Malware Analysis Report

2024-08-06 11:17

Sample ID: 240614-25bv5stelk
Target: Client-built.exe
SHA256: 47f06153275d1f01d1d7410eb5917aead5a79660be5da59bf51f31698343c357
Tags: school quasar spyware trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 47f06153275d1f01d1d7410eb5917aead5a79660be5da59bf51f31698343c357

Threat Level: Known bad

The file Client-built.exe was found to be: Known bad.

Malicious Activity Summary

school quasar spyware trojan

Quasar payload

Quasar family

Quasar RAT

Checks computer location settings

Executes dropped EXE

Looks up external IP address via web service

Program crash

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Runs ping.exe

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-06-14 23:09

Signatures

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-14 23:09
Reported: 2024-06-14 23:12
Platform: win10-20240404-en
Max time kernel: 134s
Max time network: 136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Client-built.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 runderscore00-37568.portmap.host udp
DE 193.161.193.99:37568 runderscore00-37568.portmap.host tcp
US 8.8.8.8:53 99.193.161.193.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 84.65.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5 0c84b58a5322284269f3b86e648e1fc8
SHA1 6776c3963a64a3ace4caaff164669364356f72aa
SHA256 47f06153275d1f01d1d7410eb5917aead5a79660be5da59bf51f31698343c357
SHA512 02bc07552096f2b052e064ed2941cde5b70058066b614fa7374dbf7aa2177458a22d9746181b8f88e3468b252adf7e1aa1518ed9085ed78af5b736a02fa297d7

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-14 23:09
Reported: 2024-06-14 23:12
Platform: win10v2004-20240508-en
Max time kernel: 149s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A
N/A api.ipify.org N/A N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1252 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Windows\SysWOW64\schtasks.exe
PID 1252 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 3464 wrote to memory of 544 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\schtasks.exe
PID 3464 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\cmd.exe
PID 4580 wrote to memory of 3044 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4580 wrote to memory of 3740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4580 wrote to memory of 4736 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 4736 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\schtasks.exe
PID 4736 wrote to memory of 636 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\cmd.exe
PID 636 wrote to memory of 5116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 636 wrote to memory of 4264 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 636 wrote to memory of 1268 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1268 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\schtasks.exe
PID 1268 wrote to memory of 3196 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\cmd.exe
PID 3196 wrote to memory of 4480 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3196 wrote to memory of 3320 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3196 wrote to memory of 4540 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 4540 wrote to memory of 916 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\schtasks.exe
PID 4540 wrote to memory of 664 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\cmd.exe
PID 664 wrote to memory of 1144 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 664 wrote to memory of 5040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 664 wrote to memory of 2308 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Client-built.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nQvQcBzNnRGa.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3464 -ip 3464

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3464 -s 1608

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KsBusVXtwBUZ.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4736 -ip 4736

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 2172

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hGbVuUMCkIZG.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1268 -ip 1268

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 2172

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GBpyLCd5NC0K.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4540 -ip 4540

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 2208

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aza5z3r7eruI.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2308 -ip 2308

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2308 -s 2224

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\unKCdv59vWoH.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2552 -ip 2552

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2552 -s 1092

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KBmNiwQLpqyd.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1768 -ip 1768

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 1080

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 api.ipify.org udp
US 8.8.8.8:53 runderscore00-37568.portmap.host udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp

Files

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5 0c84b58a5322284269f3b86e648e1fc8
SHA1 6776c3963a64a3ace4caaff164669364356f72aa
SHA256 47f06153275d1f01d1d7410eb5917aead5a79660be5da59bf51f31698343c357
SHA512 02bc07552096f2b052e064ed2941cde5b70058066b614fa7374dbf7aa2177458a22d9746181b8f88e3468b252adf7e1aa1518ed9085ed78af5b736a02fa297d7

C:\Users\Admin\AppData\Local\Temp\nQvQcBzNnRGa.bat

MD5 3d4b649bd47879af0ff0c40a5c946b37
SHA1 af0ec2fd266bcba89dcda63c916db2978e7717f7
SHA256 fb24f86b387dc285ebf44a53d8d98cfb6fbe8bec2f013d4fb24302cc7726a29a
SHA512 81f9ea50ed7c7ac6a4396f12cb78a0913dbe238ee03646ddb5ff4736517faefa1e11feb2160c6a7a1685fb2fee1af9f84b4f18878de2f74b9b9b967fe4f4a169

C:\Users\Admin\AppData\Roaming\Logs\06-14-2024

MD5 79194bc55c4e7698fa1bf3cbac9e514e
SHA1 ad30898fdd1663539493dd1460e87c5cc6a5ac16
SHA256 c0cf99c5b4309c372a830329c883566d4bc676435ac9f38a81b66428c9a58356
SHA512 fd9dacabaa6a8890a44848cb1aa6d4d0d06f7ccf7c9bc0e477740d2389280531a6cbda304701dfe39eaaeea7d281d84679a345061ceef18663d7d6b1aed044aa

C:\Users\Admin\AppData\Local\Temp\KsBusVXtwBUZ.bat

MD5 e9679ce18577208ec4174669362d0f55
SHA1 af73c98f76de810bfefaa16967098b5d7bc1bf62
SHA256 27917aa54aab3c72a6f24bd7fabce728c984ec0130cf0aa5a92c21f231e56a9c
SHA512 cdae3ced16946fc14d632a8594e08f18891e9ea1647c76bc4fa1849c9aa06802d6f1481c6fd2ed15aa7198ba3f828ef3f96c5594a1d6f99be1390d45b1a1dd6e

