Malware Analysis Report

2024-08-06 11:24

Sample ID: 240616-ajq96a1cma
Target: Server.exe
SHA256: f5acec48afbdd2a4850462e4613ce91c983bc3a3498c69a306a4ca12ccd15de0
Tags: quasar stealer spyware trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: f5acec48afbdd2a4850462e4613ce91c983bc3a3498c69a306a4ca12ccd15de0

Threat Level: Known bad

The file Server.exe was found to be: Known bad.

Malicious Activity Summary

quasar stealer spyware trojan

Quasar family

Quasar payload

Quasar RAT

Executes dropped EXE

Checks computer location settings

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

Uses Task Scheduler COM API

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-16 00:14

Signatures

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 00:14

Reported

2024-06-16 00:17

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Server.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\WD\Runtime Broker.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\WD\Runtime Broker.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4708 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4708 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe C:\Users\Admin\AppData\Roaming\WD\Runtime Broker.exe
PID 1904 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Roaming\WD\Runtime Broker.exe C:\Windows\SYSTEM32\schtasks.exe
PID 1904 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Roaming\WD\Runtime Broker.exe C:\Windows\system32\cmd.exe
PID 1996 wrote to memory of 3444 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1996 wrote to memory of 1284 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 1996 wrote to memory of 3152 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\WD\Runtime Broker.exe
PID 3152 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Roaming\WD\Runtime Broker.exe C:\Windows\SYSTEM32\schtasks.exe
PID 3152 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Roaming\WD\Runtime Broker.exe C:\Windows\system32\cmd.exe
PID 3540 wrote to memory of 1844 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3540 wrote to memory of 4076 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 3540 wrote to memory of 1748 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\WD\Runtime Broker.exe
PID 1748 wrote to memory of 744 N/A C:\Users\Admin\AppData\Roaming\WD\Runtime Broker.exe C:\Windows\SYSTEM32\schtasks.exe
PID 1748 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Roaming\WD\Runtime Broker.exe C:\Windows\system32\cmd.exe
PID 4612 wrote to memory of 4360 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 4612 wrote to memory of 1236 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 4612 wrote to memory of 4320 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\WD\Runtime Broker.exe
PID 4320 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Roaming\WD\Runtime Broker.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4320 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Roaming\WD\Runtime Broker.exe C:\Windows\system32\cmd.exe
PID 1148 wrote to memory of 2352 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1148 wrote to memory of 2416 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 1148 wrote to memory of 1884 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\WD\Runtime Broker.exe
PID 1884 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Roaming\WD\Runtime Broker.exe C:\Windows\SYSTEM32\schtasks.exe
PID 1884 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Roaming\WD\Runtime Broker.exe C:\Windows\system32\cmd.exe
PID 4016 wrote to memory of 5108 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 4016 wrote to memory of 1900 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 4016 wrote to memory of 4420 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\WD\Runtime Broker.exe
PID 4420 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Roaming\WD\Runtime Broker.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4420 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Roaming\WD\Runtime Broker.exe C:\Windows\system32\cmd.exe
PID 1520 wrote to memory of 4520 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1520 wrote to memory of 3788 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 1520 wrote to memory of 1312 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\WD\Runtime Broker.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Server.exe

"C:\Users\Admin\AppData\Local\Temp\Server.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD\Runtime Broker.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\WD\Runtime Broker.exe

"C:\Users\Admin\AppData\Roaming\WD\Runtime Broker.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD\Runtime Broker.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZgOFYQGD7GdB.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\WD\Runtime Broker.exe

"C:\Users\Admin\AppData\Roaming\WD\Runtime Broker.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD\Runtime Broker.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kfpcDxRKldQs.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\WD\Runtime Broker.exe

"C:\Users\Admin\AppData\Roaming\WD\Runtime Broker.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD\Runtime Broker.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GhRi7bwmFfU8.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\WD\Runtime Broker.exe

"C:\Users\Admin\AppData\Roaming\WD\Runtime Broker.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD\Runtime Broker.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cZkjQhzBng59.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\WD\Runtime Broker.exe

