Malware Analysis Report

2024-10-19 08:41

Sample ID 240419-pkn9hsda2v
Target Client-built.exe
SHA256 a5473ea4c4ef75c217e0d252d1c7d235b781a75810b7e731a97ed78b45646840
Tags quasar office04 spyware trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

a5473ea4c4ef75c217e0d252d1c7d235b781a75810b7e731a97ed78b45646840

Threat Level: Known bad

The file Client-built.exe was found to be: Known bad.

Malicious Activity Summary

quasar office04 spyware trojan

Quasar family

Quasar RAT

Quasar payload

Executes dropped EXE

Checks computer location settings

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Runs ping.exe

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-19 12:23

Signatures

Quasar family

quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-19 12:23

Reported

2024-04-19 12:24

Platform

win7-20240221-en

Max time kernel

6s

Max time network

32s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-19 12:23

Reported

2024-04-19 12:26

Platform

win10v2004-20240412-en

Max time kernel

167s

Max time network

171s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\SubDir\updale.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\SubDir\updale.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\SubDir\updale.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\SubDir\updale.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\SubDir\updale.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\SubDir\updale.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\SubDir\updale.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\SubDir\updale.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\SubDir\updale.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\SubDir\updale.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\SubDir\updale.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\SubDir\updale.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system32\SubDir\updale.exe | C:\Windows\system32\SubDir\updale.exe | N/A
File opened for modification | C:\Windows\system32\SubDir | C:\Windows\system32\SubDir\updale.exe | N/A
File opened for modification | C:\Windows\system32\SubDir | C:\Windows\system32\SubDir\updale.exe | N/A
File opened for modification | C:\Windows\system32\SubDir\updale.exe | C:\Windows\system32\SubDir\updale.exe | N/A
File opened for modification | C:\Windows\system32\SubDir | C:\Windows\system32\SubDir\updale.exe | N/A
File opened for modification | C:\Windows\system32\SubDir | C:\Windows\system32\SubDir\updale.exe | N/A
File opened for modification | C:\Windows\system32\SubDir | C:\Windows\system32\SubDir\updale.exe | N/A
File opened for modification | C:\Windows\system32\SubDir | C:\Windows\system32\SubDir\updale.exe | N/A
File opened for modification | C:\Windows\system32\SubDir\updale.exe | C:\Windows\system32\SubDir\updale.exe | N/A
File opened for modification | C:\Windows\system32\SubDir | C:\Windows\system32\SubDir\updale.exe | N/A
File opened for modification | C:\Windows\system32\SubDir\updale.exe | C:\Windows\system32\SubDir\updale.exe | N/A
File opened for modification | C:\Windows\system32\SubDir\updale.exe | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A
File opened for modification | C:\Windows\system32\SubDir | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A
File opened for modification | C:\Windows\system32\SubDir\updale.exe | C:\Windows\system32\SubDir\updale.exe | N/A
File opened for modification | C:\Windows\system32\SubDir | C:\Windows\system32\SubDir\updale.exe | N/A
File created | C:\Windows\system32\SubDir\updale.exe | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A
File opened for modification | C:\Windows\system32\SubDir\updale.exe | C:\Windows\system32\SubDir\updale.exe | N/A
File opened for modification | C:\Windows\system32\SubDir\updale.exe | C:\Windows\system32\SubDir\updale.exe | N/A
File opened for modification | C:\Windows\system32\SubDir | C:\Windows\system32\SubDir\updale.exe | N/A
File opened for modification | C:\Windows\system32\SubDir\updale.exe | C:\Windows\system32\SubDir\updale.exe | N/A
File opened for modification | C:\Windows\system32\SubDir\updale.exe | C:\Windows\system32\SubDir\updale.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\SubDir\updale.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\SubDir\updale.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\SubDir\updale.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\SubDir\updale.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\SubDir\updale.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\SubDir\updale.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\SubDir\updale.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\SubDir\updale.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\SubDir\updale.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\SubDir\updale.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\SubDir\updale.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\SubDir\updale.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3508 wrote to memory of 2876 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\SYSTEM32\schtasks.exe
PID 3508 wrote to memory of 2876 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\SYSTEM32\schtasks.exe
PID 3508 wrote to memory of 1572 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\system32\SubDir\updale.exe
PID 3508 wrote to memory of 1572 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\system32\SubDir\updale.exe
PID 1572 wrote to memory of 2648 | N/A | C:\Windows\system32\SubDir\updale.exe | C:\Windows\SYSTEM32\schtasks.exe
PID 1572 wrote to memory of 2648 | N/A | C:\Windows\system32\SubDir\updale.exe | C:\Windows\SYSTEM32\schtasks.exe
