Malware Analysis Report

2025-04-13 11:56

Sample ID 240819-b9762a1djr
Target 93fd2544b315e84b2fd26cca70b84cbdcff3e02cc01b83a7abac2f99d56b19d0.exe
SHA256 93fd2544b315e84b2fd26cca70b84cbdcff3e02cc01b83a7abac2f99d56b19d0
Tags
napalm quasar discovery spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

93fd2544b315e84b2fd26cca70b84cbdcff3e02cc01b83a7abac2f99d56b19d0

Threat Level: Known bad

The file 93fd2544b315e84b2fd26cca70b84cbdcff3e02cc01b83a7abac2f99d56b19d0.exe was found to be: Known bad.

Malicious Activity Summary

napalm quasar discovery spyware trojan

Quasar family

Quasar RAT

Quasar payload

Executes dropped EXE

Checks computer location settings

Unsigned PE

System Network Configuration Discovery: Internet Connection Discovery

Enumerates physical storage devices

Uses Task Scheduler COM API

Suspicious use of SetWindowsHookEx

Runs ping.exe

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-19 01:51

Signatures

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-19 01:51

Reported

2024-08-19 01:54

Platform

win7-20240704-en

Max time kernel

145s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\93fd2544b315e84b2fd26cca70b84cbdcff3e02cc01b83a7abac2f99d56b19d0.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Network Configuration Discovery: Internet Connection Discovery

discovery

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2716 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\93fd2544b315e84b2fd26cca70b84cbdcff3e02cc01b83a7abac2f99d56b19d0.exe C:\Windows\system32\schtasks.exe
PID 2716 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\93fd2544b315e84b2fd26cca70b84cbdcff3e02cc01b83a7abac2f99d56b19d0.exe C:\Windows\system32\schtasks.exe
PID 2716 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\93fd2544b315e84b2fd26cca70b84cbdcff3e02cc01b83a7abac2f99d56b19d0.exe C:\Windows\system32\schtasks.exe
PID 2716 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\93fd2544b315e84b2fd26cca70b84cbdcff3e02cc01b83a7abac2f99d56b19d0.exe C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe
PID 2716 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\93fd2544b315e84b2fd26cca70b84cbdcff3e02cc01b83a7abac2f99d56b19d0.exe C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe
PID 2716 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\93fd2544b315e84b2fd26cca70b84cbdcff3e02cc01b83a7abac2f99d56b19d0.exe C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe
PID 2600 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe C:\Windows\system32\schtasks.exe
PID 2600 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe C:\Windows\system32\schtasks.exe
PID 2600 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe C:\Windows\system32\schtasks.exe
PID 2600 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe C:\Windows\system32\cmd.exe
PID 2600 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe C:\Windows\system32\cmd.exe
PID 2600 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe C:\Windows\system32\cmd.exe
PID 2920 wrote to memory of 2180 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2920 wrote to memory of 2180 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2920 wrote to memory of 2180 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2920 wrote to memory of 2668 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2920 wrote to memory of 2668 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2920 wrote to memory of 2668 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2920 wrote to memory of 2748 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe
PID 2920 wrote to memory of 2748 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe
PID 2920 wrote to memory of 2748 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe
PID 2748 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe C:\Windows\system32\schtasks.exe
PID 2748 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe C:\Windows\system32\schtasks.exe
PID 2748 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe C:\Windows\system32\schtasks.exe
PID 2748 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe C:\Windows\system32\cmd.exe
PID 2748 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe C:\Windows\system32\cmd.exe
PID 2748 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe C:\Windows\system32\cmd.exe
PID 1488 wrote to memory of 1136 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1488 wrote to memory of 1136 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1488 wrote to memory of 1136 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1488 wrote to memory of 1192 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 1488 wrote to memory of 1192 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 1488 wrote to memory of 1192 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 1488 wrote to memory of 2848 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe
PID 1488 wrote to memory of 2848 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe
PID 1488 wrote to memory of 2848 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe
PID 2848 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe C:\Windows\system32\schtasks.exe
PID 2848 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe C:\Windows\system32\schtasks.exe
PID 2848 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe C:\Windows\system32\schtasks.exe
PID 2848 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe C:\Windows\system32\cmd.exe
PID 2848 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe C:\Windows\system32\cmd.exe
PID 2848 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe C:\Windows\system32\cmd.exe
PID 1260 wrote to memory of 1252 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1260 wrote to memory of 1252 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1260 wrote to memory of 1252 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1260 wrote to memory of 316 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 1260 wrote to memory of 316 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 1260 wrote to memory of 316 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 1260 wrote to memory of 1256 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe
PID 1260 wrote to memory of 1256 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe
PID 1260 wrote to memory of 1256 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe
PID 1256 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe C:\Windows\system32\schtasks.exe
PID 1256 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe C:\Windows\system32\schtasks.exe
PID 1256 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe C:\Windows\system32\schtasks.exe
PID 1256 wrote to memory of 864 N/A C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe C:\Windows\system32\cmd.exe
PID 1256 wrote to memory of 864 N/A C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe C:\Windows\system32\cmd.exe
PID 1256 wrote to memory of 864 N/A C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe C:\Windows\system32\cmd.exe
PID 864 wrote to memory of 328 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 864 wrote to memory of 328 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 864 wrote to memory of 328 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 864 wrote to memory of 2612 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 864 wrote to memory of 2612 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 864 wrote to memory of 2612 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 864 wrote to memory of 1592 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\93fd2544b315e84b2fd26cca70b84cbdcff3e02cc01b83a7abac2f99d56b19d0.exe

