Malware Analysis Report

2024-08-06 11:19

Sample ID 240614-256erazekh
Target Client-built.exe
SHA256 47f06153275d1f01d1d7410eb5917aead5a79660be5da59bf51f31698343c357
Tags
quasar school spyware trojan
score
10/10

Analysis Overview

score
10/10

SHA256

47f06153275d1f01d1d7410eb5917aead5a79660be5da59bf51f31698343c357

Threat Level: Known bad

The file Client-built.exe was found to be: Known bad.

Malicious Activity Summary

quasar school spyware trojan

Quasar payload

Quasar family

Quasar RAT

Executes dropped EXE

Checks computer location settings

Looks up external IP address via web service

Unsigned PE

Program crash

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-14 23:10

Signatures

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 23:10

Reported

2024-06-14 23:13

Platform

win10-20240404-en

Max time kernel

146s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target Count
N/A N/A N/A N/A 2

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Client-built.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 runderscore00-37568.portmap.host udp
DE 193.161.193.99:37568 runderscore00-37568.portmap.host tcp
US 8.8.8.8:53 99.193.161.193.in-addr.arpa udp
US 8.8.8.8:53 27.73.42.20.in-addr.arpa udp

Files

memory/512-0-0x00000000738FE000-0x00000000738FF000-memory.dmp

memory/512-1-0x0000000000BA0000-0x0000000000C0C000-memory.dmp

memory/512-2-0x0000000005A00000-0x0000000005EFE000-memory.dmp

memory/512-3-0x0000000005500000-0x0000000005592000-memory.dmp

memory/512-4-0x00000000738F0000-0x0000000073FDE000-memory.dmp

memory/512-5-0x0000000005460000-0x00000000054C6000-memory.dmp

memory/512-6-0x00000000059D0000-0x00000000059E2000-memory.dmp

memory/512-7-0x00000000064D0000-0x000000000650E000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5 0c84b58a5322284269f3b86e648e1fc8
SHA1 6776c3963a64a3ace4caaff164669364356f72aa
SHA256 47f06153275d1f01d1d7410eb5917aead5a79660be5da59bf51f31698343c357
SHA512 02bc07552096f2b052e064ed2941cde5b70058066b614fa7374dbf7aa2177458a22d9746181b8f88e3468b252adf7e1aa1518ed9085ed78af5b736a02fa297d7

memory/512-14-0x00000000738F0000-0x0000000073FDE000-memory.dmp

memory/1904-15-0x00000000738F0000-0x0000000073FDE000-memory.dmp

memory/1904-16-0x00000000738F0000-0x0000000073FDE000-memory.dmp

memory/1904-18-0x0000000006490000-0x000000000649A000-memory.dmp

memory/1904-19-0x00000000738F0000-0x0000000073FDE000-memory.dmp

memory/1904-20-0x00000000738F0000-0x0000000073FDE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 23:10

Reported

2024-06-14 23:13

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target Count
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A 8

Looks up external IP address via web service

Description Indicator Process Target Count
N/A ip-api.com N/A N/A 4
N/A api.ipify.org N/A N/A 1
N/A ip-api.com N/A N/A 2

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target Count
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe N/A 1
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A 9

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 4852 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Windows\SysWOW64\schtasks.exe 3
PID 4852 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe 3
PID 540 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\schtasks.exe 3
PID 540 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\cmd.exe 3
PID 2084 wrote to memory of 4232 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com 3
PID 2084 wrote to memory of 1988 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE 3
PID 2084 wrote to memory of 3000 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe 3
PID 3000 wrote to memory of 3672 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\schtasks.exe 3
PID 3000 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\cmd.exe 3
PID 4084 wrote to memory of 372 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com 3
PID 4084 wrote to memory of 4824 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE 3
PID 4084 wrote to memory of 3108 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe 3
PID 3108 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\schtasks.exe 3
PID 3108 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\cmd.exe 3
PID 4368 wrote to memory of 2680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com 3
PID 4368 wrote to memory of 232 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE 3
PID 4368 wrote to memory of 4732 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe 3
PID 4732 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\schtasks.exe 3
PID 4732 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\cmd.exe 3
PID 4608 wrote to memory of 2184 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com 3
PID 4608 wrote to memory of 2132 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE 3
PID 4608 wrote to memory of 3456 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe 1

Processes

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Client-built.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nWVNNhxOrHOY.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 540 -ip 540

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 1892

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ritNxtEkOTZf.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3000 -ip 3000

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3000 -s 2172

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\H67incDLjOMF.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3108 -ip 3108

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 2172

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HjbOjQWq9izs.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4732 -ip 4732

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4732 -s 2152

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IEU90FQfXxAd.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3456 -ip 3456

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3456 -s 2160

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Bp5IsCiHdxhI.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4700 -ip 4700

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4700 -s 2208

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kkKlItzBGq8N.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5016 -ip 5016

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 2224

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oRbWAvALBHVE.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5104 -ip 5104

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 1080

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 api.ipify.org udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 52.111.227.14:443 tcp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp

Files

memory/4852-0-0x0000000074DDE000-0x0000000074DDF000-memory.dmp

memory/4852-1-0x00000000003F0000-0x000000000045C000-memory.dmp

memory/4852-2-0x00000000054A0000-0x0000000005A44000-memory.dmp

memory/4852-3-0x0000000004EF0000-0x0000000004F82000-memory.dmp

memory/4852-4-0x0000000074DD0000-0x0000000075580000-memory.dmp

memory/4852-5-0x0000000004F90000-0x0000000004FF6000-memory.dmp

memory/4852-6-0x0000000005480000-0x0000000005492000-memory.dmp

memory/4852-7-0x0000000074DDE000-0x0000000074DDF000-memory.dmp

memory/4852-8-0x0000000074DD0000-0x0000000075580000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5 0c84b58a5322284269f3b86e648e1fc8
SHA1 6776c3963a64a3ace4caaff164669364356f72aa
SHA256 47f06153275d1f01d1d7410eb5917aead5a79660be5da59bf51f31698343c357
SHA512 02bc07552096f2b052e064ed2941cde5b70058066b614fa7374dbf7aa2177458a22d9746181b8f88e3468b252adf7e1aa1518ed9085ed78af5b736a02fa297d7

memory/4852-15-0x0000000074DD0000-0x0000000075580000-memory.dmp

memory/540-16-0x0000000074DD0000-0x0000000075580000-memory.dmp

memory/540-17-0x0000000074DD0000-0x0000000075580000-memory.dmp

memory/540-19-0x0000000006770000-0x000000000677A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nWVNNhxOrHOY.bat

MD5 b0542e576a6700654a92b98c4879905a
SHA1 7b3170b8b2041ad5ec3b0a2632f63b13e0d37169
SHA256 a2a52c955d566a47b55fee150dffd0be5dec481b256fa3e6789ca469448985ca
SHA512 2f8ea8a59fc288bc480fb7ce4a6d4287cda9ce981bcb6a995ed023191466c64cb0f96c4e34bb3a8598f7f715b7eb184573d1278c15f075169b1195dd678dedb5

memory/540-24-0x0000000074DD0000-0x0000000075580000-memory.dmp

C:\Users\Admin\AppData\Roaming\Logs\06-14-2024

MD5 9f4d4c269e0c0ea823fa6de412d3f6fc
SHA1 9410732b61b7548f1b7206caba44d3293b31dc76
SHA256 69b373180ddf1927300e2bb8dd920be41037fc1750836dbbb52d3667d5f5cf5a
SHA512 9033896a38b47cb625dc0acc86e393f831abe31cc1e721840c22296bf1c187637a21150a69685a07daa02277afc7013e00541a3395c2844ece7f2ea9f62658b8

C:\Users\Admin\AppData\Local\Temp\ritNxtEkOTZf.bat

MD5 13a7a4de870e51e04bdec1bded9a427f
SHA1 9e88daaff92c1fed3903d5e566b388effef4816d
SHA256 629bbe7e54d78e23cd78813fab6fbbe3f6f7d3639a23f7dc449a2615722b8e78
SHA512 eb29d8ea3ff05a04e58f9c2ca041d977cb11ae788d7421da32428ef113157c5c431fdfcb757e7646794232ed8ba9589bcd6ed7e6334eca22094eaec10b808f65

C:\Users\Admin\AppData\Roaming\Logs\06-14-2024

MD5 cab7663e6d49083bbceac838b3a453cf
SHA1 8df2ed6a5929eb1ae05e3d20ca7025fc47294d92
SHA256 4273985445cecfd140fdd2531a07b9e7bc5b23eb8fd100eb16cd8ff3eab6f3cb
SHA512 1f15d52ff4f68a092331d7255c4e4fe3a867065e2e43a04fd59ea4496bf4579620541120dedc577498d785a755c1d8d0600a7e2e614cba43a623d9519b34c885

C:\Users\Admin\AppData\Local\Temp\H67incDLjOMF.bat

MD5 31eb5f71438e9975e6dfe760ae737133
SHA1 d6b4460d6efd8dec50c4d8b70787792d43f3146d
SHA256 4f975c2ce3f0786fa46295b35d6ddfff88cd2d9f1a617c202e9de1bf1c778033
SHA512 a3b9893a653214bec5590f198830bfba888a4df5fc0a7d810bb6439e9f7e7e4f2a3877d44d2d66ac93597d10bcba043d4de4fdef8a9f2579d95ff6a0c3d4d49b

C:\Users\Admin\AppData\Roaming\Logs\06-14-2024

MD5 872c29ad3417aa0b9a6ee0c2e402a630
SHA1 6f857236077696a1b67a2674f87d28a9054a4f65
SHA256 60efa53a127815968c4f204fd6082a349942861687819b510e4acc9762e9264f
SHA512 49d5ec24e43271f053695909ec8eb598adef78683c230da142567951d39d9f11f8940ce2698ebde8411a0bede147191453306dc3f391b124534712007243dd66

