Malware Analysis Report

2024-11-30 21:51

Sample ID 230205-tp8k6saa89
Target BLToolsMod.exe
SHA256 305cfdd7d464938cabe66fcf3116df431c10742c775a4a588d38349ea18a7fb6
Tags
quasar office04 persistence spyware trojan purecrypter revengerat downloader loader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

305cfdd7d464938cabe66fcf3116df431c10742c775a4a588d38349ea18a7fb6

Threat Level: Known bad

The file BLToolsMod.exe was found to be: Known bad.

Malicious Activity Summary

quasar office04 persistence spyware trojan purecrypter revengerat downloader loader

Detect PureCrypter injector

PureCrypter

RevengeRAT

Quasar RAT

Quasar payload

Downloads MZ/PE file

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Looks up external IP address via web service

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Runs ping.exe

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-02-05 16:15

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-02-05 16:15

Reported

2023-02-05 16:17

Platform

win10v2004-20221111-en

Max time kernel

139s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BLToolsMod.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Downloads MZ/PE file

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BLToolsMod.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Updater-File.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Updater-File.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Driver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Driver.exe\"" | C:\Users\Admin\AppData\Roaming\Updater-File.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1092 set thread context of 4468 | N/A | C:\Users\Admin\AppData\Roaming\Updater-File.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\BLToolsMod.exe

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BLToolsMod.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Updater-File.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1044 wrote to memory of 1092 | N/A | C:\Users\Admin\AppData\Local\Temp\BLToolsMod.exe | C:\Users\Admin\AppData\Roaming\Updater-File.exe
PID 1044 wrote to memory of 1092 | N/A | C:\Users\Admin\AppData\Local\Temp\BLToolsMod.exe | C:\Users\Admin\AppData\Roaming\Updater-File.exe
PID 1044 wrote to memory of 1092 | N/A | C:\Users\Admin\AppData\Local\Temp\BLToolsMod.exe | C:\Users\Admin\AppData\Roaming\Updater-File.exe
PID 1092 wrote to memory of 3584 | N/A | C:\Users\Admin\AppData\Roaming\Updater-File.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1092 wrote to memory of 3584 | N/A | C:\Users\Admin\AppData\Roaming\Updater-File.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1092 wrote to memory of 3584 | N/A | C:\Users\Admin\AppData\Roaming\Updater-File.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1092 wrote to memory of 4468 | N/A | C:\Users\Admin\AppData\Roaming\Updater-File.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1092 wrote to memory of 4468 | N/A | C:\Users\Admin\AppData\Roaming\Updater-File.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1092 wrote to memory of 4468 | N/A | C:\Users\Admin\AppData\Roaming\Updater-File.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1092 wrote to memory of 4468 | N/A | C:\Users\Admin\AppData\Roaming\Updater-File.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1092 wrote to memory of 4468 | N/A | C:\Users\Admin\AppData\Roaming\Updater-File.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1092 wrote to memory of 4468 | N/A | C:\Users\Admin\AppData\Roaming\Updater-File.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1092 wrote to memory of 4468 | N/A | C:\Users\Admin\AppData\Roaming\Updater-File.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1092 wrote to memory of 4468 | N/A | C:\Users\Admin\AppData\Roaming\Updater-File.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4468 wrote to memory of 3736 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Windows\SysWOW64\cmd.exe
PID 4468 wrote to memory of 3736 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Windows\SysWOW64\cmd.exe
PID 4468 wrote to memory of 3736 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Windows\SysWOW64\cmd.exe
PID 3736 wrote to memory of 3096 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\chcp.com
PID 3736 wrote to memory of 3096 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\chcp.com
PID 3736 wrote to memory of 3096 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\chcp.com
PID 3736 wrote to memory of 2708 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 3736 wrote to memory of 2708 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 3736 wrote to memory of 2708 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\BLToolsMod.exe

"C:\Users\Admin\AppData\Local\Temp\BLToolsMod.exe"