"C:\Users\Admin\AppData\Local\Temp\93fd2544b315e84b2fd26cca70b84cbdcff3e02cc01b83a7abac2f99d56b19d0.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "EasyAntiCheat EOS" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe

"C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "EasyAntiCheat EOS" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\z1ek73I8qObw.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe

"C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "EasyAntiCheat EOS" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\oKcUBaRR7a6R.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe

"C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "EasyAntiCheat EOS" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\6fcTfxyFja0K.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe

"C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "EasyAntiCheat EOS" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\6cwNzDW40Xsi.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe

"C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "EasyAntiCheat EOS" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\bgTkdKDevOQP.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe

"C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "EasyAntiCheat EOS" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\7GdsCcbrQXrr.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe

"C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "EasyAntiCheat EOS" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fGii7GNS9fpL.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe

"C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "EasyAntiCheat EOS" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KFIyXcGLOfWj.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe

"C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "EasyAntiCheat EOS" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\Sw66Jd4TpsIq.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe

"C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "EasyAntiCheat EOS" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LYIiopCRB9fJ.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

Network

Country Destination Domain Proto
US 8.8.8.8:53 napalmwtf-42785.portmap.host udp
DE 193.161.193.99:42785 napalmwtf-42785.portmap.host tcp
US 8.8.8.8:53 Drownzy-54034.portmap.host udp
DE 193.161.193.99:42785 napalmwtf-42785.portmap.host tcp
DE 193.161.193.99:42785 napalmwtf-42785.portmap.host tcp
DE 193.161.193.99:42785 napalmwtf-42785.portmap.host tcp
DE 193.161.193.99:42785 napalmwtf-42785.portmap.host tcp
DE 193.161.193.99:42785 napalmwtf-42785.portmap.host tcp
DE 193.161.193.99:42785 napalmwtf-42785.portmap.host tcp
DE 193.161.193.99:42785 napalmwtf-42785.portmap.host tcp
DE 193.161.193.99:42785 napalmwtf-42785.portmap.host tcp
DE 193.161.193.99:42785 napalmwtf-42785.portmap.host tcp