"C:\Users\Admin\AppData\Roaming\WD\Runtime Broker.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD\Runtime Broker.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EtitBYxhwK9T.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\WD\Runtime Broker.exe

"C:\Users\Admin\AppData\Roaming\WD\Runtime Broker.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD\Runtime Broker.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gR2GQ7lkuif3.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\WD\Runtime Broker.exe

"C:\Users\Admin\AppData\Roaming\WD\Runtime Broker.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD\Runtime Broker.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BNJxgWdkIKCb.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\WD\Runtime Broker.exe

"C:\Users\Admin\AppData\Roaming\WD\Runtime Broker.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD\Runtime Broker.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jbr82g8PyY4s.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\WD\Runtime Broker.exe

"C:\Users\Admin\AppData\Roaming\WD\Runtime Broker.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD\Runtime Broker.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7BSb3BGgcHRX.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\WD\Runtime Broker.exe

"C:\Users\Admin\AppData\Roaming\WD\Runtime Broker.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD\Runtime Broker.exe" /rl HIGHEST /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 battery-stripes.gl.at.ply.gg udp

Files

memory/4708-0-0x00007FFE444A3000-0x00007FFE444A5000-memory.dmp

memory/4708-1-0x00000000000F0000-0x0000000000414000-memory.dmp

memory/4708-2-0x00007FFE444A0000-0x00007FFE44F61000-memory.dmp

C:\Users\Admin\AppData\Roaming\WD\Runtime Broker.exe

MD5 e45a6c438c6ab1538b44fc43a242a5d3
SHA1 00a85654779955ca989d1f2907ea1831b2511688
SHA256 f5acec48afbdd2a4850462e4613ce91c983bc3a3498c69a306a4ca12ccd15de0
SHA512 806783dfc96b3a97c11675236d31f10c6540668e6149ab158eea680b0f84248b7b25ba4f36b4790250459b87e2b0bc91d551b07a79e236c8a4356df4f3878a6f

memory/4708-9-0x00007FFE444A0000-0x00007FFE44F61000-memory.dmp

memory/1904-10-0x00007FFE444A0000-0x00007FFE44F61000-memory.dmp

memory/1904-11-0x00007FFE444A0000-0x00007FFE44F61000-memory.dmp

memory/1904-12-0x000000001BD20000-0x000000001BD70000-memory.dmp

memory/1904-13-0x000000001DE30000-0x000000001DEE2000-memory.dmp

memory/1904-18-0x00007FFE444A0000-0x00007FFE44F61000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ZgOFYQGD7GdB.bat

MD5 e362e02a46d232bf067abe83bb004692
SHA1 1e8f882b8a52ce4b84ecb5315cce3d5a2a48c9cd
SHA256 68a2772d6f906c19f769f7752c5ee67068989e538b81f53f57914266b0b334ec
SHA512 390b4a635ce3a6f524f84a38738ea8796ae1d189d469e7da9157a51e446e6fb4f758a16a70ae182ab7834825938af5752d7414d508b2a3c180e42d864ac7bed7

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Runtime Broker.exe.log

MD5 8f0271a63446aef01cf2bfc7b7c7976b
SHA1 b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7
SHA256 da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c
SHA512 78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

C:\Users\Admin\AppData\Local\Temp\kfpcDxRKldQs.bat

MD5 f89136d4aad1226fe28993364029bbfb
SHA1 02895d23e4c7a8b9874bd2aa4060f6cad5c3ca83
SHA256 cc2a1aab4b4f2cb3622a9d3e60268444f137c759e65bf74a8460eb0701430099
SHA512 b75fba159fbd7ccd82cad7a4a4b780498106704a39c99127e7b9d32d75b614cb1d31edb457593be3e34d75c7d93c53013028bb1ebe02c9888292f8d33a2912c0