PID 1572 wrote to memory of 4512 | N/A | C:\Windows\system32\SubDir\updale.exe | C:\Windows\system32\cmd.exe
PID 1572 wrote to memory of 4512 | N/A | C:\Windows\system32\SubDir\updale.exe | C:\Windows\system32\cmd.exe
PID 4512 wrote to memory of 4864 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 4512 wrote to memory of 4864 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 4512 wrote to memory of 1552 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 4512 wrote to memory of 1552 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 4512 wrote to memory of 3488 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\SubDir\updale.exe
PID 4512 wrote to memory of 3488 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\SubDir\updale.exe
PID 3488 wrote to memory of 3224 | N/A | C:\Windows\system32\SubDir\updale.exe | C:\Windows\SYSTEM32\schtasks.exe
PID 3488 wrote to memory of 3224 | N/A | C:\Windows\system32\SubDir\updale.exe | C:\Windows\SYSTEM32\schtasks.exe
PID 3488 wrote to memory of 448 | N/A | C:\Windows\system32\SubDir\updale.exe | C:\Windows\system32\cmd.exe
PID 3488 wrote to memory of 448 | N/A | C:\Windows\system32\SubDir\updale.exe | C:\Windows\system32\cmd.exe
PID 448 wrote to memory of 1336 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 448 wrote to memory of 1336 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 448 wrote to memory of 4876 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 448 wrote to memory of 4876 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 448 wrote to memory of 3100 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\SubDir\updale.exe
PID 448 wrote to memory of 3100 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\SubDir\updale.exe
PID 3100 wrote to memory of 2040 | N/A | C:\Windows\system32\SubDir\updale.exe | C:\Windows\SYSTEM32\schtasks.exe
PID 3100 wrote to memory of 2040 | N/A | C:\Windows\system32\SubDir\updale.exe | C:\Windows\SYSTEM32\schtasks.exe
PID 3100 wrote to memory of 4392 | N/A | C:\Windows\system32\SubDir\updale.exe | C:\Windows\system32\cmd.exe
PID 3100 wrote to memory of 4392 | N/A | C:\Windows\system32\SubDir\updale.exe | C:\Windows\system32\cmd.exe
PID 4392 wrote to memory of 1616 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 4392 wrote to memory of 1616 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 4392 wrote to memory of 4008 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 4392 wrote to memory of 4008 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 4392 wrote to memory of 2388 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\SubDir\updale.exe
PID 4392 wrote to memory of 2388 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\SubDir\updale.exe
PID 2388 wrote to memory of 2928 | N/A | C:\Windows\system32\SubDir\updale.exe | C:\Windows\SYSTEM32\schtasks.exe
PID 2388 wrote to memory of 2928 | N/A | C:\Windows\system32\SubDir\updale.exe | C:\Windows\SYSTEM32\schtasks.exe
PID 2388 wrote to memory of 1564 | N/A | C:\Windows\system32\SubDir\updale.exe | C:\Windows\system32\cmd.exe
PID 2388 wrote to memory of 1564 | N/A | C:\Windows\system32\SubDir\updale.exe | C:\Windows\system32\cmd.exe
PID 1564 wrote to memory of 2472 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 1564 wrote to memory of 2472 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 1564 wrote to memory of 3876 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 1564 wrote to memory of 3876 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 1564 wrote to memory of 2404 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\SubDir\updale.exe
PID 1564 wrote to memory of 2404 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\SubDir\updale.exe
PID 2404 wrote to memory of 4556 | N/A | C:\Windows\system32\SubDir\updale.exe | C:\Windows\SYSTEM32\schtasks.exe
PID 2404 wrote to memory of 4556 | N/A | C:\Windows\system32\SubDir\updale.exe | C:\Windows\SYSTEM32\schtasks.exe
PID 2404 wrote to memory of 380 | N/A | C:\Windows\system32\SubDir\updale.exe | C:\Windows\system32\cmd.exe
PID 2404 wrote to memory of 380 | N/A | C:\Windows\system32\SubDir\updale.exe | C:\Windows\system32\cmd.exe
PID 380 wrote to memory of 2108 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 380 wrote to memory of 2108 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 380 wrote to memory of 4532 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 380 wrote to memory of 4532 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 380 wrote to memory of 4020 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\SubDir\updale.exe
PID 380 wrote to memory of 4020 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\SubDir\updale.exe
PID 4020 wrote to memory of 648 | N/A | C:\Windows\system32\SubDir\updale.exe | C:\Windows\SYSTEM32\schtasks.exe
PID 4020 wrote to memory of 648 | N/A | C:\Windows\system32\SubDir\updale.exe | C:\Windows\SYSTEM32\schtasks.exe
PID 4020 wrote to memory of 4480 | N/A | C:\Windows\system32\SubDir\updale.exe | C:\Windows\system32\cmd.exe
PID 4020 wrote to memory of 4480 | N/A | C:\Windows\system32\SubDir\updale.exe | C:\Windows\system32\cmd.exe
PID 4480 wrote to memory of 3268 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 4480 wrote to memory of 3268 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 4480 wrote to memory of 3420 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 4480 wrote to memory of 3420 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 4480 wrote to memory of 2520 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\SubDir\updale.exe
PID 4480 wrote to memory of 2520 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\SubDir\updale.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "windows av startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\updale.exe" /rl HIGHEST /f