Files

memory/2716-0-0x000007FEF55A3000-0x000007FEF55A4000-memory.dmp

memory/2716-1-0x00000000009C0000-0x0000000000D20000-memory.dmp

memory/2716-2-0x000007FEF55A0000-0x000007FEF5F8C000-memory.dmp

C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe

MD5 53327dca23173e9e9bae9d780786ba78
SHA1 1108be5863af8152dce9d7534cd217f44bfa12d3
SHA256 93fd2544b315e84b2fd26cca70b84cbdcff3e02cc01b83a7abac2f99d56b19d0
SHA512 cda6cc2aad6fac5474c30cd5e38eaec8baed816521c5141538a9401cbe4594a5c980fef943ab5558e90e7dc5f7ec18d9289bcee996d089af505ffdf0504031ed

memory/2600-10-0x0000000000DD0000-0x0000000001130000-memory.dmp

memory/2600-11-0x000007FEF55A0000-0x000007FEF5F8C000-memory.dmp

memory/2600-9-0x000007FEF55A0000-0x000007FEF5F8C000-memory.dmp

memory/2716-8-0x000007FEF55A0000-0x000007FEF5F8C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\z1ek73I8qObw.bat

MD5 0dc52fd89b3c8a8454e4fccff40f18a3
SHA1 fc8118e515095c8ff0b9012c8bbe499749847bd1
SHA256 7b9372678c9fd3bd6562e43611f461c3258e08359a65033db67a8ed569e24d76
SHA512 e53bf8a6b08cd8a7d23a6801dd9c19215449391ebb4a1f2bc48bc2c28aa0417dfea15bdaa3857a02fffd5aa4cd404b8492e0e61e2f706f20c8d9aa0874ea4c23

memory/2600-21-0x000007FEF55A0000-0x000007FEF5F8C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\oKcUBaRR7a6R.bat

MD5 9aea3863d904d48c872bc744dfc377b6
SHA1 db68d1686c55f73b000d481e3e49f5d0c431a33e
SHA256 e71abe3334afb556c050d52adc82677eec54bedcce1e0ed609de546c7bbf1137
SHA512 4f7d84f1a26fea2c3579ab13f8ff889993a7596368035cebf4f24dd332c6e03989d4feaffa8bd6e1eed82ec415ca37dffd8e4bdb481879e513ffecf4da0d6c01

memory/2848-33-0x00000000012C0000-0x0000000001620000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6fcTfxyFja0K.bat

MD5 6c51ee0033599d96a90ca6cba9e904f7
SHA1 2a7a3da3e7d6daa261fef4e52353bf0f3bcb8569
SHA256 f5fa6f2d7d78d7259861a21059f65e8ec3bdfd697e99b03725c81cd87463415e
SHA512 c03ea03201240e479c200836e5d8690b43554dae97b5955b1b05e8287cd2e14049e11e8f8b4cdff56e6a6a1a1ae611150d301b2e3ee5c8f456513ceb7528d74b

memory/1256-44-0x00000000000E0000-0x0000000000440000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6cwNzDW40Xsi.bat

MD5 78130696d41dbb34f2bec637bd650165
SHA1 aad349a4d0f1c126152a4ecec02f732888b4f316
SHA256 5825c2175af83b10c82487a0741c441564195fbbab452226ad9931d6c34363a8
SHA512 19a01100f7c0a35513465168737e4b1e81f3d40b0532898712ae503149c933e415b443abdb7a3a383c3bcfccf67a513b240bcc2e0064a3224e931f848d3494e8

memory/1592-55-0x0000000000E30000-0x0000000001190000-memory.dmp

\??\PIPE\lsarpc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\bgTkdKDevOQP.bat

MD5 d4f0051ba58a577561c02e422032e920
SHA1 34313c55c233be05f01b680c1cf61f6fd1d4eb7c
SHA256 05da82d056bab298f8728ce06c1e50385176e963e162bfc8aa85347c41fcee92
SHA512 d8ed6880980993cd248b98599d679d935779e07974a3c2db1d0f9113d605440a779d7142e7c35116bac6125c4c1e6be85882dfea51e8d48990222715cbce9f20

memory/2076-67-0x0000000000150000-0x00000000004B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7GdsCcbrQXrr.bat

MD5 82b2ac29496d6baae3046791182d4281
SHA1 6856faea91a9bb2e8664503a575259b1c00b7d93
SHA256 3a82d6f2f2ef5b1b770a3c0f43668a727c3b0026f707152233d80ef1d1c35ebb
SHA512 f536b060d7a32091b45cdc28a05dd16cd437c7732b13158691657ef694130706d484f6407668537b9d2247e9c0b72e0a03afc19cfc9ce9c042a11b5c4c0cdac9

memory/2004-78-0x0000000001130000-0x0000000001490000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fGii7GNS9fpL.bat

