Malware Analysis Report

2024-08-06 11:17

Sample ID 240614-x33hvswhkk
Target Client-built.exe
SHA256 e0d396037b18c874e161306d18d44dccf9fcd7f3b0bb054e354478eb93767701
Tags
quasar office04 spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e0d396037b18c874e161306d18d44dccf9fcd7f3b0bb054e354478eb93767701

Threat Level: Known bad

The file Client-built.exe was found to be: Known bad.

Malicious Activity Summary

quasar office04 spyware trojan

Quasar payload

Quasar family

Quasar RAT

Checks computer location settings

Unsigned PE

Enumerates physical storage devices

Runs ping.exe

Suspicious use of FindShellTrayWindow

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-14 19:23

Signatures

Quasar family

quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 19:23

Reported

2024-06-14 19:26

Platform

win7-20240611-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1760 wrote to memory of 2760 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\system32\cmd.exe
PID 1760 wrote to memory of 2760 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\system32\cmd.exe
PID 1760 wrote to memory of 2760 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\system32\cmd.exe
PID 2760 wrote to memory of 2964 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2760 wrote to memory of 2964 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2760 wrote to memory of 2964 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2760 wrote to memory of 2724 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 2760 wrote to memory of 2724 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 2760 wrote to memory of 2724 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 2760 wrote to memory of 2728 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\Client-built.exe
PID 2760 wrote to memory of 2728 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\Client-built.exe
PID 2760 wrote to memory of 2728 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\Client-built.exe
PID 2728 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\system32\cmd.exe
PID 2728 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\system32\cmd.exe
PID 2728 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\system32\cmd.exe
PID 2680 wrote to memory of 2588 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2680 wrote to memory of 2588 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2680 wrote to memory of 2588 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2680 wrote to memory of 2612 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 2680 wrote to memory of 2612 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 2680 wrote to memory of 2612 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 2680 wrote to memory of 3052 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\Client-built.exe
PID 2680 wrote to memory of 3052 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\Client-built.exe
PID 2680 wrote to memory of 3052 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\Client-built.exe
PID 3052 wrote to memory of 1832 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\system32\cmd.exe
PID 3052 wrote to memory of 1832 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\system32\cmd.exe
PID 3052 wrote to memory of 1832 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\system32\cmd.exe
PID 1832 wrote to memory of 1740 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 1832 wrote to memory of 1740 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 1832 wrote to memory of 1740 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 1832 wrote to memory of 1652 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 1832 wrote to memory of 1652 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 1832 wrote to memory of 1652 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 1832 wrote to memory of 2844 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\Client-built.exe
PID 1832 wrote to memory of 2844 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\Client-built.exe
PID 1832 wrote to memory of 2844 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\Client-built.exe
PID 2844 wrote to memory of 2364 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\system32\cmd.exe
PID 2844 wrote to memory of 2364 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\system32\cmd.exe
PID 2844 wrote to memory of 2364 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\system32\cmd.exe
PID 2364 wrote to memory of 2456 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2364 wrote to memory of 2456 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2364 wrote to memory of 2456 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2364 wrote to memory of 2328 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 2364 wrote to memory of 2328 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 2364 wrote to memory of 2328 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 2364 wrote to memory of 1176 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\Client-built.exe
PID 2364 wrote to memory of 1176 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\Client-built.exe
PID 2364 wrote to memory of 1176 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\Client-built.exe
PID 1176 wrote to memory of 2392 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\system32\cmd.exe
PID 1176 wrote to memory of 2392 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\system32\cmd.exe
PID 1176 wrote to memory of 2392 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\system32\cmd.exe
PID 2392 wrote to memory of 944 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2392 wrote to memory of 944 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2392 wrote to memory of 944 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2392 wrote to memory of 388 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 2392 wrote to memory of 388 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 2392 wrote to memory of 388 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 2392 wrote to memory of 572 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\Client-built.exe
PID 2392 wrote to memory of 572 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\Client-built.exe
PID 2392 wrote to memory of 572 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\Client-built.exe
PID 572 wrote to memory of 2372 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\system32\cmd.exe
PID 572 wrote to memory of 2372 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\system32\cmd.exe
PID 572 wrote to memory of 2372 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\system32\cmd.exe
PID 2372 wrote to memory of 1136 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com

