Analysis Overview
SHA256
a5473ea4c4ef75c217e0d252d1c7d235b781a75810b7e731a97ed78b45646840
Threat Level: Known bad
The file a5473ea4c4ef75c217e0d252d1c7d235b781a75810b7e731a97ed78b45646840 was found to be: Known bad.
Malicious Activity Summary
Detects executables containing common artifacts observed in infostealers
Detects Windows executables referencing non-Windows User-Agents
Quasar payload
Quasar RAT
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Quasar family
Detects Windows executables referencing non-Windows User-Agents
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Detects executables containing common artifacts observed in infostealers
Checks computer location settings
Executes dropped EXE
Drops file in System32 directory
Unsigned PE
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
Suspicious use of SetWindowsHookEx
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Runs ping.exe
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-23 01:58
Signatures
Detects Windows executables referencing non-Windows User-Agents
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables containing common artifacts observed in infostealers
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-23 01:58
Reported
2024-04-23 02:00
Platform
win7-20240221-en
Max time kernel
6s
Max time network
126s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects Windows executables referencing non-Windows User-Agents
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables containing common artifacts observed in infostealers
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\SubDir\updale.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\SubDir | C:\Windows\system32\SubDir\updale.exe | N/A |
| File created | C:\Windows\system32\SubDir\updale.exe | C:\Users\Admin\AppData\Local\Temp\a5473ea4c4ef75c217e0d252d1c7d235b781a75810b7e731a97ed78b45646840.exe | N/A |
| File opened for modification | C:\Windows\system32\SubDir\updale.exe | C:\Users\Admin\AppData\Local\Temp\a5473ea4c4ef75c217e0d252d1c7d235b781a75810b7e731a97ed78b45646840.exe | N/A |
| File opened for modification | C:\Windows\system32\SubDir | C:\Users\Admin\AppData\Local\Temp\a5473ea4c4ef75c217e0d252d1c7d235b781a75810b7e731a97ed78b45646840.exe | N/A |
| File opened for modification | C:\Windows\system32\SubDir\updale.exe | C:\Windows\system32\SubDir\updale.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a5473ea4c4ef75c217e0d252d1c7d235b781a75810b7e731a97ed78b45646840.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\SubDir\updale.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\SubDir\updale.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\SubDir\updale.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a5473ea4c4ef75c217e0d252d1c7d235b781a75810b7e731a97ed78b45646840.exe
"C:\Users\Admin\AppData\Local\Temp\a5473ea4c4ef75c217e0d252d1c7d235b781a75810b7e731a97ed78b45646840.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "windows av startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\updale.exe" /rl HIGHEST /f
C:\Windows\system32\SubDir\updale.exe
"C:\Windows\system32\SubDir\updale.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "windows av startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\updale.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\CoRtaHZaFedJ.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\updale.exe
"C:\Windows\system32\SubDir\updale.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "windows av startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\updale.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\NxSyfN3t4MCI.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\updale.exe
"C:\Windows\system32\SubDir\updale.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "windows av startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\updale.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sILikmaZT63E.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\updale.exe
"C:\Windows\system32\SubDir\updale.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "windows av startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\updale.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\O0sZfttt5usJ.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\updale.exe
"C:\Windows\system32\SubDir\updale.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "windows av startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\updale.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DOePQvqLAsSh.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\updale.exe