MD5 0fcbb20216db7f35738f1fc02e120e23
SHA1 3d4a5627e0892f26509f2a1dde26530de15fc46d
SHA256 b346eac59e546477086f0dbddae51f9c6b1d63a96afc3f083d2f3b782cb45853
SHA512 71548285165003419e97ac63b00f32fafcde9944c3ce9022c5a4cbe8e81b6f81db6daa44457436c3e487126d793152f10005b3030d7ec09f45b0e903e93e3af4

C:\Users\Admin\AppData\Local\Temp\KFIyXcGLOfWj.bat

MD5 41b086e4522db102017c2b88cd3af2c6
SHA1 5d56a487528c1005613640a19d7684e9058ce37a
SHA256 7466bffe649e2ed89f98d6c4f95ed801f1cddee2b7518e09fbd20fc8d026ad9e
SHA512 b4856a70f81d648b0deaee8190bb93fa4eacda837f3384526a717b5584716223026e5d6d2378d8f357a5d1537b5ced43ad0c622c29f25fdbf7b7b29ac06388f9

C:\Users\Admin\AppData\Local\Temp\Sw66Jd4TpsIq.bat

MD5 5838d1dd41502070179a8711c33a9a4e
SHA1 7670fb29e9ed702edb6eaa57fc47cf0463b4b0de
SHA256 0f02a155858f9c03e6038c30b124434ae24112728213cbcd12b69443594913b7
SHA512 7432ea4df2a05017e1b6dae60866489e26a7574e22912cd097d1289843673f2505977610f7631bbfb33b64d8d223c715dfceb2928b1247e49c6d6d18475991b4

C:\Users\Admin\AppData\Local\Temp\LYIiopCRB9fJ.bat

MD5 81fd76d7748e40062698c68c73e862d6
SHA1 2767494bf9b7b43109dc68e40a6f1929634ef7eb
SHA256 c2b6e2aceaaa9f7d8ed2bba3844e688b593f8ffb2d1b38f25bb216de79d64334
SHA512 76c49b534450635a688e7d5b98197481045d4ae4406b8bd50960309055765799e7f7d31b83afdbdb6b5a6930047afac2d17955c2884077cdb40f60655c100aed

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-19 01:51

Reported

2024-08-19 01:54

Platform

win10v2004-20240802-en

Max time kernel

146s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\93fd2544b315e84b2fd26cca70b84cbdcff3e02cc01b83a7abac2f99d56b19d0.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe N/A

