Malware Analysis Report

2024-08-06 11:49

Sample ID 240609-b6c7gsbg4y
Target Fortnite.exe
SHA256 1dc08cd07a32da62aba3f31a61c0f906a2bb96f488178db94dd644e14da2189a
Tags
quasar doner spyware trojan
score
10/10

Analysis Overview

score
10/10

SHA256

1dc08cd07a32da62aba3f31a61c0f906a2bb96f488178db94dd644e14da2189a

Threat Level: Known bad

The file Fortnite.exe was found to be: Known bad.

Malicious Activity Summary

quasar doner spyware trojan

Quasar RAT

Quasar family

Quasar payload

Checks computer location settings

Executes dropped EXE

Enumerates physical storage devices

Unsigned PE

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Runs ping.exe

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-09 01:45

Signatures

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-09 01:45

Reported

2024-06-09 01:47

Platform

win7-20231129-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Fortnite.exe"

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2240 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\Fortnite.exe C:\Windows\system32\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Fortnite.exe

"C:\Users\Admin\AppData\Local\Temp\Fortnite.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c color B1

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-09 01:45

Reported

2024-06-09 01:47

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Fortnite.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Proton\Proton.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fortnite.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\ProgramData\Microsoft\Proton\ProtonsVPN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Proton\Proton.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Proton\Proton.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4812 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\Fortnite.exe C:\Windows\system32\cmd.exe
PID 4812 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Local\Temp\Fortnite.exe C:\Windows\system32\cmd.exe
PID 3748 wrote to memory of 916 N/A C:\Windows\system32\cmd.exe C:\ProgramData\Microsoft\Proton\ProtonsVPN.exe
PID 4812 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\Fortnite.exe C:\Windows\system32\cmd.exe
PID 916 wrote to memory of 4868 N/A C:\ProgramData\Microsoft\Proton\ProtonsVPN.exe C:\Windows\SYSTEM32\schtasks.exe
PID 916 wrote to memory of 5012 N/A C:\ProgramData\Microsoft\Proton\ProtonsVPN.exe C:\Users\Admin\AppData\Roaming\Proton\Proton.exe
PID 5012 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Roaming\Proton\Proton.exe C:\Windows\SYSTEM32\schtasks.exe
PID 5012 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Roaming\Proton\Proton.exe C:\Windows\system32\cmd.exe
PID 1016 wrote to memory of 4292 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1016 wrote to memory of 2400 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 1016 wrote to memory of 2980 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\Proton\Proton.exe
PID 2980 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Roaming\Proton\Proton.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2980 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Roaming\Proton\Proton.exe C:\Windows\system32\cmd.exe
PID 2412 wrote to memory of 4024 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2412 wrote to memory of 2496 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2412 wrote to memory of 864 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\Proton\Proton.exe
PID 864 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Roaming\Proton\Proton.exe C:\Windows\SYSTEM32\schtasks.exe
PID 864 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Roaming\Proton\Proton.exe C:\Windows\system32\cmd.exe
PID 4368 wrote to memory of 4716 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 4368 wrote to memory of 2488 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 4368 wrote to memory of 4620 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\Proton\Proton.exe
PID 4620 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Roaming\Proton\Proton.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4620 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Roaming\Proton\Proton.exe C:\Windows\system32\cmd.exe
PID 3236 wrote to memory of 2028 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3236 wrote to memory of 2492 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 3236 wrote to memory of 2328 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\Proton\Proton.exe
PID 2328 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Roaming\Proton\Proton.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2328 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Roaming\Proton\Proton.exe C:\Windows\system32\cmd.exe
PID 3960 wrote to memory of 1264 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3960 wrote to memory of 4424 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 3960 wrote to memory of 4176 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\Proton\Proton.exe
PID 4176 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Roaming\Proton\Proton.exe C:\Windows\SYSTEM32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Fortnite.exe

"C:\Users\Admin\AppData\Local\Temp\Fortnite.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c color B1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start C:\ProgramData\Microsoft\Proton\ProtonsVPN.exe

C:\ProgramData\Microsoft\Proton\ProtonsVPN.exe

C:\ProgramData\Microsoft\Proton\ProtonsVPN.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pause

