Analysis Overview
SHA256
9cee560203681db0106de96c3fd5ed335bed6abacd9724a641b42743adfb6220
Threat Level: Known bad
The file Client-built.exe was found to be: Known bad.
Malicious Activity Summary
Quasar payload
Quasar family
Quasar RAT
Executes dropped EXE
Checks computer location settings
Adds Run key to start application
Enumerates physical storage devices
Unsigned PE
System Network Configuration Discovery: Internet Connection Discovery
Runs ping.exe
Suspicious use of SetWindowsHookEx
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Scheduled Task/Job: Scheduled Task
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-29 23:00
Signatures
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-29 23:00
Reported
2024-10-29 23:03
Platform
win7-20240903-en
Max time kernel
150s
Max time network
142s
Command Line
Signatures
Quasar RAT
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\. = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\"" | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\. = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\"" | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\. = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\"" | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\. = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\"" | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\. = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\"" | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\. = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\"" | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\. = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\"" | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\. = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\"" | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\. = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\"" | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\. = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\"" | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\. = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\"" | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\. = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\"" | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\. = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\"" | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "." /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "." /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HvwcoJAviRoB.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "." /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\B8OdMDvi2lbg.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "." /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\WwIIODJLu9nN.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "." /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vXRG91x9ON5f.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "." /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\9Z5gO2JPClkW.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "." /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TJ03eede15lm.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "." /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\K30zZncV3M19.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "." /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\8ipwofXrjRYR.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "." /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\rjrB9coWGEXd.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "." /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\Ty8r2l16kZlz.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "." /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\gRY3QvHRKyjz.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "." /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\L5w69ohX9Lv2.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
Network
Files
memory/2096-0-0x000007FEF6523000-0x000007FEF6524000-memory.dmp
memory/2096-1-0x0000000000CE0000-0x0000000001004000-memory.dmp
memory/2096-2-0x000007FEF6520000-0x000007FEF6F0C000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | cd8d41167dc2fae9b0ae6a8648d5070f |
| SHA1 | 97a475e752d8bbd6a66bb2231b5ab830f86fdc06 |
| SHA256 | 9cee560203681db0106de96c3fd5ed335bed6abacd9724a641b42743adfb6220 |
| SHA512 | d107718753acdc5495222d28cb4323b81dc7a30f5891b37cb95d39f58302e3c5535defe14e01c9602ec8f83e4a6df8972ae1281fe326347e7a6456536dce9c9b |
memory/2240-8-0x000007FEF6520000-0x000007FEF6F0C000-memory.dmp
memory/2096-7-0x000007FEF6520000-0x000007FEF6F0C000-memory.dmp
memory/2240-9-0x0000000001190000-0x00000000014B4000-memory.dmp
memory/2240-10-0x000007FEF6520000-0x000007FEF6F0C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\HvwcoJAviRoB.bat
| MD5 | ef27b839d375dd10c65839b3ee64c7d3 |
| SHA1 | a262d66f648f716e73ac972d63e2e08d37b9ac72 |