C:\Windows\system32\SubDir\updale.exe

"C:\Windows\system32\SubDir\updale.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "windows av startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\updale.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5zfxQv3P3FOm.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\updale.exe

"C:\Windows\system32\SubDir\updale.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "windows av startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\updale.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IByO6bjmGYWG.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\updale.exe

"C:\Windows\system32\SubDir\updale.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "windows av startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\updale.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\11zxtJoZP7ko.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\updale.exe

"C:\Windows\system32\SubDir\updale.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "windows av startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\updale.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yRDmMr2oxmgi.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\updale.exe

"C:\Windows\system32\SubDir\updale.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "windows av startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\updale.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wN4rgD6N2kKh.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\updale.exe

"C:\Windows\system32\SubDir\updale.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "windows av startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\updale.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mhMyYoXaA1wg.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\updale.exe

"C:\Windows\system32\SubDir\updale.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "windows av startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\updale.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4i38FtXZqQ2V.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\updale.exe

"C:\Windows\system32\SubDir\updale.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "windows av startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\updale.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kryaRc1hmuL6.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\updale.exe

"C:\Windows\system32\SubDir\updale.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "windows av startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\updale.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gEPBlnW6GfND.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\updale.exe

"C:\Windows\system32\SubDir\updale.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "windows av startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\updale.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TswFZMvUadHL.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\updale.exe

"C:\Windows\system32\SubDir\updale.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "windows av startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\updale.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KB80t4wqmUjA.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\updale.exe

"C:\Windows\system32\SubDir\updale.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "windows av startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\updale.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kKaj9oFFIvr6.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\updale.exe

"C:\Windows\system32\SubDir\updale.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 198.32.209.4.in-addr.arpa udp
US 8.8.8.8:53 132.250.30.184.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 funlink.ddns.net udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 funlink.ddns.net udp
US 8.8.8.8:53 funlink.ddns.net udp
US 8.8.8.8:53 funlink.ddns.net udp
US 8.8.8.8:53 funlink.ddns.net udp
US 8.8.8.8:53 funlink.ddns.net udp
US 8.8.8.8:53 funlink.ddns.net udp
US 8.8.8.8:53 funlink.ddns.net udp
US 8.8.8.8:53 funlink.ddns.net udp
US 8.8.8.8:53 funlink.ddns.net udp
US 8.8.8.8:53 24.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 funlink.ddns.net udp
US 8.8.8.8:53 funlink.ddns.net udp

Files

memory/3508-0-0x0000000000320000-0x0000000000644000-memory.dmp

memory/3508-1-0x00007FFD7D4B0000-0x00007FFD7DF71000-memory.dmp

memory/3508-2-0x000000001B3F0000-0x000000001B400000-memory.dmp

C:\Windows\System32\SubDir\updale.exe

MD5 2c1fba8d6624adf6c582fb2d5fb43b28
SHA1 bd45ee984e9476d604824f83c6cf6111a9db2467
SHA256 a5473ea4c4ef75c217e0d252d1c7d235b781a75810b7e731a97ed78b45646840
SHA512 cc85b5f1c2765c49f34c236634dcbfdfd6cc62e0b954b74c12b0d89dc29044dff88a9840e5c02a39e140564283074c78359dd70dfc7f426daefb75f195f14e19

memory/1572-9-0x00007FFD7D4B0000-0x00007FFD7DF71000-memory.dmp

memory/3508-10-0x00007FFD7D4B0000-0x00007FFD7DF71000-memory.dmp

memory/1572-11-0x000000001B210000-0x000000001B220000-memory.dmp

memory/1572-12-0x000000001C320000-0x000000001C370000-memory.dmp

memory/1572-13-0x000000001C430000-0x000000001C4E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5zfxQv3P3FOm.bat