C:\Users\Admin\AppData\Roaming\Updater-File.exe

"C:\Users\Admin\AppData\Roaming\Updater-File.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1044 -ip 1044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 2092

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==

(The -ENC argument is UTF-16LE base64 and decodes to: start-sleep -seconds 20)

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fY9EA2uCwBak.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

Network

Country | Destination | Domain | Proto
NL | 8.238.21.126:80 | | tcp
US | 8.8.8.8:53 | justnormalsite.ddns.net | udp
NL | 185.238.3.212:80 | justnormalsite.ddns.net | tcp
NL | 185.238.3.212:80 | justnormalsite.ddns.net | tcp
NL | 8.238.21.126:80 | | tcp
NL | 8.238.21.126:80 | | tcp
US | 8.8.8.8:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 8.8.8.8:53 | youhackernetpaingodxd.duckdns.org | udp
US | 192.3.255.150:5557 | youhackernetpaingodxd.duckdns.org | tcp
AU | 104.46.162.226:443 | | tcp
NL | 104.80.225.205:443 | | tcp
NL | 8.238.21.126:80 | | tcp
NL | 8.238.21.126:80 | | tcp
NL | 8.238.21.126:80 | | tcp

Files

memory/1044-132-0x0000000000170000-0x0000000000234000-memory.dmp

memory/1092-133-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Updater-File.exe

MD5 be2c9d9f3e9206eb7d809157ea37d0ea
SHA1 79fc984efb6d9e58c21f7c5dee8de2fc44710f62
SHA256 f07ca31e483745ac9fe74da53f939a797f3f8868717eb29f9f0d1286b89f6b79
SHA512 2510583a2690be0c48614fa21d24c2919d6c4f704d897ed4bb5a523d0bbc3616bd2aba7a6b22120068a24aa756a9b6f37feeb2b8eb461b86c2eacde935478d4b

memory/1092-136-0x00000000007B0000-0x00000000007B8000-memory.dmp

C:\Users\Admin\AppData\Roaming\Updater-File.exe

MD5 be2c9d9f3e9206eb7d809157ea37d0ea
SHA1 79fc984efb6d9e58c21f7c5dee8de2fc44710f62
SHA256 f07ca31e483745ac9fe74da53f939a797f3f8868717eb29f9f0d1286b89f6b79
SHA512 2510583a2690be0c48614fa21d24c2919d6c4f704d897ed4bb5a523d0bbc3616bd2aba7a6b22120068a24aa756a9b6f37feeb2b8eb461b86c2eacde935478d4b

memory/1092-137-0x00000000063C0000-0x00000000063E2000-memory.dmp

memory/3584-138-0x0000000000000000-mapping.dmp

memory/3584-139-0x00000000023F0000-0x0000000002426000-memory.dmp

memory/3584-140-0x0000000004F90000-0x00000000055B8000-memory.dmp

memory/3584-141-0x0000000005630000-0x0000000005696000-memory.dmp

memory/3584-142-0x0000000005710000-0x0000000005776000-memory.dmp

memory/3584-143-0x0000000005D30000-0x0000000005D4E000-memory.dmp

memory/3584-144-0x0000000007540000-0x0000000007BBA000-memory.dmp

memory/3584-145-0x00000000061B0000-0x00000000061CA000-memory.dmp

memory/4468-146-0x0000000000000000-mapping.dmp

memory/4468-147-0x0000000000400000-0x000000000044E000-memory.dmp

memory/4468-148-0x0000000005C00000-0x00000000061A4000-memory.dmp

memory/4468-149-0x00000000056F0000-0x0000000005782000-memory.dmp

memory/4468-150-0x00000000063F0000-0x0000000006402000-memory.dmp

memory/4468-151-0x0000000006810000-0x000000000684C000-memory.dmp

memory/4468-152-0x0000000006B80000-0x0000000006B8A000-memory.dmp

memory/3736-153-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\fY9EA2uCwBak.bat