"C:\Windows\system32\SubDir\updale.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "windows av startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\updale.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ppUgiJ6xSzoj.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\updale.exe
"C:\Windows\system32\SubDir\updale.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "windows av startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\updale.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LfJEfHnabtd2.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\updale.exe
"C:\Windows\system32\SubDir\updale.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "windows av startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\updale.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\Eum53BFFFrJp.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\updale.exe
"C:\Windows\system32\SubDir\updale.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "windows av startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\updale.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\SdqApOgONSTQ.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\updale.exe
"C:\Windows\system32\SubDir\updale.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "windows av startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\updale.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\CSbDpQxebSBt.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\updale.exe
"C:\Windows\system32\SubDir\updale.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "windows av startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\updale.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\bYN8Ej4s7eEK.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\updale.exe
"C:\Windows\system32\SubDir\updale.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "windows av startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\updale.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\5cuavOqPUCjl.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\updale.exe
"C:\Windows\system32\SubDir\updale.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "windows av startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\updale.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\r3e6qidczgWf.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\updale.exe
"C:\Windows\system32\SubDir\updale.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | funlink.ddns.net | udp |
Files
memory/2956-0-0x0000000000040000-0x0000000000364000-memory.dmp
memory/2956-1-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp
memory/2956-2-0x000000001B150000-0x000000001B1D0000-memory.dmp
C:\Windows\System32\SubDir\updale.exe
| MD5 | 2c1fba8d6624adf6c582fb2d5fb43b28 |
| SHA1 | bd45ee984e9476d604824f83c6cf6111a9db2467 |
| SHA256 | a5473ea4c4ef75c217e0d252d1c7d235b781a75810b7e731a97ed78b45646840 |
| SHA512 | cc85b5f1c2765c49f34c236634dcbfdfd6cc62e0b954b74c12b0d89dc29044dff88a9840e5c02a39e140564283074c78359dd70dfc7f426daefb75f195f14e19 |
memory/2544-8-0x00000000001B0000-0x00000000004D4000-memory.dmp
memory/2956-9-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp
memory/2544-10-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp
memory/2544-11-0x000000001B220000-0x000000001B2A0000-memory.dmp
memory/2544-21-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CoRtaHZaFedJ.bat
| MD5 | 03d54daf872ed80284cf44881677cb78 |
| SHA1 | 6fdb2783eff27226d7b41b92e4c217136c5b632d |
| SHA256 | b29e8169b8cc50db9352ea6167cc40bcc16f0ae4299308aaa2c71e8b7572ad88 |
| SHA512 | 5695af35739ed3b1615e8b26649dfccc625117bfd250dd3f1d18f8b68440f1225d5866fa2016b505582096c56d0e8d55b6512baeb202e70781f5a802c471e05b |
memory/2372-24-0x0000000000A50000-0x0000000000D74000-memory.dmp
memory/2372-23-0x000007FEF5080000-0x000007FEF5A6C000-memory.dmp
memory/2372-25-0x000000001B2B0000-0x000000001B330000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\NxSyfN3t4MCI.bat
| MD5 | 109aa3acda2b209292ed179679965bbe |
| SHA1 | 00a2efafa20abee780358110d60c8fb3b5bd280b |
| SHA256 | c0e690a7060454865d67f1ca7c3a69390704e0690be825394ecf538633fc8c37 |
| SHA512 | 2bfb3ff2a602266cd807a073b2175e98d33e568ab3256b77a98b61353fd380a294c4f59801b4a2c68a85f8bd0acb61528d13a9d0075cb82fb05456e0d9b02c72 |
memory/2372-35-0x000007FEF5080000-0x000007FEF5A6C000-memory.dmp
memory/2116-38-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp
memory/2116-39-0x000000001B310000-0x000000001B390000-memory.dmp
memory/2116-37-0x0000000000130000-0x0000000000454000-memory.dmp
memory/2116-49-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sILikmaZT63E.bat
| MD5 | 94fabf93fdfbcd6c08199a57dfe97ce5 |
| SHA1 | 757265228608fb5f2e95c7d0190f6e0e43aaa947 |
| SHA256 | 49f9e19b44a93b57370d244c4d528f0456131bd5d62db1a3b89b1b145ad682cd |
| SHA512 | 1c65c9b225889db3fc1ff62f502f4ab01e79174d3eb630f70b73b406ad72a5ca51c8a4432318cdc0d72e362d8d2827532631ba3e051de1fc3f6075684e5e001c |
memory/1492-51-0x0000000000950000-0x0000000000C74000-memory.dmp
memory/1492-52-0x000007FEF5080000-0x000007FEF5A6C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\O0sZfttt5usJ.bat
| MD5 | e6007c8ac51d90bfa3cf835229e3afb9 |
| SHA1 | 17a7e01ae0ef2d051ea1274e4df5d90ff8dcd652 |
| SHA256 | 81333d28f57dbc2dd56a935dadd9c64a52de4496ef7d808cac49003323dc2839 |
| SHA512 | 1d9c8fba1fa2b4233213bf8470fc97b2ee4aa64d469b7c32a3d36e756a699e0353188a094053b9305d920d909df828a93735aad79c6a7d7f79ab91c42b5a2871 |
memory/1492-62-0x000007FEF5080000-0x000007FEF5A6C000-memory.dmp
memory/1892-64-0x00000000001F0000-0x0000000000514000-memory.dmp
memory/1892-65-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp
memory/1892-66-0x000000001B0F0000-0x000000001B170000-memory.dmp
memory/1892-76-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DOePQvqLAsSh.bat
| MD5 | bf458b5de46900a1dd923165d42547af |
| SHA1 | b9d8d4d9fac09addc0169cebaed1e7f478153bbe |
| SHA256 | 75bb490a6d1ebbae70a340c7bb50bf140315229ee6411b33c9461d7c23615400 |
| SHA512 | 779d192b703c7fd6625f4af828570d526f0117ad800ba869299b1067dd59615d0c371413d343a33d1b1b5e99c5439e506b995542c37839a43a9704c1a5198452 |
memory/288-78-0x0000000000110000-0x0000000000434000-memory.dmp
memory/288-79-0x000007FEF5080000-0x000007FEF5A6C000-memory.dmp
memory/288-80-0x000000001AD40000-0x000000001ADC0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ppUgiJ6xSzoj.bat
| MD5 | 26897707d398bfc14fb1316b6acdb9d1 |
| SHA1 | 829634c41a108af391114b02b753f2ac31c23ae8 |
| SHA256 | 3d3ee3a15d1bfe8dfa50e560c03e4915dab22e3d0712ad3c68523a2a193009c9 |
| SHA512 | 6b2d9a44392074212ad42530bf76144404f5c212d4521a4970ee5bf76ab39bc6d1ffbbb04392a5a204e554dd5db1e534ff9acd3711d70bbc65917e9ff7c804be |
memory/288-90-0x000007FEF5080000-0x000007FEF5A6C000-memory.dmp
memory/1600-93-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp
memory/1600-92-0x0000000000AA0000-0x0000000000DC4000-memory.dmp
memory/1600-103-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\LfJEfHnabtd2.bat
| MD5 | 2ee7c074ce2e346a9ee23a6055fab4f0 |
| SHA1 | 0fa6c3988f1690b0d5c6d97944631cea421fdce2 |
| SHA256 | 43b2858ca548a7abba05a2aa00a7b8fb6d8a33e09f4f920a90bf254dd1942345 |
| SHA512 | 6a0eb54402e39b8d9bd572e6d800e4c8d3b8df5c0f775a42a59a667aa79ac5934fc3547a36dda1380b277257b857792e5b03abc022da1d47df8c50af349b6502 |
memory/2660-106-0x000007FEF5080000-0x000007FEF5A6C000-memory.dmp
memory/2660-107-0x00000000003C0000-0x0000000000440000-memory.dmp
memory/2660-105-0x0000000001040000-0x0000000001364000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Eum53BFFFrJp.bat
| MD5 | 87e04d978b39ba88c3c31bc090bdbb23 |
| SHA1 | 2b338def74c79aedc1f2d0b610bbade82385aa63 |
| SHA256 | 9f201ec07a0a3b55a6219fe3adceef854d3b0c9a7ebb0a76d64aef543bbb080a |
| SHA512 | 40c2b942f65f0930d39f777856a97ce9e4e98841bbec1e0baa0ca2ba973f0d8258aedccef2949c6b7f98a465b6cabd6b583957e1169afcae7acbe4ec48a55faa |
memory/2660-117-0x000007FEF5080000-0x000007FEF5A6C000-memory.dmp
memory/2776-119-0x00000000000E0000-0x0000000000404000-memory.dmp
memory/2776-120-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp
memory/2776-121-0x000000001B330000-0x000000001B3B0000-memory.dmp
memory/2776-131-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SdqApOgONSTQ.bat
| MD5 | 5b6265ae349094652a6372c287430ca1 |
| SHA1 | 74557d0ff056295ee48c5f7f4eef99134e0a6ec4 |
| SHA256 | 22f5db983d01be6f79b0a013e884accfe969307d012d6015635e28ce9f8a1391 |
| SHA512 | 71bbfc2b36a17723c5ee34b0639244d9584e55ec2a295c80a950f9c01b173167c91480db59316d816157fbadb9d48484fd6bf3d5297088560bb924166e3d6b92 |
memory/948-133-0x0000000000EC0000-0x00000000011E4000-memory.dmp
memory/948-134-0x000007FEF5080000-0x000007FEF5A6C000-memory.dmp
memory/948-135-0x000000001B5A0000-0x000000001B620000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CSbDpQxebSBt.bat
| MD5 | 120a923a8294b0e4876d48b6eacc8d7f |
| SHA1 | 6e908d5807cf162ecb9dd4f5381e268386a019e2 |
