Malware Analysis Report

2024-08-06 11:14

Sample ID 240614-25tqyszejf
Target Client-built.exe
SHA256 47f06153275d1f01d1d7410eb5917aead5a79660be5da59bf51f31698343c357
Tags
quasar school spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

47f06153275d1f01d1d7410eb5917aead5a79660be5da59bf51f31698343c357

Threat Level: Known bad

The file Client-built.exe was found to be: Known bad.

Malicious Activity Summary

quasar school spyware trojan

Quasar family

Quasar payload

Quasar RAT

Executes dropped EXE

Checks computer location settings

Looks up external IP address via web service

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Runs ping.exe

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-14 23:10

Signatures

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 23:10

Reported

2024-06-14 23:13

Platform

win10-20240404-en

Max time kernel

134s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Client-built.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 runderscore00-37568.portmap.host udp
DE 193.161.193.99:37568 runderscore00-37568.portmap.host tcp
US 8.8.8.8:53 99.193.161.193.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 210.143.182.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5 0c84b58a5322284269f3b86e648e1fc8
SHA1 6776c3963a64a3ace4caaff164669364356f72aa
SHA256 47f06153275d1f01d1d7410eb5917aead5a79660be5da59bf51f31698343c357
SHA512 02bc07552096f2b052e064ed2941cde5b70058066b614fa7374dbf7aa2177458a22d9746181b8f88e3468b252adf7e1aa1518ed9085ed78af5b736a02fa297d7

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 23:10

Reported

2024-06-14 23:13

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A
N/A api.ipify.org N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3564 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Windows\SysWOW64\schtasks.exe
PID 3564 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Windows\SysWOW64\schtasks.exe
PID 3564 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Windows\SysWOW64\schtasks.exe
PID 3564 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 3564 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 3564 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 4756 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\schtasks.exe
PID 4756 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\schtasks.exe
PID 4756 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\schtasks.exe
PID 4756 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\cmd.exe
PID 4756 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\cmd.exe
PID 4756 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\cmd.exe
PID 4228 wrote to memory of 3544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4228 wrote to memory of 3544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4228 wrote to memory of 3544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4228 wrote to memory of 3448 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4228 wrote to memory of 3448 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4228 wrote to memory of 3448 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4228 wrote to memory of 4592 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 4228 wrote to memory of 4592 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 4228 wrote to memory of 4592 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 4592 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\schtasks.exe
PID 4592 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\schtasks.exe
PID 4592 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\schtasks.exe
PID 4592 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\cmd.exe
PID 4592 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\cmd.exe
PID 4592 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 3916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3944 wrote to memory of 3916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3944 wrote to memory of 3916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3944 wrote to memory of 1220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3944 wrote to memory of 1220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3944 wrote to memory of 1220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3944 wrote to memory of 4924 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 3944 wrote to memory of 4924 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 3944 wrote to memory of 4924 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 4924 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\schtasks.exe
PID 4924 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\schtasks.exe
PID 4924 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\schtasks.exe
PID 4924 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\cmd.exe
PID 4924 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\cmd.exe
PID 4924 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\cmd.exe
PID 4496 wrote to memory of 3632 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4496 wrote to memory of 3632 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4496 wrote to memory of 3632 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4496 wrote to memory of 4224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4496 wrote to memory of 4224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4496 wrote to memory of 4224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4496 wrote to memory of 2256 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 4496 wrote to memory of 2256 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 4496 wrote to memory of 2256 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2256 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\schtasks.exe
PID 2256 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\schtasks.exe
PID 2256 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\schtasks.exe
PID 2256 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\cmd.exe
PID 2256 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\cmd.exe
PID 2256 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SysWOW64\cmd.exe
PID 1176 wrote to memory of 4696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1176 wrote to memory of 4696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1176 wrote to memory of 4696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1176 wrote to memory of 1916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1176 wrote to memory of 1916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1176 wrote to memory of 1916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1176 wrote to memory of 1568 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Client-built.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3dzjAX1GDWve.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4756 -ip 4756

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4756 -s 2136

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Mwq5XZKT5wes.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4592 -ip 4592

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 2172

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cjYc8P2cHOTA.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4924 -ip 4924