MD5 4ce5fcfe8a00948d11a0a13fa662f60e
SHA1 87e67ff0de0c1498ea243b7e6db7c8152e496166
SHA256 8df3fe0ac24645ae3478b808060c5ef88ec05761ce78bc7982b8b4617ee4a870
SHA512 57b5716081491cc4ec7f73508bc9aa43514f35d53a72d6260d579b4864e721c2354ac8d82870f2391923ce18b42168e9bbb5e5069039e51675f361bfe81ada4d

memory/3096-155-0x0000000000000000-mapping.dmp

memory/2708-156-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Logs\02-05-~1

MD5 12f9f5bf70ef4de07fa3fc66eaeda84f
SHA1 ad4c4aeac53e8733df60a15dc57de5c445253158
SHA256 01cbdcccd837a2a69a63048c39ab230a0b390a10a24a68b5db2641a0a0e0cac9
SHA512 3a5fbb6a827080048a83f52b7605bbeed90754bbc6d3827dc5cf2391f26ef5b9e10069a26d2cd3bbce842222d8c8cfbc62619190ed3bc9d26c3d9413d1406dc6

Analysis: behavioral1

Detonation Overview

Submitted

2023-02-05 16:15

Reported

2023-02-05 16:17

Platform

win7-20221111-en

Max time kernel

144s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BLToolsMod.exe"

Signatures

Detect PureCrypter injector

loader
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

PureCrypter

loader downloader purecrypter

Quasar RAT

trojan spyware quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

RevengeRAT

trojan revengerat

Downloads MZ/PE file

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Updater-File.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BLToolsMod.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Driver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Driver.exe\"" | C:\Users\Admin\AppData\Roaming\Updater-File.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 928 set thread context of 1512 | N/A | C:\Users\Admin\AppData\Roaming\Updater-File.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\BLToolsMod.exe