C:\Users\Admin\AppData\Local\Temp\HjbOjQWq9izs.bat

MD5 dec0be3405bd189b7914ea2304dcc5d2
SHA1 23bbad744da8b01cdd5efcb357245f91935a31cb
SHA256 93cb087000509f5b08cc2352985ab912f0791e7a3aef3a850e4b2bd337168a2e
SHA512 90bb3b8f61cf58377801c17ccbb34aff07329f3d508b46afe24e36a9e9cf13aee040a166ed85d885c23079d54323bdf8d9b455de0860c02bc8aca6515512e6cd

C:\Users\Admin\AppData\Roaming\Logs\06-14-2024

MD5 bb865d45c32ba77c2f769143436ee8a0
SHA1 ede12286d96a1550b281e9cbe410799442ae0849
SHA256 cc803e178acbb7b3b6530ce785a4fad0a251dea43c49ec77c2a82fb712570ca1
SHA512 3c7ec941ff900795eef193d72577822cda80701a646c04b13b6251b7e0491132e683084b3089942c930350461019186431c34c18bde142613077035d22882614

C:\Users\Admin\AppData\Local\Temp\IEU90FQfXxAd.bat

MD5 e0a269596485f8743f95821598e0005d
SHA1 6957e3726f234984027efa0ca26678e638ca81be
SHA256 4d35b7b36d931f70c46ec68856efbbe25cf9ea82c2914e0fba5fbe3c5da4ec9d
SHA512 ed6e49f251f43bc29c87e7e74c5ce4ee20daccf6b2202649daa34904a6fb57008f523866d036b10fb89b0890796d336bc0d079df8dc3011c04fcde03db9b9bd7

C:\Users\Admin\AppData\Roaming\Logs\06-14-2024

MD5 d16f73ab9a4ab5e50d07cb530715939b
SHA1 0dd5cca02d566e0308e8d79a94a23ec83ff43756
SHA256 2ec737397554648623047241349601cf4d560326284c82585195585ffe0db634
SHA512 2afff21702f41104c432fd095f9a7c4b84c2fcef91abf9ccdc50c6b5a01ee8ede420fbe8c413b8c353c1818bcfb7f509f1388bcd31335a2af4da4fe17c9c39b7

C:\Users\Admin\AppData\Local\Temp\Bp5IsCiHdxhI.bat

MD5 3e54dc7ef5a34f42efd3faf3a69ba693
SHA1 c2607b2f395aa22fc5c2fc00bf6234fb015bf7ca
SHA256 b7f539b810f991bdf1e37144dbfd74def29ba9e7744f4aaec67f492a41267e41
SHA512 d896f062add8fb0c01f7b25c7599ad5b390a53951988056968752f1020815b6b3e09ed47814dd24b5c86067cd16b0f819984331ff0ec3810a628b4cf2ca6c543

C:\Users\Admin\AppData\Roaming\Logs\06-14-2024

MD5 3fd053dd8c0232b5461f857ca5302de5
SHA1 46d3e2eae6fd3a562eef0cba979817fabca4a939
SHA256 3ff91b469942060b7de5e587ae402101be7287047b8a0d0d06562f6cf368854b
SHA512 60f3c7b8d87699ce65e6b419dc9aee71847d542333e7f5431702d48ee5da763282576d843daf512ae978460defd642d49660136dfc302ca7c828cdce04c32370

C:\Users\Admin\AppData\Local\Temp\kkKlItzBGq8N.bat

MD5 4d5cedcdfbbcd4db1322929aed6b7fce
SHA1 0cc25b9190e09f6bdc1ed80d49e10e9a7ea4a3e2
SHA256 c938e5704eb1c219ae21b80ed8c2bd810b13d5553b299bc93ad8345ba9f76159
SHA512 cdaf1a79c20fe9aa8b7a2de519ce95c05e665b2562376bc4a035a0e3a6d6b01a8def36dfae38b80acf7fe4564624ad56a87f31095de3322848027c45956dbaf4

C:\Users\Admin\AppData\Roaming\Logs\06-14-2024

MD5 741643df82f95e5815207f8ed640d5b2
SHA1 2d8f9c5dbc8a9ed47b72a397a1cb7678d085bec9
SHA256 f2a50ed5f311bbf00e98ac13ef10827074bf927e36fe39f0fe5f238fc29ddd57
SHA512 a9d7f682efcd7d53d8dbd487c458d97dc5c0b45aeb20c0c0f25e63d15326624eb86ec24765f28720d6090fe18a1c85ce88f98c4e7f5c77836f7942a272b382e0

C:\Users\Admin\AppData\Local\Temp\oRbWAvALBHVE.bat

MD5 649275bdc7d6032cc0d86adea70bf22c
SHA1 c664a8fdc94900fc2afb8423afd94f0087a7b1be
SHA256 bf6c1e5e8a01c0f11c9edb8ae029dff526f3ca5b1dc8755504bee6be22e5397f
SHA512 f60782ff98bebc86fbe4bc9c5ea50f04190e6288be7fea99a8ecd228d7f840d45360f6cbbdcffb564d7d2cbf78c26e06057537d1e5cc6c7c6db240d209c54ead