Enumerates physical storage devices

System Network Configuration Discovery: Internet Connection Discovery

discovery

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5520 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\93fd2544b315e84b2fd26cca70b84cbdcff3e02cc01b83a7abac2f99d56b19d0.exe C:\Windows\SYSTEM32\schtasks.exe
PID 5520 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\93fd2544b315e84b2fd26cca70b84cbdcff3e02cc01b83a7abac2f99d56b19d0.exe C:\Windows\SYSTEM32\schtasks.exe
PID 5520 wrote to memory of 5984 N/A C:\Users\Admin\AppData\Local\Temp\93fd2544b315e84b2fd26cca70b84cbdcff3e02cc01b83a7abac2f99d56b19d0.exe C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe
PID 5520 wrote to memory of 5984 N/A C:\Users\Admin\AppData\Local\Temp\93fd2544b315e84b2fd26cca70b84cbdcff3e02cc01b83a7abac2f99d56b19d0.exe C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe
PID 5984 wrote to memory of 5876 N/A C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe C:\Windows\SYSTEM32\schtasks.exe
PID 5984 wrote to memory of 5876 N/A C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe C:\Windows\SYSTEM32\schtasks.exe
PID 5984 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe C:\Windows\system32\cmd.exe
PID 5984 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe C:\Windows\system32\cmd.exe
PID 3756 wrote to memory of 4692 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3756 wrote to memory of 4692 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3756 wrote to memory of 4784 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 3756 wrote to memory of 4784 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 3756 wrote to memory of 5308 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe
PID 3756 wrote to memory of 5308 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe
PID 5308 wrote to memory of 5264 N/A C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe C:\Windows\SYSTEM32\schtasks.exe
PID 5308 wrote to memory of 5264 N/A C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe C:\Windows\SYSTEM32\schtasks.exe
PID 5308 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe C:\Windows\system32\cmd.exe
PID 5308 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe C:\Windows\system32\cmd.exe
PID 1568 wrote to memory of 540 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1568 wrote to memory of 540 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1568 wrote to memory of 5424 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 1568 wrote to memory of 5424 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 1568 wrote to memory of 4480 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe
PID 1568 wrote to memory of 4480 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe
PID 4480 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4480 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4480 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe C:\Windows\system32\cmd.exe
PID 4480 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe C:\Windows\system32\cmd.exe
PID 1116 wrote to memory of 1100 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1116 wrote to memory of 1100 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1116 wrote to memory of 1260 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 1116 wrote to memory of 1260 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 1116 wrote to memory of 1740 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe
PID 1116 wrote to memory of 1740 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe
PID 1740 wrote to memory of 4176 N/A C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe C:\Windows\SYSTEM32\schtasks.exe
PID 1740 wrote to memory of 4176 N/A C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe C:\Windows\SYSTEM32\schtasks.exe
PID 1740 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe C:\Windows\system32\cmd.exe
PID 1740 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe C:\Windows\system32\cmd.exe
PID 3980 wrote to memory of 5476 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3980 wrote to memory of 5476 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3980 wrote to memory of 3428 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 3980 wrote to memory of 3428 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 3980 wrote to memory of 744 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe
PID 3980 wrote to memory of 744 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe
PID 744 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe C:\Windows\SYSTEM32\schtasks.exe
PID 744 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe C:\Windows\SYSTEM32\schtasks.exe
PID 744 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe C:\Windows\system32\cmd.exe
PID 744 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe C:\Windows\system32\cmd.exe
PID 2088 wrote to memory of 2924 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2088 wrote to memory of 2924 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2088 wrote to memory of 3948 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2088 wrote to memory of 3948 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2088 wrote to memory of 5892 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe
PID 2088 wrote to memory of 5892 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe
PID 5892 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe C:\Windows\SYSTEM32\schtasks.exe
PID 5892 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe C:\Windows\SYSTEM32\schtasks.exe
PID 5892 wrote to memory of 6092 N/A C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe C:\Windows\system32\cmd.exe
PID 5892 wrote to memory of 6092 N/A C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe C:\Windows\system32\cmd.exe
PID 6092 wrote to memory of 1904 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 6092 wrote to memory of 1904 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 6092 wrote to memory of 1720 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 6092 wrote to memory of 1720 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 6092 wrote to memory of 5108 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe
PID 6092 wrote to memory of 5108 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\93fd2544b315e84b2fd26cca70b84cbdcff3e02cc01b83a7abac2f99d56b19d0.exe

"C:\Users\Admin\AppData\Local\Temp\93fd2544b315e84b2fd26cca70b84cbdcff3e02cc01b83a7abac2f99d56b19d0.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "EasyAntiCheat EOS" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe

"C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "EasyAntiCheat EOS" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kQTfuP8LZRHl.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe

"C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "EasyAntiCheat EOS" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zjulA3rI3Vk7.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe

"C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "EasyAntiCheat EOS" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0Ycja3su1ShA.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe

"C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "EasyAntiCheat EOS" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JrPYVVGKpWPx.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe

"C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "EasyAntiCheat EOS" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kiVZOcKJ4gKJ.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe

"C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "EasyAntiCheat EOS" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\I5s8MxwSxDOw.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe

"C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "EasyAntiCheat EOS" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QjAICGn6mvlP.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe

"C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "EasyAntiCheat EOS" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8k6EMlPN68Zd.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe

"C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "EasyAntiCheat EOS" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\P3ExzvHOkISb.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe

