Malware Analysis Report

2024-08-06 11:20

Sample ID 240614-243x8stekp
Target Client-built.exe
SHA256 47f06153275d1f01d1d7410eb5917aead5a79660be5da59bf51f31698343c357
Tags
quasar school spyware trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

47f06153275d1f01d1d7410eb5917aead5a79660be5da59bf51f31698343c357

Threat Level: Known bad

The file Client-built.exe was found to be: Known bad.

Malicious Activity Summary

quasar school spyware trojan

Quasar family

Quasar RAT

Quasar payload

Checks computer location settings

Executes dropped EXE

Looks up external IP address via web service

Unsigned PE

Program crash

Enumerates physical storage devices

Runs ping.exe

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-14 23:09

Signatures

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 23:09

Reported

2024-06-14 23:11

Platform

win10-20240404-en

Max time kernel

133s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Client-built.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

Network

Country  Destination            Domain                             Proto
US       8.8.8.8:53             ip-api.com                         udp
US       208.95.112.1:80        ip-api.com                         tcp
US       8.8.8.8:53             0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa  udp
US       8.8.8.8:53             1.112.95.208.in-addr.arpa          udp
US       208.95.112.1:80        ip-api.com                         tcp
US       8.8.8.8:53             runderscore00-37568.portmap.host   udp
DE       193.161.193.99:37568   runderscore00-37568.portmap.host   tcp
US       8.8.8.8:53             99.193.161.193.in-addr.arpa        udp
US       8.8.8.8:53             23.236.111.52.in-addr.arpa         udp
US       8.8.8.8:53             7.173.189.20.in-addr.arpa          udp
US       8.8.8.8:53             249.197.17.2.in-addr.arpa          udp

Files

memory/2828-0-0x0000000073AAE000-0x0000000073AAF000-memory.dmp

memory/2828-1-0x00000000008D0000-0x000000000093C000-memory.dmp

memory/2828-2-0x00000000056A0000-0x0000000005B9E000-memory.dmp

memory/2828-3-0x0000000005240000-0x00000000052D2000-memory.dmp

memory/2828-4-0x0000000073AA0000-0x000000007418E000-memory.dmp

memory/2828-5-0x00000000052E0000-0x0000000005346000-memory.dmp

memory/2828-6-0x0000000005E00000-0x0000000005E12000-memory.dmp

memory/2828-7-0x00000000061F0000-0x000000000622E000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5 0c84b58a5322284269f3b86e648e1fc8
SHA1 6776c3963a64a3ace4caaff164669364356f72aa
SHA256 47f06153275d1f01d1d7410eb5917aead5a79660be5da59bf51f31698343c357
SHA512 02bc07552096f2b052e064ed2941cde5b70058066b614fa7374dbf7aa2177458a22d9746181b8f88e3468b252adf7e1aa1518ed9085ed78af5b736a02fa297d7

memory/2828-14-0x0000000073AA0000-0x000000007418E000-memory.dmp

memory/316-16-0x0000000073AA0000-0x000000007418E000-memory.dmp

memory/316-15-0x0000000073AA0000-0x000000007418E000-memory.dmp

memory/316-18-0x00000000066B0000-0x00000000066BA000-memory.dmp

memory/316-19-0x0000000073AA0000-0x000000007418E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 23:09

