Malware Analysis Report

2024-08-06 11:08

Sample ID 240614-2586mszela
Target Client-built.exe
SHA256 47f06153275d1f01d1d7410eb5917aead5a79660be5da59bf51f31698343c357
Tags school quasar spyware trojan
Score 10/10

Analysis Overview

Threat Level: Known bad

The file Client-built.exe was found to be: Known bad.

Malicious Activity Summary

Quasar family

Quasar RAT

Quasar payload

Checks computer location settings

Executes dropped EXE

Looks up external IP address via web service

Enumerates physical storage devices

Unsigned PE

Program crash

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported 2024-06-14 23:11

Signatures

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-14 23:11
Reported 2024-06-14 23:13
Platform win10-20240611-en
Max time kernel 142s
Max time network 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Client-built.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

Network

Country Destination Domain Proto
GB 87.248.205.0:80 tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 runderscore00-37568.portmap.host udp
DE 193.161.193.99:37568 runderscore00-37568.portmap.host tcp
US 8.8.8.8:53 99.193.161.193.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5 0c84b58a5322284269f3b86e648e1fc8
SHA1 6776c3963a64a3ace4caaff164669364356f72aa
SHA256 47f06153275d1f01d1d7410eb5917aead5a79660be5da59bf51f31698343c357
SHA512 02bc07552096f2b052e064ed2941cde5b70058066b614fa7374dbf7aa2177458a22d9746181b8f88e3468b252adf7e1aa1518ed9085ed78af5b736a02fa297d7

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-14 23:11
Reported 2024-06-14 23:13
Platform win10v2004-20240508-en
Max time kernel 148s
Max time network 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A
N/A api.ipify.org N/A N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3068 wrote to memory of 4256 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Windows\SysWOW64\schtasks.exe
PID 3068 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2212 wrote to memory of 3504 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\schtasks.exe
PID 2212 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\cmd.exe
PID 1384 wrote to memory of 1804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1384 wrote to memory of 4080 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1384 wrote to memory of 4816 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 4816 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\schtasks.exe
PID 4816 wrote to memory of 456 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\cmd.exe
PID 456 wrote to memory of 4536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 456 wrote to memory of 3976 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 456 wrote to memory of 3272 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 3272 wrote to memory of 3452 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\schtasks.exe
PID 3272 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\cmd.exe
PID 4500 wrote to memory of 5012 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4500 wrote to memory of 4524 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4500 wrote to memory of 412 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 412 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\schtasks.exe
PID 412 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\cmd.exe
PID 3928 wrote to memory of 3096 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3928 wrote to memory of 3740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3928 wrote to memory of 4504 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Client-built.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oPUhgWBkySXt.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 2212 -ip 2212

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 2148

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\t6XcIHzKKTWz.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 4816 -ip 4816

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 1608

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OV3aeOC52K5O.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3272 -ip 3272

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3272 -s 1104

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D5cAUJxn37XO.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 412 -ip 412

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 412 -s 1608

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\suKVX9haSSwe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4504 -ip 4504

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 2172

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RpYyxryU5MNj.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2660 -ip 2660

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 2224

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ldJ5biCWM1Hh.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3364 -ip 3364

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 2224

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sLOaFUX0oFLT.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 612 -ip 612

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 612 -s 2224

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 api.ipify.org udp

Files

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5 0c84b58a5322284269f3b86e648e1fc8
SHA1 6776c3963a64a3ace4caaff164669364356f72aa
SHA256 47f06153275d1f01d1d7410eb5917aead5a79660be5da59bf51f31698343c357
SHA512 02bc07552096f2b052e064ed2941cde5b70058066b614fa7374dbf7aa2177458a22d9746181b8f88e3468b252adf7e1aa1518ed9085ed78af5b736a02fa297d7

C:\Users\Admin\AppData\Local\Temp\oPUhgWBkySXt.bat

MD5 944dc82deb5f8a921884afe5df748b1d
SHA1 d5f5eb1df45e94c3b4996799c2eac8b42d9d7cae
SHA256 3d381067f3542da67d63d4bae00205cf748ec4174d135bd28f91075d4f64d732
SHA512 dbe09d024727e8b83f0452594fb5e2f6eeaa4eb31e241ba4e0ad39e1eae56dda645f79bc48945b368d8d65d192492d5b39950fc52abf13ddbdb2ad26f050631c