Processes

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OZVwmN1Joji8.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RHTvNlj6FUwz.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OBu7820FjLdV.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SHs0tDupG63E.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OLWbNoQzP9fC.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ePjVjzwbYPp4.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\eE0SL6XTArGB.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\0fVonmcyZluL.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\9DbEIx56QBuJ.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IlC9QLTiFq52.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tLy0dYmR1tAU.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ksKzNdlNLtbK.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ytRxinlHm1T8.bat" "

C:\Windows\system32\chcp.com

chcp 65001

Network

N/A

Files

memory/1760-0-0x000007FEF5CB3000-0x000007FEF5CB4000-memory.dmp

memory/1760-1-0x00000000013D0000-0x00000000016F4000-memory.dmp

memory/1760-2-0x000007FEF5CB0000-0x000007FEF669C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\OZVwmN1Joji8.bat

MD5 0f8c2e7c92dc788d691ff92a774113be
SHA1 f8bc195cf88c40bee3e09674796eb18803af81e8
SHA256 6a996ffe815bb99a733b736d23a7a1278d1d1abd6d883a9f7603c8d15db656c9
SHA512 2c1a9a0b5c33176e1f8e61535edc323cb3392b2329b1db3a4513e9cfc95000ffcde90c4d0d2b0b2a029ed582c47f05c43eb32253edd491f73dc5b0e52f1694ff

memory/1760-12-0x000007FEF5CB0000-0x000007FEF669C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RHTvNlj6FUwz.bat

MD5 374ff12ed86d493855b489427e08569d
SHA1 2ea3e5ae14771096ce0a5bb968c50fd3bba34c0e
SHA256 605e75f0579d6d4f36cad84f883190fa35cd585652df9df43e714155d7224250
SHA512 1deca42fef7165083e5df29003b3d8922594d57fcd56ffdd2b7f369c63bb2460fd282d86e9758e0095c79af37b9ac0d99d242050a997bedf1adc2dfb2f0fc918

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\OBu7820FjLdV.bat

MD5 4d7c876df0af7e435366ee0f3dbac22c
SHA1 5adfcb4868c0a3d526213495552ff43e1539a577
SHA256 c428f9f4a24d445c7293da71882fe90535734890ca40890c91b1b8c82b72275e
SHA512 96bfeef74efc75cac08d152b2a20f85d1d6f4f7c5aae881d5d4b565113bbe09b926c6393dff44cb86571729d099107ce30c732b04c095e60d71c2a4b81d916dd

memory/2844-32-0x0000000000160000-0x0000000000484000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SHs0tDupG63E.bat

MD5 dfa06c9d38e236873fec42b3394146cc
SHA1 0685d7169975a60d6cd497a2b043b5fadfa6b08f
SHA256 5b734b9e25d124833a33cb625555824ef34aa44b0c02e3164147ae2fe6e904c4
SHA512 b9d288fbb01871e3f4200f0158bf934dcc7374b058f5d564b74aa2ba8a4727747db89d26506ff955ebf6bed3e2d51e272d4cd6127b5f1102eb36933d346c8da4

memory/1176-42-0x0000000000970000-0x0000000000C94000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\OLWbNoQzP9fC.bat

MD5 4baca61c43d058cd42b5d012bbe50865
SHA1 97b7c5c514be2a8f6ba275f75901a3b6d7da9eb8
SHA256 cc9eb41072cb3721fcf4196075e2c7e186cd2554e486322edbeb25de5e32f0da
SHA512 0c57d4d87898c0d08f9c6620ec2a4abca9f75a0c33f54f0d2f1f5946702ce2112db47e3d75a627b10518a5457572191eb3d88e557bafa7851c5d856901c0fdde

memory/572-52-0x00000000001A0000-0x00000000004C4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ePjVjzwbYPp4.bat

MD5 9bb6803c737e211175219866374312fe
SHA1 d24595897187b1617d545d54944439fc48985ce5
SHA256 81fb0a72de7bc6f451548418093706f82be0c912d35d757313051351e303dec0
SHA512 745a2ab8788eab6909824907a075d75576b4140b2c0a44dcf4d8725ffb30c963805f2eb7f55391737f3dd770881699cef090a10ef474f75ce800dd8a0fcc2b6f

memory/304-63-0x0000000000150000-0x0000000000474000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eE0SL6XTArGB.bat