Reported

2024-06-14 23:11

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A api.ipify.org N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3988 wrote to memory of 428 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Windows\SysWOW64\schtasks.exe
PID 3988 wrote to memory of 428 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Windows\SysWOW64\schtasks.exe
PID 3988 wrote to memory of 428 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Windows\SysWOW64\schtasks.exe
PID 3988 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 3988 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 3988 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 4392 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\schtasks.exe
PID 4392 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\schtasks.exe
PID 4392 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\schtasks.exe
PID 4392 wrote to memory of 3816 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\cmd.exe
PID 4392 wrote to memory of 3816 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\cmd.exe
PID 4392 wrote to memory of 3816 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\cmd.exe
PID 3816 wrote to memory of 628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3816 wrote to memory of 628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3816 wrote to memory of 628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3816 wrote to memory of 3528 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3816 wrote to memory of 3528 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3816 wrote to memory of 3528 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3816 wrote to memory of 1288 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 3816 wrote to memory of 1288 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 3816 wrote to memory of 1288 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1288 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\schtasks.exe
PID 1288 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\schtasks.exe
PID 1288 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\schtasks.exe
PID 1288 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\cmd.exe
PID 1288 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\cmd.exe
PID 1288 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\cmd.exe
PID 4396 wrote to memory of 3520 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4396 wrote to memory of 3520 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4396 wrote to memory of 3520 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4396 wrote to memory of 3084 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4396 wrote to memory of 3084 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4396 wrote to memory of 3084 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4396 wrote to memory of 2124 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 4396 wrote to memory of 2124 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 4396 wrote to memory of 2124 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2124 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\schtasks.exe
PID 2124 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\schtasks.exe
PID 2124 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\schtasks.exe
PID 2124 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\cmd.exe
PID 2124 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\cmd.exe
PID 2124 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\cmd.exe
PID 4148 wrote to memory of 4428 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4148 wrote to memory of 4428 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4148 wrote to memory of 4428 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4148 wrote to memory of 2740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4148 wrote to memory of 2740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4148 wrote to memory of 2740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4148 wrote to memory of 1792 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 4148 wrote to memory of 1792 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 4148 wrote to memory of 1792 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1792 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\schtasks.exe
PID 1792 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\schtasks.exe
PID 1792 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\schtasks.exe
PID 1792 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\cmd.exe
PID 1792 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\cmd.exe
PID 1792 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\cmd.exe
PID 2644 wrote to memory of 4092 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2644 wrote to memory of 4092 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2644 wrote to memory of 4092 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2644 wrote to memory of 4548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2644 wrote to memory of 4548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2644 wrote to memory of 4548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2644 wrote to memory of 436 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Client-built.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Z6bb8NpEu7N4.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4392 -ip 4392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 1876

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lOLaBGlytncY.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1288 -ip 1288

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1288 -s 1640

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fUrhY7I56MfM.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2124 -ip 2124

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 1196

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zIcoCzW7N1ZK.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1792 -ip 1792

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1792 -s 2232

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3zta41gHJRvC.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 436 -ip 436

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 436 -s 2224

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zbISih8CuF9l.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5100 -ip 5100

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5100 -s 2200

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YWXv9OP6X9aq.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2668 -ip 2668

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 2224

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

Network

Country  Destination            Domain                             Proto
US       8.8.8.8:53             ip-api.com                         udp
US       8.8.8.8:53             freegeoip.net                      udp
US       8.8.8.8:53             api.ipify.org                      udp
US       8.8.8.8:53             runderscore00-37568.portmap.host   udp
US       8.8.8.8:53             ip-api.com                         udp
US       8.8.8.8:53             freegeoip.net                      udp
US       8.8.8.8:53             ip-api.com                         udp
US       8.8.8.8:53             freegeoip.net                      udp
US       8.8.8.8:53             ip-api.com                         udp
US       8.8.8.8:53             freegeoip.net                      udp
US       8.8.8.8:53             ip-api.com                         udp
US       8.8.8.8:53             freegeoip.net                      udp
US       8.8.8.8:53             ip-api.com                         udp

Files

memory/3988-0-0x0000000074B6E000-0x0000000074B6F000-memory.dmp

memory/3988-1-0x0000000000E70000-0x0000000000EDC000-memory.dmp

memory/3988-2-0x0000000005DF0000-0x0000000006394000-memory.dmp

memory/3988-3-0x0000000005940000-0x00000000059D2000-memory.dmp

memory/3988-4-0x0000000074B60000-0x0000000075310000-memory.dmp

memory/3988-5-0x00000000059E0000-0x0000000005A46000-memory.dmp

memory/3988-6-0x0000000006700000-0x0000000006712000-memory.dmp

memory/3988-7-0x0000000074B6E000-0x0000000074B6F000-memory.dmp

memory/3988-8-0x0000000074B60000-0x0000000075310000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5 0c84b58a5322284269f3b86e648e1fc8
SHA1 6776c3963a64a3ace4caaff164669364356f72aa
SHA256 47f06153275d1f01d1d7410eb5917aead5a79660be5da59bf51f31698343c357
SHA512 02bc07552096f2b052e064ed2941cde5b70058066b614fa7374dbf7aa2177458a22d9746181b8f88e3468b252adf7e1aa1518ed9085ed78af5b736a02fa297d7