| SHA256 | 440e60f386d87c40cc4133b14dcfaac93faa65a793d6b641c65e25dd83684933 |
| SHA512 | c1b31fde9ee1bd85fff49b64dbe3072ccc3abbfe39285bc03d56110b36965f4aad5bd00c2a86ccffab2d90614a1b282e9e8f890e08aa57de5c205aad6f18ce76 |
memory/948-145-0x000007FEF5080000-0x000007FEF5A6C000-memory.dmp
memory/1148-148-0x000000001B230000-0x000000001B2B0000-memory.dmp
memory/1148-147-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\bYN8Ej4s7eEK.bat
| MD5 | 0889e53f198b025a93e36e2cfaa39c4b |
| SHA1 | b1ccc06a86c884987226714fcfa7e0e8161f1ce5 |
| SHA256 | b6b07b191b9abf7c6cab9d02a25b5fb1ead9d3b8065c4aae16da4d3dc90598ab |
| SHA512 | c6f0e5b0ad8e6ad315bf2d3e83556ef106e4d0750a6b7d275fb2d454896f9da4c5501ee00f8cea6dde7cb68dab65fd12e9ddab8d2babc05b75f203a2cde60126 |
memory/1148-158-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp
C:\Windows\System32\SubDir\updale.exe
| MD5 | 97ab52a09461aaae33671bfb2c97d461 |
| SHA1 | b9db39918d35dab42fd01d5f9f3d4f1ee37b9a79 |
| SHA256 | bf8bd3d5565e85ccf3e284681e358a1095199bcb72540408d2bded155ee0da33 |
| SHA512 | 9c23edd8c437685e2d1ac9ddf87ca5d149a1c82df86d95503643cef0be2a48616014e4bafe943a8f17f9ec975dbd34b9595094233d1ccd34aea33b68a65cb84a |
memory/2892-160-0x000007FEF5080000-0x000007FEF5A6C000-memory.dmp
memory/2892-170-0x000007FEF5080000-0x000007FEF5A6C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5cuavOqPUCjl.bat
| MD5 | d920b1a5b2bebbb4ce393a0bd209dc3c |
| SHA1 | 5ea34609d15582996f5997801366ebeab64ff048 |
| SHA256 | 9429e80717232f573fbbeb6cf86a4d96749bfc89886864b8830c4f7a872e164b |
| SHA512 | 9d32ba45cdb77c3f9f74b1fb0103fed88f5878c52f463ccbfb443a32e8814d7622821e7656fde0a27677a19267fe6e8faa7d5f30bf6cd8df45d60f94fd5f9edc |
C:\Windows\System32\SubDir\updale.exe
| MD5 | c4dae084ebb0e54b8971fec31a08f85c |
| SHA1 | ce012c064db1faf577517b1fe2c669901f03283d |
| SHA256 | f8fde498de57bd9414057afb86bae5aa7827d32dffb07d1f63700903bf49260d |
| SHA512 | 8836d6b08642859a192ea765e415d425a0354df54e025cc6edf6a50503232177590cce1650513603822eb37e2da197351f3aa1ce172366e16add1ebabb04a36b |
memory/2256-172-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\r3e6qidczgWf.bat
| MD5 | f1b6988a9c25bf71c4f98cc1dd233a68 |
| SHA1 | b1c34fa2c56b20cc55645b12ffbe088720ab6f66 |
| SHA256 | 6ffb6068e37b052cbb51c91e8f174da8a942edf0f88b969f8f8ec3537e78030c |
| SHA512 | 3b24b0ab3e8bc5409d31cb945133481f4e906645f4a8c283c7d7b6b7f4df1c285217beb0db4f4255684ca081670dc3012b2c0d3dfcabb3960f921dadecf477e8 |
memory/2256-182-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp
C:\Windows\System32\SubDir\updale.exe
| MD5 | ff809c9272654f1b51f88bc9b7d7e265 |
| SHA1 | 93044c701db48e3e1afb990d339c269dfa1a5f7f |
| SHA256 | 6e61433fe73b382d2b9596535283db01213371e91e026e727410ef9020e81592 |
| SHA512 | 4b755be8148945dba6ed578c78935ac21ea04315e92e5861da64ef55d0bde31c7f034a10fb476cfb48a8864380ec62e2194d0217a143d001a2572248d31b1e3a |
memory/2308-184-0x000007FEF5080000-0x000007FEF5A6C000-memory.dmp
memory/2308-185-0x000000001AAB0000-0x000000001AB30000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-23 01:58
Reported
2024-04-23 02:00
Platform
win10v2004-20240226-en
Max time kernel
152s
Max time network
156s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects Windows executables referencing non-Windows User-Agents
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables containing common artifacts observed in infostealers
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\SubDir\updale.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\SubDir\updale.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\SubDir\updale.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\SubDir\updale.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\SubDir\updale.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\SubDir\updale.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\SubDir\updale.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\SubDir\updale.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\SubDir\updale.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\SubDir\updale.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\updale.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\updale.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\updale.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\updale.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\updale.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\updale.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\updale.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\updale.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\SubDir | C:\Windows\system32\SubDir\updale.exe | N/A |
