Malware Analysis Report

2025-04-14 04:54

Sample ID 241213-l2x17swqfn
Target 563F7_Client-built.exe
SHA256 5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d
Tags: office04 quasar discovery spyware trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d

Threat Level: Known bad

The file 563F7_Client-built.exe was found to be: Known bad.

Malicious Activity Summary

office04 quasar discovery spyware trojan

Quasar RAT

Quasar family

Quasar payload

Checks computer location settings

Executes dropped EXE

Enumerates physical storage devices

Unsigned PE

System Network Configuration Discovery: Internet Connection Discovery

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Runs ping.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-13 10:02

Signatures

Quasar family

quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-13 10:02

Reported

2024-12-13 10:04

Platform

win7-20241010-en

Max time kernel

149s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\563F7_Client-built.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar family

quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Enumerates physical storage devices

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\563F7_Client-built.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2116 wrote to memory of 2292 | N/A | C:\Users\Admin\AppData\Local\Temp\563F7_Client-built.exe | C:\Windows\system32\schtasks.exe
PID 2116 wrote to memory of 2396 | N/A | C:\Users\Admin\AppData\Local\Temp\563F7_Client-built.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2396 wrote to memory of 2864 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\system32\schtasks.exe
PID 2396 wrote to memory of 2840 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\system32\cmd.exe
PID 2840 wrote to memory of 3048 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2840 wrote to memory of 2752 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 2840 wrote to memory of 2956 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2956 wrote to memory of 2756 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\system32\schtasks.exe
PID 2956 wrote to memory of 956 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\system32\cmd.exe
PID 956 wrote to memory of 2324 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 956 wrote to memory of 3036 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 956 wrote to memory of 2976 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2976 wrote to memory of 1348 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\system32\schtasks.exe
PID 2976 wrote to memory of 1676 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\system32\cmd.exe
PID 1676 wrote to memory of 396 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 1676 wrote to memory of 2256 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 1676 wrote to memory of 1908 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1908 wrote to memory of 2144 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\system32\schtasks.exe
PID 1908 wrote to memory of 744 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\system32\cmd.exe
PID 744 wrote to memory of 1844 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 744 wrote to memory of 1044 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 744 wrote to memory of 272 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\563F7_Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\563F7_Client-built.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LY2VSf67KEdX.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lgwyN173p8xf.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WAMPeQ5sfF1C.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\2lpPhGz1dQNi.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\bNF1qbxybyDP.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gKC7NACxW1Ok.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\93k5Kbytz2ia.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PQ3K6xqP9C9S.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uC0Im6Aje4fy.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jQMLDnRFoNEC.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | havocc.ddns.net | udp

Files

memory/2116-0-0x000007FEF6183000-0x000007FEF6184000-memory.dmp

memory/2116-1-0x00000000001C0000-0x00000000004E4000-memory.dmp

memory/2116-2-0x000007FEF6180000-0x000007FEF6B6C000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5 fa5f99ff110280efe85f4663cfb3d6b8
SHA1 ad2d6d8006aee090a4ad5f08ec3425c6353c07d1
SHA256 5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d
SHA512 a3b898f758060f124c443422c6dc88ba80d9892890b25d21e37a1d3947cd4b9dbef403382ee6e28c1007785a63c5fa387f7d00403db433eb59c03d0b2a88b50e

memory/2396-8-0x000007FEF6180000-0x000007FEF6B6C000-memory.dmp

memory/2396-9-0x0000000001350000-0x0000000001674000-memory.dmp

memory/2116-10-0x000007FEF6180000-0x000007FEF6B6C000-memory.dmp

memory/2396-11-0x000007FEF6180000-0x000007FEF6B6C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\LY2VSf67KEdX.bat

MD5 4632b33559de7f6e4231b50f980bb350
SHA1 065d19c7b1fba35a0ca3c24bc35446fc5f4523e8
SHA256 9ece67d74b6bdb3c6f8b8cd720aec16bdc2ec881847644de9b32bc125da48391
SHA512 141bb13ce92f6fbd79770932738ea70abb82234c19c10a62603bf5a4bdaa5a36e04ef84ee9cb4b6744ed3c17a60c51b31c827a28759324ef9ed794b1e4425fb1

memory/2396-21-0x000007FEF6180000-0x000007FEF6B6C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\lgwyN173p8xf.bat

MD5 40584fcca32906451f9812b09661ab50
SHA1 a4a6c1824d18ae8d46b94bfc8f73df53da45bfb1
SHA256 76bfae977435f93003466174273c94220d823308416dde202c2a9060472318dd
SHA512 ea70b2b3b152fade58f71fba97ffab1f888a5c6bdee1fe967258389aac73df477850a047a1092d76ef8c02d0d202cf9706332e39d5eab53a862ff697293b44bb

memory/2976-33-0x0000000000860000-0x0000000000B84000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WAMPeQ5sfF1C.bat