memory/3988-15-0x0000000074B60000-0x0000000075310000-memory.dmp

memory/4392-16-0x0000000074B60000-0x0000000075310000-memory.dmp

memory/4392-17-0x0000000074B60000-0x0000000075310000-memory.dmp

memory/4392-19-0x0000000006A30000-0x0000000006A3A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Z6bb8NpEu7N4.bat

MD5 6e1d7c7c01a871fe366be36d6ccd4da9
SHA1 f5c89973ab55d60bdac514b222131a96f8717041
SHA256 459fcaab744da59e1146cd5a882504175cd3436379887e2ed65472278e65659f
SHA512 3f8f10e7e0df5d96c3144eac6d78f552f1a18291c5dbd30a920e697bd0e6f2aa070198bd164d865518c91a9965a75af7a22318a0e2a916420389f2d063be1c76

memory/4392-24-0x0000000074B60000-0x0000000075310000-memory.dmp

C:\Users\Admin\AppData\Roaming\Logs\06-14-2024

MD5 fcd807464f777066d2d507ba3b3b9599
SHA1 6f41959ca918b7d0e4ca5d91238ee9b5e99558ab
SHA256 cdc078f46c98624a568ec7d9445454c46a3b92b7b3ffe0ce4be71a56d7a5fabf
SHA512 a6a0d9108efbeba329e1df95670679e2839a3f73fe5feb977503b20778e7224b870c9a35d46eeaf9239f2d2e77418c0b57833ca39694dd0d52dc9d7e2718057b

C:\Users\Admin\AppData\Local\Temp\lOLaBGlytncY.bat

MD5 026b67eec628a1349c305307f52c875f
SHA1 3b7744cc61c5d2e4418b89fb24a46e6385e3711b
SHA256 2218e443f4382882840dd54a76ab7ff2e718f6e35076e9e1361241798abaec24
SHA512 8a3e08c5e7d8f3be76e7a5fc7c38d37d4d04c25c07f2cf712da2f90b1ef71ce27907ce78769e68d0539116967f7c6b38e2d2d7d482b5488d671b87bf2ae289b5

C:\Users\Admin\AppData\Roaming\Logs\06-14-2024

MD5 c1a1116dff4440ec66a98f6ecf97d37b
SHA1 7d211afdb595bd6e50cbb74025ac9a9cb15c5968
SHA256 0ecc1b1ef4b3eab639017491534c941f34ff9ed3337ae61fd479eb8db09fe90d
SHA512 a98789dcc7dd878444dbde2693ef833d2b2cdaf72669ff20188b64571ece442276e46afefbbf9af09f2d2d873a78fcc18d1b4568724a8fb54b3e22ee7d6b4d1f

C:\Users\Admin\AppData\Local\Temp\fUrhY7I56MfM.bat

MD5 8e2d5917b147f958417b38a555057059
SHA1 4576640c99e929c85fe3093c7c80320a6b0eb088
SHA256 af5f9cb6456f79789a58581a75e30381345ef088b319f5c95117eeba7e9ccb4e
SHA512 9f6ec71340251e16c67d7ecec5748e99391b79e20206e4a750874850b04657ea7398995c01e114f8254ef4b3e84df8962df8868c340e6b663308bb54323df641

C:\Users\Admin\AppData\Roaming\Logs\06-14-2024

MD5 0cb3da426c9dbb293d90293b99d9da43
SHA1 fb6f63271d29b7be2a1e6e5481cd597387102913
SHA256 c9dd4e67ae957325619da4ec7e2b947e9136ffb8a2bdd207248c158e8db08d98
SHA512 a67a6ae3b97f087169b2aac335193c4798c344e2e6d6908cbce44d8aa8e2aa106ebe3ebf0b1f72afd31cbc3b4005254d2b82df716c1c2dc8f46b395aeb17bbf7

