Malware Analysis Report

2024-10-19 08:42

Sample ID 240422-bhh3tsdd44
Target 24e7acb706dffb37b3e682424719f5ab.bin
SHA256 285e04c2bb8bd46ab0ba229bb888f386c8fba38be6ab038e8f80929ff207206a
Tags
office04 quasar spyware trojan
score
10/10

Analysis Overview

score
10/10

SHA256

285e04c2bb8bd46ab0ba229bb888f386c8fba38be6ab038e8f80929ff207206a

Threat Level: Known bad

The file 24e7acb706dffb37b3e682424719f5ab.bin was found to be: Known bad.

Malicious Activity Summary

office04 quasar spyware trojan

Quasar payload

Quasar RAT

Quasar family

Checks computer location settings

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-22 01:08

Signatures

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-22 01:08

Reported

2024-04-22 01:11

Platform

win7-20240215-en

Max time kernel

149s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2816 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe C:\Windows\system32\cmd.exe
PID 856 wrote to memory of 2680 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 856 wrote to memory of 2676 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 856 wrote to memory of 2636 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
PID 2636 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe C:\Windows\system32\cmd.exe
PID 2660 wrote to memory of 2544 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2660 wrote to memory of 2716 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2660 wrote to memory of 2440 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
PID 2440 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe C:\Windows\system32\cmd.exe
PID 1832 wrote to memory of 2036 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1832 wrote to memory of 2340 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 1832 wrote to memory of 2028 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
PID 2028 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe C:\Windows\system32\cmd.exe
PID 2008 wrote to memory of 2324 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2008 wrote to memory of 776 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2008 wrote to memory of 1372 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
PID 1372 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe C:\Windows\system32\cmd.exe
PID 2508 wrote to memory of 2656 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2508 wrote to memory of 2396 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2508 wrote to memory of 652 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
PID 652 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe C:\Windows\system32\cmd.exe
PID 1684 wrote to memory of 1460 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com

Processes

C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe

"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uzrBa006fule.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe

"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\8Ybc4omaofo1.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe

"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\Bqc819dEdlQi.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe

"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\90DJKwPZojDS.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe

"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\dZBGtzhEetCS.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe

"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uYnIKErDxrG6.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe

"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RT5hZ6b3rRXH.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe

"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mhRf9Y5wpgP7.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe

"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\oB3g7KxpaIL8.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe

"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UcRTnjJsJBrD.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe

"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jWcoZHR84A51.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe

"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tuEkEbkkAxHQ.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe

"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\Ax4vSBMK3wcQ.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe

"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UBSQy542EXep.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe

"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\9YKoC1ZGdjxH.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe

"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JSrJDZQLrhR0.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

Network

Country Destination Domain Proto
US 8.8.8.8:53 Kneegrowless-33547.portmap.host udp

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-22 01:08

Reported

2024-04-22 01:11

Platform

win10v2004-20240412-en

Max time kernel

145s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2440 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe C:\Windows\system32\cmd.exe
PID 2440 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe C:\Windows\system32\cmd.exe
PID 3660 wrote to memory of 4092 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3660 wrote to memory of 4092 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3660 wrote to memory of 2356 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 3660 wrote to memory of 2356 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 3660 wrote to memory of 4200 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
PID 3660 wrote to memory of 4200 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
PID 4200 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe C:\Windows\system32\cmd.exe
PID 4200 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe C:\Windows\system32\cmd.exe
PID 5116 wrote to memory of 1036 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 5116 wrote to memory of 1036 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 5116 wrote to memory of 636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 5116 wrote to memory of 636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 5116 wrote to memory of 3600 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
PID 5116 wrote to memory of 3600 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
PID 3600 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe C:\Windows\system32\cmd.exe
PID 3600 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe C:\Windows\system32\cmd.exe
PID 1532 wrote to memory of 4916 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1532 wrote to memory of 4916 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1532 wrote to memory of 4896 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 1532 wrote to memory of 4896 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 1532 wrote to memory of 3232 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
PID 1532 wrote to memory of 3232 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
PID 3232 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe C:\Windows\system32\cmd.exe
PID 3232 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe C:\Windows\system32\cmd.exe
PID 2388 wrote to memory of 888 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2388 wrote to memory of 888 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2388 wrote to memory of 3616 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2388 wrote to memory of 3616 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2388 wrote to memory of 1604 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
PID 2388 wrote to memory of 1604 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
PID 1604 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe C:\Windows\system32\cmd.exe
PID 1604 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe C:\Windows\system32\cmd.exe
PID 216 wrote to memory of 3028 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 216 wrote to memory of 3028 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 216 wrote to memory of 4536 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 216 wrote to memory of 4536 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 216 wrote to memory of 1480 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
PID 216 wrote to memory of 1480 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
PID 1480 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe C:\Windows\system32\cmd.exe
PID 1480 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe C:\Windows\system32\cmd.exe
PID 4776 wrote to memory of 2668 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 4776 wrote to memory of 2668 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 4776 wrote to memory of 4956 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 4776 wrote to memory of 4956 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 4776 wrote to memory of 344 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
PID 4776 wrote to memory of 344 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
PID 344 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe C:\Windows\system32\cmd.exe
PID 344 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe C:\Windows\system32\cmd.exe
PID 1520 wrote to memory of 1948 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1520 wrote to memory of 1948 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1520 wrote to memory of 692 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 1520 wrote to memory of 692 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 1520 wrote to memory of 3720 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
PID 1520 wrote to memory of 3720 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
PID 3720 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe C:\Windows\system32\cmd.exe
PID 3720 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe C:\Windows\system32\cmd.exe
PID 2232 wrote to memory of 3284 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2232 wrote to memory of 3284 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2232 wrote to memory of 3548 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2232 wrote to memory of 3548 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2232 wrote to memory of 3632 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe
PID 2232 wrote to memory of 3632 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe

"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZxhL8XxZI7DC.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe

"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SS4PQujQyOxd.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe

"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ujWzwWWjMyMd.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe

"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ilmcCVHJxEqJ.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe

"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fhPLqedx5Woe.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe

"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\meUnP5wWZn2Y.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe

"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B4B9SDuTH3dC.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe

"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Gw5gkKXU1DyV.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe

"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1WttLNFQVACq.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe

"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gOkdQsqFpLRZ.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe

"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\H1bMgaGJO1sy.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe

"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0agnF48wud31.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe

"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\U5RAxoiKq1Vy.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe

"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\R1t2iyHgQuYX.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe

"C:\Users\Admin\AppData\Local\Temp\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZCk0rgR8Is4b.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

Network

Country Destination Domain Proto
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 Kneegrowless-33547.portmap.host udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 156.33.209.4.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 Kneegrowless-33547.portmap.host udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 Kneegrowless-33547.portmap.host udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 Kneegrowless-33547.portmap.host udp
US 8.8.8.8:53 Kneegrowless-33547.portmap.host udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 Kneegrowless-33547.portmap.host udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 Kneegrowless-33547.portmap.host udp
US 8.8.8.8:53 51.15.97.104.in-addr.arpa udp
US 8.8.8.8:53 Kneegrowless-33547.portmap.host udp
US 8.8.8.8:53 Kneegrowless-33547.portmap.host udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 Kneegrowless-33547.portmap.host udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 Kneegrowless-33547.portmap.host udp
US 8.8.8.8:53 Kneegrowless-33547.portmap.host udp
US 8.8.8.8:53 Kneegrowless-33547.portmap.host udp
US 8.8.8.8:53 Kneegrowless-33547.portmap.host udp
US 8.8.8.8:53 Kneegrowless-33547.portmap.host udp

Files

memory/2440-0-0x0000000000810000-0x0000000000B34000-memory.dmp

memory/2440-1-0x00007FFE22E80000-0x00007FFE23941000-memory.dmp

memory/2440-2-0x000000001B7C0000-0x000000001B7D0000-memory.dmp

memory/2440-3-0x000000001BB10000-0x000000001BB60000-memory.dmp

memory/2440-4-0x000000001BC20000-0x000000001BCD2000-memory.dmp

memory/2440-9-0x00007FFE22E80000-0x00007FFE23941000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ZxhL8XxZI7DC.bat

MD5 deee4de2b361d6677ed095649cf42dcc
SHA1 b4195f569604b90c03203341e3f68d88fccab7d8
SHA256 210ac4b15f9b1f4a69b3ca51f98f6942276116f30bf7f35dc5f32996b1640421
SHA512 1e49417778d57100e121cfac25e2ef207e2f5a1568a47e67ecec423642ebf38703c740c5823cfcda3b747ace728966ccc4b49a728313b4c151b5545843bb4cde

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\0972bb0ba1caff7adc92bb35f645b5e0d825fa74fb1b76ff822dce8c200ab30d.exe.log

MD5 8f0271a63446aef01cf2bfc7b7c7976b
SHA1 b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7
SHA256 da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c
SHA512 78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

memory/4200-12-0x00007FFE21DB0000-0x00007FFE22871000-memory.dmp

memory/4200-13-0x000000001B5B0000-0x000000001B5C0000-memory.dmp

memory/4200-17-0x00007FFE21DB0000-0x00007FFE22871000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SS4PQujQyOxd.bat