"C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "EasyAntiCheat EOS" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe" /rl HIGHEST /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 napalmwtf-42785.portmap.host udp
DE 193.161.193.99:42785 napalmwtf-42785.portmap.host tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 Drownzy-54034.portmap.host udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
DE 193.161.193.99:42785 napalmwtf-42785.portmap.host tcp
US 8.8.8.8:53 Drownzy-54034.portmap.host udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
DE 193.161.193.99:42785 napalmwtf-42785.portmap.host tcp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 Drownzy-54034.portmap.host udp
DE 193.161.193.99:42785 napalmwtf-42785.portmap.host tcp
US 8.8.8.8:53 Drownzy-54034.portmap.host udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
DE 193.161.193.99:42785 napalmwtf-42785.portmap.host tcp
US 8.8.8.8:53 Drownzy-54034.portmap.host udp
DE 193.161.193.99:42785 napalmwtf-42785.portmap.host tcp
NL 52.111.243.29:443 tcp
US 8.8.8.8:53 Drownzy-54034.portmap.host udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
DE 193.161.193.99:42785 napalmwtf-42785.portmap.host tcp
US 8.8.8.8:53 Drownzy-54034.portmap.host udp
DE 193.161.193.99:42785 napalmwtf-42785.portmap.host tcp
US 8.8.8.8:53 Drownzy-54034.portmap.host udp
DE 193.161.193.99:42785 napalmwtf-42785.portmap.host tcp
US 8.8.8.8:53 Drownzy-54034.portmap.host udp
DE 193.161.193.99:42785 napalmwtf-42785.portmap.host tcp

Files

memory/5520-1-0x0000000000DC0000-0x0000000001120000-memory.dmp

memory/5520-0-0x00007FF899563000-0x00007FF899565000-memory.dmp

memory/5520-2-0x00007FF899560000-0x00007FF89A021000-memory.dmp

C:\Users\Admin\AppData\Roaming\EasyAntiCheat\EAC.exe

MD5 53327dca23173e9e9bae9d780786ba78
SHA1 1108be5863af8152dce9d7534cd217f44bfa12d3
SHA256 93fd2544b315e84b2fd26cca70b84cbdcff3e02cc01b83a7abac2f99d56b19d0
SHA512 cda6cc2aad6fac5474c30cd5e38eaec8baed816521c5141538a9401cbe4594a5c980fef943ab5558e90e7dc5f7ec18d9289bcee996d089af505ffdf0504031ed

memory/5520-10-0x00007FF899560000-0x00007FF89A021000-memory.dmp

memory/5984-9-0x00007FF899560000-0x00007FF89A021000-memory.dmp

memory/5984-11-0x00007FF899560000-0x00007FF89A021000-memory.dmp

memory/5984-12-0x000000001BFF0000-0x000000001C040000-memory.dmp

memory/5984-13-0x000000001C100000-0x000000001C1B2000-memory.dmp

memory/5984-19-0x00007FF899560000-0x00007FF89A021000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kQTfuP8LZRHl.bat

MD5 829fb3e5862c84e02225299ff999c683
SHA1 e8c6d5e835aecc61d323535542eca92590d3515f
SHA256 b424f4ba86a0488c952db9f5885b4fb2fbd1b6d74a17e4d33487a098dd379b25
SHA512 0b76190b852f6853774bfa1ead56f043363f5d161a84a0d7f58e3824d955511756171749730b1ed37389de52171f0f30409bc7548bf76e50059b31625fa9d5e3

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\EAC.exe.log

MD5 8f0271a63446aef01cf2bfc7b7c7976b
SHA1 b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7
SHA256 da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c
SHA512 78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

C:\Users\Admin\AppData\Local\Temp\zjulA3rI3Vk7.bat

MD5 59537e54967622f8e8da2161b2d205ae
SHA1 2e3e45cc2b7190097c2faaafecc855f9214b381e
SHA256 6fa70d9dbc790fd63fb9c9a6a4abe356e0912d1756c59506097957af999218b6
SHA512 eb46bbf132b1665ddaf26c38f8369f7f8089c8071d4e873937300eb7050a4294d5dd1fee9e14ef9c45bddd5c205a70d64153c295c07abe4fa492f188d252c2cc