C:\Users\Admin\AppData\Local\Temp\zIcoCzW7N1ZK.bat

MD5 95f9da8f726c1e91d4180a17ea72de76
SHA1 dc8169d2714f5b6d3ec650c5f709d3106ce47ed2
SHA256 acc800b41320b8d829fe1c13ddca384a818136e7b3690dca21776b3170d9a56a
SHA512 15e62d09c092cb307effcd275061ab571addf9bbface8f68d891cc8fbcf5ca526a28f86442333e3d6d0d1e9e29d5924aff109ce9b35b3bde79819585b98807d4

C:\Users\Admin\AppData\Roaming\Logs\06-14-2024

MD5 aa442f3bcbdfa89608dfab85766944d2
SHA1 06c0ee6cf38e55723a678790164afdf1794e9fd7
SHA256 dec2710fc403127666ef9233eef252ff63ffbfbe99482feb5a4a53e5479bcdeb
SHA512 da0d311368f8fc0bd354075a4d80e230da63449476daef612e378c855a6099d3d89594aa5d2fdb5ffa704cd9e6c9080e74fc7e0d208a361baab9dd4ddb4be3bd

C:\Users\Admin\AppData\Local\Temp\3zta41gHJRvC.bat

MD5 4c7d61a13be40e43e89a7e4c090e09c4
SHA1 5cffad8cfe7790da125d8cfd3c8ed6e1b8fdda4d
SHA256 6ebee5d2c67579a617787aad68066f8dd8502dee7173d1c826061c989aa92c82
SHA512 b0a9361881bf7505b48e15ae68776ac6c74fa6034efe33296cba164b5fda53a74bfd5421ee82a81f2b59b2289cca7496b36267171a1e7c0ed1a19518348e563a

C:\Users\Admin\AppData\Roaming\Logs\06-14-2024

MD5 738069f75dd4fdae981fe630f37ad338
SHA1 12f4e0055f62fe901419ecd85c5f7a8f3ee800fd
SHA256 cf84c8ee3733ad1f1d13654a924149ac8efc2d77d7f0dc57b1423396392a079c
SHA512 5e8002c2db7ed26329a6a0e864efee8ee73ae249c65d3ef99d87c7bdf7a6e7799a4ef65df3db739a7d83883ee7d1ef30ebc35e3e4c73607e5b41dc2def740399

C:\Users\Admin\AppData\Local\Temp\zbISih8CuF9l.bat

MD5 485e58b4315373c4f8c5e7d59541a210
SHA1 c83ecb0a52f587df491103f2fab6935bf19a3c29
SHA256 f284f1be59d0bd326a59f848198c6d03ef542f761c33228c18372702c0af31a0
SHA512 b1772be932c39e2709b9bb7865236f6e909d4be664bebd5f00855806aa583685632ce2f6e41761fefa9bf1a647f9e28b9f1d083ad82e33b50168f78d405545bd

C:\Users\Admin\AppData\Roaming\Logs\06-14-2024

MD5 95edbaa2806d8474622648301959a849
SHA1 4d62842287e436ef067b79a8abaab3f4e336694c
SHA256 956bce88ba0d59000bbba46e06e002f820932975817117d4ad792fedbe9efd41
SHA512 0b0b0c436775cbcb021dc7bbf6ed4219c8557c8f5a0f7f38e8c112163c3c75ef3e47056859c0e6af79d319835976504ec3f01b46d0a17636332b660b5694b1e8

C:\Users\Admin\AppData\Local\Temp\YWXv9OP6X9aq.bat

MD5 49b4a432a16c17c7d4455e3b148b4018
SHA1 73a70f8ef5b2ff73fd4714fdf925d3e45e10d7c8
SHA256 ef6a384570c0e0d7693098df91d957fe455da2c92ced1f854ad358e98427a372
SHA512 0ac4c5748419bf7e40ebc43481a5a0c5b8fe07e2b116ce6122fe2b5333589af0efcc2e89b077175426a989ca160fe1e9351a6c66e31fa24aed33873e89d81aca