C:\Users\Admin\AppData\Roaming\Logs\06-14-2024

MD5 397596e5653d41937f77e1ae7f91a851
SHA1 f312ed56ea8d0793ab1184e968a72f7a03b82340
SHA256 7f8a9412240d5896637511062bc59551e272841da6725f53253af7f3f5280df5
SHA512 bd8307908120c348d816f8a0ea965a6e93ab535e8959e51b30212932a2e88d3b760cc17adfc0da2058850d5c688ca3543dc51f85b54289ccc78536e4d95faeb8

C:\Users\Admin\AppData\Local\Temp\hGbVuUMCkIZG.bat

MD5 0e2940a0dec794a02ced5e15b7aaa9b3
SHA1 927fd6e3fca95e1e86b759b3a0063323d4cbd38e
SHA256 d97f12cc42d50e8c3b5a03b9c18f82234b628514a06b1d5bec02b78e00ce2563
SHA512 6cdcedec3442c21173935b28b3b54971325f375b382c348ad9063463ca36ca158026dda14983cef98e661d4bc33622cdf598c0ed1f750eb64a0cbded5e5f7346

C:\Users\Admin\AppData\Roaming\Logs\06-14-2024

MD5 47e30fd1ed912735a241be355026a6e3
SHA1 0652a79de9f2396d2409a8fde8c102b414773b2e
SHA256 25aad637114bf8df614cf57e6ea1bc937108ee8f86ec2ae8e73e941378f06c16
SHA512 2eb675e187a22c7c03f0656af0a46071b4aae6be9ff03624f40efa4fc3c712fe4f2d177c7891946667909e29d8d55f65193c72cb2dc6a1381ba765907417cbab

C:\Users\Admin\AppData\Local\Temp\GBpyLCd5NC0K.bat

MD5 c947fa6beea97465e7f8d1a1f41cc6ac
SHA1 d6ba64b7e9a244991f56a8543ff83bc139d9270d
SHA256 cf457dfc616e365312931f77c3751a42e74e079a3c9e56f3b582b7b279405bca
SHA512 047ca614220fef4b69906bd34cb7ac5737be90e584c3ff97553005a5f8110ff78a5a6ad5516e60fcf4084c32fb7f3cbdd847b3a59c76f58dd87d20d4b5485d40

C:\Users\Admin\AppData\Roaming\Logs\06-14-2024

MD5 6b14631a3a9830702db9e27eddb4d926
SHA1 6b395aa30d03bfd5d3c7384140fad210fa88694d
SHA256 62189037adbac79155331a214edd69163a7884aee1420f242fdbf3ac15e7e796
SHA512 aa4c538bf67868b31c488a8ca8c2221093ed7bf12c59ef907f1ffcfc2b25bddb3095ede01b21f00a580edd83a21e8eb25d135ae71e19894016968c05611239c8

C:\Users\Admin\AppData\Local\Temp\aza5z3r7eruI.bat

MD5 2c149497c4789ff683f9ddc1ef196c69
SHA1 d05d8fed85ff867baf6566c5a9f0634780cd3d51
SHA256 af03f038384067553374430ced8d6047af4f56915afeaefea85973d6f0534b01
SHA512 8cb72ebd41b6fdc303edeac2abbffb6b2e275536ee04f0937770032432eb261d4ce206fd52708fa7494130dbc5e26fa4ef011045968d66f6546f83eacc4903d1

C:\Users\Admin\AppData\Roaming\Logs\06-14-2024

MD5 a9e2ae3efcc28a653abad830267584c8
SHA1 1ea940fa51ac7e5f5a644761b1c9c0fa2fff568a
SHA256 cf1e71c8b5b6d575744ffa38314961de0f6e234fdff3d39b80db7a9fddb13790
SHA512 3e35d59dbc291d56821f46930848f98b2c9924a35442fcd75db1a2994dd15bb5072695544c450e6353749babdab9a11da5148daf0ad10cffae752a0ff0465269

C:\Users\Admin\AppData\Local\Temp\unKCdv59vWoH.bat

MD5 26c5f5ff4686803211090c6608a7e1e6
SHA1 407f1f9bfcafd9ce4fa07598b535a74ef8961ee4
SHA256 7147a25f5156c1441a1ba5ad861ca85ec32b03c6dfd5abad8eeb130190adf0d3
SHA512 f5a0bd03186b0a659f4d5562736658edfef8889bddbb64063c429315d506415c10404357e4b391c144e8a383acbe31382f7b4e825528edf27fb7a8e9f4eed8b9

C:\Users\Admin\AppData\Roaming\Logs\06-14-2024

MD5 b5419c681b1499941c9dc06c143ad146
SHA1 0614732406acb11ecf48bb1f006288cfb42d93de
SHA256 b51947babc6ab16910aa8eeaf726ea59a0c37d8bcbe097a9cf9252a1c9ecf929
SHA512 be2e19eae464ee6ef36b37b865774210e65a85d1fa0c4a2d6d0f90439de2d6bfddb9244ee0b543eeed2f7081f8fff67ec69cb55fa9f7f342d2d38b62095ff1ac

C:\Users\Admin\AppData\Local\Temp\KBmNiwQLpqyd.bat

MD5 b915e6912fca767229577885cedb224c
SHA1 6853470450174ca2754b18015f72dc426a10db37
SHA256 7d4a4ff56f732b4630a04866e12431984e8a2e0c922112b72479ce7c77f63b2a
SHA512 dcf6837f5b4ee221b365df553df890ccfb62564f35cae9ace1366ffc3d25d464920db2393cb8991575ae44006354659d2016ee3d268ea7490ceb33fefc0fdddc