C:\Users\Admin\AppData\Roaming\Logs\06-14-2024

MD5 1d069e780e8a854697f9dc6e38ab7ccd
SHA1 530ff86466a45f8cadd7740eaf027f76e2e1fac2
SHA256 1a5171b1be9e6e0fa0707ebee72547d38c32b28e1690070ab2299f3f505d5334
SHA512 a9a54de01ad2bae22e9a07cec9588410136a020bc75ab14d5ada6cf74683209d41121343eebececeb64be8a70228e216b146d7f6ad5f923f4cfe31b615401de7

C:\Users\Admin\AppData\Local\Temp\t6XcIHzKKTWz.bat

MD5 91cfdcabc476461b70d5535cbcaccd4a
SHA1 f78a4b2ddbafb7fd7f8be05361ae4bb736fbd1a4
SHA256 0b1e7fb063adea3833939f8023e98d0698d36a31e6657f26a616bd59de4d3f78
SHA512 5493c9b15cb8c19c8662a1e6b1dc6d864f728f9046c7d8e1326b800d6ac472472e89fe160cb794fc2e8383b8423792bf7d7e41503afcd2f6897b1e699121d7dd

C:\Users\Admin\AppData\Roaming\Logs\06-14-2024

MD5 9d673ddaa25583f4f1a7595523d072c5
SHA1 8695f78e9e0a7179f5855d6abaa9caf56ebcd3a1
SHA256 9f7b5cfb384f884daf5d0b0964f247138d0c5d7cfc28579efd225ba1c64e82cb
SHA512 1d18c3ddbbd35c89a5de795b1feea15f5cd2ca532500311a3bd2d249f6f0333095cdbedc8672e5e9c5a0d77480d917fe7508a5f22cb926f56c1de62bbe2ace3b

C:\Users\Admin\AppData\Local\Temp\OV3aeOC52K5O.bat

MD5 7b66592df2f1ddc07f873bdaa3e720ed
SHA1 07e38f5a9cac342316703ef56bac73c57124a6fe
SHA256 2aca29f9553ebb4108b4de87196c307d5799ed5c0bc7411f9941c83f04441a8b
SHA512 085bb88de29aa5c599b531b82198f08eda2f98fa6990ffbc03c6e11d81d4bbf63737229be0b717e846c815c433265cedaffc7fcc18986423dabc009d8796f310

C:\Users\Admin\AppData\Roaming\Logs\06-14-2024

MD5 ee03271e86106eb0a9d5f5c109d6ab97
SHA1 ff262a02542e26edd1daddbd32085fa42af34dd9
SHA256 3f2df86e8e3b149807df58b59562add43f8e14e73e710936856d27ce58eaf20d
SHA512 eef3aa8ad45eb5c36efc5bc7d167de67944b4ac8f850d46ae5f22625e8841f33261a6b032b6fce4b3271fdae2e5d0b5afe38d363b5c79c726485bcc590ce6ae8

C:\Users\Admin\AppData\Local\Temp\D5cAUJxn37XO.bat

MD5 c198a58309e9ee1c1c49ef73da308f8f
SHA1 8c20a8dc64b530e80c6b32fca8138d688f111df0
SHA256 0724ebd31c6834e9896f1b55c82ed3dbbd768ad4850524b6de417d7ef6245873
SHA512 f26e282e287e5616beae93d9ce5b274a7cf4b6ace69850905c477e3719078114afbc2a340b0c34eb1e8d501734b07169e426eb004e1a6af276832d94feb089e6

C:\Users\Admin\AppData\Roaming\Logs\06-14-2024

MD5 f07c0370b0f531e01e1b35fb56f78ed4
SHA1 c3dc0df7bb326da8950e5f623edbf524de1a08df
SHA256 a41c4df0dfb576fce2d9ab08fe4833691b3a35804c1e9f2a969aeb636da746d2
SHA512 73f268644e2a1325bc517c2f03acf6736aee976399d7f2eed197db05561c192c9fc73f3d41f1b3a40d759ee7b52a49be61f55177faec6ecd775df7098163c1bd

C:\Users\Admin\AppData\Local\Temp\suKVX9haSSwe.bat

MD5 f6f7240d3f6e2e3bc3ae49612b9b485a
SHA1 7135daa389f1d40516dac08ac1380ab51c29c0d4
SHA256 2fcd82919f5ee2a2d3e06858da3304a6b90790cd36863b5d04c56ace8f8897fd
SHA512 d36703d435e17aaf58c337612b1edf4f186b85b37ace5d3611658602ef8e5ebf6af91143701e4efb60e1e09d904635b6b367be359a87adf75a59193127ad01b8