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Proton VPN" /sc ONLOGON /tr "C:\ProgramData\Microsoft\Proton\ProtonsVPN.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\Proton\Proton.exe

"C:\Users\Admin\AppData\Roaming\Proton\Proton.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Proton VPN" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Proton\Proton.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NXVlP9PXvAbS.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\Proton\Proton.exe

"C:\Users\Admin\AppData\Roaming\Proton\Proton.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Proton VPN" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Proton\Proton.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fQ5VWeo9nkhJ.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\Proton\Proton.exe

"C:\Users\Admin\AppData\Roaming\Proton\Proton.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Proton VPN" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Proton\Proton.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sgDDZvecuXci.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\Proton\Proton.exe

"C:\Users\Admin\AppData\Roaming\Proton\Proton.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Proton VPN" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Proton\Proton.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qdsv6TZN41pI.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\Proton\Proton.exe

"C:\Users\Admin\AppData\Roaming\Proton\Proton.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Proton VPN" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Proton\Proton.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9VbDvRRNPew7.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\Proton\Proton.exe

"C:\Users\Admin\AppData\Roaming\Proton\Proton.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Proton VPN" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Proton\Proton.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aDKomAyBSXIV.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\Proton\Proton.exe

"C:\Users\Admin\AppData\Roaming\Proton\Proton.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Proton VPN" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Proton\Proton.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6G1vUZ0TyJ7m.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\Proton\Proton.exe

"C:\Users\Admin\AppData\Roaming\Proton\Proton.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Proton VPN" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Proton\Proton.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ESh1fPQsIHmm.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\Proton\Proton.exe

"C:\Users\Admin\AppData\Roaming\Proton\Proton.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Proton VPN" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Proton\Proton.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hcNxujDqX3h1.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\Proton\Proton.exe

"C:\Users\Admin\AppData\Roaming\Proton\Proton.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Proton VPN" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Proton\Proton.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ycinND1SmHvv.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\Proton\Proton.exe

"C:\Users\Admin\AppData\Roaming\Proton\Proton.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Proton VPN" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Proton\Proton.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ajOetqFVZH0r.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\Proton\Proton.exe

"C:\Users\Admin\AppData\Roaming\Proton\Proton.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Proton VPN" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Proton\Proton.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bhSoIntoQYB6.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\Proton\Proton.exe

"C:\Users\Admin\AppData\Roaming\Proton\Proton.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Proton VPN" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Proton\Proton.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JivHqkpy12jV.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\Proton\Proton.exe

"C:\Users\Admin\AppData\Roaming\Proton\Proton.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Proton VPN" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Proton\Proton.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5XPwRdkuWB3L.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

Network

Country Destination Domain Proto
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 hoposor.duckdns.org udp
US 8.8.8.8:53 hoposor.duckdns.org udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 hoposor.duckdns.org udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 hoposor.duckdns.org udp
US 8.8.8.8:53 hoposor.duckdns.org udp
US 8.8.8.8:53 hoposor.duckdns.org udp
US 8.8.8.8:53 hoposor.duckdns.org udp
US 8.8.8.8:53 hoposor.duckdns.org udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 hoposor.duckdns.org udp
US 8.8.8.8:53 hoposor.duckdns.org udp
US 8.8.8.8:53 hoposor.duckdns.org udp
US 8.8.8.8:53 hoposor.duckdns.org udp
US 8.8.8.8:53 hoposor.duckdns.org udp
US 8.8.8.8:53 hoposor.duckdns.org udp

Files

C:\ProgramData\Microsoft\Proton\ProtonsVPN.exe

MD5 b0b36e8c58ba04c00fc4f4a1a95b7adf
SHA1 03d53a79e2e500023a8d5ea016f47dfcc5aabf5f
SHA256 eef28529ab73a3b99804de2c9f2218b77c8c5c94d0232c09e53c56e4a0252b7f
SHA512 80b0d523e586c42c91b502b69b4c190f1a5de70c775c479406dad497a587f8e5c40c0d596985d8074bca7afd37a810538a9c3c068dabc286a4f2f0c073bf5abf