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 2140

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XHEzut8mTI2A.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2256 -ip 2256

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 1668

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZTLw0ihrhlV7.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1568 -ip 1568

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 1092

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HvLgm6uT3EEu.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4884 -ip 4884

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 2224

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\I3j7zj7mro2I.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2624 -ip 2624

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 2216

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 api.ipify.org udp
US 8.8.8.8:53 runderscore00-37568.portmap.host udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp

Files

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5 0c84b58a5322284269f3b86e648e1fc8
SHA1 6776c3963a64a3ace4caaff164669364356f72aa
SHA256 47f06153275d1f01d1d7410eb5917aead5a79660be5da59bf51f31698343c357
SHA512 02bc07552096f2b052e064ed2941cde5b70058066b614fa7374dbf7aa2177458a22d9746181b8f88e3468b252adf7e1aa1518ed9085ed78af5b736a02fa297d7

C:\Users\Admin\AppData\Local\Temp\3dzjAX1GDWve.bat

MD5 2a1537015ddf03f8cd8abed7da64b542
SHA1 3b93d28071d7022e15ae1a7c58f654b53a87223f
SHA256 69c048c88de39502d5f37f716e32d72b1e7c8973db7343ec09961b0958015bcb
SHA512 da49351a07cf644b92f0151266f9af7699f9dedc5cb1cbc77d0e30bb51eac7573a7f9290e9c87ce21d6dd0e680dc8c022b98e9464f4550ec8a97359dfe43c879

C:\Users\Admin\AppData\Roaming\Logs\06-14-2024

MD5 8c85a7c5121dc6814fc41b14ec9647a6
SHA1 4ca724e854c7c1e1f5ce20ecc1a9936c49130251
SHA256 8cd639b068d61c03eb865281c78bdd2ec38670e6636bc6a6165fd9a1f6fdaf10
SHA512 738731fc8cdc87278c5c1e87b670aad6725ebbcd50ab434791bf2cef60b7b2e14c418fec37afa40919d03ed74338163114ad854eeec487e9c951f220fc66e226

C:\Users\Admin\AppData\Local\Temp\Mwq5XZKT5wes.bat

MD5 66e7ab1aacc9ce9bb15a8b4f2868432f
SHA1 9fbccdc592127bc7a36a818f9688d6ed15e04650
SHA256 2a2f6c6b075071b62dcbf255d8c28d9cbb2de4151492604a46830d32f2ac010e
SHA512 77aa2ace5336255d2067d34d80f84c90152cf926f874adf9d8f0d0d588ebc35f3f66cdbe861a894763f0095d8e97f7a86fdeac3d28899e181d4ed5d51c99b046

C:\Users\Admin\AppData\Roaming\Logs\06-14-2024

MD5 5a9bb592952b289bf88e5b95090cb86d
SHA1 8c1d55b6ceaca779075683d5b402a77e684a7541
SHA256 93e6046d49ae801f59fcb151fc634adc8f86395a44685f076d667b983b618184
SHA512 92690405c99b43b46be84bc55c32026d443ad1fe32cc4f51dafec4eea8c66f8b041b1065355616fe69506c23b831004dd1194cb1dfa9bd629be8fcd9ca6f970b

C:\Users\Admin\AppData\Local\Temp\cjYc8P2cHOTA.bat

MD5 bb0e55d38384376681209b32f823f86e
SHA1 1fccbfcb91e38016822dd4ca1e0f3aba6873455f
SHA256 2554a989957d8f017ce18dbac0a973b07a54286582f7ac6e4021e69cd05fcfe4
SHA512 3a5796bbb9db1b8040d79805842575d7cc3df30ff0a979f2586683d348731dbf522f6801cf3ea66f1ae4b6f9fcff228927ccf7a0f9fbf43f4454e2994432ced5

C:\Users\Admin\AppData\Roaming\Logs\06-14-2024

MD5 3fbcd98e416be87313bdf6b81fed1a8d
SHA1 8ba2fc10204449b8b9027e68f55972da9750c0f5
SHA256 1f4cecd3cf6506ff0fb942914a4e5b2654583a8c783aeb8c0c1b8cee861ab918
SHA512 d70324ab33866258a99a8417fbd8311a76371972da2eb80f034c3adeafcae976af0c01239120d19688a0ff3ec92c56866e1360b923fbd74b40a0eb3f164a600d

