Malware Analysis Report

2024-10-19 06:32

Sample ID 240628-3za74awalg
Target Neo.exe
SHA256 cdd44caceb600c73a01b95c572142a59a35a23b1fb8e8e70cf920140366d3d09
Tags slave quasar spyware trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256

cdd44caceb600c73a01b95c572142a59a35a23b1fb8e8e70cf920140366d3d09

Threat Level: Known bad

The file Neo.exe was found to be: Known bad.

Malicious Activity Summary

slave quasar spyware trojan

Quasar RAT

Quasar family

Quasar payload

Looks up external IP address via web service

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Runs ping.exe

Analysis: static1

Detonation Overview

Reported

2024-06-28 23:56

Signatures

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-28 23:56

Reported

2024-06-28 23:59

Platform

win10-20240611-en

Max time kernel

147s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Neo.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Neo.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Neo.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Neo.exe

"C:\Users\Admin\AppData\Local\Temp\Neo.exe"

Network

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-28 23:56

Reported

2024-06-28 23:59

Platform

win10v2004-20240611-en

Max time kernel

145s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Neo.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Neo.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Neo.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Neo.exe

"C:\Users\Admin\AppData\Local\Temp\Neo.exe"

Network

Files

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-28 23:56

Reported

2024-06-28 23:59

Platform

win11-20240508-en

Max time kernel

147s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Neo.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A
N/A api.ipify.org N/A N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Neo.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4404 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\Neo.exe C:\Windows\SysWOW64\cmd.exe
PID 2308 wrote to memory of 1692 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2308 wrote to memory of 568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2308 wrote to memory of 2556 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\Neo.exe
PID 2556 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\Neo.exe C:\Windows\SysWOW64\cmd.exe
PID 3088 wrote to memory of 4048 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3088 wrote to memory of 4276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3088 wrote to memory of 3660 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\Neo.exe
PID 3660 wrote to memory of 480 N/A C:\Users\Admin\AppData\Local\Temp\Neo.exe C:\Windows\SysWOW64\cmd.exe
PID 480 wrote to memory of 3444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 480 wrote to memory of 2700 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 480 wrote to memory of 4480 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\Neo.exe
PID 4480 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\Neo.exe C:\Windows\SysWOW64\cmd.exe
PID 4928 wrote to memory of 2540 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4928 wrote to memory of 4896 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4928 wrote to memory of 420 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\Neo.exe
PID 420 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\Neo.exe C:\Windows\SysWOW64\cmd.exe
PID 2368 wrote to memory of 3560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2368 wrote to memory of 1668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2368 wrote to memory of 964 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\Neo.exe
PID 964 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\Neo.exe C:\Windows\SysWOW64\cmd.exe
PID 3640 wrote to memory of 856 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com

Processes

C:\Users\Admin\AppData\Local\Temp\Neo.exe

"C:\Users\Admin\AppData\Local\Temp\Neo.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\auqSeYGAeAWw.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4404 -ip 4404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 1764

C:\Users\Admin\AppData\Local\Temp\Neo.exe

"C:\Users\Admin\AppData\Local\Temp\Neo.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XTKZCmWdLsmp.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2556 -ip 2556

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2556 -s 2280

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Neo.exe

"C:\Users\Admin\AppData\Local\Temp\Neo.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0oqyBKgNL7xW.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3660 -ip 3660

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 2280

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Neo.exe

"C:\Users\Admin\AppData\Local\Temp\Neo.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1wEPOxth9gmu.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4480 -ip 4480

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 1740

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Neo.exe

"C:\Users\Admin\AppData\Local\Temp\Neo.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0ZS1qOVwGHhN.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 420 -ip 420

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 420 -s 2288

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Neo.exe

"C:\Users\Admin\AppData\Local\Temp\Neo.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IJScb3OD73vl.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 964 -ip 964

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 1732

C:\Users\Admin\AppData\Local\Temp\Neo.exe

"C:\Users\Admin\AppData\Local\Temp\Neo.exe"

Network

Files

C:\Users\Admin\AppData\Local\Temp\auqSeYGAeAWw.bat

C:\Users\Admin\AppData\Roaming\Logs\06-28-2024

C:\Users\Admin\AppData\Local\Temp\XTKZCmWdLsmp.bat

C:\Users\Admin\AppData\Local\Temp\0oqyBKgNL7xW.bat

C:\Users\Admin\AppData\Local\Temp\1wEPOxth9gmu.bat

C:\Users\Admin\AppData\Local\Temp\0ZS1qOVwGHhN.bat

C:\Users\Admin\AppData\Local\Temp\IJScb3OD73vl.bat