C:\Users\Admin\AppData\Local\Temp\0Ycja3su1ShA.bat

MD5 d09f76768921af147e72595b7b4d473c
SHA1 15f3f37c5b38345a62a18d61711f059c3db6bd4e
SHA256 ba7f082b9e937431e820352b34ece3c30d2d5f72e491488e4a7e37b2b9450770
SHA512 6f512d5fe7701ca554d310dd4fd70e999091f5216849aa21433a04f81aacc7b2057fa987c8a714d6a54d3cbd979a6c5d6e03899ae8487b85215aaad83a590371

C:\Users\Admin\AppData\Local\Temp\JrPYVVGKpWPx.bat

MD5 314c0810a21efa6efadf107f236bc3c7
SHA1 fbad1c1188aef41331a5f39ac3e9d765cfad1e61
SHA256 16344d9a6f5f34532b13f8905e0afefe645735d7a947a582d911e64459a98145
SHA512 49de975e7514b6aae0b2559215ffe11be342ff71873d3e197c64dc23e307782389fbdd88734aafc3819e77c22c505b2b54cb704b1a3bf723b8d6f536463cb973

C:\Users\Admin\AppData\Local\Temp\kiVZOcKJ4gKJ.bat

MD5 8a33d7b72f30679e351264754bd74b4a
SHA1 225b126dbfc0a4a5fcf3bde7cf37fd6a2e6e09ff
SHA256 145e6ddef668ed3da1461b49d0f0e6a44aa42d74e9126dbfa48999d2abec7189
SHA512 3f5144ba7218c5e712ed150f9c5b5bfc05737c359a5bc64312cc2dc7cadf1ae11e9bf0c964d95a99c595e883f8bc6ec3b4b4a969f5210147a1bd450831574d0f

C:\Users\Admin\AppData\Local\Temp\I5s8MxwSxDOw.bat

MD5 0f48c9fbc76b9b2d49b557bc624d56df
SHA1 b83622461b7b9fbdf043b2ed902a7c756974b073
SHA256 6cef3bc6137e9a36a30670f8aa6bb2e3ffac3e45513a412505cfd27e7a8af301
SHA512 554d22f7bb60b0dbdd8922c44d05a0b0a918a26f3161b878c94c293eb3430abc8f3941ef33d186e01f1a4e37b229e40fe7599b3b59388a55039dc8c52c29598d

C:\Users\Admin\AppData\Local\Temp\QjAICGn6mvlP.bat

MD5 65e135b2a9df2d16ba2c0e9261c860a6
SHA1 83ae90e4d1c7174e123318eedabbf90b2e484879
SHA256 bf5122ae181e09dc1ec9a6507a00a3e754e9ecf64f9ef40a6551b97c47b9fec8
SHA512 fb53c0f4e069507ad50ff3253c99fe59e2bcada33da852a4b6f3009db9f61e478542e31f9f220f8880e4751b898b3fb3a878d7c0d9b6dec1c1c5afdbe6f4c382

C:\Users\Admin\AppData\Local\Temp\8k6EMlPN68Zd.bat

MD5 5220c9b4c9f38d69d0ba66b29519318b
SHA1 4add8883e193ab565fab37e1303a514d226d97ce
SHA256 aafd6518dd7b55abf9368338ecafab87d92bbd2acd8a8128331bfc4c654b22b6
SHA512 26271ceb7312bd58d0bacca80247a81825cf7d1fe3f777a75361c152623d378f0bcab095ff6ca0d9abee41641f3abdf5290a713709ff1ed5c4ef935aea1c7969

C:\Users\Admin\AppData\Local\Temp\P3ExzvHOkISb.bat

MD5 057a91e164ad62d7b241853de3a14bfd
SHA1 417d7170ddc194dc3a6378329d030f62a660d615
SHA256 e0f10cfde328064ed7f49cf983956b44bfa056f65277e893ad3470d4c20e3859
SHA512 88a0f83f507564bce4588a5dee10b0e5c712a234c8b88fcab417d16a840c91765b2ddfcef39a76539979bd66902c19411ac54bc6bfab66f057dd55ddf008ea07