| SHA256 | 23ec9d9b8c77b322cce98bb177b27d48e5495a7b40cb6e171c1eb194bd0e2aad |
| SHA512 | f6e1714c7f9561625e2ee0c818aaa93842f234ebf4f318f525a59abd1160425901e1e3e73414adde49f96c9693cad2db6d24792b11ab697d4e7cca8706c04635 |
memory/2240-20-0x000007FEF6520000-0x000007FEF6F0C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\B8OdMDvi2lbg.bat
| MD5 | da473db3acf0ac71bc153779117495da |
| SHA1 | a54152d387e95de5886c54a8fba9950ada5d8977 |
| SHA256 | f3478431e4e093f866ffc77f20408eaf976befcf29548019114639e8e4db4b3f |
| SHA512 | 6ddf5632b62264d2f18beb60cb7e4dc3890d9ed783ba89ef656bebc944f95a809e392ab0eb5da411b491f1e30cbe336b36e0e58d22efc4aff7cf70fd000b23ac |
\??\PIPE\lsarpc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\WwIIODJLu9nN.bat
| MD5 | 9449a4e86cc0f1b7e0aa1d7642358825 |
| SHA1 | 462083263e4368054e829cbc0d85f5ffe097c0a2 |
| SHA256 | 6f32a3f4d2fe0283aa5f62173e8c59a8a75e1037389150bab8c026006fc73f74 |
| SHA512 | 9b9da4d36a781295c8509662567f20168a22521fe343b699bad2db31e975f81eaade54e119b58de9434116bbb9f510fccd4cba98483fb671c8e8168c72b997af |
memory/2140-43-0x0000000000240000-0x0000000000564000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\vXRG91x9ON5f.bat
| MD5 | ed062ff4525d9190a15a63c1fff7a0b9 |
| SHA1 | 919e2bc66a4864282eb7f5a25a5b25c2e00881c6 |
| SHA256 | 07f68f164e9a97c967d19df09f8c1328f393a50229a45b34550d34f1d9ec62ba |
| SHA512 | f6ae648ddc41b74860e4dcfe42893ae7c2b809f4efd21cb17a91668f36bff620d32b750d12a0f0541301f104c67da97209dd927a69216e26b4a00169a6ca064c |
memory/2200-54-0x0000000001070000-0x0000000001394000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9Z5gO2JPClkW.bat
| MD5 | 99051766eb0ca07a9f882e9edb4f84af |
| SHA1 | 7d3d54ba8ceb1faef504a77dffaa2e4b9475534e |
| SHA256 | c1d142ec0ed8d7816ff3bfd1bb8e121073ad78a57e71b9f6aeb46fbba3081f10 |
| SHA512 | fce937c6cc4a663624455c274e152872bff32c0d488620c3f1609088351c90a4e44658be62d49955ac37804cfad78baad361f06f6c78973215bfb8c9fff035fc |
C:\Users\Admin\AppData\Local\Temp\TJ03eede15lm.bat
| MD5 | d83a83322b4bf7616d4317de544c43d5 |
| SHA1 | 1864aba9a437719196fe3fc9621eb4d539cbba06 |
| SHA256 | 950eb2f30ecb63970e602c57264bf6196c066239a558d1d5e5ce951c03c68aa6 |
| SHA512 | 1606533dc117f00458905ff70f6b670912897b8e5441ff996366d9dca351c2b9e37586e98d7b1bd803aa99f11b7bec3676cb46109626f084d0a43ad9e1bdfeb5 |
memory/1688-75-0x00000000003E0000-0x0000000000704000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\K30zZncV3M19.bat
| MD5 | 96190234e8c34feea8af2e52c6c816b5 |
| SHA1 | ad672dbbc70dd3ba5525a05a9c4af504e26606ce |
| SHA256 | fadfdecefade7154a7a9391f365fb887123e48a7796379b1c4a3bd958f0ea8b4 |
| SHA512 | 800110acaf7faea29c4345a1a093ec53fae04f00e1d1c5ad00fee5cb8b41f84fa0a0753f54369af6a8d965191c5f957b57c1c4e4fc015045873de7f28749e731 |
memory/2412-87-0x0000000000120000-0x0000000000444000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\8ipwofXrjRYR.bat
| MD5 | cdd6f97289ed5fc3e4b15f04d718ba0f |
| SHA1 | db211b15ecb3bd298bf20384c30c8c755632c641 |
| SHA256 | 51ce08d888f13bca79d11fa0b69c3b2eb8f37de3a9699fab776f2a4bc8ccdc8b |
| SHA512 | 956a5ab1165f17edafafdc0947077bf1221c69c2d43f82c3bfedc5feae9d285dd9c2cbdd6f95a627b865ff2e5579a977a7aabfe76daba4c5bd2e1db0a58a2dcb |
memory/2096-98-0x0000000000200000-0x0000000000524000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\rjrB9coWGEXd.bat
| MD5 | 07081468c0d2c9f92a6d34d3791738aa |
| SHA1 | 61cbbf706214da0bd74dd005135edaff1e74634d |
| SHA256 | d21910c77fe0a49b09003bd137d3b799ce7e2cc78ba0ec4ed1b4c389bcdaa72d |
| SHA512 | 7ca9ab9c120fbe91d2a38da31f9f7ac4392595e73e95cca6a40f21bdaedde328864b52327addcfe1e188a427562a4965f7cd55f72f4a55aebd29d80b04399df0 |
memory/624-109-0x0000000000EE0000-0x0000000001204000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Ty8r2l16kZlz.bat
| MD5 | 99b60b6eaf5647ec76ce358eb4908ebe |
| SHA1 | 06d6a8f43e822f38477a0f2d2f0bccc4b9b370c9 |
| SHA256 | a4dc397ca0c6b4029b5d772be3fe46d34a6497129da0d456aaf5f4047716a9fa |
| SHA512 | aac689932ede21770540763de462c42a0bb452861870e6a172a3c88d12c01a2ad583fdb380d39db44d8d6ad0ce196e5fb305561e6546c70a088c68d625467d72 |
C:\Users\Admin\AppData\Local\Temp\gRY3QvHRKyjz.bat
| MD5 | cbfe23c09a3e1edc69383d99cd403cd6 |
| SHA1 | d299be4af93d10d748b8692011d195e1f02fe41f |
| SHA256 | 7fd73af4f5506fcf61308f2158b3a5c4c07ae524713d930b5ea196460337c008 |
| SHA512 | a04d33c428c96d1216a055dfc5bd83852fcc79ed2e64af1318363043483fd5b96b44df120d6797ba076fe7bc0801c7cc3fa712759026187fc671b8deb836c0ec |
memory/3028-130-0x0000000000E70000-0x0000000001194000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\L5w69ohX9Lv2.bat
| MD5 | 570880823c49532b8adfe33960b217ff |
| SHA1 | bfb8909ac6b25ffc87e623c101cbdba045166051 |
| SHA256 | a3f415d96c9e75b586d38b0b5821ffa4d84cf1dbfbec188443cb3ed25cba6f41 |
| SHA512 | 0512b9d7964bab8004b46e9ff69d031fc2512a24473324016b1a682bc866661740327ed9aab54ede1ec0dda30e6fef866f2a1adcc73960fc74fa381ebaabf637 |