MD5 8873f250cf272dc50b6b8b180d15a9c6
SHA1 16d28ec2f6d125fa1c1cf825e88ca145e51c5258
SHA256 68a8a9f5453fdaf89cc6e0957abb49114b95fc0314f361eb7827241d54c936ba
SHA512 1fae7fbc5c9a597bceccf8633ae338f0f70676d51ab5d7da17513212bd90cac2123a5c6b5d649a24adf5c117e53135c61ea027b7f3bf670c48ed2736f06c6d9e

memory/1928-73-0x0000000000B20000-0x0000000000E44000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0fVonmcyZluL.bat

MD5 83c078b9bf33a88089ef8cf0a63bb302
SHA1 c8a3cede4cda55919e16a36b02d5bcb8180537b9
SHA256 6d5fb9be38034d5b3a2f029872038f99474c8fce46484a616a1c7c835e43a3a5
SHA512 ac183709c9ee63b8dad814cce139d30c784503f6907fa97f2cd4a121ae6c2bd5ce39280b0b1860a541b72b6497d9d288b0731c7d30b1adeae37023ee05117916

memory/1468-83-0x0000000001390000-0x00000000016B4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9DbEIx56QBuJ.bat

MD5 f0d339fa7f4ac05ddac0d48751101d0e
SHA1 7816487cd024359790ba3a0ee9f46456d874d768
SHA256 35db461607b685bca4acef81bc4621fd2798d79214675ff98da1803b6c1420fa
SHA512 8034be5a0479c49c433e9568b4ac3a0599ce9256ccb69f1a53d7dba80649b5fa12a1bd70feec5fa50e1e9405d268fe7d7a6817122174ff28cda32d0607c5c2d9

C:\Users\Admin\AppData\Local\Temp\IlC9QLTiFq52.bat

MD5 2130632011bb22b0caeb7d88042b9086
SHA1 f3187ed255d20022aa3891e34903d569ea2c4825
SHA256 28de8ee58ada4563560cbaf951d4104ed60d85a351250cbd083afb8fef6e2611
SHA512 f85f1ebfba368042af68e004ffca2dc4cf6689e0894c3935193953b5d0d1a67a05df7858a69ddef502b7f39b0777a1ffc07417533eec3d06be265003c1c68c7b

memory/2700-101-0x00000000000D0000-0x00000000003F4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tLy0dYmR1tAU.bat

MD5 607bd98e4e91551b40843d3c8e524ba9
SHA1 8db5f39aeb442799b0d93441d906316ca6613e7b
SHA256 4e73f95b6f6a09a31ae4f722a04b45b49235e30cc005073c4dd5292852755c5d
SHA512 ebd8122b29eefd290d4868ef964c13bd0b9f2c2391c12cd2e57de830ef82b3db93050e716979608bf637a59492de8dcdb30fd1169f7a410385d7b476214beb58

memory/2396-111-0x0000000000360000-0x0000000000684000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ksKzNdlNLtbK.bat

MD5 17333ecdfed3d12e13619173394c219b
SHA1 f26ac7e6d9d923a7cb5b9b5ccf94ee261af68252
SHA256 2f7ff8c9461b165bb40fd4e33219756bab233667df2e5aa82393be16a19c61d2
SHA512 b1a0db20b4b2bfde8a799fa070fc46aec423d9b99715c002e8633600951cd0c2c43dd836738d5e8a520b76bd3a5b03e78befd90c0ffe31056928c5ad641c4395

memory/2940-122-0x0000000000B40000-0x0000000000E64000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ytRxinlHm1T8.bat

MD5 88d704ac9b9d8043830eca1359f1d35b
SHA1 59aaed9fbcfc328138c5e4d7ba0cef3401ba0b7c
SHA256 1f14073eead70e4cabfd7fe78e371a70b38cb9e6b5c28928b28270fd7e3839cc
SHA512 c2be18143c0044306c43933af02998e342ecd71cdb336447877f0d188cf8d36bb5c55db5a791ef01659ce754d3a4f156d17d5c77ab5d7b9eab4b18d86ec725b4

