Malware Analysis Report

2025-01-18 04:28

Sample ID 231206-mckj9adf45
Target 94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1
SHA256 94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1
Tags
quasar office04 spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1

Threat Level: Known bad

The file 94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1 was found to be: Known bad.

Malicious Activity Summary

quasar office04 spyware trojan

Quasar payload

Quasar RAT

Checks computer location settings

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious behavior: EnumeratesProcesses

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-06 10:19

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-06 10:19

Reported

2023-12-06 10:21

Platform

win10v2004-20231201-en

Max time kernel

113s

Max time network

134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target Events
Key value queried \REGISTRY\USER\S-1-5-21-2192493100-457715857-1189582111-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe N/A 2

Looks up external IP address via web service

Description Indicator Process Target Events
N/A ip-api.com N/A N/A 2

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target Events
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A 3

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Events
N/A N/A C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe N/A 18

Suspicious use of WriteProcessMemory

Description Indicator Process Target Events
PID 2792 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe 8
PID 2176 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe C:\Windows\SysWOW64\cmd.exe 3
PID 3220 wrote to memory of 5100 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com 3
PID 3220 wrote to memory of 4808 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE 3
PID 3220 wrote to memory of 5064 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe 3
PID 5064 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe 8
PID 3192 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe C:\Windows\SysWOW64\cmd.exe 3
PID 1028 wrote to memory of 1404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com 3
PID 1028 wrote to memory of 3492 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE 3
PID 1028 wrote to memory of 3684 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe 3
PID 3684 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe 8

Processes

C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe

"C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe"

C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe

"C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5xo8NZstSVh8.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2176 -ip 2176

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2176 -s 2212

C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe

"C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe"

C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe

"C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3192 -ip 3192

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZExp6vhs0Mq4.bat" "

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 1704

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe

"C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe"

C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe

"C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 2216

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4828 -ip 4828

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hou6aILpYJCV.bat" "

C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe

"C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe"
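The WriteProcessMemory table and the process list above are easier to read as a tree: each parent writes into a fresh copy of its own image before that copy does anything else (the launch pattern of hollowing and RunPE-style loaders, which matches the SetThreadContext hit in the summary), and each copy then runs a dropped Temp .bat through cmd.exe that calls chcp, waits with ping -n 10 localhost, and relaunches the executable. The script below is example code added for this page, not the sandbox's own tooling. It rebuilds the tree from the table rows, collapses the one-row-per-API-call duplicates, and flags both patterns. The rows are a constructed copy of the behavioral2 table with the SHA256-named executable shortened to sample.exe; it assumes, as in this report, that image paths contain no spaces.

```python
"""Rebuild the sandbox process tree from 'PID A wrote to memory of B' rows and
flag two behaviours from this report: a parent writing into a new process of
its own image, and cmd.exe running chcp + ping before relaunching the image
that spawned it. Example code added for this page, not sandbox tooling."""
import re
from collections import defaultdict
from ntpath import basename

# Constructed sample: the behavioral2 rows above, executable shortened to
# sample.exe. One duplicate row is kept on purpose to show the collapse.
ROWS = r"""
PID 2792 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Users\Admin\AppData\Local\Temp\sample.exe
PID 2792 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Users\Admin\AppData\Local\Temp\sample.exe
PID 2176 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\SysWOW64\cmd.exe
PID 3220 wrote to memory of 5100 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3220 wrote to memory of 4808 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3220 wrote to memory of 5064 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\sample.exe
PID 5064 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Users\Admin\AppData\Local\Temp\sample.exe
PID 3192 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\SysWOW64\cmd.exe
PID 1028 wrote to memory of 1404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1028 wrote to memory of 3492 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1028 wrote to memory of 3684 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\sample.exe
PID 3684 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Users\Admin\AppData\Local\Temp\sample.exe
"""

# Assumption: image paths contain no spaces (true for every row in this report).
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
# 'ping -n N localhost' is the batch-file stand-in for sleep (cmd.exe has none).
PING_SLEEP_RE = re.compile(r"ping(\.exe)?\s+-n\s+\d+\s+(localhost|127\.0\.0\.1)", re.I)


def parse_rows(text):
    """Unique (ppid, pid, parent_image, child_image) edges in first-seen order.
    The sandbox logs one row per WriteProcessMemory call, so one process start
    yields several identical rows; keep a single edge per pair."""
    seen, edges = set(), []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m and (edge := (int(m[1]), int(m[2]), m[3], m[4])) not in seen:
            seen.add(edge)
            edges.append(edge)
    return edges


def build_tree(edges):
    """pid -> image, pid -> parent pid, ppid -> [child pids]."""
    image, parent, children = {}, {}, defaultdict(list)
    for ppid, pid, pimg, cimg in edges:
        image.setdefault(ppid, pimg)
        image[pid] = cimg
        parent[pid] = ppid
        children[ppid].append(pid)
    return image, parent, children


def self_image_writes(edges):
    """(ppid, pid) pairs where a parent writes into a child of its own image:
    the launch pattern of hollowing / RunPE loaders."""
    return [(p, c) for p, c, pimg, cimg in edges
            if basename(pimg).lower() == basename(cimg).lower()]


def restart_batch_cmds(edges):
    """cmd.exe PIDs whose children are chcp.com, PING.EXE and a new copy of the
    image that spawned cmd.exe: the 'wait, then relaunch me' batch above."""
    image, parent, children = build_tree(edges)
    hits = []
    for pid, img in image.items():
        if pid not in parent or basename(img).lower() != "cmd.exe":
            continue
        kids = {basename(image[c]).lower() for c in children[pid]}
        origin = basename(image[parent[pid]]).lower()
        if {"chcp.com", "ping.exe"} <= kids and origin in kids:
            hits.append(pid)
    return hits


def is_ping_sleep(cmdline):
    """True for the delay idiom seen in the Processes list (ping -n 10 localhost)."""
    return bool(PING_SLEEP_RE.search(cmdline))


def render_tree(edges):
    """Indented one-line-per-process view, roots first."""
    image, parent, children = build_tree(edges)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {basename(image[pid])}")
        for child in children[pid]:
            walk(child, depth + 1)

    for root in [p for p in image if p not in parent]:
        walk(root, 0)
    return lines


if __name__ == "__main__":
    edges = parse_rows(ROWS)
    print("\n".join(render_tree(edges)))
    print("self-image writes:", self_image_writes(edges))
    print("restart batch cmd.exe PIDs:", restart_batch_cmds(edges))
```

On the rows above this yields three self-image writes (2792 into 2176, 5064 into 3192, 3684 into 4828) and two restart batches (cmd.exe 3220 and 1028), which is the whole story of the behavioral2 run: launch, crash (WerFault on 2176, 3192, 4828), relaunch. On a production host the same two checks run over Sysmon event ID 10 (process access) and event ID 1 (process create) rather than a rendered table.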

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp

Files

memory/2792-0-0x0000000000FE0000-0x00000000010B6000-memory.dmp

memory/2792-1-0x0000000074570000-0x0000000074D20000-memory.dmp

memory/2792-2-0x00000000060C0000-0x0000000006664000-memory.dmp

memory/2792-3-0x0000000005B10000-0x0000000005BA2000-memory.dmp

memory/2792-4-0x0000000005CD0000-0x0000000005CE0000-memory.dmp

memory/2792-5-0x0000000005AA0000-0x0000000005AAA000-memory.dmp

memory/2792-6-0x0000000005C40000-0x0000000005C5A000-memory.dmp

memory/2792-7-0x0000000005C90000-0x0000000005C98000-memory.dmp

memory/2792-8-0x0000000005CA0000-0x0000000005CAA000-memory.dmp

memory/2792-9-0x00000000073A0000-0x0000000007438000-memory.dmp

memory/2792-10-0x0000000009990000-0x0000000009A2C000-memory.dmp

memory/2792-11-0x0000000074570000-0x0000000074D20000-memory.dmp

memory/2176-12-0x0000000000400000-0x000000000045E000-memory.dmp

memory/2792-15-0x0000000074570000-0x0000000074D20000-memory.dmp

memory/2176-14-0x0000000074570000-0x0000000074D20000-memory.dmp

memory/2176-16-0x0000000005120000-0x0000000005186000-memory.dmp

memory/2176-17-0x00000000057A0000-0x00000000057B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5xo8NZstSVh8.bat

MD5 b77848cd2f970e4be87f0a7a24a015d9
SHA1 1332d30ab73c8f551f85719602b76194189c49ee
SHA256 9adc2117f8ffc971fa44af9ca123c343c1406a41ebcd293ed6ef658d01f81a3a
SHA512 20a2b2302d1a9f4a14778e725fba60e88a8c71d33d2d3bef35c00a8746167440b2399cc6ad274b1978d63652c4f410f98ca125ebac5f9a42afed4bda31056aa3

memory/2176-23-0x0000000074570000-0x0000000074D20000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe.log

MD5 8ec831f3e3a3f77e4a7b9cd32b48384c
SHA1 d83f09fd87c5bd86e045873c231c14836e76a05c
SHA256 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
SHA512 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

memory/5064-25-0x0000000074610000-0x0000000074DC0000-memory.dmp

memory/5064-26-0x0000000005730000-0x0000000005740000-memory.dmp

memory/5064-27-0x0000000074610000-0x0000000074DC0000-memory.dmp

memory/5064-28-0x0000000005730000-0x0000000005740000-memory.dmp

memory/3192-31-0x0000000074610000-0x0000000074DC0000-memory.dmp

memory/5064-30-0x0000000074610000-0x0000000074DC0000-memory.dmp

memory/3192-32-0x0000000005380000-0x0000000005390000-memory.dmp

C:\Users\Admin\AppData\Roaming\Logs\12-06-2023

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\ZExp6vhs0Mq4.bat

MD5 758b08a5f9dacf0c173a9b5f4cdc5175
SHA1 99bf49f38773215ca2819a60441b14784ef8ed7e
SHA256 d280e2142ecfa497be8e18dc76d05bae8bf0cfbf8cade7e4d141a948a0410839
SHA512 29a05ec3b00bbd07fc32a97bec1d44d25d3f4f9adbd8140169a8baafb99c92329dd88bcd24aa09968d8ea0d6475c2ae4950b05748e2c4d21ca962b124762316f

memory/3192-39-0x0000000074610000-0x0000000074DC0000-memory.dmp

memory/3684-40-0x0000000074610000-0x0000000074DC0000-memory.dmp

memory/3684-41-0x00000000054A0000-0x00000000054B0000-memory.dmp

memory/3684-42-0x0000000074610000-0x0000000074DC0000-memory.dmp

memory/3684-43-0x00000000054A0000-0x00000000054B0000-memory.dmp

memory/3684-46-0x0000000074610000-0x0000000074DC0000-memory.dmp

memory/4828-45-0x0000000074610000-0x0000000074DC0000-memory.dmp

memory/4828-47-0x00000000055C0000-0x00000000055D0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Logs\12-06-2023

MD5 7cf9fd0bb2712da5374c6377c2ae000e
SHA1 dc606622b48cf227f48f1269e8a1f1eeeb39b831
SHA256 69ba63dcc7ea6f6f859a4d86e433b583916c5b356d71cc84d36c86fd30e3c1d3
SHA512 bf7f29f94d51d24ab3d3f1cf6bc31619676b6bc06cd84d502547f01a9d455c937a31d18314bfeed9215bc82da630790374375c62dc264ef41f08923ce091e119

C:\Users\Admin\AppData\Local\Temp\hou6aILpYJCV.bat

MD5 753d86d9020ac6e2742e7bcb0f113bea
SHA1 62dadbcce565c262ab19fded1c2dc414b3559fef
SHA256 c245ff277e382ffebd48f67e0c39e1d773afe89c7945fed07b563d35059b21f7
SHA512 37ab612560a0bff6582c2199b1b9263825948cea3c721856cde3b81f60b7b68ec483cf82d315b8b290e68754940094e33e41848f51c6adb8b468a23f08d35ea3

memory/4828-54-0x0000000074610000-0x0000000074DC0000-memory.dmp

memory/3640-55-0x0000000074610000-0x0000000074DC0000-memory.dmp

memory/3640-56-0x0000000005040000-0x0000000005050000-memory.dmp
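Two details in the Files section are worth checking rather than eyeballing: C:\Users\Admin\AppData\Roaming\Logs\12-06-2023 is listed twice, first with the digests of an empty file (d41d8cd9…, da39a3ee…, e3b0c442…) and later with real content, so the file was created empty and then written during the run; and the memory/2176-12 dump starts at 0x400000, the conventional 32-bit image base, inside the process that 2792 had just written to. The parser below is example code added for this page, not the sandbox's own tooling. It reads the dropped-file hash blocks and memory/<pid>-<n>-<start>-<end>-memory.dmp lines, computes the empty-input digests with hashlib instead of hard-coding them, and reports empty files, paths captured twice with different content, Temp .bat files, and dumps at the image base (a heuristic, not proof that the region is the injected payload). The input is a constructed subset of the section above.

```python
"""Parse the Files section of the report and answer the analyst's questions:
which dropped files are empty, which path was captured twice with different
content, which Temp .bat files were written, and which dumped region sits at
the 32-bit default image base. Example code added for this page."""
import hashlib
import re

# Constructed sample: a subset of the behavioral2 Files section above.
FILES = r"""
memory/2792-0-0x0000000000FE0000-0x00000000010B6000-memory.dmp
memory/2176-12-0x0000000000400000-0x000000000045E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5xo8NZstSVh8.bat

MD5 b77848cd2f970e4be87f0a7a24a015d9
SHA1 1332d30ab73c8f551f85719602b76194189c49ee
SHA256 9adc2117f8ffc971fa44af9ca123c343c1406a41ebcd293ed6ef658d01f81a3a

C:\Users\Admin\AppData\Roaming\Logs\12-06-2023

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\ZExp6vhs0Mq4.bat

MD5 758b08a5f9dacf0c173a9b5f4cdc5175
SHA256 d280e2142ecfa497be8e18dc76d05bae8bf0cfbf8cade7e4d141a948a0410839

C:\Users\Admin\AppData\Roaming\Logs\12-06-2023

MD5 7cf9fd0bb2712da5374c6377c2ae000e
SHA256 69ba63dcc7ea6f6f859a4d86e433b583916c5b356d71cc84d36c86fd30e3c1d3
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]{32,128})$")
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
# Digests of zero bytes, computed rather than pasted, so the check cannot drift.
EMPTY = {n: hashlib.new(n.lower(), b"").hexdigest() for n in ("MD5", "SHA1", "SHA256", "SHA512")}


def parse_files(text):
    """Return (dropped, dumps): dropped = [{'path':..., 'MD5':..., ...}] in
    report order, dumps = [{'pid','seq','start','size'}] for memory regions."""
    dropped, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := DUMP_RE.match(line):
            start, end = int(m[3], 16), int(m[4], 16)
            dumps.append({"pid": int(m[1]), "seq": int(m[2]), "start": start, "size": end - start})
            current = None
        elif (h := HASH_RE.match(line)) and current is not None:
            current[h[1]] = h[2]
        else:
            current = {"path": line}
            dropped.append(current)
    return dropped, dumps


def is_empty(entry):
    """True when every digest present for the entry is the empty-input digest."""
    present = {k: v for k, v in entry.items() if k in EMPTY}
    return bool(present) and all(EMPTY[k] == v for k, v in present.items())


def empty_files(dropped):
    return [d["path"] for d in dropped if is_empty(d)]


def rewritten_paths(dropped):
    """Paths captured more than once with a different digest: the file grew or
    was replaced during the run (here the RAT's daily log under Roaming\Logs)."""
    last, out = {}, []
    for d in dropped:
        digest = d.get("SHA256") or d.get("MD5")
        if d["path"] in last and last[d["path"]] != digest:
            out.append(d["path"])
        last[d["path"]] = digest
    return out


def temp_batch_files(dropped):
    """Batch files dropped under the user's Temp directory (the restart scripts)."""
    return [d["path"] for d in dropped
            if d["path"].lower().endswith(".bat")
            and "\\appdata\\local\\temp\\" in d["path"].lower()]


def image_base_dumps(dumps, base=0x400000):
    """Heuristic: (pid, size) of regions dumped at the 32-bit default image
    base; in a process its parent wrote into, that is the candidate payload."""
    return [(d["pid"], d["size"]) for d in dumps if d["start"] == base]


if __name__ == "__main__":
    dropped, dumps = parse_files(FILES)
    print("empty:", empty_files(dropped))
    print("rewritten:", rewritten_paths(dropped))
    print("temp .bat:", temp_batch_files(dropped))
    print("image-base dumps:", image_base_dumps(dumps))
```

The image-base dump for PID 2176 is 0x5E000 bytes (385024), which is the region an analyst would carve and scan for the Quasar configuration first; the two Temp .bat files are what to pull for the exact restart command sequence.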

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-06 10:19

Reported

2023-12-06 10:21

Platform

win7-20231130-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target Events
N/A N/A N/A N/A 5

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Events
N/A N/A C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe N/A 19

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Events
PID 2208 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe 9
PID 3032 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe C:\Windows\SysWOW64\cmd.exe 4
PID 3032 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe C:\Windows\SysWOW64\WerFault.exe 4
PID 3044 wrote to memory of 1928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com 4
PID 3044 wrote to memory of 2036 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE 4
PID 3044 wrote to memory of 1104 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe 4
PID 1104 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe 4
PID 1104 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe 4
PID 1104 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe 4
PID 1104 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe 8
PID 1104 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe

Processes

Process Command Line
C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe "C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe"
C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe "C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe"
C:\Windows\SysWOW64\cmd.exe cmd /c ""C:\Users\Admin\AppData\Local\Temp\AQYRvCRhgNGF.bat" "
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 1472
C:\Windows\SysWOW64\chcp.com chcp 65001
C:\Windows\SysWOW64\PING.EXE ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe "C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe"
C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe "C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe"
C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe "C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe"
C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe "C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe"
C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe "C:\Users\Admin\AppData\Local\Temp\94760527e46bc9d39c50660df70b59c6e711cc4d3574ac5499e622fffd9efae1.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 api.ipify.org udp
US 8.8.8.8:53 labtek.duckdns.org udp

Files

memory/2208-0-0x0000000000170000-0x0000000000246000-memory.dmp

memory/2208-1-0x0000000074410000-0x0000000074AFE000-memory.dmp

memory/2208-2-0x0000000004C00000-0x0000000004C40000-memory.dmp

memory/2208-3-0x00000000004B0000-0x00000000004CA000-memory.dmp

memory/2208-4-0x00000000004D0000-0x00000000004D8000-memory.dmp

memory/2208-5-0x0000000000520000-0x000000000052A000-memory.dmp

memory/2208-6-0x00000000051D0000-0x0000000005268000-memory.dmp

memory/2208-7-0x0000000074410000-0x0000000074AFE000-memory.dmp

memory/2208-8-0x0000000004C00000-0x0000000004C40000-memory.dmp

memory/3032-9-0x0000000000400000-0x000000000045E000-memory.dmp

memory/3032-10-0x0000000000400000-0x000000000045E000-memory.dmp

memory/3032-11-0x0000000000400000-0x000000000045E000-memory.dmp

memory/3032-19-0x0000000000400000-0x000000000045E000-memory.dmp

memory/2208-21-0x0000000074410000-0x0000000074AFE000-memory.dmp

memory/3032-20-0x0000000074410000-0x0000000074AFE000-memory.dmp

memory/3032-22-0x0000000002010000-0x0000000002050000-memory.dmp

memory/3032-17-0x0000000000400000-0x000000000045E000-memory.dmp

memory/3032-15-0x0000000000400000-0x000000000045E000-memory.dmp

memory/3032-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/3032-12-0x0000000000400000-0x000000000045E000-memory.dmp

memory/3032-23-0x0000000074410000-0x0000000074AFE000-memory.dmp

memory/3032-24-0x0000000002010000-0x0000000002050000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AQYRvCRhgNGF.bat

MD5 28aab5f36c545a2016fd1f5ea3be4fde
SHA1 6cb27bcd5918ab3d5275899ddf6f32eecbcf2ee6
SHA256 f557c0101b62d143917bd6cc0866318680ea818a59cededa89512b9ce059242a
SHA512 44f27ad2d10e0b8a212fea1cc5a6f93287fb58038e633b3c335b701e36a7555f932cb26d6b7c64bd36fa2c3d37d1391e62fa687b41a37889d8dbb9bebfa5626c

memory/1104-35-0x0000000074410000-0x0000000074AFE000-memory.dmp

memory/1104-36-0x0000000004DF0000-0x0000000004E30000-memory.dmp

memory/1104-37-0x0000000074410000-0x0000000074AFE000-memory.dmp

memory/1104-38-0x0000000004DF0000-0x0000000004E30000-memory.dmp

memory/1104-48-0x0000000074410000-0x0000000074AFE000-memory.dmp

memory/1192-51-0x0000000074410000-0x0000000074AFE000-memory.dmp

memory/1192-52-0x00000000045F0000-0x0000000004630000-memory.dmp

memory/1192-53-0x0000000074410000-0x0000000074AFE000-memory.dmp