| File opened for modification | C:\Windows\system32\SubDir\updale.exe | C:\Windows\system32\SubDir\updale.exe | N/A |
| File opened for modification | C:\Windows\system32\SubDir | C:\Windows\system32\SubDir\updale.exe | N/A |
| File opened for modification | C:\Windows\system32\SubDir\updale.exe | C:\Windows\system32\SubDir\updale.exe | N/A |
| File opened for modification | C:\Windows\system32\SubDir | C:\Windows\system32\SubDir\updale.exe | N/A |
| File opened for modification | C:\Windows\system32\SubDir\updale.exe | C:\Windows\system32\SubDir\updale.exe | N/A |
| File opened for modification | C:\Windows\system32\SubDir\updale.exe | C:\Windows\system32\SubDir\updale.exe | N/A |
| File opened for modification | C:\Windows\system32\SubDir | C:\Windows\system32\SubDir\updale.exe | N/A |
| File opened for modification | C:\Windows\system32\SubDir\updale.exe | C:\Windows\system32\SubDir\updale.exe | N/A |
| File opened for modification | C:\Windows\system32\SubDir | C:\Windows\system32\SubDir\updale.exe | N/A |
| File opened for modification | C:\Windows\system32\SubDir | C:\Windows\system32\SubDir\updale.exe | N/A |
| File opened for modification | C:\Windows\system32\SubDir\updale.exe | C:\Windows\system32\SubDir\updale.exe | N/A |
| File created | C:\Windows\system32\SubDir\updale.exe | C:\Users\Admin\AppData\Local\Temp\a5473ea4c4ef75c217e0d252d1c7d235b781a75810b7e731a97ed78b45646840.exe | N/A |
| File opened for modification | C:\Windows\system32\SubDir\updale.exe | C:\Users\Admin\AppData\Local\Temp\a5473ea4c4ef75c217e0d252d1c7d235b781a75810b7e731a97ed78b45646840.exe | N/A |
| File opened for modification | C:\Windows\system32\SubDir\updale.exe | C:\Windows\system32\SubDir\updale.exe | N/A |
| File opened for modification | C:\Windows\system32\SubDir\updale.exe | C:\Windows\system32\SubDir\updale.exe | N/A |
| File opened for modification | C:\Windows\system32\SubDir | C:\Users\Admin\AppData\Local\Temp\a5473ea4c4ef75c217e0d252d1c7d235b781a75810b7e731a97ed78b45646840.exe | N/A |
| File opened for modification | C:\Windows\system32\SubDir | C:\Windows\system32\SubDir\updale.exe | N/A |
| File opened for modification | C:\Windows\system32\SubDir | C:\Windows\system32\SubDir\updale.exe | N/A |
| File opened for modification | C:\Windows\system32\SubDir\updale.exe | C:\Windows\system32\SubDir\updale.exe | N/A |
| File opened for modification | C:\Windows\system32\SubDir | C:\Windows\system32\SubDir\updale.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a5473ea4c4ef75c217e0d252d1c7d235b781a75810b7e731a97ed78b45646840.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\SubDir\updale.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\SubDir\updale.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\SubDir\updale.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\SubDir\updale.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\SubDir\updale.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\SubDir\updale.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\SubDir\updale.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\SubDir\updale.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\SubDir\updale.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\SubDir\updale.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\updale.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\updale.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\updale.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\updale.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\updale.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\updale.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\updale.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\updale.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\SubDir\updale.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\updale.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\updale.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\updale.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\updale.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\updale.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\updale.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\updale.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\updale.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\SubDir\updale.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a5473ea4c4ef75c217e0d252d1c7d235b781a75810b7e731a97ed78b45646840.exe