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BLToolsMod.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Updater-File.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 532 wrote to memory of 928 | N/A | C:\Users\Admin\AppData\Local\Temp\BLToolsMod.exe | C:\Users\Admin\AppData\Roaming\Updater-File.exe
PID 532 wrote to memory of 928 | N/A | C:\Users\Admin\AppData\Local\Temp\BLToolsMod.exe | C:\Users\Admin\AppData\Roaming\Updater-File.exe
PID 532 wrote to memory of 928 | N/A | C:\Users\Admin\AppData\Local\Temp\BLToolsMod.exe | C:\Users\Admin\AppData\Roaming\Updater-File.exe
PID 532 wrote to memory of 928 | N/A | C:\Users\Admin\AppData\Local\Temp\BLToolsMod.exe | C:\Users\Admin\AppData\Roaming\Updater-File.exe
PID 532 wrote to memory of 928 | N/A | C:\Users\Admin\AppData\Local\Temp\BLToolsMod.exe | C:\Users\Admin\AppData\Roaming\Updater-File.exe
PID 532 wrote to memory of 928 | N/A | C:\Users\Admin\AppData\Local\Temp\BLToolsMod.exe | C:\Users\Admin\AppData\Roaming\Updater-File.exe
PID 532 wrote to memory of 928 | N/A | C:\Users\Admin\AppData\Local\Temp\BLToolsMod.exe | C:\Users\Admin\AppData\Roaming\Updater-File.exe
PID 532 wrote to memory of 996 | N/A | C:\Users\Admin\AppData\Local\Temp\BLToolsMod.exe | C:\Windows\SysWOW64\WerFault.exe
PID 532 wrote to memory of 996 | N/A | C:\Users\Admin\AppData\Local\Temp\BLToolsMod.exe | C:\Windows\SysWOW64\WerFault.exe
PID 532 wrote to memory of 996 | N/A | C:\Users\Admin\AppData\Local\Temp\BLToolsMod.exe | C:\Windows\SysWOW64\WerFault.exe
PID 532 wrote to memory of 996 | N/A | C:\Users\Admin\AppData\Local\Temp\BLToolsMod.exe | C:\Windows\SysWOW64\WerFault.exe
PID 928 wrote to memory of 1912 | N/A | C:\Users\Admin\AppData\Roaming\Updater-File.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 928 wrote to memory of 1912 | N/A | C:\Users\Admin\AppData\Roaming\Updater-File.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 928 wrote to memory of 1912 | N/A | C:\Users\Admin\AppData\Roaming\Updater-File.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 928 wrote to memory of 1912 | N/A | C:\Users\Admin\AppData\Roaming\Updater-File.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 928 wrote to memory of 1512 | N/A | C:\Users\Admin\AppData\Roaming\Updater-File.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 928 wrote to memory of 1512 | N/A | C:\Users\Admin\AppData\Roaming\Updater-File.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 928 wrote to memory of 1512 | N/A | C:\Users\Admin\AppData\Roaming\Updater-File.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 928 wrote to memory of 1512 | N/A | C:\Users\Admin\AppData\Roaming\Updater-File.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 928 wrote to memory of 1512 | N/A | C:\Users\Admin\AppData\Roaming\Updater-File.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 928 wrote to memory of 1512 | N/A | C:\Users\Admin\AppData\Roaming\Updater-File.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 928 wrote to memory of 1512 | N/A | C:\Users\Admin\AppData\Roaming\Updater-File.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 928 wrote to memory of 1512 | N/A | C:\Users\Admin\AppData\Roaming\Updater-File.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 928 wrote to memory of 1512 | N/A | C:\Users\Admin\AppData\Roaming\Updater-File.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 928 wrote to memory of 1512 | N/A | C:\Users\Admin\AppData\Roaming\Updater-File.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 928 wrote to memory of 1512 | N/A | C:\Users\Admin\AppData\Roaming\Updater-File.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 928 wrote to memory of 1512 | N/A | C:\Users\Admin\AppData\Roaming\Updater-File.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1512 wrote to memory of 1552 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Windows\SysWOW64\cmd.exe
PID 1512 wrote to memory of 1552 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Windows\SysWOW64\cmd.exe
PID 1512 wrote to memory of 1552 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Windows\SysWOW64\cmd.exe
PID 1512 wrote to memory of 1552 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Windows\SysWOW64\cmd.exe
PID 1552 wrote to memory of 1772 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\chcp.com
PID 1552 wrote to memory of 1772 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\chcp.com
PID 1552 wrote to memory of 1772 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\chcp.com
PID 1552 wrote to memory of 1772 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\chcp.com
PID 1552 wrote to memory of 1072 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 1552 wrote to memory of 1072 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 1552 wrote to memory of 1072 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 1552 wrote to memory of 1072 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\BLToolsMod.exe

"C:\Users\Admin\AppData\Local\Temp\BLToolsMod.exe"

C:\Users\Admin\AppData\Roaming\Updater-File.exe

"C:\Users\Admin\AppData\Roaming\Updater-File.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 532 -s 1456

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==

(The -ENC argument is UTF-16LE base64 and decodes to: start-sleep -seconds 20)

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\1skF01T86D8g.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | justnormalsite.ddns.net | udp
NL | 185.238.3.212:80 | justnormalsite.ddns.net | tcp
NL | 185.238.3.212:80 | justnormalsite.ddns.net | tcp
US | 8.8.8.8:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 8.8.8.8:53 | youhackernetpaingodxd.duckdns.org | udp
US | 192.3.255.150:5557 | youhackernetpaingodxd.duckdns.org | tcp

Files

memory/532-54-0x00000000003E0000-0x00000000004A4000-memory.dmp

memory/532-55-0x0000000004AC0000-0x0000000004C16000-memory.dmp

memory/532-56-0x0000000000310000-0x0000000000316000-memory.dmp

memory/532-57-0x0000000075FF1000-0x0000000075FF3000-memory.dmp

\Users\Admin\AppData\Roaming\Updater-File.exe

MD5 be2c9d9f3e9206eb7d809157ea37d0ea
SHA1 79fc984efb6d9e58c21f7c5dee8de2fc44710f62
SHA256 f07ca31e483745ac9fe74da53f939a797f3f8868717eb29f9f0d1286b89f6b79
SHA512 2510583a2690be0c48614fa21d24c2919d6c4f704d897ed4bb5a523d0bbc3616bd2aba7a6b22120068a24aa756a9b6f37feeb2b8eb461b86c2eacde935478d4b

memory/928-59-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Updater-File.exe