MD5 a42e60a92090c57943662d06f82fde12
SHA1 1cba4c3ff6bcb6c28af628d7723102a863e9d667
SHA256 f5343c696bb9c52b48b23ac21285635b8377171d8106dce81dfd05382f9cd926
SHA512 f7497929932d61f6d0ca8fb8ee193fce055fb823b090b478bad607702c218c6404cf7b10bc5ac5e97bd410ca25db6c7c2f55e8085a180dc7d0a0dd4a6b9f6019

memory/1572-19-0x00007FFD7D4B0000-0x00007FFD7DF71000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\updale.exe.log

MD5 8f0271a63446aef01cf2bfc7b7c7976b
SHA1 b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7
SHA256 da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c
SHA512 78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

memory/3488-22-0x00007FFD7D830000-0x00007FFD7E2F1000-memory.dmp

memory/3488-23-0x000000001BAD0000-0x000000001BAE0000-memory.dmp

memory/3488-27-0x00007FFD7D830000-0x00007FFD7E2F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IByO6bjmGYWG.bat

MD5 cd24b6521d4a01301690019d910098dc
SHA1 7fba29d4989d0a220be7a63472eabadd318e9508
SHA256 779fc465eba0075657f2b4128e1b1207d65dfc6fb678b5b7af5cd13836c597e9
SHA512 8b3a3a025dde91f7dd88580d5be9c257066a0eb9c64aaa954eb50329d59e83f209c4015c730a17590c2e1956658c7c1bc7ede03ac12b341015df0a97be3e8066

memory/3100-30-0x00007FFD7D830000-0x00007FFD7E2F1000-memory.dmp

memory/3100-31-0x000000001B940000-0x000000001B950000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\11zxtJoZP7ko.bat

MD5 ef21d4d800901b5e6326eb60981c7cfd
SHA1 918052088e5c867ad07f2a2413cc69c805e2ef3e
SHA256 251be42dac57bcc39e065e08a20a794cece5736bd48e1e4e35aea15f525d5426
SHA512 4a1388ab68b881b605e2ced0f2c7d30a8c0b95d6058e05ff2ffff481e5f8c29a5697cdf757baff053ff9806946951fe56ce9c476b24bd5060a86950c7e940100

memory/3100-36-0x00007FFD7D830000-0x00007FFD7E2F1000-memory.dmp

memory/2388-38-0x00007FFD7D830000-0x00007FFD7E2F1000-memory.dmp

memory/2388-39-0x000000001B3B0000-0x000000001B3C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\yRDmMr2oxmgi.bat

MD5 b74fe6be7837149660a92f18934d4668
SHA1 970cf47f5baf28659f841b8d6088ffae8dbd6cc4
SHA256 8b7c4073a7a4f3b4babf16207f79ccba798444efc246301f4b218b53e1b0fb2f
SHA512 8bee6cf39b351cdf3fa77abe9aa4314b0e83066d5eb30d4b62caa9326e89261ea8d32ae3b4d8bfb0724d6ffcfb1d6725b0aed49af4521d34d4004ea70aa601fa

memory/2388-43-0x00007FFD7D830000-0x00007FFD7E2F1000-memory.dmp

memory/2404-46-0x00007FFD7CF60000-0x00007FFD7DA21000-memory.dmp

memory/2404-50-0x00007FFD7CF60000-0x00007FFD7DA21000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wN4rgD6N2kKh.bat

MD5 e50fb78689662cbe7f8e7461956e44ea
SHA1 481e12210070a9169bfc4feb7ebde3d970afeb21
SHA256 5b7eca6c154b285568dfd41f904be5e3a67fd925360083477da244c1e27ce08f
SHA512 fc7eb3602054a704f40e2aa9c114a8aa1277dcecd92f26e9d1ad10f55660146616d5b849c6492d482ff98b5e4a41c058b622ed89f47789a5c795b431780241a6

memory/4020-54-0x00000000025C0000-0x00000000025D0000-memory.dmp

memory/4020-53-0x00007FFD7CF60000-0x00007FFD7DA21000-memory.dmp

memory/4020-58-0x00007FFD7CF60000-0x00007FFD7DA21000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mhMyYoXaA1wg.bat

MD5 61e7c0963cdeb85568e65a1f8111d92a
SHA1 9e87c2669baa2ca0e0533e649731a175760eb463
SHA256 ef383e51ef1e3fcd36916f5621e4be4417fb63b2f595e8cac699d97c4b93b9d4
SHA512 f13846c8b095057430a68dc787b3e5e2f4d3ba002669a075e1ac19b59b06ce7f20c1c04ebb7f52fe3caf2f9782d04dff89229f70e0fe13b885e3db323ac4035d

memory/2520-61-0x00007FFD7CF60000-0x00007FFD7DA21000-memory.dmp

memory/2520-62-0x0000000000CF0000-0x0000000000D00000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4i38FtXZqQ2V.bat

