Analysis Overview
SHA256
47f06153275d1f01d1d7410eb5917aead5a79660be5da59bf51f31698343c357
Threat Level: Known bad
The file Client-built.exe was found to be: Known bad.
Malicious Activity Summary
Quasar family
Quasar RAT
Quasar payload
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Looks up external IP address via web service
Unsigned PE
Enumerates physical storage devices
Program crash
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
Suspicious use of SetWindowsHookEx
Runs ping.exe
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-14 23:12
Signatures
Quasar family
Quasar payload
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-14 23:12
Reported
2024-06-14 23:15
Platform
win7-20240611-en
Max time kernel
119s
Max time network
135s
Command Line
Signatures
Quasar RAT
Quasar payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Client-built.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | runderscore00-37568.portmap.host | udp |
| DE | 193.161.193.99:37568 | runderscore00-37568.portmap.host | tcp |
| DE | 193.161.193.99:37568 | runderscore00-37568.portmap.host | tcp |
Files
\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | 0c84b58a5322284269f3b86e648e1fc8 |
| SHA1 | 6776c3963a64a3ace4caaff164669364356f72aa |
| SHA256 | 47f06153275d1f01d1d7410eb5917aead5a79660be5da59bf51f31698343c357 |
| SHA512 | 02bc07552096f2b052e064ed2941cde5b70058066b614fa7374dbf7aa2177458a22d9746181b8f88e3468b252adf7e1aa1518ed9085ed78af5b736a02fa297d7 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-14 23:12
Reported
2024-06-14 23:15
Platform
win10-20240404-en
Max time kernel
133s
Max time network
135s
Command Line
Signatures
Quasar RAT
Quasar payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Client-built.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | runderscore00-37568.portmap.host | udp |
| DE | 193.161.193.99:37568 | runderscore00-37568.portmap.host | tcp |
| US | 8.8.8.8:53 | 99.193.161.193.in-addr.arpa | udp |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | runderscore00-37568.portmap.host | udp |
| DE | 193.161.193.99:37568 | runderscore00-37568.portmap.host | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 213.80.50.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | 0c84b58a5322284269f3b86e648e1fc8 |
| SHA1 | 6776c3963a64a3ace4caaff164669364356f72aa |
| SHA256 | 47f06153275d1f01d1d7410eb5917aead5a79660be5da59bf51f31698343c357 |
| SHA512 | 02bc07552096f2b052e064ed2941cde5b70058066b614fa7374dbf7aa2177458a22d9746181b8f88e3468b252adf7e1aa1518ed9085ed78af5b736a02fa297d7 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-14 23:12
Reported
2024-06-14 23:15
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
Quasar RAT
Quasar payload
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Program crash
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3812,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=4244 /prefetch:8
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Client-built.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AQ8s4O2vrPrw.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3812 -ip 3812
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3812 -s 2124
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qUv9Ycrv9c2D.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1944 -ip 1944
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1944 -s 1604
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\f4TiNWde9PUC.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4204 -ip 4204
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4204 -s 2152
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\K4WUyX7s0j0u.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1328 -ip 1328
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1328 -s 1884
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GUr0ZQWcTGpC.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3168 -ip 3168
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 940
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PGg06OCrKOYX.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3712 -ip 3712
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 2208
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZTvKWN8QSaVD.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4920 -ip 4920
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4920 -s 1660
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\U5KDB3aL4Ojm.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3952 -ip 3952
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 2208
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
Files
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | 0c84b58a5322284269f3b86e648e1fc8 |
| SHA1 | 6776c3963a64a3ace4caaff164669364356f72aa |
| SHA256 | 47f06153275d1f01d1d7410eb5917aead5a79660be5da59bf51f31698343c357 |
| SHA512 | 02bc07552096f2b052e064ed2941cde5b70058066b614fa7374dbf7aa2177458a22d9746181b8f88e3468b252adf7e1aa1518ed9085ed78af5b736a02fa297d7 |
C:\Users\Admin\AppData\Local\Temp\AQ8s4O2vrPrw.bat
| MD5 | dc9027059b5c341481e162a01976045d |
| SHA1 | 44588ac758c4e84aa77aae00a3ff78023adafa5b |
| SHA256 | 00b1913f908aeda4c96bf232d71568f278342b9db99712b2b9cfc4db2f04e841 |
| SHA512 | 23feb4101db8a1a1c960e7b75d87e9bc22ef088e4f1c70a590d469041e453710f603efb24d145511220ae5e1b117452870e5622ecbd050f381800bbe4c867c80 |
C:\Users\Admin\AppData\Roaming\Logs\06-14-2024
| MD5 | 4a8f4c34b5a4bdbb61207adf98fb259a |
| SHA1 | 7911ff3bfcec913b64043af7efea51d88d89f917 |
| SHA256 | 2bb3b027992b95521bfe05f8d0ff51f527ed41a164063d76c0b4c6560a80717c |
| SHA512 | bb9ce7f969b31fe312ef253dd44dfff691cded5d960444a6357d66afdfcdba82a6ce9f0f9ce5a374ed0a4600034e77939dbc15ee79f578e9a10209a7a7c89402 |
C:\Users\Admin\AppData\Local\Temp\qUv9Ycrv9c2D.bat
| MD5 | 0ecae696f007da45e35b077b0276611b |
| SHA1 | 205ec2d9ba8a859f37a974d97d3118feaf77e8be |
| SHA256 | 1f71876001c6d2ef1c5022116707fee808cd274fd6cfa231527569e1afa9589e |
| SHA512 | c384e766e0e2d3473a1d885b0ef2b7cb4a6c879106a2f0d453e6690dc8aace9ab1c55b73854a3ff1396980bb71d84fea3e6d06258d9e75a512f8ba2590ea7486 |
C:\Users\Admin\AppData\Roaming\Logs\06-14-2024
| MD5 | 5db28b50730f00bf5ddf2aa2e28ca608 |
| SHA1 | b94621d8ef7601044dec1e0721a720e164d6de63 |
| SHA256 | cf42e21fd975e9deb2650f8f14fa7fccaa6fe922832312350c68113c5d019379 |
| SHA512 | ccca3adbd5558e6db6ac621e20ae8f4d8994a34b0bb98d1c3674ba24d1d8d2f051e65b879d24fd0d93d7a20799f2c35c3e6fa7a73b2f119bcaf5f890d16a1ada |
C:\Users\Admin\AppData\Local\Temp\f4TiNWde9PUC.bat
| MD5 | 42bc2b3a2429ee8e300b4878064a1a98 |
| SHA1 | d7e6dd52f8cd455e8d4e31bd21ad4580a01f7407 |
| SHA256 | e8d56aca58b1c5e23d2d7e942a993fbadc91ac5c1e87c0e2e730484fb2bd5bc6 |
| SHA512 | b2047d988cfa97177d53715d7be5047000476df6a6f4f827236d962edebcab95addd321f2ea085cc2b5d0a733a7f536908d42a8c7a2c3d790cab43a26af39cf5 |
C:\Users\Admin\AppData\Roaming\Logs\06-14-2024
| MD5 | 7a7631db34f5c9dbcdc730ddec24fc59 |
| SHA1 | 1edef3ea32c1ee83cee0c8d2961f588061e8dd3d |
| SHA256 | 14991fcd35668756062807e8572d660b0f9ee3b2096c9e39ddf5c7190ada9f53 |
| SHA512 | 0e5c13d0cbca2be68ebacc4fdf587846edb16a66e3260924d056dc4d7e0262be6d54dc89b2494c33c59e6f44b412701fd8207f757c2a39e62e5af9bb3e61bee8 |
C:\Users\Admin\AppData\Local\Temp\K4WUyX7s0j0u.bat
| MD5 | 4ac1de751dadb3674977bd0131cc0310 |
| SHA1 | 9d40de4f347c81f75d6483d35a180ca1b79ba6cf |
| SHA256 | 3505cd03920b4a9f7f7c4ff53f27d06e0e35a36afcbed64443ba0e5b9ab48e2f |
| SHA512 | 4493a04dd7d84b8fb15ed3a4bc58f1718bdf0dbc743a65a9d8c3027130e5f3ae8b2f5d7313325a707168476b973bf8604c3a1ae879cd2b0e5292d7866eb33c89 |
C:\Users\Admin\AppData\Roaming\Logs\06-14-2024
| MD5 | bd6b8288e6a7376b671fc9943ff77b64 |
| SHA1 | d2d0d4cc031e1bcf540e58d1f35472e184973912 |
| SHA256 | 4ab67eb0766e2b20837550e8b23bf2fc7f5e09537a7f1d94d1dd7f386921d001 |
| SHA512 | 3c3384e13671bc918e89aaa0bdfdd372349f3ba213b23117bb11c1d9efcedf6c8bdd0f778e58a5e6e61f59f6e1e6478427b427b76318b37aecc01ca3686a99fd |
C:\Users\Admin\AppData\Local\Temp\PGg06OCrKOYX.bat
| MD5 | a9c6b37d9515c80367ab8af58364a544 |
| SHA1 | 2fea0afbb05a7a2358cbdba48d3032c9083b3be4 |
| SHA256 | a9940d559cf4a5f003acc390a88e033bd6e3f204e4d714282d19a13fc691a3d5 |
| SHA512 | 968324cdd5a15b3add89bbf377a7b328028b96a1641a2364011f0451e98f2798f31c01567155910e02f5e5a63ce590c41e1b3a90544d291d6b6b66431da56964 |
C:\Users\Admin\AppData\Roaming\Logs\06-14-2024
| MD5 | 47aeae8a05e07bb8b60f407c0f31d382 |
| SHA1 | 81ac0fd02e84999bb53cf3eeee5511893284409d |
| SHA256 | 76042800f9902d88c26e1e10d2b2b0fb89ec2079776947127d3d3ed57f4cdb7f |
| SHA512 | 22e720e88cbc894db3ca63ec6620a8b2d65ced80f5341f469a0d2093201c59aa0c81dac889e4dfd7de9c7bbee01b0d27649803c1cea50f886085e13e78a07dfe |
C:\Users\Admin\AppData\Local\Temp\ZTvKWN8QSaVD.bat
| MD5 | 616cf94d94f51e4a1872970fb6a3a8c0 |
| SHA1 | e24dbbbb6b3cb79f755d52543345f08f17f0433f |
| SHA256 | 223c5ba6fb77f8be9a449e35703d89208ba619fecf1e84e6f72cbc9a3aa52543 |
| SHA512 | e5c6caeade2239f6cacd87715723f899c2e80badf7288b185636be19d71f457ff7f7223d25f366f548b4fa84d334a254783779c9cb213786c03d7611c32add30 |
C:\Users\Admin\AppData\Roaming\Logs\06-14-2024
| MD5 | 9e2507020372d65ccf4f7c5cfd2c4be3 |
| SHA1 | 8c60ebd29ff7d9939b7a842aa11d6e9bb213e29b |
| SHA256 | e68876a698c34883add9e1c9cfff38c6181e5e76d5b6e82a72bbabf92b88b1b6 |
| SHA512 | e3e38fc92053262cbbb3210820302576d285d392cab3d9936a75e277c9085257ba5ab2a35ef024e41970a7b23fbbd7026664d550891589d08d4b04cdfce9a62c |
C:\Users\Admin\AppData\Local\Temp\U5KDB3aL4Ojm.bat
| MD5 | 1b8db04a4555bdd7c99e3086b2e742ef |
| SHA1 | 135208b1f412d44a94b3bbe5c59bc83be61afcae |
| SHA256 | b8ffe68c4aa1d9e80b3f7c0fd625418ee870fdc0ee42c165eb3442207678b281 |
| SHA512 | 98c11b1f4e37a505a665a7316f1ee66e3aef1cc30b6cb72dc12b09eb16cbd2d6683e7df71ef20a60f2418978cfafe7f236b89a434827d19c1f1586fd2db658c8 |
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-14 23:12
Reported
2024-06-14 23:15
Platform
win11-20240508-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Quasar RAT
Quasar payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Program crash
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Client-built.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
| Process | Command line |
|  | "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZHadx2JFnFG5.bat" " |
| C:\Windows\SysWOW64\chcp.com | chcp 65001 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1076 -ip 1076 |
| C:\Windows\SysWOW64\PING.EXE | ping -n 10 localhost |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1076 -s 2232 |
| C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" |
| C:\Windows\SysWOW64\schtasks.exe | "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gTmNKyjtqE95.bat" " |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1316 -ip 1316 |
| C:\Windows\SysWOW64\chcp.com | chcp 65001 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 1660 |
| C:\Windows\SysWOW64\PING.EXE | ping -n 10 localhost |
| C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" |
| C:\Windows\SysWOW64\schtasks.exe | "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oZNC3xlsr8aE.bat" " |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4672 -ip 4672 |
| C:\Windows\SysWOW64\chcp.com | chcp 65001 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4672 -s 1656 |
| C:\Windows\SysWOW64\PING.EXE | ping -n 10 localhost |
| C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" |
| C:\Windows\SysWOW64\schtasks.exe | "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\W1NxpLyUDbI2.bat" " |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4552 -ip 4552 |
| C:\Windows\SysWOW64\chcp.com | chcp 65001 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 1112 |
| C:\Windows\SysWOW64\PING.EXE | ping -n 10 localhost |
| C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" |
| C:\Windows\SysWOW64\schtasks.exe | "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2vogSI54Kh2C.bat" " |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4692 -ip 4692 |
| C:\Windows\SysWOW64\chcp.com | chcp 65001 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4692 -s 2256 |
| C:\Windows\SysWOW64\PING.EXE | ping -n 10 localhost |
| C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" |
| C:\Windows\SysWOW64\schtasks.exe | "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WK4aK3aZkptS.bat" " |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3124 -ip 3124 |
| C:\Windows\SysWOW64\chcp.com | chcp 65001 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 952 |
| C:\Windows\SysWOW64\PING.EXE | ping -n 10 localhost |
| C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" |
| C:\Windows\SysWOW64\schtasks.exe | "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vemGXra0EGNF.bat" " |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3028 -ip 3028 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3028 -s 1100 |
| C:\Windows\SysWOW64\chcp.com | chcp 65001 |
| C:\Windows\SysWOW64\PING.EXE | ping -n 10 localhost |
| C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
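The process list and the Network table together show the behaviour worth a detection rule: a logon task created with schtasks at the highest run level pointing into AppData\Roaming\SubDir, a batch file in the user's Temp directory that runs chcp 65001, sleeps with ping -n 10 localhost and relaunches Client.exe, and DNS lookups for public IP-reporting services (ip-api.com, freegeoip.net, api.ipify.org). The Python below is an added detection example written for this report; it is not part of the sandbox output or of Quasar. The event lists are constructed from the command lines and domains above, the rule names are hypothetical, and the path allowlist is an assumption about what a standard user can write to.

```python
"""Detection logic for the behaviour in this report: schtasks logon task,
batch file run from Temp, ping-based sleep, relaunch of Client.exe, and
external-IP lookups. Added example; not part of the sandbox output."""
import re
from dataclasses import dataclass

# Assumed set of directories a standard user can write to. A logon task that
# runs with /rl HIGHEST from one of these is the persistence tell seen here.
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|Users\\Public|ProgramData)\\", re.I)

# Public "what is my IP" services the sample resolved (from the Network table).
IP_LOOKUP_SERVICES = {"ip-api.com", "freegeoip.net", "api.ipify.org"}

# Constructed sample events: one Client.exe restart cycle and the DNS names,
# copied from the report. Each process event is (image name, command line).
PROCESS_EVENTS = [
    ("schtasks.exe", r'"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON '
                     r'/tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f'),
    ("cmd.exe", r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZHadx2JFnFG5.bat" "'),
    ("chcp.com", "chcp 65001"),
    ("PING.EXE", "ping -n 10 localhost"),
    ("Client.exe", r'"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"'),
    ("WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -u -p 1076 -s 2232"),
]
DNS_QUERIES = ["ip-api.com", "8.8.8.8.in-addr.arpa", "freegeoip.net", "api.ipify.org"]


@dataclass
class Finding:
    rule: str       # hypothetical rule name
    evidence: str   # the path, domain or command line that triggered it


def check_schtasks(cmdline):
    """schtasks /create with /sc ONLOGON and /rl HIGHEST whose /tr target
    lives in a user-writable directory."""
    if not re.search(r"/create\b", cmdline, re.I):
        return None
    target = re.search(r'/tr\s+(?:"([^"]+)"|(\S+))', cmdline, re.I)
    if not target:
        return None
    path = target.group(1) or target.group(2)
    onlogon = re.search(r"/sc\s+onlogon\b", cmdline, re.I)
    highest = re.search(r"/rl\s+highest\b", cmdline, re.I)
    if onlogon and highest and USER_WRITABLE.search(path):
        return Finding("persistence.schtasks_onlogon_highest", path)
    return None


def check_temp_batch(cmdline):
    """cmd /c running a .bat dropped in the user's Temp directory."""
    m = re.search(r'/c\s+"*([^"]+?\.bat)\b', cmdline, re.I)
    if m and re.search(r"\\AppData\\Local\\Temp\\", m.group(1), re.I):
        return Finding("execution.batch_from_temp", m.group(1))
    return None


def is_ping_sleep(cmdline):
    """ping -n N against localhost is the batch file's stand-in for sleep
    (roughly N-1 seconds); a count of 1 is an ordinary ping."""
    m = re.fullmatch(r'\s*"?(?:.*\\)?ping(?:\.exe)?"?\s+-n\s+(\d+)\s+'
                     r'(?:localhost|127\.0\.0\.1|::1)\s*', cmdline, re.I)
    return bool(m) and int(m.group(1)) > 1


def detect_restart_chain(events):
    """The restart batch as a sequence: chcp 65001, then a ping sleep, then an
    .exe launched from a user-writable path. Unrelated events in between
    (WerFault in this report) are tolerated."""
    saw_chcp = saw_sleep = False
    for _image, cmdline in events:
        if re.search(r"\bchcp(?:\.com)?\s+65001\b", cmdline, re.I):
            saw_chcp = True
        elif saw_chcp and is_ping_sleep(cmdline):
            saw_sleep = True
        elif (saw_sleep and re.fullmatch(r'"?[a-z]:\\[^"]+\.exe"?', cmdline, re.I)
              and USER_WRITABLE.search(cmdline)):
            return Finding("quasar.restart_batch_chain", cmdline)
    return None


def check_dns(domain):
    """Resolution of a public IP-reporting service; reverse lookups and other
    names are ignored."""
    d = domain.lower().rstrip(".")
    if d in IP_LOOKUP_SERVICES:
        return Finding("discovery.external_ip_lookup", d)
    return None


def scan(process_events, dns_queries):
    """Run every check over the event lists and return the findings in order."""
    findings = []
    for _image, cmdline in process_events:
        for check in (check_schtasks, check_temp_batch):
            f = check(cmdline)
            if f:
                findings.append(f)
        if is_ping_sleep(cmdline):
            findings.append(Finding("evasion.ping_sleep", cmdline))
    chain = detect_restart_chain(process_events)
    if chain:
        findings.append(chain)
    for q in dns_queries:
        f = check_dns(q)
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in scan(PROCESS_EVENTS, DNS_QUERIES):
        print(f"{f.rule:40} {f.evidence}")
```

Each check is deliberately narrow: a logon task alone is common, and so is a ping to localhost, but the combination of a HIGHEST-level logon task into AppData, a batch file in Temp, a ping sleep followed by a relaunch from the same AppData path, and lookups of several IP-reporting domains within one run is the shape this report shows. Feed real process-creation and DNS telemetry into `scan` in the same (image, command line) and domain form.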
Files
memory/992-0-0x0000000074E3E000-0x0000000074E3F000-memory.dmp
memory/992-1-0x0000000000670000-0x00000000006DC000-memory.dmp
memory/992-2-0x0000000005670000-0x0000000005C16000-memory.dmp
memory/992-3-0x00000000051E0000-0x0000000005272000-memory.dmp
memory/992-4-0x0000000074E30000-0x00000000755E1000-memory.dmp
memory/992-5-0x0000000005280000-0x00000000052E6000-memory.dmp
memory/992-6-0x0000000005EC0000-0x0000000005ED2000-memory.dmp
memory/992-7-0x0000000074E3E000-0x0000000074E3F000-memory.dmp
memory/992-8-0x0000000074E30000-0x00000000755E1000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | 0c84b58a5322284269f3b86e648e1fc8 |
| SHA1 | 6776c3963a64a3ace4caaff164669364356f72aa |
| SHA256 | 47f06153275d1f01d1d7410eb5917aead5a79660be5da59bf51f31698343c357 |
| SHA512 | 02bc07552096f2b052e064ed2941cde5b70058066b614fa7374dbf7aa2177458a22d9746181b8f88e3468b252adf7e1aa1518ed9085ed78af5b736a02fa297d7 |
memory/1076-15-0x0000000074E30000-0x00000000755E1000-memory.dmp
memory/992-16-0x0000000074E30000-0x00000000755E1000-memory.dmp
memory/1076-17-0x0000000074E30000-0x00000000755E1000-memory.dmp
memory/1076-19-0x0000000006A70000-0x0000000006A7A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ZHadx2JFnFG5.bat
| MD5 | 720c364f9d60312455d83f023978769a |
| SHA1 | ebaab7b1d96bd0fd44e90e6f0e012c63f173c964 |
| SHA256 | 740a12b074f3d698107baea61c31df61251c5d765b9a3c2a1e00b8b4bdb9cf37 |
| SHA512 | ad37a7d72aca5e6d15dd87babd1878f99920171b4d70d9230c7ff660f5e038d3321576571ab1b399649e31ebf13872912fdd8137b65af1384d5c95edf6203281 |
memory/1076-24-0x0000000074E30000-0x00000000755E1000-memory.dmp
C:\Users\Admin\AppData\Roaming\Logs\06-14-2024
| MD5 | bd4ccc5e21a927221a28c4d2a3e8dd55 |
| SHA1 | 7adf3eaad74873e17ba3f0613ab64a7e630d73db |
| SHA256 | 38800732ed11b5b42112be3f5475c47bead0f5f2cf02d66fc677b932f867d20a |
| SHA512 | 5826b48bf380bdd4ee6ad206a2a5cfbcb8799c4f480132ece37e2b4db0eb13ead9a58b0359e2e943b8ff08665f002733f13caa67437bf7cce2e97c18ff51e431 |
C:\Users\Admin\AppData\Local\Temp\gTmNKyjtqE95.bat
| MD5 | 086f89dc9be0317172b65fa76e6548e8 |
| SHA1 | a499d7de7d54a23899530795b8c286b0fb2da80a |
| SHA256 | e302aa73a711e4d5d6f302b2b8f0cb19d5a28126f1b07832116b5594c864b324 |
| SHA512 | e1b99e6835c698468bf1f933c735c4e95b2f54f7d866b4d8b3a63815fef5ed954b66b6e7f59c9c8c9b97134e93459f443ffcb9ac91512738125ae4b57f72bdc3 |
C:\Users\Admin\AppData\Roaming\Logs\06-14-2024
| MD5 | 96cab3dd4de2409f67cb9862b538506a |
| SHA1 | 76dad1ced24c3c5aea7ac3b79c385936ff2c0649 |
| SHA256 | e5654c2ffdc6075da108828402e651ff73b3310437c211af7115333570dc4caa |
| SHA512 | dae44f0f5267546502ac0548965f44bc0611e28c7abdcf22bd1c2dbd1184ace17d23628b244c4608f93d5af24a2bcc953632be9ae2d697dfd3727e7230689944 |
C:\Users\Admin\AppData\Local\Temp\oZNC3xlsr8aE.bat
| MD5 | 23cf3ef23d9b89723a32ec0ce4225634 |
| SHA1 | f31b844a15ac3d61f4843125933d98b6d1363f15 |
| SHA256 | 145a2b8318239afccaf8c1543e84a14e533fda1bd81ede029a04cb134590b9b0 |
| SHA512 | 5186cb83700a464e668e5ee32040d54add97ed0c76ced5448aedb989fbb14366f9c6d3d60babc25dc2e0d596a819faacb816f5bf58ff14c8e164e769e026c87f |
C:\Users\Admin\AppData\Roaming\Logs\06-14-2024
| MD5 | 8fd0928a5995a10bfd64850edc12d91c |
| SHA1 | d141556eeb778c57472c14f84346e36a846e87b3 |
| SHA256 | 21395aa0c15a6c6cba2e16851c4579050dec4fd0ab512ce1fea5b34625c026e9 |
| SHA512 | 5a3cd176a9e7c5b9410cfc9cf1424a43cbde343a25d657babcbd3436e7f87657dd2e10a704f5437a37ed74925df13311d1706187f3fb1f72ce3d8654a5978a21 |
C:\Users\Admin\AppData\Local\Temp\W1NxpLyUDbI2.bat
| MD5 | 4970b41a7f2363a90933e085f05b8afa |
| SHA1 | 0e4afb0bcb1283cc23a9c8821db58b603b756cc7 |
| SHA256 | 114858ef125f9238b26e704b98f462d2854fccb55234ad68f1096c69fce034a7 |
| SHA512 | 69a880ec8e82ecd0c2c54533cc3116f7429960a62a630db01f2b780310eb5ded3886a7ba97242616f08ebb6e3bd69130787fccc302185aad004f3e15180fcda7 |
C:\Users\Admin\AppData\Roaming\Logs\06-14-2024
| MD5 | b40df084cc8b9a67af43f223e400c221 |
| SHA1 | e4c03c021c1b3bbc817327a9e60a64783995cafe |
| SHA256 | 48120c4fd3d7553a096d20b9158cc6aacc9f2b86a9ba61f6ff8127f27dce1a5b |
| SHA512 | b326eb6688b3184e2437e521e20ee01e6de0554d2bd86f2c9e842df4bceecaca3bd0cab5715cfdbc1d2af0d1ee182230c7cfa65ca0b47360669648eb30c3a0bb |
C:\Users\Admin\AppData\Local\Temp\2vogSI54Kh2C.bat
| MD5 | 87b739436ff0ec96a4336a36cf45365b |
| SHA1 | 21c1cd42ef58c8c3fb0fbae572718cebecdac55d |
| SHA256 | 11f3d80922a48ed540c6f259071d908719f7b3d5aede4ff5d793da77d8abfb72 |
| SHA512 | 81e5593fde68f495eb1ed52505070eeb155429a23d73a159e247c4e2dcdc04caae98a07356889e5b0907a19d7762ed558d9375b39964929689a576e1213a7eca |
C:\Users\Admin\AppData\Roaming\Logs\06-14-2024
| MD5 | bc06d84821f6b284e757402a9070f008 |
| SHA1 | 7f6201a8c8d139fdcecb0a0d78a2af0a5b9f1989 |
| SHA256 | 9138dacc36d78089fba63e650021b9ba43abdee8f371ee48241780e967acde2c |
| SHA512 | 40de6d6d3634b744e4fc006de7f6cd69bff23ce47af95a62392849818f8fdaf2ba8e4938e2b1f27d925fcea8ffadba6e1a8bc6b2749ae306bc4ef5858648bc07 |
C:\Users\Admin\AppData\Local\Temp\WK4aK3aZkptS.bat
| MD5 | 3083816ffa92516b5db81b16aca081b1 |
| SHA1 | b0f4324091d154b634a9fcde1a49060428cff1b0 |
| SHA256 | e6e71a5c3f0fdf8b32748f3b22c58bf303e6abe1f8b6b2b407ef0c3d61b8d0f1 |
| SHA512 | cd5f2df60aefb5e12dcba3c33f6df2b1f7c428c5c3229d99c7a21a4ce58c465b631e56015f3686fe82593356cea12a8a86628a59fb0c1b142d70608d11fc8700 |
C:\Users\Admin\AppData\Roaming\Logs\06-14-2024
| MD5 | f6af5d70d0646517c2fbd29bd42e6cc8 |
| SHA1 | 74b2cadee97ed04624110c2a78d5e5bb28d308b8 |
| SHA256 | f5b6c01e9520bee0c83dec262f2d826a970163b6c4bafcdfe93faaaf1fdb65a5 |
| SHA512 | e5943c2115022cf59f4e1482b4cb1fcdd44f11dab502a6f3694840625454bb8e93edd26896b4a16779f5e92609f0b2a82156f0b52f8aea87ccebb57b1816d818 |
C:\Users\Admin\AppData\Local\Temp\vemGXra0EGNF.bat
| MD5 | cc5552fc4e03181fd323bbce670f8092 |
| SHA1 | fd20de39413f46bf430d22f695bec69b5065e340 |
| SHA256 | 73c88f21594626c87e6219bfe5de4d327fa1d4f80d40d2e42027d2ca80940e63 |
| SHA512 | 3a1ef481e6fc662d515130c645f900a23519a7bbae294d9e303a83996fe93739c384a96749c298a415b3570c83a64f2f31824ead53f74ddd9a339c97d686808c |