MD5 53eefa787cace21dfe06b3a4cf38fde4
SHA1 071a53ac3399cf49be990a59c23a31e250a310bb
SHA256 06d3ab7bbc862c10255c09f74bb2efee3eda91a09ccb976459173c39ec0db28c
SHA512 2692055687e20f6018f0c45a2ec95aed4dfb38d8be13b43ce1a709bbcb177169d02a070d128e4e47a738439d2640b8fa9d8259838e9312f84afc453d8443a7f3

memory/3600-19-0x00007FFE21C50000-0x00007FFE22711000-memory.dmp

memory/3600-20-0x000000001B470000-0x000000001B480000-memory.dmp

memory/3600-24-0x00007FFE21C50000-0x00007FFE22711000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ujWzwWWjMyMd.bat

MD5 5a5aa673d2af5cd2434c37b9cc5b97fa
SHA1 eb0899d3b2dbe0270319d87da903c7b96c47da46
SHA256 6159b3dc262ceee84a11b53ed888fa982958f574bf39671b9e165555b43462a5
SHA512 bd259fea2de62e1f9be40e9c07b37a4e52e646c2484102e99392dcd1a63af769d57b97e082d0ba537e3dd292f7815879043ca710b7b166af7a848a70b9a83ea5

memory/3232-26-0x00007FFE21C50000-0x00007FFE22711000-memory.dmp

memory/3232-30-0x00007FFE21C50000-0x00007FFE22711000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ilmcCVHJxEqJ.bat

MD5 cedf91aef7d92a75a532e95f11746cfe
SHA1 6f0af95c143368a9ee2d4ab781ddb56c44a31b1d
SHA256 9d0a407c20a6de81073464cc15bb93fd3798fb75362131e16a32fbb2ac70cea4
SHA512 b8156256c821c2b34066b6ed3835db414f66e172a99084328ae596f61380aa41b2733a1ae635b0d10673a083842d4b93016a1d43d55e761b74f90a21048e3eb8

memory/1604-32-0x00007FFE21C50000-0x00007FFE22711000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fhPLqedx5Woe.bat

MD5 5d133e5a40cbd7e77dffdb92942224d8
SHA1 18e43e4bc079ca91c90b721e737cda2ec8dfc738
SHA256 fbc7f9656b7d3347cbc856818720126d552990d8b1b7418ab2d8bb04ff6a327b
SHA512 d5509053bb32db017b93bfc1e058d7cdaac3fd672183f1936701576bc1cfa613698691a547bdea80b547e182c8b2f53c652564c93ff9a0ecf722297502dfaca9

memory/1604-36-0x00007FFE21C50000-0x00007FFE22711000-memory.dmp

memory/1480-38-0x00007FFE21C50000-0x00007FFE22711000-memory.dmp

memory/1480-42-0x00007FFE21C50000-0x00007FFE22711000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\meUnP5wWZn2Y.bat

MD5 efbd784d104f77abfc681c15b45288df
SHA1 212d598b6c0406cf5e0ea0704dfa5bf63d02fa96
SHA256 22a7f5275e02555a4fadd3a6a9f84637c40902b87801a8e28b7e1787c56946b7
SHA512 cdf3efcfee043ea3c57339270949031b499fa061987010998617428ed13e9f9be6dadda5ca66a57dfbec7c90eb2355039466783e696640f4a94d9a6ece83bc2b

memory/344-44-0x00007FFE21C50000-0x00007FFE22711000-memory.dmp

memory/344-48-0x00007FFE21C50000-0x00007FFE22711000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B4B9SDuTH3dC.bat

MD5 53b6ad4c470486aa8544cf7d91afae4a
SHA1 826b49471159bef41e0722a60046ea82122675b3
SHA256 07c5dc09bcf65838cdf386184b3c840c5e0e5dfe6faaf51040d069d7161a9f5b
SHA512 56d14c7f0da9768b284f668309c80bd1e2680552d50532e740bebc11675756ad4711b29f8e4a89cdb279448995b2eb41f4c48901845bc7aeda9cc43ee52154a2

memory/3720-50-0x00007FFE21BE0000-0x00007FFE226A1000-memory.dmp

memory/3720-54-0x00007FFE21BE0000-0x00007FFE226A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Gw5gkKXU1DyV.bat

MD5 592a782b8dab9ee0d830518ffc507076
SHA1 1836d8f4af3f4b6a92ee5597b22077147ec43a51
SHA256 dec46edb42debbeecde945b74ea94f91571bb7b9daf606284f96464ecf81f138
SHA512 cc97d6d4631270eda1bf805866af10280225508def18b63e7a0b6f3793c8c82db7d38bbb38ef2604d9224d09e2dde5f02701b617e4b4920214900d5c8ef00039

memory/3632-56-0x00007FFE21D00000-0x00007FFE227C1000-memory.dmp

memory/3632-60-0x00007FFE21D00000-0x00007FFE227C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1WttLNFQVACq.bat