MD5 57cc79d6533121f2bd3b9c6e6acea3cd
SHA1 428db93505bcd17edf2348736b9428630533f45b
SHA256 0dc1deb8996604205abac3e08e77148f513f18421caf005193782211419bdc35
SHA512 3ba0c9ba42652bf866713bf09425d2c31afac3ee424f548be721c3e2be15af9f38c5112c91a170daf7dbfaa651525747536448d1f1a5294382ea43f7d9cf77cb

memory/2520-67-0x00007FFD7CF60000-0x00007FFD7DA21000-memory.dmp

memory/1804-69-0x00007FFD7D0B0000-0x00007FFD7DB71000-memory.dmp

memory/1804-70-0x000000001B690000-0x000000001B6A0000-memory.dmp

memory/1804-74-0x00007FFD7D0B0000-0x00007FFD7DB71000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kryaRc1hmuL6.bat

MD5 1a22196a0d0889c1115a7ac87cf1dde5
SHA1 2dc0583d644ed0b186438be68d6d55b449850ada
SHA256 880a62edb0cb52319e870619a98783dc7c11907968d08493994dbcc266df0ec7
SHA512 9a62ab9d2459f5087b67e474753d44b6bf68b8cde6fe339c9a09fc926abb78a8b9acc4712335e1c7144c01664132d89f6beb90eb151d7a1c8ce5c2917313d899

memory/368-77-0x00007FFD7D830000-0x00007FFD7E2F1000-memory.dmp

memory/368-81-0x00007FFD7D830000-0x00007FFD7E2F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gEPBlnW6GfND.bat

MD5 21a875d945940a44e1c56f227390de13
SHA1 a2880b5723f4cba3d2184ecdfde37e4f316951b8
SHA256 e50477f41a9e863036c60fd6f4fc16c54ab6b2b76d7b302e406446842554b985
SHA512 aaa119f6550868fba834e950083ce6770dd27abf0a74ea536dd301efcfa4d8ab63829db8117422e1fd4f5553d652f746025a878b3d24b65aa81991b157eea5ee

memory/1424-84-0x00007FFD7D830000-0x00007FFD7E2F1000-memory.dmp

memory/1424-85-0x000000001BBB0000-0x000000001BBC0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TswFZMvUadHL.bat

MD5 7608b75f8543f2566d64404742b0a331
SHA1 e06718e91cb5fe052169eca28604094bdcb423f6
SHA256 af04d59cca3ac595de7f820d7a402d0cf243a601c44fb7a962865fca48d94323
SHA512 6e902ad2443936a18497cb104564bc935a48affb2597a15c1a04c9416c8019f065d2ee00c66b1dad187929dc797fc77358fffac273edce5359d2847fb7ca37bb

memory/1424-90-0x00007FFD7D830000-0x00007FFD7E2F1000-memory.dmp

memory/1608-92-0x00007FFD7D830000-0x00007FFD7E2F1000-memory.dmp

memory/1608-93-0x0000000002F10000-0x0000000002F20000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KB80t4wqmUjA.bat

MD5 784c5f59cf27858f4eaa696bc66945ea
SHA1 40f8dc1643c4737a7f0d917a05aeb276c5b2fd6c
SHA256 9f0d75df246229cff7abb951eb3683774c25bac34603a901449c1e08b99eb54d
SHA512 fa6ecedecabae291ebf9be7b3b4a08be13a3e240ed1259754a5733a37726a8547e177f2edfb730cc540a28d9568c78de60b63f65f727874313b6e03e89825d14

memory/1608-98-0x00007FFD7D830000-0x00007FFD7E2F1000-memory.dmp

memory/2936-100-0x00007FFD7D830000-0x00007FFD7E2F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kKaj9oFFIvr6.bat

MD5 f69793efe6d7c7d1da28bb05c8ff9f34
SHA1 a9b060ea70aeb131d6f53979791417441be53d62
SHA256 9d527194dfd7faf4cd9e36be4d358b769577df462f3d5e41ce796cca47846c3a
SHA512 8dac41593bcfcf8cd045f7efe5b7fee35464633bef249188f4b6e32fa4a310931642170c36bbaa51dd47be6fdc5cb6d77705e59e5d86e74afec87c4251e5a63a

memory/2936-105-0x00007FFD7D830000-0x00007FFD7E2F1000-memory.dmp

memory/3624-107-0x00007FFD7D830000-0x00007FFD7E2F1000-memory.dmp