C:\Users\Admin\AppData\Roaming\Logs\06-14-2024

MD5 7bfdac8b34e379f0e27859228eb78186
SHA1 c023ff597e67d3c7b02b919624748bf6ba5c81b7
SHA256 413e9ba7722a01852626cd8f4a36639746a2e83d32362bfd9ecc243cfe5e7074
SHA512 2c317fd7c3fac7794601327f5ca784df43f960f55aa4a02fcf9c5768fb4d2e791e3569d29190475ba08ae88f602b540d3309ac85712ee7c3d30857979ffd04a3

C:\Users\Admin\AppData\Local\Temp\RpYyxryU5MNj.bat

MD5 85e0dfe8450d4409d8b36b07140ee0b9
SHA1 2137600f46d8641bec12e69736f51b5708de3658
SHA256 0f278244494141c0dcf13a57a258c863033d3ca249a2c6a55734c1ef2651f785
SHA512 be4f7469f6ad80d735f27ae6b616365a3a7352675a87bb985b13daa3907f3cf3e4ef41ff168d7878777fee2fbbece142f9d4ce74c0080ceef0640aa2a78c16e4

C:\Users\Admin\AppData\Roaming\Logs\06-14-2024

MD5 1c09c537e7a0098cfda663c172f0d017
SHA1 d8c08ae6976e187297b72a17417b2f50244ec3d2
SHA256 37870725cd3f2e91897be1450438db7837f76b80edd159d7ef6c4f0498805e0d
SHA512 13c9de6461b1636c6508b60ac582f3266963aec1f1aa0098d5e936e629960628f7582f7fcb2cd6982d65f0cdb049b9eb1f401a2bd6d52f242763a19a12e223af

C:\Users\Admin\AppData\Local\Temp\ldJ5biCWM1Hh.bat

MD5 38f0be4ddfe557b48cd7d66cb75f5acd
SHA1 7010b2448c7befc87524f99b8b8538c8fbaeb0a2
SHA256 474d6514a1c5b2f4c0a5b65db22841177282148fba09dd155fc35b3b6a594d0c
SHA512 2ced338c14e046f380737158344c25ed8919700201b49842d41b616dbc06cb33502c46af564ee57ecf39a9d1d5180831bda89c684dc56ca402437ee565809dcf

C:\Users\Admin\AppData\Roaming\Logs\06-14-2024

MD5 2d0bd2d5dd1a8df92131212c257bbda2
SHA1 375c0b7d4f025e0dfd4e3325a2a530372f71a5df
SHA256 abab68f0209c5fc51983f147e9513a36d67ed7fc9d0928a60ded018d2bc99f57
SHA512 c130ea58410114dd51aaca1f3fe4ec11f7cb8fdc2544a3a97e039e8de302ae79db9616cceb848145325b30d3915d460e3828d22d2728364a325ba3138877aef8

C:\Users\Admin\AppData\Local\Temp\sLOaFUX0oFLT.bat

MD5 31b8b8a28168e950a6ec32fdd2b016d4
SHA1 b14f4ee2c61a29701ab964d0cf33956cf9bd437e
SHA256 6c21bfa7cd47748b54d6dc43b74d42eab72d6dd1aa06b43de353e5ad9a741a6e
SHA512 fcaba708c09f8a177eebf76bb5ea3e7283d81c81202e00d084f41f3a34c92d0973c4cbf400543b5998bef135a0a8a70015244f20026386b5400763759e4df2c0

Analysis: behavioral3

Detonation Overview

Submitted 2024-06-14 23:11
Reported 2024-06-14 23:13
Platform win11-20240611-en
Max time kernel 146s
Max time network 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Client-built.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
DE 193.161.193.99:37568 runderscore00-37568.portmap.host tcp

Files

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5 0c84b58a5322284269f3b86e648e1fc8
SHA1 6776c3963a64a3ace4caaff164669364356f72aa
SHA256 47f06153275d1f01d1d7410eb5917aead5a79660be5da59bf51f31698343c357
SHA512 02bc07552096f2b052e064ed2941cde5b70058066b614fa7374dbf7aa2177458a22d9746181b8f88e3468b252adf7e1aa1518ed9085ed78af5b736a02fa297d7