MD5 36713f9270419e27dc38c791999d980e
SHA1 3dc114f10e3f9103af7b6d29abe3cd6089a6f192
SHA256 e13cd3bf18e4bf1c3e4eedff6d455dfd8430e698970ee1f9ba52aa983ca2605d
SHA512 a51e3354a2e2fc0cc200cbfc9a604de9c43506f2540d28e281c931b0145b2ab0d3e22da0e80cee0d82bd50b8966faa4f1b8f93af99b05afa607bf8fc120d29bc

memory/3088-62-0x00007FFE21D00000-0x00007FFE227C1000-memory.dmp

memory/3088-66-0x00007FFE21D00000-0x00007FFE227C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gOkdQsqFpLRZ.bat

MD5 697a6c0c57d3f185b5779f86ec32e79b
SHA1 198edde59011469630829f5f8de94d0428f9ffc6
SHA256 17b5b8773072a60033831906241fc5551b7a924fa476d0f1fce2132ce35842d5
SHA512 0a578f462311f0c98b8ff97031f731f73013b6ac2660ec693e1cad2d54a6cb4afa3adb276bbe1b8d84315b2dc765f25c45cbeb4fcfc4cfc587588aa3aba33631

memory/1436-68-0x00007FFE21840000-0x00007FFE22301000-memory.dmp

memory/1436-72-0x00007FFE21840000-0x00007FFE22301000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\H1bMgaGJO1sy.bat

MD5 4c7556d01b6723fc166e54da3cdf3080
SHA1 3e2bc9cc4006c1b2719914a461cb1a9aba5d7dbe
SHA256 66e4bbfcb8e441182243201842eba9012d07bcb269b6a102a5200bacff0ea493
SHA512 db4324e94b3f06a885fa3c7abd4f54771480d7e4078b8fb182d1bc436a2cf258866f070fd6a0bac3cb230e708dfc3d4cfcc7f0befcb165f9de06b390eacc2c31

memory/3360-74-0x00007FFE21D00000-0x00007FFE227C1000-memory.dmp

memory/3360-78-0x00007FFE21D00000-0x00007FFE227C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0agnF48wud31.bat

MD5 abef8f136208d60e3edc2ada7559ea23
SHA1 8faa843d692d29c0fba3975c30ed3e6cd18cea51
SHA256 1ce8ab144b78ea12140a467272ba2c07d60744803780e773f1c292164ae8efaa
SHA512 acf4148d05b78f56670353ee5b1b071dceb8bd5a01a8e1bdc02b8a9f2602b83f5b7e0bc47f85c9b08a7d711a16a53e3837c02f60a81daff1d2b89300267d459a

memory/3160-80-0x00007FFE21D00000-0x00007FFE227C1000-memory.dmp

memory/3160-84-0x00007FFE21D00000-0x00007FFE227C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\U5RAxoiKq1Vy.bat

MD5 5674126ea427a461ad8770563c605f0b
SHA1 4c21e691e7caa87066dd04e19151794b435462de
SHA256 e665eb2c7fe3c21417a22498797d0bce39843e73bdc45c28efd098d98c9028cd
SHA512 60312c55f46d048975290bee1f43ca20132957c019f424ff6a5477562408e5d32cb34ca3c6a55b81e7d427f553498ecf56187e09ffa21458baeb3d0be56e0528

memory/964-86-0x00007FFE21D00000-0x00007FFE227C1000-memory.dmp

memory/964-90-0x00007FFE21D00000-0x00007FFE227C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\R1t2iyHgQuYX.bat

MD5 5659a0d36613b4cc5efdf58bbb1b7641
SHA1 df189b6716d226432e74a36744a0de9297e720a9
SHA256 a4ff5ae8ab471c9daf46cd7639b526b8177d89f24138c7a1faa5db2af7d59258
SHA512 29447338f46696392f6faa5e1f66432dc2c26bb843bb3eb5243f7e4abf6e8e1065fb35e992cb531828ae4cd30ff89e9b397e6cce35e2bd42b9b7f2fb1dc8813e

memory/2016-92-0x00007FFE21D00000-0x00007FFE227C1000-memory.dmp

memory/2016-96-0x00007FFE21D00000-0x00007FFE227C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ZCk0rgR8Is4b.bat

MD5 979f8b8211e76d2297a489f41ecbe79d
SHA1 c19f7c332469bd9fdba0a7159f54161404dfe858
SHA256 dc039ff270910ab5f0336a29e72062a61c850909795f8c3793bcbf2c7fd7b31c
SHA512 7e0495e14e816ad91e6ecc8ee1b8b66e3ddd354f4d0f55576c30dc9323d026451251e7d7c7013c9d4b68fc548aca83893bcc345fb6302790aa6c1c6475c19ebb