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 19:23

Reported

2024-06-14 19:26

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A

Enumerates physical storage devices

Suspicious behavior: LoadsDriver

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3836 wrote to memory of 3372 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\system32\cmd.exe
PID 3836 wrote to memory of 3372 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\system32\cmd.exe
PID 3372 wrote to memory of 668 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 3372 wrote to memory of 668 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 3372 wrote to memory of 1480 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 3372 wrote to memory of 1480 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 3372 wrote to memory of 2132 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\Client-built.exe
PID 3372 wrote to memory of 2132 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\Client-built.exe
PID 2132 wrote to memory of 4948 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\system32\cmd.exe
PID 2132 wrote to memory of 4948 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\system32\cmd.exe
PID 4948 wrote to memory of 4120 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 4948 wrote to memory of 4120 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 4948 wrote to memory of 1740 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 4948 wrote to memory of 1740 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 4948 wrote to memory of 1640 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\Client-built.exe
PID 4948 wrote to memory of 1640 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\Client-built.exe
PID 1640 wrote to memory of 824 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\system32\cmd.exe
PID 1640 wrote to memory of 824 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\system32\cmd.exe
PID 824 wrote to memory of 2676 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 824 wrote to memory of 2676 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 824 wrote to memory of 4624 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 824 wrote to memory of 4624 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 824 wrote to memory of 4500 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\Client-built.exe
PID 824 wrote to memory of 4500 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\Client-built.exe
PID 4500 wrote to memory of 2612 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\system32\cmd.exe
PID 4500 wrote to memory of 2612 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\system32\cmd.exe
PID 2612 wrote to memory of 2780 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2612 wrote to memory of 2780 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2612 wrote to memory of 764 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 2612 wrote to memory of 764 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 2612 wrote to memory of 424 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\Client-built.exe
PID 2612 wrote to memory of 424 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\Client-built.exe
PID 424 wrote to memory of 4968 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\system32\cmd.exe
PID 424 wrote to memory of 4968 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\system32\cmd.exe
PID 4968 wrote to memory of 4636 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 4968 wrote to memory of 4636 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 4968 wrote to memory of 4092 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 4968 wrote to memory of 4092 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 4968 wrote to memory of 2348 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\Client-built.exe
PID 4968 wrote to memory of 2348 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\Client-built.exe
PID 2348 wrote to memory of 2140 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\system32\cmd.exe
PID 2348 wrote to memory of 2140 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\system32\cmd.exe
PID 2140 wrote to memory of 812 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2140 wrote to memory of 812 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2140 wrote to memory of 2172 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 2140 wrote to memory of 2172 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 2140 wrote to memory of 2312 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\Client-built.exe
PID 2140 wrote to memory of 2312 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\Client-built.exe
PID 2312 wrote to memory of 4560 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\system32\cmd.exe
PID 2312 wrote to memory of 4560 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\system32\cmd.exe
PID 4560 wrote to memory of 1740 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 4560 wrote to memory of 1740 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 4560 wrote to memory of 1984 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 4560 wrote to memory of 1984 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 4560 wrote to memory of 3092 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\Client-built.exe
PID 4560 wrote to memory of 3092 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\Client-built.exe
PID 3092 wrote to memory of 2224 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\system32\cmd.exe
PID 3092 wrote to memory of 2224 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\system32\cmd.exe
PID 2224 wrote to memory of 672 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2224 wrote to memory of 672 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2224 wrote to memory of 3172 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 2224 wrote to memory of 3172 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 2224 wrote to memory of 388 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\Client-built.exe
PID 2224 wrote to memory of 388 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\Client-built.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\goX4DUX5aZ3X.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WbGJ3xuXNy9p.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0Vcnelkl1Jlu.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nHPUFYzqUVic.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MTkwEuaF6RS8.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wTqZ2HZBuNaw.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\khHfP2DQD2Ks.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CI1qJJj7GPWI.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yTLgMfXuXgWy.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hqhQkCy2bxun.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\c25vWIWUOinL.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VQgSkGbAhPZN.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PJbxthZlVFth.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\58Zy6v9JQbFQ.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\97UUUUBZsabk.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

Network

Country Destination Domain Proto
US 52.111.227.11:443 N/A tcp

Files

memory/3836-0-0x00007FFBF7F63000-0x00007FFBF7F65000-memory.dmp

memory/3836-1-0x00000000003A0000-0x00000000006C4000-memory.dmp

memory/3836-2-0x00007FFBF7F60000-0x00007FFBF8A21000-memory.dmp

memory/3836-3-0x000000001BBC0000-0x000000001BC10000-memory.dmp

memory/3836-4-0x000000001BCD0000-0x000000001BD82000-memory.dmp

memory/3836-9-0x00007FFBF7F60000-0x00007FFBF8A21000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\goX4DUX5aZ3X.bat