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | 0a7cba9342d7bcdbd9eb985a1907b5cd |
| SHA1 | a28214f8b9e7a78994d02908f4c956ed8c5ac01b |
| SHA256 | 48d9916bda8338bfefc64bd0296b4dd4be00ae0690cb03931ba27640d0388898 |
| SHA512 | 41459191eb81db3ab5911089eda144c7dcbbcc85eec57ae4323295cfaf837d231449825f23456022f33f7049d18ab2db25648b26ea5e4da1c9b812c3c85c7006 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-29 23:00
Reported
2024-10-29 23:03
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Quasar RAT
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\. = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\"" | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\. = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\"" | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\. = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\"" | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\. = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\"" | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\. = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\"" | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\. = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\"" | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\. = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\"" | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\. = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\"" | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\. = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\"" | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\. = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\"" | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\. = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\"" | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\. = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\"" | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\. = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\"" | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\. = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\"" | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\. = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\"" | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "." /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "." /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gkjSuq06FxLV.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "." /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3hC18WW9WCvT.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "." /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FaY7zj6Y5B4g.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "." /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wLVSCrRm3b0b.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "." /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8qyvATvVnCRn.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "." /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2ps5ibXO0XaA.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "." /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\baxOfMTeC36y.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "." /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bt0tKfNxeDpa.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "." /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TA7OlsVphrbk.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "." /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eSU89qRZd35G.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "." /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TebG2cn9bPEN.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "." /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NCOY1KI2oo4e.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "." /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\59I1gFU7czO1.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "." /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1XFAnwjsu9bA.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.79.70.13.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
C:\Users\Admin\AppData\Local\Temp\gkjSuq06FxLV.bat
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log
C:\Users\Admin\AppData\Local\Temp\3hC18WW9WCvT.bat
C:\Users\Admin\AppData\Local\Temp\FaY7zj6Y5B4g.bat
C:\Users\Admin\AppData\Local\Temp\wLVSCrRm3b0b.bat
C:\Users\Admin\AppData\Local\Temp\8qyvATvVnCRn.bat
C:\Users\Admin\AppData\Local\Temp\2ps5ibXO0XaA.bat
C:\Users\Admin\AppData\Local\Temp\baxOfMTeC36y.bat
C:\Users\Admin\AppData\Local\Temp\bt0tKfNxeDpa.bat
C:\Users\Admin\AppData\Local\Temp\TA7OlsVphrbk.bat
C:\Users\Admin\AppData\Local\Temp\eSU89qRZd35G.bat
C:\Users\Admin\AppData\Local\Temp\TebG2cn9bPEN.bat
C:\Users\Admin\AppData\Local\Temp\NCOY1KI2oo4e.bat
C:\Users\Admin\AppData\Local\Temp\59I1gFU7czO1.bat
C:\Users\Admin\AppData\Local\Temp\1XFAnwjsu9bA.bat