MD5 be2c9d9f3e9206eb7d809157ea37d0ea
SHA1 79fc984efb6d9e58c21f7c5dee8de2fc44710f62
SHA256 f07ca31e483745ac9fe74da53f939a797f3f8868717eb29f9f0d1286b89f6b79
SHA512 2510583a2690be0c48614fa21d24c2919d6c4f704d897ed4bb5a523d0bbc3616bd2aba7a6b22120068a24aa756a9b6f37feeb2b8eb461b86c2eacde935478d4b

C:\Users\Admin\AppData\Roaming\Updater-File.exe

MD5 be2c9d9f3e9206eb7d809157ea37d0ea
SHA1 79fc984efb6d9e58c21f7c5dee8de2fc44710f62
SHA256 f07ca31e483745ac9fe74da53f939a797f3f8868717eb29f9f0d1286b89f6b79
SHA512 2510583a2690be0c48614fa21d24c2919d6c4f704d897ed4bb5a523d0bbc3616bd2aba7a6b22120068a24aa756a9b6f37feeb2b8eb461b86c2eacde935478d4b

memory/928-62-0x0000000000E60000-0x0000000000E68000-memory.dmp

memory/996-64-0x0000000000000000-mapping.dmp

memory/532-65-0x0000000004A85000-0x0000000004A96000-memory.dmp

memory/928-66-0x0000000007430000-0x000000000769E000-memory.dmp

memory/1912-67-0x0000000000000000-mapping.dmp

memory/1912-69-0x000000006C9E0000-0x000000006CF8B000-memory.dmp

memory/1912-70-0x000000006C9E0000-0x000000006CF8B000-memory.dmp

memory/1912-71-0x000000006C9E0000-0x000000006CF8B000-memory.dmp

memory/928-72-0x0000000004F00000-0x0000000004F5E000-memory.dmp

memory/1512-73-0x0000000000400000-0x000000000044E000-memory.dmp

memory/1512-74-0x0000000000400000-0x000000000044E000-memory.dmp

memory/1512-76-0x0000000000400000-0x000000000044E000-memory.dmp

memory/1512-77-0x0000000000400000-0x000000000044E000-memory.dmp

memory/1512-79-0x00000000004494BE-mapping.dmp

memory/1512-81-0x0000000000400000-0x000000000044E000-memory.dmp

memory/1512-78-0x0000000000400000-0x000000000044E000-memory.dmp

memory/1512-83-0x0000000000400000-0x000000000044E000-memory.dmp

memory/1552-85-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\1skF01T86D8g.bat

MD5 42b8ed6afe608da6a252b8fefa1646f4
SHA1 38e671f7d13b927f2a896feabcd8471d138d7c7d
SHA256 4ae55012f9f6b335343b84eb3b4494486bde5f66f38fd0e2ed1b1435537d1fd3
SHA512 5071c7950b7ee459776e2830b32c429be2d2554cfd63c78a30453e0cadb56b5d71aae883f2beb1332dfe788f746be05116688b063ab6918154944d7dea90786d

memory/1772-87-0x0000000000000000-mapping.dmp

memory/1072-88-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Logs\02-05-~1

MD5 1272c8b533acd1cf96ee6a0caad8c9ad
SHA1 43131c6b3b4ba5b27fa4c4e1794913a89e5a548d
SHA256 5f7c96867d2136a5dbdcc9bfd145d221455306f0a8932fb7c3f49805fae375bb
SHA512 8266aaa7e8b06968e8754d7a823d777b953e6481a0b7fe1b19131165642417739ccb469f86a6d9b370404f47ab2ad254e2a4d1df93edd750c77412827749caf0