"C:\Users\Admin\AppData\Local\Temp\a5473ea4c4ef75c217e0d252d1c7d235b781a75810b7e731a97ed78b45646840.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "windows av startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\updale.exe" /rl HIGHEST /f
C:\Windows\system32\SubDir\updale.exe
"C:\Windows\system32\SubDir\updale.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "windows av startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\updale.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xK5IXmAI0nhk.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\updale.exe
"C:\Windows\system32\SubDir\updale.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "windows av startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\updale.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YPbj0KkQcXpn.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\updale.exe
"C:\Windows\system32\SubDir\updale.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "windows av startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\updale.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IQkt8k3VOfC0.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\updale.exe
"C:\Windows\system32\SubDir\updale.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "windows av startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\updale.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\f8wx7D9c1kSl.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8
C:\Windows\system32\SubDir\updale.exe
"C:\Windows\system32\SubDir\updale.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "windows av startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\updale.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QNildA48LLlK.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\updale.exe
"C:\Windows\system32\SubDir\updale.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "windows av startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\updale.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\izDBbXvyE7LL.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\updale.exe
"C:\Windows\system32\SubDir\updale.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "windows av startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\updale.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XIVG8GaKznld.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\updale.exe
"C:\Windows\system32\SubDir\updale.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "windows av startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\updale.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QYCNAobkF9rt.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\updale.exe
"C:\Windows\system32\SubDir\updale.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "windows av startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\updale.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3wiimGlo7pti.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\updale.exe
"C:\Windows\system32\SubDir\updale.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "windows av startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\updale.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\E6YNydK52xxW.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\updale.exe
"C:\Windows\system32\SubDir\updale.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "windows av startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\updale.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\58BtiZXzhvMU.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\updale.exe
"C:\Windows\system32\SubDir\updale.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "windows av startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\updale.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VMPsimu5AS0Y.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\updale.exe
"C:\Windows\system32\SubDir\updale.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "windows av startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\updale.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | funlink.ddns.net | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | funlink.ddns.net | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | funlink.ddns.net | udp |