C:\Users\Admin\AppData\Local\Temp\NXVlP9PXvAbS.bat

MD5 433618715bb0483d330c487844ba3972
SHA1 93b45759388a64d4c78f47d4786c179a43090dad
SHA256 5ed6294ecc29cc3bc36b278ce04ec34c3b02efb40f0285a8796e70bf083cee77
SHA512 4cb63694bc9b5935ceb0b5195c9c1d11c026c2e1f30484ea1ee8b38433e6607d3c4b2bf3c959a6e4ac44247bd21500a749f2aa7d54be2d735094aa5c3c0dbe3c

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Proton.exe.log

MD5 8f0271a63446aef01cf2bfc7b7c7976b
SHA1 b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7
SHA256 da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c
SHA512 78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

C:\Users\Admin\AppData\Local\Temp\fQ5VWeo9nkhJ.bat

MD5 a76813aeffebd151c5595870fdb67d67
SHA1 53fb686b57e7e2eb981312cfff0dc40c8f593a52
SHA256 5fd57ac2c177949b95c77dbb1c630027f6be48049620934ce02ec213743789f9
SHA512 1cfd218c6c651fce0f7ac0c92728feb9fcf82c93a6ce0cf51f9d59e71c82b208aee2d4539890c8b81646cc538469ffc24be4bf9543dfdf22e27500b527ae8411

C:\Users\Admin\AppData\Local\Temp\sgDDZvecuXci.bat

MD5 a98fb1169523920037b8bb8338918660
SHA1 3a79cf8c66a0ce1a0278c92f13f5058b59919565
SHA256 4b143c092f489998357d5ce67088b7d8a254c8b148f97dcd3b60b7b2c5efa269
SHA512 e6a8d821f3066598bf02e75ffc79c7e69986b5ab868bb19a0e14a2d790b36e7f7d47261a720f54a414a6c3a85e5bc3693c2d1a818e630224c76dee03aeb40f54

C:\Users\Admin\AppData\Local\Temp\qdsv6TZN41pI.bat

MD5 59c74485e7b2d7c4d925a6d58131d0ec
SHA1 4dd15f50baba449220585ab5da8a850e25842314
SHA256 13e1533033645cf844fb65e5d4da3fbb8f5dff815b12aa9869343fec548a9063
SHA512 5a490262eca67e6bea36b9ee513e26619bfeff4639e2b0194322f75e7455c6b024cc62e516610ec1f1c31867490097967ee54ec6303cb81b2a545bf374271292

C:\Users\Admin\AppData\Local\Temp\9VbDvRRNPew7.bat

MD5 11ff06b00da0679e4d2a60ecda1ac401
SHA1 290863b139b7494ab029875082cf29520be570a3
SHA256 bca5773b003cd3a8b1c14d75994d33e0fa33676ea47de685259b7621921a91be
SHA512 c69dc4ac5eb7f896bbec7095d1b92a6cdc32c24a0f61981533c516c485bc9d8a9344f71d50c79de54d4cd160e357449734796ba7f92df057e1ce76092b0c58e0

C:\Users\Admin\AppData\Local\Temp\aDKomAyBSXIV.bat

MD5 b36a8e61bfb8612bd7977896a69a8687
SHA1 07d81a36362c9d7630754fd5a72ba6de453a1c48
SHA256 34c13218d907c4ff6fe64e7f377caa7da433fc9a3321ca0e9e0cfc3d651a069f
SHA512 26bb280e8d13f5700d5b21afdb3ee338502551957070f521c26492765f780f4b3e392e5a50fd09a52d270ff083f31454847e1786da86dd6c2210592ef3cdbc1b

C:\Users\Admin\AppData\Local\Temp\6G1vUZ0TyJ7m.bat

MD5 9a77bf6f39329a5fff1d65c0c075c135
SHA1 798cca649b31f24f161b6035e66e2a4c1b92ff7e
SHA256 578508f9937fad2f2e5f5d7b2b1a763680944148a1f11222dc154b6260bdaaf5
SHA512 2b8d3d717050fd67c95b085f839c43291d1fe30b09a00c85e31de31bba765b69ffba70a748e80271184df69498d850ff827b6a401f6382f7f847d89c86331c55