C:\Users\Admin\AppData\Local\Temp\GhRi7bwmFfU8.bat

MD5 267675d28b8239ebe3916f20fe928af4
SHA1 c7a841b2c571f18764b3bf66053cb621b5d32028
SHA256 2906684caaf409a2e3d430e64a5df0783e78c643cebe6659ea3de3408d6246fe
SHA512 c0e83203230eff279caf469bf4514d5b20bff863a97e4f54e96071d670ad5d154d5fd177b4fe59daab05d3ce94c2ebb89f4f6f029f30df48f2cee483bd26b876

C:\Users\Admin\AppData\Local\Temp\cZkjQhzBng59.bat

MD5 32eec2c01df7647ba4481f04ffa3c692
SHA1 94a3d2c505b6e8de38b3fe074cd7bd6df9069a7e
SHA256 fe3a2b26f7e4186d9a44d94068dec885c72bbed20b46f60a3959ce960d5ab342
SHA512 8d1602f37f7be8d676469cc5b18690a2e69d95166f85ddf0cbc6a5cb31e195753a4f6e2043a1fbe7124f087e4718daa04c3eecaadc381c51ea3edb59104452cb

C:\Users\Admin\AppData\Local\Temp\EtitBYxhwK9T.bat

MD5 271e9a5e111f6c018795adc0163fa3b2
SHA1 aab2237c9594f88bdbb0c6d1cb341a29ef10ece0
SHA256 8bcbb9474c772162166bb857bb14f73f7021a328b1f970c738abbedb02955d27
SHA512 16ab8d948c8f6e2438a56207960e4af65dd412af7547a246a58cfb0cc91f29cbed5238ff7d28759b049fcea82228665913f9b60fe7366a18a98b9b7040d644fc

C:\Users\Admin\AppData\Local\Temp\gR2GQ7lkuif3.bat

MD5 11093a9844eec0f768d36d169026bd9a
SHA1 d48961fc1b0a01fc50e627718b18b2d1104431c3
SHA256 a99a81f7b5b614e188c2b8e006b4c5023fff1c169c31f9c6d20354dc01a100a7
SHA512 aac73a354acccdb44f6855a372da694a35fb5a75c0a452d93a2a5a1cbca064073f72bff9f3b2732188667c3f620856b34546d1e19e402bba6357adc7724dd48a

C:\Users\Admin\AppData\Local\Temp\BNJxgWdkIKCb.bat

MD5 9b212a9ec3cc29716fd6d65c6fc7ac54
SHA1 4344e177692679e9437bf8151a88fc04f2e197df
SHA256 45c1ea4ca877b059f60b7041c92d929de312e0e2160a55f903338e7b75105d23
SHA512 8ea6f2dfb6d1637edf0680b32b8c0066926a45f0e7ad8ed1c110af3b29af55c7573a184eccba5f56815ce0b3ed45efcfe568c48c802f7f90f1984dbd8e548509

C:\Users\Admin\AppData\Local\Temp\jbr82g8PyY4s.bat

MD5 b5f91028726b46ab45f426968cb98b6c
SHA1 6825a88eda3fc12f1f45008a96c47c61bbdae3b4
SHA256 da75a7b594037c8d42ff666ed2116e1db3c07911915b694dbebfb045d2375f38
SHA512 f1ece1d69a6f77edf91122d784ec21440f55bff9502092e376988e3cbbcb661d305236d992de89fd3175a4ad6e5d2cfed33f16bb0e10337d92c1efca6d3f20a3

C:\Users\Admin\AppData\Local\Temp\7BSb3BGgcHRX.bat

MD5 3f41dde0b4f76241e6c4b09ad729c186
SHA1 3224e2beda5a76cd0d6e12ffd8196102eb6e02fa
SHA256 602347b4ccd424cb20b544ccf393b82d9a2c658dc73ef9bbbd890e19005d5edc
SHA512 1385c5b34f151ea73169c89bd3f02c9e81790643df1252ab139326ecfd28e8934cc4186db98e08d2cc7efbd23bd7f7fca08de362c47a08d141b9d22b99f1c1be