| US | 13.107.253.64:443 | tcp | |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 216.58.212.202:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 216.239.32.29:80 | pki.goog | tcp |
| US | 8.8.8.8:53 | funlink.ddns.net | udp |
| US | 8.8.8.8:53 | 202.212.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.32.239.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | funlink.ddns.net | udp |
| US | 8.8.8.8:53 | funlink.ddns.net | udp |
| US | 8.8.8.8:53 | funlink.ddns.net | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 37.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | funlink.ddns.net | udp |
| US | 8.8.8.8:53 | funlink.ddns.net | udp |
| US | 8.8.8.8:53 | funlink.ddns.net | udp |
| US | 8.8.8.8:53 | funlink.ddns.net | udp |
| US | 8.8.8.8:53 | funlink.ddns.net | udp |
| US | 8.8.8.8:53 | 91.16.208.104.in-addr.arpa | udp |
Files
memory/4160-0-0x0000000000390000-0x00000000006B4000-memory.dmp
memory/4160-1-0x00007FFCE8BB0000-0x00007FFCE9671000-memory.dmp
memory/4160-2-0x000000001B320000-0x000000001B330000-memory.dmp
C:\Windows\System32\SubDir\updale.exe
| MD5 | 2c1fba8d6624adf6c582fb2d5fb43b28 |
| SHA1 | bd45ee984e9476d604824f83c6cf6111a9db2467 |
| SHA256 | a5473ea4c4ef75c217e0d252d1c7d235b781a75810b7e731a97ed78b45646840 |
| SHA512 | cc85b5f1c2765c49f34c236634dcbfdfd6cc62e0b954b74c12b0d89dc29044dff88a9840e5c02a39e140564283074c78359dd70dfc7f426daefb75f195f14e19 |
memory/4160-10-0x00007FFCE8BB0000-0x00007FFCE9671000-memory.dmp
memory/1976-9-0x00007FFCE8BB0000-0x00007FFCE9671000-memory.dmp
memory/1976-11-0x0000000000F10000-0x0000000000F20000-memory.dmp
memory/1976-12-0x000000001BF30000-0x000000001BF80000-memory.dmp
memory/1976-13-0x000000001C040000-0x000000001C0F2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xK5IXmAI0nhk.bat
| MD5 | 9f8f12d4c0ef25b2858fa300b368d415 |
| SHA1 | 1fc67dfbce03cbc945713bb791417040d32368dc |
| SHA256 | 65b89c7a10cc18cab7b9b77ac2f176e72826ca6fbaa3ddd3f5d49ccaf0c5ef29 |
| SHA512 | 1fb950f3dcd75c9fba2829389a19926e7a11f198a384ac8b1c61c16fa2b22b5ec1c0b527f6a24f1e89aac0404c0226fdf38a59eca7dc0f5e469ae32c8f09ae38 |
memory/1976-18-0x00007FFCE8BB0000-0x00007FFCE9671000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\updale.exe.log
| MD5 | 8f0271a63446aef01cf2bfc7b7c7976b |
| SHA1 | b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7 |
| SHA256 | da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c |
| SHA512 | 78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5 |
memory/4060-22-0x00007FFCE8510000-0x00007FFCE8FD1000-memory.dmp
memory/4060-23-0x000000001B150000-0x000000001B160000-memory.dmp
memory/4060-28-0x00007FFCE8510000-0x00007FFCE8FD1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\YPbj0KkQcXpn.bat
| MD5 | f053d5cd9363fc27a8cd2f8dd6292cb0 |
| SHA1 | 24a3e5b04ca09d26aa040a600b564241ce3354be |
| SHA256 | a553e83f8cc405564f9c5c83d12828128b5660fcb4c763dc23dd705cece681ad |
| SHA512 | 542de4a84df9ffc29644c3f5a64e26b78abb88cab716c7b077c15c81c1eb1e22a3a1feb71af33ba20df425f8ca5c9c6f148097dcd4743582f490ecd68f411ced |
memory/4448-30-0x00007FFCE8310000-0x00007FFCE8DD1000-memory.dmp
memory/4448-31-0x000000001BFC0000-0x000000001BFD0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IQkt8k3VOfC0.bat
| MD5 | ca0c3ea3a67b1b5906fb18619fdde961 |
| SHA1 | 51904135b9e6dfc277bf7d984507ad336c9f3492 |
| SHA256 | 9544011bf611cd1d0ef31162172999a2394749b581e02f0dbaf755a3c576270c |
| SHA512 | ceb43d13f2912c45bc4ed7dcbbea9fed65d0f31c7d2330fb6127176f5fa295d79df37cdd56a13f5cc2db15333e855ded2e0cb8d4aafdee40db66da1dac46394e |
memory/4448-36-0x00007FFCE8310000-0x00007FFCE8DD1000-memory.dmp
memory/2812-38-0x00007FFCE82A0000-0x00007FFCE8D61000-memory.dmp
memory/2812-39-0x000000001B330000-0x000000001B340000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\f8wx7D9c1kSl.bat
| MD5 | 205ee1c88d269cb92a407b9ecb06ef19 |
| SHA1 | cffb195a20a5f5cdd4cb5deb3cb68f4ba7056ac8 |
| SHA256 | 94216dde4b6c835ed3c513dafff90bc7609d4f00ba94f1e94b27dbfb20be6843 |
| SHA512 | c27cf1bb9c62765ab23fecf76f63e82bac93211db2d2f6f36db7f06036a8c44697069035f99fa15d1772bb1644a91e98af23d7c132e59e51e2d5186c950a3353 |
memory/2812-44-0x00007FFCE82A0000-0x00007FFCE8D61000-memory.dmp
memory/2900-46-0x00007FFCE82A0000-0x00007FFCE8D61000-memory.dmp
memory/2900-47-0x000000001B240000-0x000000001B250000-memory.dmp
memory/2900-51-0x00007FFCE82A0000-0x00007FFCE8D61000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\QNildA48LLlK.bat
| MD5 | 1e6c3051448dc298c07496b5d55aa116 |
| SHA1 | b11e2193bcf20668e18c48e886c3e65382d70460 |
| SHA256 | 59bc9c88d705098800056136a31273e2aeed2dc81098c3c5c4057f9eff25b113 |