C:\Users\Admin\AppData\Local\Temp\ESh1fPQsIHmm.bat

MD5 f138f9058b5d1a773bebfdbc101de09f
SHA1 0fda7c471dd5847a86d3ab22989b07d051053315
SHA256 02d06642d8295d881107a72d672f79af336f9026cc30fcb784f748f62653cbdb
SHA512 3e9db2bf4165b5754cd1a4864469d5fa4db708295ea1d967b574c8a2ac0fa6579dd763b95d8a8d615344bcb6913d8746d73a82d5305c14df9549de4c73b34ef1

C:\Users\Admin\AppData\Local\Temp\hcNxujDqX3h1.bat

MD5 877329ebee1f373937d273f78b287822
SHA1 60dfc1d9c27db0a381ca6d2bd5a3a6f7c4b6431b
SHA256 c872807eb2978650075024a9cb37a8db05e66075e0c22cd93b3a25e16918547e
SHA512 f352e37089d74cd785dcb5ed26bb6d768fbdbfd9df496b8a42c0439174c241664f180bc9e04ee2d6fd24babf671fbb7d91b794d9ddbe728bc635631b573e3ae1

C:\Users\Admin\AppData\Local\Temp\ycinND1SmHvv.bat

MD5 b079d231e63ca438192d4f7d250a06e0
SHA1 356b94d31b3054f361faf4ecbce93251c25e1d7a
SHA256 7487fc085c71cb43e13cf1cfbab5a26efd928b56cec866cba0ecb31ec90c169d
SHA512 d85f997a0377da3c8a9ee07e7e136edec3fb6ba549f53fe844723e1a32df16616d3241d7379a05be9ec1a4a6173c4d5a5e7327b20ac5ae184de445f5add7482d

C:\Users\Admin\AppData\Local\Temp\ajOetqFVZH0r.bat

MD5 ae8c48889276c533cf4aa79162af10e3
SHA1 091ad2d85e1edb98ab98ef26efe301a8b601bac4
SHA256 95c0b975dde85282d258e3cd4259600bee30b3f4cd314a9f81ec6e75a7b124f6
SHA512 f667ee9f5d6c26e7a14d8ad903bfa8a1f64912598481195a0b92d35c6b1886afd2e9073dcaf2ed5b2d8536069f71e85c6e3929ff9172148acd5f455b90eaec2b

C:\Users\Admin\AppData\Local\Temp\bhSoIntoQYB6.bat

MD5 fbbd9ea26edce7746e2d8300a2bc3b11
SHA1 6d3b64f780abb47c20ac55643f6d0c4f6cbef0a5
SHA256 904f47157ff72a4e0dbdcf5be1cad09e8ac8e8f581f4efd3c92b711c30d56d54
SHA512 f3694d5962e34ebf891424542a2861d35b9facc31c57c8c913a94c03ab73e16b95b9cf929d6e0c447536e24c3fb92e80fd77eb0976dd8ece8578a7fc4e0db044

C:\Users\Admin\AppData\Local\Temp\JivHqkpy12jV.bat

MD5 29f59dd16af1178803426fe9e6cf69e7
SHA1 8db3ce61e7ab91d99e5d70a10c2b06a8438a7b99
SHA256 c0173c7ab1dfcd305f8d84bb75916634dcd1d8eab00ef016f93517006ee4cb28
SHA512 0c0856e75ba1681bf53c7ceac92a59a0459d1bb23d017b9bea4f2124c0602f32a809981583a8f62594c7c9e68c8121b6e5699fcdbe5abc4f711eb4d4577ca015

C:\Users\Admin\AppData\Local\Temp\5XPwRdkuWB3L.bat

MD5 9879516c06152a1d7f3db7c207ec9032
SHA1 1070ae7a32281e3e77d78753c2cc11750a58eaa5
SHA256 1afb912151811dd8021ef1c8e0fa95baa025c4f1c22122dcfb456798821d08b6
SHA512 41046c02861a5648fcf09503a2d995080cb7e35f2093dfddf127396dc292651a9c42cab6eeba8051cb1d78f5dbe18013b40a5869c7023f3230eacbb3532ae4ca