Malware Analysis Report

2024-10-19 08:41

Sample ID 240421-kczytsfa42
Target 0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
SHA256 0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d
Tags
quasar office04 spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d

Threat Level: Known bad

The file 0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe was found to be: Known bad.

Malicious Activity Summary

quasar office04 spyware trojan

Quasar family

Quasar RAT

Quasar payload

Checks computer location settings

Unsigned PE

Enumerates physical storage devices

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-21 08:28

Signatures

Quasar family

quasar

Quasar payload (static match; the report records no indicator, process or target for it)

Unsigned PE (the sample carries no Authenticode signature)

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-21 08:28

Reported

2024-04-21 08:30

Platform

win7-20240220-en

Max time kernel

150s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
10 matches; all four fields are recorded as N/A for every match.

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

The raw table holds 16 identical rows; they are collapsed here with a count.

Description Indicator Process Target Rows
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe N/A 16

Suspicious use of WriteProcessMemory

Each parent/child pair appears three times in the raw table; the rows are collapsed here with a count. Every target is a child the writing process has just spawned (see the Processes section), so these writes are the ones that accompany process creation, not injection into an unrelated process. "<sample>" stands for C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe.

Description Indicator Process Target Rows
PID 2908 wrote to memory of 2460 N/A <sample> C:\Windows\system32\cmd.exe 3
PID 2460 wrote to memory of 2628 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com 3
PID 2460 wrote to memory of 2536 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE 3
PID 2460 wrote to memory of 2640 N/A C:\Windows\system32\cmd.exe <sample> 3
PID 2640 wrote to memory of 2372 N/A <sample> C:\Windows\system32\cmd.exe 3
PID 2372 wrote to memory of 2520 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com 3
PID 2372 wrote to memory of 2880 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE 3
PID 2372 wrote to memory of 852 N/A C:\Windows\system32\cmd.exe <sample> 3
PID 852 wrote to memory of 2708 N/A <sample> C:\Windows\system32\cmd.exe 3
PID 2708 wrote to memory of 864 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com 3
PID 2708 wrote to memory of 1544 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE 3
PID 2708 wrote to memory of 1912 N/A C:\Windows\system32\cmd.exe <sample> 3
PID 1912 wrote to memory of 2740 N/A <sample> C:\Windows\system32\cmd.exe 3
PID 2740 wrote to memory of 2108 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com 3
PID 2740 wrote to memory of 1564 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE 3
PID 2740 wrote to memory of 2744 N/A C:\Windows\system32\cmd.exe <sample> 3
PID 2744 wrote to memory of 2004 N/A <sample> C:\Windows\system32\cmd.exe 3
PID 2004 wrote to memory of 2324 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com 3
PID 2004 wrote to memory of 1932 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE 3
PID 2004 wrote to memory of 684 N/A C:\Windows\system32\cmd.exe <sample> 3
PID 684 wrote to memory of 1680 N/A <sample> C:\Windows\system32\cmd.exe 3
PID 1680 wrote to memory of 1100 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com 1 (the source table is cut off at this row)

Processes

Image and command line are shown on one line. "<sample>" stands for C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe. Within the recorded run it is launched 16 times; every launch except the last spawns cmd.exe on a freshly named .bat in the user's %TEMP% directory, whose children are chcp 65001, ping -n 10 localhost (used as a delay of roughly ten seconds) and a new copy of the sample.

<sample>  "<sample>"
C:\Windows\system32\cmd.exe  cmd /c ""C:\Users\Admin\AppData\Local\Temp\uOFfvVrrIsBd.bat" "
C:\Windows\system32\chcp.com  chcp 65001
C:\Windows\system32\PING.EXE  ping -n 10 localhost
<sample>  "<sample>"
C:\Windows\system32\cmd.exe  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LJjHvukiq5Ry.bat" "
C:\Windows\system32\chcp.com  chcp 65001
C:\Windows\system32\PING.EXE  ping -n 10 localhost
<sample>  "<sample>"
C:\Windows\system32\cmd.exe  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0rayHIVNcCgF.bat" "
C:\Windows\system32\chcp.com  chcp 65001
C:\Windows\system32\PING.EXE  ping -n 10 localhost
<sample>  "<sample>"
C:\Windows\system32\cmd.exe  cmd /c ""C:\Users\Admin\AppData\Local\Temp\ipMWbRlmedfm.bat" "
C:\Windows\system32\chcp.com  chcp 65001
C:\Windows\system32\PING.EXE  ping -n 10 localhost
<sample>  "<sample>"
C:\Windows\system32\cmd.exe  cmd /c ""C:\Users\Admin\AppData\Local\Temp\oqgehtR9G3jm.bat" "
C:\Windows\system32\chcp.com  chcp 65001
C:\Windows\system32\PING.EXE  ping -n 10 localhost
<sample>  "<sample>"
C:\Windows\system32\cmd.exe  cmd /c ""C:\Users\Admin\AppData\Local\Temp\W83WGuHV4mkW.bat" "
C:\Windows\system32\chcp.com  chcp 65001
C:\Windows\system32\PING.EXE  ping -n 10 localhost
<sample>  "<sample>"
C:\Windows\system32\cmd.exe  cmd /c ""C:\Users\Admin\AppData\Local\Temp\q5SfMvKO1LwA.bat" "
C:\Windows\system32\chcp.com  chcp 65001
C:\Windows\system32\PING.EXE  ping -n 10 localhost
<sample>  "<sample>"
C:\Windows\system32\cmd.exe  cmd /c ""C:\Users\Admin\AppData\Local\Temp\pNN3xBZGOC7c.bat" "
C:\Windows\system32\chcp.com  chcp 65001
C:\Windows\system32\PING.EXE  ping -n 10 localhost
<sample>  "<sample>"
C:\Windows\system32\cmd.exe  cmd /c ""C:\Users\Admin\AppData\Local\Temp\bcqHBXWskcxW.bat" "
C:\Windows\system32\chcp.com  chcp 65001
C:\Windows\system32\PING.EXE  ping -n 10 localhost
<sample>  "<sample>"
C:\Windows\system32\cmd.exe  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8sSGlbcwXjOd.bat" "
C:\Windows\system32\chcp.com  chcp 65001
C:\Windows\system32\PING.EXE  ping -n 10 localhost
<sample>  "<sample>"
C:\Windows\system32\cmd.exe  cmd /c ""C:\Users\Admin\AppData\Local\Temp\j0b8Lyy5WXa7.bat" "
C:\Windows\system32\chcp.com  chcp 65001
C:\Windows\system32\PING.EXE  ping -n 10 localhost
<sample>  "<sample>"
C:\Windows\system32\cmd.exe  cmd /c ""C:\Users\Admin\AppData\Local\Temp\52OXRp3qUgwY.bat" "
C:\Windows\system32\chcp.com  chcp 65001
C:\Windows\system32\PING.EXE  ping -n 10 localhost
<sample>  "<sample>"
C:\Windows\system32\cmd.exe  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KCfJJSlnYdXg.bat" "
C:\Windows\system32\chcp.com  chcp 65001
C:\Windows\system32\PING.EXE  ping -n 10 localhost
<sample>  "<sample>"
C:\Windows\system32\cmd.exe  cmd /c ""C:\Users\Admin\AppData\Local\Temp\oSqq34TDs5OD.bat" "
C:\Windows\system32\chcp.com  chcp 65001
C:\Windows\system32\PING.EXE  ping -n 10 localhost
<sample>  "<sample>"
C:\Windows\system32\cmd.exe  cmd /c ""C:\Users\Admin\AppData\Local\Temp\j23GB51JMsLt.bat" "
C:\Windows\system32\chcp.com  chcp 65001
C:\Windows\system32\PING.EXE  ping -n 10 localhost
<sample>  "<sample>"
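The relaunch loop in the Processes and WriteProcessMemory tables above (cmd /c on a randomly named .bat in %TEMP%, then chcp 65001, ping -n 10 localhost as a sleep, then the same executable again) is a chain worth detecting on its own, independent of the Quasar payload signature. The Python below is an added example, not part of this report or of the Quasar project. It runs over constructed Sysmon-style process-creation events that mirror the report's PIDs, images and command lines; the parent PID 1000 of the first launch and the healthcheck.bat control entries are invented. The batch files' contents are not in the report, only the children they spawned, so the logic keys on the child set rather than on script text.

```python
"""Detect the restart-batch chain from this report (cmd /c <random>.bat in %TEMP%,
then chcp 65001, ping -n N localhost as a sleep, then a relaunch of the parent
executable) over Sysmon-style process-creation events."""
import re
from collections import defaultdict

SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe")
CMD = r"C:\Windows\system32\cmd.exe"
CHCP = r"C:\Windows\system32\chcp.com"
PING = r"C:\Windows\system32\PING.EXE"


def ev(pid, ppid, image, cmdline):
    """One process-creation event, reduced to the four Sysmon EID 1 fields used here."""
    return {"pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}


# Constructed events. PIDs, images and command lines follow the report's behavioral1
# tables; the parent PID 1000 of the first launch and the healthcheck.bat control
# (a benign batch that pings a server, with no code-page switch and no relaunch) are invented.
EVENTS = [
    ev(2908, 1000, SAMPLE_EXE, f'"{SAMPLE_EXE}"'),
    ev(2460, 2908, CMD, r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\uOFfvVrrIsBd.bat" "'),
    ev(2628, 2460, CHCP, "chcp 65001"),
    ev(2536, 2460, PING, "ping -n 10 localhost"),
    ev(2640, 2460, SAMPLE_EXE, f'"{SAMPLE_EXE}"'),
    ev(2372, 2640, CMD, r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\LJjHvukiq5Ry.bat" "'),
    ev(2520, 2372, CHCP, "chcp 65001"),
    ev(2880, 2372, PING, "ping -n 10 localhost"),
    ev(852, 2372, SAMPLE_EXE, f'"{SAMPLE_EXE}"'),
    ev(4100, 4000, CMD, r'cmd /c "C:\Scripts\healthcheck.bat"'),
    ev(4101, 4100, PING, "ping -n 4 fileserver"),
]

# A .bat under the user's %TEMP% directory, captured by file name.
TEMP_BAT_RE = re.compile(r'AppData\\Local\\Temp\\([^\\"]+\.bat)', re.IGNORECASE)
# "ping -n N localhost" is the classic batch-file sleep: about N-1 seconds.
PING_SLEEP_RE = re.compile(r"^ping\s+-n\s+(\d+)\s+(localhost|127\.0\.0\.1)\s*$", re.IGNORECASE)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def find_restart_batches(events):
    """Return one finding per cmd.exe that runs a %TEMP% .bat whose children include
    'chcp 65001', a localhost ping sleep and a fresh copy of cmd.exe's own parent image."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)

    findings = []
    for e in events:
        if _basename(e["image"]) != "cmd.exe":
            continue
        bat = TEMP_BAT_RE.search(e["cmdline"])
        parent = by_pid.get(e["ppid"])
        if bat is None or parent is None:
            continue
        kids = children[e["pid"]]
        has_chcp = any(_basename(k["image"]) == "chcp.com" and "65001" in k["cmdline"] for k in kids)
        sleep = next((int(m.group(1)) for k in kids if (m := PING_SLEEP_RE.match(k["cmdline"]))), None)
        relaunch = next((k for k in kids if k["image"].lower() == parent["image"].lower()), None)
        if has_chcp and sleep is not None and relaunch is not None:
            findings.append({
                "cmd_pid": e["pid"],
                "bat": bat.group(1),
                "sleep_n": sleep,
                "relaunched_from": parent["pid"],
                "relaunched_as": relaunch["pid"],
            })
    return findings


def relaunch_chains(findings):
    """Link findings into lineages: each relaunched PID is the parent of the next cmd.exe.
    For the constructed events this yields [[2908, 2640, 852]]."""
    by_parent = {f["relaunched_from"]: f for f in findings}
    relaunched = {f["relaunched_as"] for f in findings}
    chains = []
    for root in (f for f in findings if f["relaunched_from"] not in relaunched):
        pids, cur = [root["relaunched_from"]], root
        while cur is not None:
            pids.append(cur["relaunched_as"])
            cur = by_parent.get(cur["relaunched_as"])
        chains.append(pids)
    return chains


if __name__ == "__main__":
    hits = find_restart_batches(EVENTS)
    for h in hits:
        print(f"cmd.exe PID {h['cmd_pid']} ran {h['bat']}: chcp 65001 + ping sleep ({h['sleep_n']}) "
              f"+ relaunch of PID {h['relaunched_from']} as PID {h['relaunched_as']}")
    print("relaunch chains:", relaunch_chains(hits))
```

The three conditions are required together on purpose: a %TEMP% batch alone, or a ping-as-sleep alone, is common in legitimate scripts (the healthcheck.bat control is not flagged), whereas chcp 65001 plus a sleep plus a relaunch of the batch's own creator is the shape of a self-restart stub. Chaining the findings by PID, as relaunch_chains does, turns a pile of identical hits into the single lineage an analyst actually wants to see.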

Network

Country Destination Domain Proto
US 8.8.8.8:53 Kneegrowless-33547.portmap.host udp

The only network event recorded is a DNS query to 8.8.8.8 for Kneegrowless-33547.portmap.host, a hostname under the portmap.io port-forwarding service, so the operator's real address is not exposed by the name. No TCP session to the resolved endpoint appears in this run, so the C2 IP and port cannot be taken from this report; the hostname is the usable indicator.

Files

memory/2908-0-0x0000000001390000-0x00000000016B4000-memory.dmp

memory/2908-1-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp

memory/2908-2-0x000000001B390000-0x000000001B410000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uOFfvVrrIsBd.bat

MD5 cb4c618c05794d9e3649f5d676409a56
SHA1 2ba14b87670e3f6bb79d46a16956bb270854e5c9
SHA256 85269ceae894cfe05d513cf2e6c5f9f42c5028d3390a9e426e59dbf28d247610
SHA512 ff30cac47c4b3fee49d1065cb73d75c62a19897fe0838265743f9433ecf0fc3d97b9064aa693583f9dd6612032625edbef90d6cd481ca597bb436b0ecaba1a23

memory/2908-12-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp

memory/2640-13-0x00000000013B0000-0x00000000016D4000-memory.dmp

memory/2640-14-0x000007FEF4FF0000-0x000007FEF59DC000-memory.dmp

memory/2640-15-0x000000001B0D0000-0x000000001B150000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\LJjHvukiq5Ry.bat

MD5 af1ab3dc342fc192ead81650a0ee2a9a
SHA1 0bdbe6906273db0a83045af9acae8dda0d81dd7a
SHA256 cdf10af883e8df8ac1a438bf104a569cf351c44ac9b6e73243161c354756aa12
SHA512 d515e371217c05cb6672da8eb75cd56bfb553394866dbb055a2fb3b761a5c34ad78b80c3b9cf54c4f9036ab4ad6be98a3d6fb0a8df53cd92e902778bd5f89c13

memory/2640-25-0x000007FEF4FF0000-0x000007FEF59DC000-memory.dmp

memory/852-26-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp

memory/852-27-0x000000001B5A0000-0x000000001B620000-memory.dmp

\??\PIPE\lsarpc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

(These are the digests of zero bytes: this entry is the LSA RPC named pipe the sample opened, recorded as a file handle, not a dropped file.)

C:\Users\Admin\AppData\Local\Temp\0rayHIVNcCgF.bat

MD5 ad6ae24774af0c07ef852cf64742d3ac
SHA1 fcb65db282a3ba8b4c5ced241e02cfcc28bd8919
SHA256 4f9f9d1626531ff4f5f446f3d31098802e78c5b57ede3e972c7803c0e536c827
SHA512 71bbc927b9ad0fc5af1913b211620256bca22370f56abd0a466595ea790aad4232eee8aa75fa9b35ebcde6077713a0ee3cb9638baaa61e10e7ddc3b36752ac2f

memory/852-38-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp

memory/1912-39-0x000007FEF4FF0000-0x000007FEF59DC000-memory.dmp

memory/1912-40-0x000000001B2F0000-0x000000001B370000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ipMWbRlmedfm.bat

MD5 8ca1e6e5cc7549cc131a1a08ebc30d35
SHA1 ed890a3b1099d5f27eb4485894429e13c848789c
SHA256 aed77d52c4e4557fc4e19b41eb153091bc6efa31bfba48ea8004673d96baa11c
SHA512 df28d694b66da089796c455cbeb9a64a09234e803426db3a1b645cc61315144bb52fc9107985d07d42b75ba56c3d7def8f606a418f5943fe0496615e5cb93edb

memory/1912-50-0x000007FEF4FF0000-0x000007FEF59DC000-memory.dmp

memory/2744-52-0x000000001B200000-0x000000001B280000-memory.dmp

memory/2744-51-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\oqgehtR9G3jm.bat

MD5 b7db03e65e3be8e5b82769ab3e42cc90
SHA1 1feb7de0f7ef4e4fd80b28c8d1ae47662461b3c5
SHA256 ff4de53d3edacf189fa9bd34e0458b72838ed3d165e3911c0f0499c05e44ded3
SHA512 c53cc79380245fa9365f97399edfb16261d72cd4f09a14eda00bbeca2825d3bf317d8ea72d522a6e6820d3964ab61376daae8be98103187c4fe63fea10a3cdcc

memory/2744-63-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp

memory/684-64-0x00000000003C0000-0x00000000006E4000-memory.dmp

memory/684-65-0x000007FEF4FF0000-0x000007FEF59DC000-memory.dmp

memory/684-66-0x000000001B1F0000-0x000000001B270000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\W83WGuHV4mkW.bat

MD5 75d6dd20e4ec2e7ad0e012e154b0132a
SHA1 ace943c9b38fd7f564099e73300b15fc28ee4db7
SHA256 ee7a73627b3dc1b07a0d25b69ee8578fa26e7a5e20714f69d704540b87b80e67
SHA512 def49f172eee71f135ccebcd6e8caccb2c37f889665bbd1dc9437027498c7d91a7f10b748342205a1e8902bd0488d294bfad6a4f651d1255ab623d64bb033885

memory/684-76-0x000007FEF4FF0000-0x000007FEF59DC000-memory.dmp

memory/1224-77-0x0000000000030000-0x0000000000354000-memory.dmp

memory/1224-78-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp

memory/1224-79-0x0000000002310000-0x0000000002390000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\q5SfMvKO1LwA.bat

MD5 8e16dc3d02da6d855a07a19813bbe279
SHA1 d61456dca73465210ba1444652b7c97a1e1e5e76
SHA256 8d9137a843dabd538c41f597bde2281941c782b7ec81be39d79a2464314e819c
SHA512 0ddeb5a3ff30367e62b461e2977d01c9d1e9e9f499053111f2b4290ba7c58fc2acbf6489503ec898058a477cb94b570ced50fa9a01bb80ca2bbe3a898eab365a

memory/1224-88-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp

memory/856-90-0x00000000003D0000-0x00000000006F4000-memory.dmp

memory/856-91-0x000007FEF4FF0000-0x000007FEF59DC000-memory.dmp

memory/856-92-0x000000001B310000-0x000000001B390000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pNN3xBZGOC7c.bat

MD5 54fee6e97ef24dcef302ce92971641c6
SHA1 f4fc612c9dfbad280bf56f60faa2b8b840bc0064
SHA256 1feca84d142ff923312d3f1fb2f4ca634bcd5a03677c48b01ea9086e2b952acd
SHA512 7ad978c4040baa3ba0cde78d6ec6716acb19f838a5fa5e57370c7c352be756b7603c9c64b5098cd35038da072ac188c6c6cbfe52d4630d32cba23e772841851f

memory/856-101-0x000007FEF4FF0000-0x000007FEF59DC000-memory.dmp

memory/2784-104-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp

memory/2784-103-0x0000000000150000-0x0000000000474000-memory.dmp

memory/2784-105-0x000000001B240000-0x000000001B2C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bcqHBXWskcxW.bat

MD5 de72f9efaed0cbb2c59b96a9033d2e18
SHA1 1973454e80fb72908289b03e437402095391c311
SHA256 52f9f883adaa89a4c24ec067d8da422378d530a02d3024a7a7d8fd93cf5e4091
SHA512 5c503358ab917f5cccfb322a0177ef5f926a7861101760da2560b242e77753312058e32957d228d0d3b1120b3e3fbe3d6e7636cf68c99249f8c5675fb20ce14d

memory/2784-115-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp

memory/2476-116-0x0000000000A60000-0x0000000000D84000-memory.dmp

memory/2476-117-0x000007FEF4FF0000-0x000007FEF59DC000-memory.dmp

memory/2476-118-0x000000001B190000-0x000000001B210000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8sSGlbcwXjOd.bat

MD5 af4e86ae3f7040fab91462faebdd1d38
SHA1 431c9ed4ffd4fe92a9a009a6ab3d0d42ecd1387b
SHA256 9be261d0e1ff707160dd2fd71b9d2a2a07c63928497d865d3030ce363e90e923
SHA512 eb57bbecb878bce0b9b9a9190dff396d518441ae26b516526201fa4d6569a4c520247e38dc010da0b776bfab092554f0b181ddae08d8536fcf7569eead0bdb16

memory/2476-128-0x000007FEF4FF0000-0x000007FEF59DC000-memory.dmp

memory/1120-129-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp

memory/1120-130-0x000000001B2D0000-0x000000001B350000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\j0b8Lyy5WXa7.bat

MD5 f6a07864e27a16d2ace7af0e9da382ec
SHA1 584d8a508ccd906957aadb7b925e3886cf51a3fb
SHA256 f2af395fc87030c6c2e61369da2b632aac86814999365a625e2a9da5100f19d3
SHA512 af7da8cf1601e47df455d565bbc1c29450a4de041197e780bfa3dbc0ac2ca12da01c2ed56c8aedd973b7adea0cd9cb525d6d888b58012063d3215e9d30c48cf4

memory/1120-139-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp

memory/996-141-0x0000000000D00000-0x0000000001024000-memory.dmp

memory/996-142-0x000007FEF4FF0000-0x000007FEF59DC000-memory.dmp

memory/996-143-0x000000001B300000-0x000000001B380000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\52OXRp3qUgwY.bat

MD5 64bc6daee30bf47baef1ef673a6396c2
SHA1 27cd70cd5c5805cad0dd17d78e2752bd8aaa4741
SHA256 20ef3daf40b27f9f234583397bbd2c6c5e93a00a4040344a60ee6584017d38f5
SHA512 eaea7fbc5a477ac47a5950f9fc5e416838bcabd96e824c604fd27fd2ff4d9eebad7b613b90a2322951f4b85fd75c73071d7c581920d1e179ef595712b054aa0c

memory/996-153-0x000007FEF4FF0000-0x000007FEF59DC000-memory.dmp

memory/2036-154-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp

memory/2036-155-0x000000001B2F0000-0x000000001B370000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KCfJJSlnYdXg.bat

MD5 6b6b0f39413373c6f2470c925ee0b2d4
SHA1 6f0410f48611941a57de13f8c584e8f377a21ee2
SHA256 7cbeb3c04e6392bbebd34539400f857681c9c8fe55374420886b37062d6d3d14
SHA512 e2a57564e9c3694ba7745a5e31ac07722874c09a84d2e38b1d8ab24a98495071a80e8b155ede670850b3afb57bce5fd4f97c4bc3045a90ed3c0aa98da7abe7db

memory/2036-166-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp

memory/1932-167-0x0000000001330000-0x0000000001654000-memory.dmp

memory/1932-168-0x000007FEF4FF0000-0x000007FEF59DC000-memory.dmp

memory/1932-169-0x0000000001270000-0x00000000012F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\oSqq34TDs5OD.bat

MD5 a38ca59fcb858ced5afb007501195b2e
SHA1 4f2632fd59291ccebc64ec730e099a541f8ae441
SHA256 f3d0dfe20aa0ab78594fe8b9927d826d4e29ebf991c2eefaec4157d41cee60f0
SHA512 6eb294f93f9d6e7da4653b61393f325c8a19235863d2c6faf6990436c46f34e7c5a794e3fc0a62a48e78a32b7c5bfeb64fcf4c9f0b3ec670b035f2bb77714bb0

memory/1932-179-0x000007FEF4FF0000-0x000007FEF59DC000-memory.dmp

memory/956-180-0x0000000000330000-0x0000000000654000-memory.dmp

memory/956-181-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp

memory/956-182-0x000000001B140000-0x000000001B1C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\j23GB51JMsLt.bat

MD5 4ee7f1dfc35e471fe6b11cb141ba0235
SHA1 c6eef3555be9e9a21e0b30f0950776872df0550f
SHA256 4d1d8dda32a499484fe6fce3fb67e51018aa3fd21d6cee1d5e42cbeb0cbea2b4
SHA512 ea6fd8151ec9c64e652ff574e4bb87a364729c7d6272d3254c97ddbc8af4b74c77ae8f258d618f7f698eadabd0760a32f203a06ce9588e0504dde815a1fc0971

memory/956-192-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp

memory/2144-193-0x000007FEF4FF0000-0x000007FEF59DC000-memory.dmp

memory/2144-194-0x000000001B470000-0x000000001B4F0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-21 08:28

Reported

2024-04-21 08:30

Platform

win10v2004-20240412-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

The raw table holds 15 identical rows; they are collapsed here with a count.

Description Indicator Process Target Rows
Key value queried \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe N/A 15

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3588 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe C:\Windows\system32\cmd.exe
PID 2540 wrote to memory of 2376 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2540 wrote to memory of 5036 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2540 wrote to memory of 4752 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
PID 4752 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe C:\Windows\system32\cmd.exe
PID 2424 wrote to memory of 4428 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2424 wrote to memory of 5080 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2424 wrote to memory of 4260 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
PID 4260 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe C:\Windows\system32\cmd.exe
PID 3748 wrote to memory of 2740 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3748 wrote to memory of 1528 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 3748 wrote to memory of 4564 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
PID 4564 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe C:\Windows\system32\cmd.exe
PID 2344 wrote to memory of 1596 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2344 wrote to memory of 3348 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2344 wrote to memory of 4632 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
PID 4632 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe C:\Windows\system32\cmd.exe
PID 3492 wrote to memory of 3276 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3492 wrote to memory of 3156 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 3492 wrote to memory of 4060 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
PID 4060 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe C:\Windows\system32\cmd.exe
PID 4964 wrote to memory of 1332 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 4964 wrote to memory of 4292 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 4964 wrote to memory of 3908 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
PID 3908 wrote to memory of 4032 N/A C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe C:\Windows\system32\cmd.exe
PID 4032 wrote to memory of 4772 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 4032 wrote to memory of 1448 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 4032 wrote to memory of 2748 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
PID 2748 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe C:\Windows\system32\cmd.exe
PID 4412 wrote to memory of 4004 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 4412 wrote to memory of 4880 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 4412 wrote to memory of 2376 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe

"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\h3KQk3tmpXwm.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe

"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pcAlz1FrFZia.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe

"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HUgQD8fR0YvW.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe

"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\auDM4HqLAjRF.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe

"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HAUBwOXrOcha.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe

"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmBHU99RhLni.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe

"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\drDaaP3uiAO4.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe

"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fNADFXAmWs8s.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe

"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YzPQMnl5pjh4.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe

"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\me4vO7g5QPse.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe

"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5LbzD7dp01xA.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe

"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FN8zHBs0afkA.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe

"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XSFbXLsBohmm.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe

"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\v21sVDRmH4OA.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe

"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6LXbjoqgH6c8.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

Network

Country Destination Domain Proto
US 8.8.8.8:53 Kneegrowless-33547.portmap.host udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
NL 23.62.61.123:443 www.bing.com tcp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 123.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 154.173.246.72.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 48.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 17.173.189.20.in-addr.arpa udp
BE 2.17.197.240:80 tcp

Files

C:\Users\Admin\AppData\Local\Temp\h3KQk3tmpXwm.bat

MD5 309c155aa3118f88dba9c37dea7c3347
SHA1 f16248043245eac6045857a40250570bded17123
SHA256 be2c1bc79a66390f03c17ae2b44d5879fd71a94dea926e909f3f416482ea59f7
SHA512 21dc857213cd4188d202439a921643804dbd303a6b8ddd31ae668594dfbfb85d346502a2bb59ca34bd2c116fb506fdcde7cf1569b2392469c1469b4b2e96472c

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe.log

MD5 8f0271a63446aef01cf2bfc7b7c7976b
SHA1 b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7
SHA256 da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c
SHA512 78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

C:\Users\Admin\AppData\Local\Temp\pcAlz1FrFZia.bat

MD5 20a908ad6915eb284f377c7bfd67900f
SHA1 48b34666995f3fa4decbb68656f745595e4cf88e
SHA256 4f980d4bb45f4abad4ef6b378b37f01106740a6aa2a193bba3bed9b81765fa6d
SHA512 c303444360242c2b8c7ca892b70ebb77a7826aa389864e5f5a8bc51f39b68b66830146a1ebbd9589d3ddbb4f9563df0029122d15b30ea27e36b0fca8e4ab6fec

C:\Users\Admin\AppData\Local\Temp\HUgQD8fR0YvW.bat

MD5 9ce3bbdfb904dde5b71a23a944151596
SHA1 f2d6c088a3a8c8832593cd4e90b52309bd64472b
SHA256 f4b7511c568b9aad659ad049557cad133382de6bbce1914524a2a8fcb0e9c8ff
SHA512 51f51d3b8cb739dfcdd6c3da432a331253c489eb43da7ba5abbf4cf2b1f8c80dc3209f476c3c4aecc4b27254d0ed70d67a89d7e4981d31e1125a723769758fcf

C:\Users\Admin\AppData\Local\Temp\auDM4HqLAjRF.bat

MD5 6245a85655979483d03e83afe72e9d94
SHA1 04824ed4b2c699756db8f0fe65f26d7a98b5429d
SHA256 6261b7a15fa6b23353da9160f9c9c23403f977c1bf612ee9d4d2ab3ec0b9f240
SHA512 b0d62b2ee99af8bd1317f405432b228288493be1bb3918a68d5825ee38d60290ff7d035ed31f101b0dba0422a16ddb7dc297915696485057584b73966610df06

C:\Users\Admin\AppData\Local\Temp\HAUBwOXrOcha.bat

MD5 1b47ee3a07eac0c65b606bebc2894098
SHA1 21cf856d7ece442620cee37406f1cb1e168728b2
SHA256 195d30503fc702b870bf91aa303777842319c8c34a17f2cc916e7ed0df516edd
SHA512 2f0cf117d8e59dfb0f03d7bb027860034ffdc29a183dc33e736cc2ca91e6729006c2fae58684538ed7dfa0b32c44922431d406087b54d042ff0e17dc8a3dc5ef

C:\Users\Admin\AppData\Local\Temp\tmBHU99RhLni.bat

MD5 edbb0f9f0f7c3a683af3ff8118ba15dd
SHA1 4cf1d27b63ae433f3779e7063a337ce432ebfbf5
SHA256 6c3bd81d5c3e712f6174f94de56cfc24d73cef7d9b76544aa46b71dafb867f67
SHA512 c910cf3c14ea3a2f6e8937f37909465f3f33c192680bf68e2299e0ed649f6fe5e06edf3630c8c4ba9b0e36755323e1cf715e80be70e18805d5cd7058109afdae

C:\Users\Admin\AppData\Local\Temp\drDaaP3uiAO4.bat

MD5 cabe5979daf5138f88a7938cf9fae9c9
SHA1 6d6e5fb1dd2eb3b20f2ec0d486188aee22327bf0
SHA256 256dbe03803a7166e2a8a73c2525658bd7929cd0a57d6601d9b253a265f2bac0
SHA512 5e0011dbaae8ec7ccefce42d53cc79fe4d3f9d4fe9e56e63018585c70a639313f810052d970ac0cd49ba024ee96b334c46a3997d34a2304a53ef014cd16b0d52

C:\Users\Admin\AppData\Local\Temp\fNADFXAmWs8s.bat

MD5 92a6075d5b7e432a11b8fa99345c1c67
SHA1 6f90a94817ec42a9cb1ffa59f158ec5d8aad1226
SHA256 e9623096ea4438e35a84719039c2b2dab4de3d1f901c17e7db164841e55f1f09
SHA512 3a8cc06ee84ac3418bc7e1f294491b0085e8478e8b2da9e68ee0b45185c14bc8b45100977f8b8ec320eb0d4eae747dd33e774071416191b2c548181d20552fb9

C:\Users\Admin\AppData\Local\Temp\YzPQMnl5pjh4.bat

MD5 9927c04f3a0274f4857ec9c6ac39e385
SHA1 3671b3327904e3b3245ab343ba052556871c8912
SHA256 0c2c78c03f6b82c3cc4c84268cfc3d558ab8e914ae8516508458890a163e66da
SHA512 dd86f5f94bd8a39c2c2e0ee137ea0b89d75025c534ebb15c1d09d32a5802bcbc64a7aa86fafce6d61c026f7b3cb2c6eaf03afb83081908c92d91e92d7ee6b418

C:\Users\Admin\AppData\Local\Temp\me4vO7g5QPse.bat

MD5 2bdc01b553462bf9dfa842a6903a2dc5
SHA1 efcda5c7a432376c5a9cc5e374032dde9f4f2b5d
SHA256 9ed413ef0669ff13db9344c3585cb7a1e910b176898fc9c37813bae1c23b17e3
SHA512 ce1989c50f647cb8ce974026806c7699ea64ffdd893c80ed4c671329a75deac762c40450977eae48c5718a9f35d3c893837c81584c67213bae47226627198403

C:\Users\Admin\AppData\Local\Temp\5LbzD7dp01xA.bat

MD5 fc7f21f016c12cc477c705287cc6fe43
SHA1 33f0dae29457932a4a2b6784625560565209f424
SHA256 85793ad1977f93da9a2f6af16a7f17ddbfc3e1f94eabf94220994fcabd50c6eb
SHA512 c3f31aa0fb194644d26bc9dce4b23e03791367fea1680e037792bef2e390dcc2f967fffd5c0574e53b98621302f988a2a664fd18387bfffbf678cc8bb9492872

C:\Users\Admin\AppData\Local\Temp\FN8zHBs0afkA.bat

MD5 f33ec1172e16d4af403b20051ad7d34f
SHA1 415d1f5fa64a5ff36262a439fd92d61d0ef74f75
SHA256 efbaaca56bad4a859387043c9e96a8a2555d6e9d473e94c2a04d4aeec8912d94
SHA512 83f1bdc136cc007eb7fdbb024021f596101120fdf01bca380168f84568b4d677bd78c95ac97cb5abc014c1c5e14e29783e64dad6793b9eddd7109841c83f3a6a

C:\Users\Admin\AppData\Local\Temp\XSFbXLsBohmm.bat

MD5 bbb4081b0aa65aa30e60547d0addf02e
SHA1 9929006fe4cac0ffde932d51cc931ad097aa1d8a
SHA256 33022b05c96a7e3ef3516fdf54047521dbe764d6f825f13b160997995f00bcdc
SHA512 16f5b13043491c08ff5db54b449040bf0a515e373534fa78b47bd729f6265064af63365dee4fd1daff9dd3934409b4bb1bcff0bebbefcd8a866edab1788e27b2

C:\Users\Admin\AppData\Local\Temp\v21sVDRmH4OA.bat

MD5 400839890e6dfa8e6c3b50f848b412f7
SHA1 75fded159706d796d97d0a721472cffe5169aedc
SHA256 3a8d5dee07b6955fe48cc7820c0434306015a6bb9c96e599a8efe78b5d885388
SHA512 8b7a792e6455d0b1f1832174233bf296d74f59e0d7b868b583e793a6c3d04ed63e5fa9a87f39a466e0a62161c4a1eef26a2b1c75654cf92ec12fff4e475fc8d3

C:\Users\Admin\AppData\Local\Temp\6LXbjoqgH6c8.bat

MD5 d9240491f65ed7937d17fff8d3243099
SHA1 3093ca8fd107d0daa8f0c672b5980b0714bae1dc
SHA256 75b03a65fe71394cb71680db1417650836ee48dbec7a7146359a0f7014ea7d81
SHA512 f1360c9324a134339eab6685226a13275e5bd10b79aab2bbea2eee437df061a66b671f8bba49860f852e5769a2063ceb44203a801bedcdc81c19ce03a1486774