| SHA512 | ff8462cf8fbf67ea65622bded0ef04e918af8cc64a524eb78cbdfbcf134c9db97e589334123a1fabc41299a23ff712d3f94acaf596bc7e48571544c46a721c14 |
memory/332-54-0x00007FFCE82A0000-0x00007FFCE8D61000-memory.dmp
memory/332-55-0x000000001B6A0000-0x000000001B6B0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\izDBbXvyE7LL.bat
| MD5 | 7bd44bb588c75a8af10b2b245002d614 |
| SHA1 | 6b31f8be1387a83e51bab68cbc45b264af2db008 |
| SHA256 | 085e2ab320888fc3d7797222d92da2edd72ff27838499c2b28821ac54842ed20 |
| SHA512 | d95fb6f887e0c9eaf79bad655afce56dd3416b1bb3499a8ff79f90231d9c5d385320f16cc6a3475d03f071d3de7069bc672d3df5ba8d84071a60278010c4cb56 |
memory/332-60-0x00007FFCE82A0000-0x00007FFCE8D61000-memory.dmp
memory/5040-62-0x00007FFCE82A0000-0x00007FFCE8D61000-memory.dmp
memory/5040-63-0x0000000002A10000-0x0000000002A20000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XIVG8GaKznld.bat
| MD5 | 6227fe36beeac7ee3c6da0a7da4a585a |
| SHA1 | 084c345270dee101380181eea5b0197e78901880 |
| SHA256 | 12140416d152620b1d9608bfc09b2546f641d91dd43662f167324e469b4a8854 |
| SHA512 | f5f961b1fb9c6d2eb086d5e4b1f8959fe6530b5a77998d6c0e423e155de3b386afe0892ec76b55fb9d985db4ad57b2d84f7f3f8c3b04c2defc11ae67d138a969 |
memory/5040-68-0x00007FFCE82A0000-0x00007FFCE8D61000-memory.dmp
memory/1452-70-0x00007FFCE8310000-0x00007FFCE8DD1000-memory.dmp
memory/1452-71-0x000000001B5B0000-0x000000001B5C0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\QYCNAobkF9rt.bat
| MD5 | 7e53c7a663729b0e590ced6683381975 |
| SHA1 | 3435559413abddc9ec777fb10e2ba3bb0cceb5b0 |
| SHA256 | 531ccba7ba0f18b8eb867ac3e0c64c6c28415f924dc40c30435eb5075f3d5e04 |
| SHA512 | 751a3f9de84fe9c9eaeff51e5172471750d7530de713f76293987d301a6571f4121ed77ab58ee3ba677491b5438e6f3d89dc58aae35579c57249ed48f09ab7d5 |
memory/1452-76-0x00007FFCE8310000-0x00007FFCE8DD1000-memory.dmp
memory/4500-78-0x00007FFCE83C0000-0x00007FFCE8E81000-memory.dmp
memory/4500-79-0x000000001B5B0000-0x000000001B5C0000-memory.dmp
memory/4500-84-0x00007FFCE83C0000-0x00007FFCE8E81000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3wiimGlo7pti.bat
| MD5 | 6513736a392e8133f9a8c307dfb35994 |
| SHA1 | b570f042c8b7a5d6d84f012ae47604f8cff039c9 |
| SHA256 | 73292d5767034cc3fe2b3f755ba342456aa2329352da2ac80a2a5af724d8f6dd |
| SHA512 | 410d229ea294b35310fe979bb3a5fd07c6d9501bc3013320a147095710c4b80adc3d09817fb17fa1c09cd76d1f93dd2ed343f6089023f2900fb3f1657540195c |
memory/3852-86-0x00007FFCE8470000-0x00007FFCE8F31000-memory.dmp
memory/3852-87-0x000000001B260000-0x000000001B270000-memory.dmp
memory/3852-92-0x00007FFCE8470000-0x00007FFCE8F31000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\E6YNydK52xxW.bat
| MD5 | 767a73717b767d126aef804c081e8001 |
| SHA1 | aae0d04bae666e6fd744a3cbb3b274eb6ab1b617 |
| SHA256 | b2c10589e70b9bce94e896a1da4d563a9aa8187c81747893352c3f2c80300dd9 |
| SHA512 | 97f6836ee2b09109ad18b7d0fcb429ff02764231044f893fee4a8e7f3e6f1a06efe071c5df7129dee00720c91e4ebfb71e91cba9aa0eb3a7343ffb9a908cefc8 |
memory/5036-94-0x00007FFCE8470000-0x00007FFCE8F31000-memory.dmp
memory/5036-95-0x000000001B570000-0x000000001B580000-memory.dmp
memory/5036-100-0x00007FFCE8470000-0x00007FFCE8F31000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\58BtiZXzhvMU.bat
| MD5 | cdc34f9e1c8e4ed7d4e79c16a668a7fe |
| SHA1 | 81da8d2d9690b609c7572b105dc79ff0c82649ff |
| SHA256 | e33e933200b99beb8e35dff9e9f48e5ad6b4f670859a0dd32a2d6564f07485d7 |
| SHA512 | 93d0d16d5410fbe9e0ad2ce2844541ded074e7076a61f212d82130b32a4239e196d1ad01000743299f59c924a967d4eaacb89f503bc3b5f84883dd8d28c08064 |
memory/2836-103-0x0000000002650000-0x0000000002660000-memory.dmp
memory/2836-102-0x00007FFCE8470000-0x00007FFCE8F31000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\VMPsimu5AS0Y.bat
| MD5 | b69dd002df7747b5830b78e4877ef3ae |
| SHA1 | e7b1acee87288e03ae1d88c6ec08f4f6ddf2edb5 |
| SHA256 | 095cfe4c4c23ea4b0873c7d8fed40c2ee0b0ca87119598e49c46072994780087 |
| SHA512 | 0fe26e37fbcb1adfe599a34ca422e1e3ec27d5b0e55ec910066ef765b41202a5e2bad5055a96fd7129c0a66ff6b56756fbcb025dc4f18894c86b0626e0701e26 |
memory/2836-108-0x00007FFCE8470000-0x00007FFCE8F31000-memory.dmp
C:\Windows\System32\SubDir\updale.exe
| MD5 | 515d2436af5cbc584fa72057b3b11670 |
| SHA1 | 12023633d83992a250a4abdb5665b6cb0dd5d7b2 |
| SHA256 | 57e5ab552287e3b9458cae779275afda0e6fb082b8a52b561584aa7bc89b5906 |
| SHA512 | ab0d6ec4467325818552ac9c1cb5daf4cabf642e55a0a5a2624f62f4ac7a928651961f39b4c5a7d02662e5ab913a0cc4462cd40191e32be6b7a0676c534c2ff7 |