MD5 4ce3a96bb05fe7c19b27da097d99fc6f
SHA1 5d20d646783950fb86947f0ef883f24fcc5eb39e
SHA256 13d9074a23e46dc21e4405c948a82bbf77ad5a2b4456a89ab2f31165e4721317
SHA512 9d1863f5a078468d558f783265368aeb4f15e3823ccc7dcd5209ffc40398a01d1e58321346981a81d4c6c53862aaa2261a970159d440c2c2d82bc781643f47ee

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client-built.exe.log

MD5 8f0271a63446aef01cf2bfc7b7c7976b
SHA1 b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7
SHA256 da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c
SHA512 78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

memory/2132-12-0x00007FFBF7E80000-0x00007FFBF8941000-memory.dmp

memory/2132-13-0x00007FFBF7E80000-0x00007FFBF8941000-memory.dmp

memory/2132-17-0x00007FFBF7E80000-0x00007FFBF8941000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WbGJ3xuXNy9p.bat

MD5 492aab2b28a36c9057e1101b1489790e
SHA1 34c7a579f9948e01042bad719873d0c5045c3160
SHA256 8482aa485c89393c3818665fb3e6cfa91283ddd1096a4a67d9584664775a633a
SHA512 447225e2418f225fbc3df723eab0fdbbc95f94fed0868c4be714570280ebe9da79425364c7688bf6e9fa4b718ecd05aba0c863e7540a7e9318a6386e73b2b5df

C:\Users\Admin\AppData\Local\Temp\0Vcnelkl1Jlu.bat

MD5 6995cd1adeb2bf5809b15649b5e6ae7f
SHA1 8e3952edd24a7944e0e502023a4d7b9da9c8b6a7
SHA256 998d224a561bffc13835e19e5c8027ed91ab84f5c8ea97cec8869863ee3d3dfb
SHA512 82c9092c1e62dec4fc6028d32c265ba82675a88d981cf263b4781608b106427bad8a15a24e460e313d8b2c7f4b9022c90865ccc4a56b7f32b1542c13bd5225f9

C:\Users\Admin\AppData\Local\Temp\nHPUFYzqUVic.bat

MD5 234894774345ee8a2848d2486b45147f
SHA1 45fe9d47df1b632131ef5ab0868ddaa15bb75847
SHA256 15bdd949eee8dbb73aaf8899cfc729c31ecf85910b1b4e8f125c1a5454c2ec3b
SHA512 aab6dfb966c32bc8249e2ab730c0ef53d9eecf314a026323848be7a5103c7cfe1f847c74cc4bf68c631884d1de0354f7ace647667c1aee63d2ebd59b31cfdd79

C:\Users\Admin\AppData\Local\Temp\MTkwEuaF6RS8.bat

MD5 b6ef5475788304f36dfd5b75960ccffd
SHA1 a77ac378e3728e63522800f0b7652c0080633f53
SHA256 b0bdef4e4404109fb6b6dc822ba0fe7beaac29a1ec23e08e8c35db5a4c261faa
SHA512 2e03fe50aba3aa173d3516073364d7484b1dcec21a3eaa20bf4a60035c93aaf00b1d072b81a97aa4765b73c40ee12c9209967c22d0ea1195f6ce0a2e14cdafa6

C:\Users\Admin\AppData\Local\Temp\wTqZ2HZBuNaw.bat

MD5 2873f526fe649c9e5ea604e8f1a4f7be
SHA1 bd868203dbdeca98af653e33340b34c0ba68f37a
SHA256 89da9677c1292a5334717039bfde80020b44a222d0253560cdfcbfcae0516715
SHA512 b9b7d48b437907ae056d27a48edca2485c961fd41abb81426310ab34beeebada637620442f10c728d847bdd1485ffae8666cf33b6d41014ebc8905ffc7a9c6ac

C:\Users\Admin\AppData\Local\Temp\khHfP2DQD2Ks.bat

MD5 25bd6bad180faef1f124e058715366e9
SHA1 67e415068c648ba0a020f0645dd56bb805516d32
SHA256 95145d6b76616abbaa0ccfbc30627b2b540ef6415ce0432e57a2dbc8939a5bce
SHA512 c9035f4c55a6ed8d8d4a305489589de003eaf4d683d680cd991a5e5409d6985ce75449b9d18a66a8fbe409bc08c219be9c8f982923b29acfd544cf61bf927063

