 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 4168 wrote to memory of 392 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 4168 wrote to memory of 392 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 4168 wrote to memory of 5056 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe
PID 4168 wrote to memory of 5056 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe
PID 5056 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe C:\Windows\system32\cmd.exe
PID 5056 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe C:\Windows\system32\cmd.exe
PID 1992 wrote to memory of 2968 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1992 wrote to memory of 2968 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1992 wrote to memory of 4204 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 1992 wrote to memory of 4204 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 1992 wrote to memory of 1192 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe
PID 1992 wrote to memory of 1192 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe
PID 1192 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe C:\Windows\system32\cmd.exe
PID 1192 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe C:\Windows\system32\cmd.exe
PID 3692 wrote to memory of 3892 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3692 wrote to memory of 3892 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3692 wrote to memory of 2240 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 3692 wrote to memory of 2240 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 3692 wrote to memory of 4828 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe
PID 3692 wrote to memory of 4828 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe
PID 4828 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe C:\Windows\system32\cmd.exe
PID 4828 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe C:\Windows\system32\cmd.exe
PID 1308 wrote to memory of 4500 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1308 wrote to memory of 4500 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1308 wrote to memory of 5100 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 1308 wrote to memory of 5100 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 1308 wrote to memory of 2784 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe
PID 1308 wrote to memory of 2784 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe
PID 2784 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe C:\Windows\system32\cmd.exe
PID 2784 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe C:\Windows\system32\cmd.exe
PID 4584 wrote to memory of 4940 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 4584 wrote to memory of 4940 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 4584 wrote to memory of 4216 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 4584 wrote to memory of 4216 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 4584 wrote to memory of 4532 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe
PID 4584 wrote to memory of 4532 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe
PID 4532 wrote to memory of 724 N/A C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe C:\Windows\system32\cmd.exe
PID 4532 wrote to memory of 724 N/A C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe C:\Windows\system32\cmd.exe
PID 724 wrote to memory of 1372 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 724 wrote to memory of 1372 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 724 wrote to memory of 4700 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 724 wrote to memory of 4700 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 724 wrote to memory of 3664 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe
PID 724 wrote to memory of 3664 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe
PID 3664 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe C:\Windows\system32\cmd.exe
PID 3664 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe C:\Windows\system32\cmd.exe
PID 1860 wrote to memory of 1880 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1860 wrote to memory of 1880 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1860 wrote to memory of 3220 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 1860 wrote to memory of 3220 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 1860 wrote to memory of 2972 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe
PID 1860 wrote to memory of 2972 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe

"C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QlBWeGUfTaF0.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe

"C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3uJzLaFNua54.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe

"C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UQt7P3eQ00Vg.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe

"C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pa0ft07xdwyA.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe

"C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\v3XbqbwgbC0i.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe

"C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BJp0g8n8FMVJ.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe

"C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wsv8rWOGxLRz.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe

"C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xd667c9NiRNU.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe

"C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ylGrbuxHDroT.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe

"C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bxu7JOJaNrss.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe

"C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3MJa3slgjilP.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe

"C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8z33Hy6vCmlI.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe

"C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZLPiOsWW9LI6.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe

"C:\Users\Admin\AppData\Local\Temp\b5b0a0a082b9f9ed7e1216805dce73dc.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9ZmdwM2ztVV0.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

Network

Files