C:\Users\Admin\AppData\Local\Temp\XHEzut8mTI2A.bat

MD5 96be231a17ea518ff1668f8b6630bc5d
SHA1 f60d60f787906894cc4c0c7c1d7d56eee8df89f4
SHA256 fc7b137235d10b71a400d105e9c0419e0ef8d2fbcff0e328c77ea323654ccf90
SHA512 6a287a6baccfe7b2afa519ebdf35852481383a84cbd852437269bd8346c091fdff4df5cb1daed38621cef3c26d9cffef35008a9425671925e67f259ec86d6626

C:\Users\Admin\AppData\Roaming\Logs\06-14-2024

MD5 4ad61f34c3885847601cc1d3b62a08ac
SHA1 57030880dee170e7c1b22d9710e659a656208d05
SHA256 2ee415abc591c7091ee9229b78b11af7c738455fa5448c0998c1c0504cf2c350
SHA512 972a6c1881deab1fd69cc653d331e531965a76c5a310770f9a04d7dbff1367d8c9300eb3434a3e34c2497e90b120e4e56fbd33c54be952075f7d5fdac5d93b75

C:\Users\Admin\AppData\Local\Temp\ZTLw0ihrhlV7.bat

MD5 88c69d36041cc26e6570d9f1fabd1532
SHA1 c37f96716afd9ffa54fe503fb934a10740ca035a
SHA256 e195afb6e585cff3b09e425f95971bd9cc9b9ecc49c79e16cfadbed93d2ec811
SHA512 cae2490f60c6a8d4159aedcea10fcab1fa5834b3a9bca95037a0a8a13d7c29915fbd11560ecdf230ec6c9fc70cc42079a6190be42b11bb4a480539549162c1c3

C:\Users\Admin\AppData\Roaming\Logs\06-14-2024

MD5 149ea6735d363a51fb63399dd39e6ceb
SHA1 dfa3763d96a2dc3b1402ac62dd55e8c6994f3bac
SHA256 10d6f1db8123fe12f95c67888cfe5f7204d612f0525f474c4a40ea1f16c11e5c
SHA512 892a1c7b55a6556bd24850a621f256abaff41a47ac3fd7cd1a35ecdd3929480806b10932f179c472b4ce46ecf0e648cd724478bbd70283ff271b314f5eb3b96a

C:\Users\Admin\AppData\Local\Temp\HvLgm6uT3EEu.bat

MD5 4f92e0ac5d4d66f5f2b3ffc881416da2
SHA1 f2f3e8f3d8430973d5b7c53084a400e3f88b7ea2
SHA256 b88e7ad34b23dc32451aac6fe87cc0e66a473d20de0c8fb189ad4528fa45ed23
SHA512 45c3995bbf3b295cd584b99d258af32595c04eed4c538469e15a24c8a863a98946bf53cb4998b810051e081f5dbea6a9fc38afbc1ecd50d0f615c463fcfd13b6

C:\Users\Admin\AppData\Roaming\Logs\06-14-2024

MD5 1c52ca33be476fa10b616576611cc0d4
SHA1 cbe9930f1721d3e8505e20dd943fd62d854efbec
SHA256 00c880c7dd9c763c61afcf8fcae5b74f96b184350355838b919791b54648d28a
SHA512 5071d62f74f59ab901c841086c02f11da6cae3e45f1f28ff087cebc967c55c7e5b10f8cc8af85df6a90a1bbfaa4b3c892ae5e164683e417bde6d076d51a8c64b

C:\Users\Admin\AppData\Local\Temp\I3j7zj7mro2I.bat

MD5 a50175913928becb899c09d42155075f
SHA1 9d16351c57936ef6032fccd24174478a72146809
SHA256 c35f2ec08ce5c9f5ff474ce95fc48c03604d583dd30a90a6ef200b8e342be279
SHA512 725199ac827e5ee84e2fc1ad7c96e15a9968f6034bdf1fd889856e2d2fa08a11c125f72e3522cfd8bdd475dc1a7709b6ee02b50c09c534d7d4bb993978b672c6