C:\Users\Admin\AppData\Local\Temp\CI1qJJj7GPWI.bat

MD5 71f192f55a76bba7e72dc0ce5a31e0ce
SHA1 e82fd17d4b3fd490a8440155be340815e1c96ef4
SHA256 a165ba933384525394ed8a70f61811735987b74ac3aa29f3c6ae41ae9162c4b6
SHA512 d5abca824f0aa267e10b7c09755cdf8401755fc2b18fcecf83150304626be2f1d81756d30c13a38a583dd3ffe6f42271202f887ef8c24973a9deca8a16ab93a0

C:\Users\Admin\AppData\Local\Temp\yTLgMfXuXgWy.bat

MD5 55ff78fc99ddbf823dc4c538fd4faa34
SHA1 207a741ccb1a7af93f8322776f584317b7811da9
SHA256 91afa1027a08b69954f6e6627eb4f4d6497a1d252430d82aeb5c98419a784120
SHA512 72903278a72a6b0affcb6443b26989aa1bcdb6092da1d1e56c5323722719798b5e8e3205baf433252cd3406603da2c658ebafacce8b4cbf7d33ff4b801021e98

C:\Users\Admin\AppData\Local\Temp\hqhQkCy2bxun.bat

MD5 88aea3b849b26cd95737fdcc50c5c09f
SHA1 f454d49bb02b9414dc01cb145d3696fe69f178ed
SHA256 561151c9d2d13a36783d0f8051f469ab18ff5eba1a476f9be4ecd110a866606d
SHA512 126fe55352fcd9fcc81d2234006d050b819f27e572639d9e0c2e90eb0dc59392b6f9d5f563e8b1a23ba536ffec7480e04c3e062978aba5d432e9be15bb5af41b

C:\Users\Admin\AppData\Local\Temp\c25vWIWUOinL.bat

MD5 4bb906fff1db35cd215e41018abe2a14
SHA1 80c7ffc4ad00f64fd034d044c51d678fb5331ce7
SHA256 24eac50d66f2a8eb8df949522f74872172f5ae7beb5bd6e1bbe0edf0e9e5bbee
SHA512 847f4b27c93077fbc6751be4de00f960d2bcb9e1c575a6fef5566174d5a75761e8f1a0be0ae45b07425e67fd26d770c527c399a8651815d620449156f6e5d5c2

C:\Users\Admin\AppData\Local\Temp\VQgSkGbAhPZN.bat

MD5 260673c7e22c0e1b5132aaa1b3d3a81b
SHA1 b67e39566136d98c0d3b7b852b4195ec25d9fe19
SHA256 1bdc539aaaa29eb27ba9a6fc918f6fdbf6d975d2e6bc59e6e3a4f2e799ef02bb
SHA512 312c24dac24ede58d8866ac3a6e2ec437799e5cea69a07ed54666782267a3a919bf7981aa0cfb06936ea6c70fe98f4a925b2bca027d1d56c1b78f9593f6bf572

C:\Users\Admin\AppData\Local\Temp\PJbxthZlVFth.bat

MD5 cd32402417fb1452c48b010d3b0ed98b
SHA1 fbbdb63398ed0f77cd4450925463d2f71c3936ac
SHA256 e66240f30c95a367cf504c1ee28828d4dca5cdc0b3fc129b0ed8a0bf3650551f
SHA512 aa4034960ec6612798a34d7d0ee6d7e5458f4d5bc6b07af2a3d629b5ad0b2fe7de334223e553bbe9946b8e781279a1d928d0a3604a16ba88e334b95e47cb8a54

C:\Users\Admin\AppData\Local\Temp\58Zy6v9JQbFQ.bat

MD5 0858f03a915914e5a89c21514551358f
SHA1 97c530e88526f068da931904f22779f9e55e7493
SHA256 514b32662bd52ea3782912b92ccb2af402cb5132157b9d6756d9c7790f33bd6a
SHA512 2d008b3bf3007a30dc2a7cbfdfb8e607246aafc97ab0c0ca816fcff84f87f8aff38ecdc55ab47614bcee7bf2868314293b15845c5a7cb376ef0aadb2478ce8b7

C:\Users\Admin\AppData\Local\Temp\97UUUUBZsabk.bat

MD5 1b599516d6e7c5d616c065495216026b
SHA1 fbc4a3cc127923bfb12ccbfde6f396afaf5a64b4
SHA256 dc5f056ea773315a101090c85f3dde2e928569cdd4631a89cc39f77bf94bc070
SHA512 3b0a03a87105794da27b21494db55ae11db59e3c2f916e0298f13ad2398781b09fff485782fcf6e0277519b7db5b96cbdb6f3d773c584af90e60e31fe389257d