MD5 bc1bcd886d55d1acbcae8a2c3d4b2d17
SHA1 e0099146b6721656c97c2e29722533d20adc024f
SHA256 a34b38061bbbbe7dd65ffbdc9b637ab721c6452c9863d5c97c088854497eaf7c
SHA512 163831ef7ef5d19d674a97d208e376f0caaeb50e0b0a904d94bc07b8f8c60318aff27a02220a0d1cc2ca2045d945917beb92c0218c1823852962d697ac9bb35e

memory/1908-44-0x0000000000D90000-0x00000000010B4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2lpPhGz1dQNi.bat

MD5 8ac5d795ea30ead54c580adee0a50d5b
SHA1 2b29f29938bd8bbf04bd35f889c7b7b3d19d191d
SHA256 f86248ec1ff2c479dd76898cefaa43cbc615cf17339b86fb01f633cd60810d71
SHA512 16da2cc57db54bcc974d44aec07aebde2cf9238d78537eae9042c247c7b5879a994dd684971720dac1fa27d454ad6a5908212855922b73715c1a0969c7c92a5f

memory/272-55-0x0000000000ED0000-0x00000000011F4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bNF1qbxybyDP.bat

MD5 5e6d3bb4a37ef110febb93d06aeeaa4b
SHA1 ec3a5afd64821e12482bad462d1a4305a09fb116
SHA256 48033991b6ff2a0c8304ef57d530d687d6f95e77eead59fa77f9593fbd580b59
SHA512 171587b6717c2e7affbbc6f084f60e03f0a55ac63d43066fb5f63323784e66b27758b1836347751eed597db1cdd45f67207e2e3aeb12c598e75669303f19087e

memory/1020-66-0x0000000001370000-0x0000000001694000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gKC7NACxW1Ok.bat

MD5 5441a0d6079090143c959336188bd05b
SHA1 f397eaa67ec729638c2d62599a4a7b9eb16b472e
SHA256 8b51b5b1f4665a7aad96f79906a590060849eeca36426d0a45af4f66a6ef596c
SHA512 0e0ebc9451f84edae1565ddda7fab49af1c3acd0c685d7fc86e3b856ac044574d58f0bad60551ef22476e2a4ba46dd542284aa3dc383d0d8b70b1648d3ff6258

C:\Users\Admin\AppData\Local\Temp\93k5Kbytz2ia.bat

MD5 46073edbcdd38f495665cc0f402a6baa
SHA1 d279548da0b8bfc4fefa3e3462bfd99b594d4bd0
SHA256 6142065c6043c53a1b5a31164f40e9be84ab94b2ea87b4d04007a2fddfdf5994
SHA512 cb0ac6770bd62bab8b2df831183c0ba5044ed2698fd0f4c9eecda31eab42f6f46dd4600a6e5df46175624268544acf8210d400f691512d39fe692758af2415bf

C:\Users\Admin\AppData\Local\Temp\PQ3K6xqP9C9S.bat

MD5 d26fbf5a14144b5632b52c60330722de
SHA1 663fb260839808a6a8c9d6d9299ca1a2df1f65c4
SHA256 1abd08cf61437ece1c80d9c003399810d609c3da3fdc3318d908d4e069831b8e
SHA512 a24cd35c1db5895d805f8a37f70a92d145eeaf9cca8f8d203a45806dae096dd58d996015dc6695a7c1b34518d6b4f24b5601ed4fcfc94a93e1e9238907211b93

C:\Users\Admin\AppData\Local\Temp\uC0Im6Aje4fy.bat

MD5 a83611ee40526b4d957760f11d5ef7da
SHA1 1ba5d798d0c87a81bad4d45f622fbdeb8be05c89
SHA256 f38ba71dc6b288175585526b466b243fd52a5170b1dbef8d4fdddebad02724a1
SHA512 28e59cb0985802085a3dcfc82789c268c786c30986dda76a710a9632c2baea1bd0395a75cb97d5e98071d2363e004c29ffb04450eadecf84fb304d36052bf315

C:\Users\Admin\AppData\Local\Temp\jQMLDnRFoNEC.bat

MD5 bf4d706cab07916702bf001de855de6f
SHA1 8a5348753f1f23f24eaa68c919b560810cf1645e
SHA256 0b695b69bf19354baf3381be710c9f40bf2c5f543bfbdf422502d6a0ea537a24
SHA512 36dfac3eb121bc7490ca5da2f0fb790f2d786a2f42649fd6e84ec460a50ac3faf64c0349367e71092e142c732593c335354b492da911db3147099a7ea3e61df7

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-13 10:02

Reported

2024-12-13 10:04

Platform

win10v2004-20241007-en

Max time kernel

146s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\563F7_Client-built.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar family

quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\563F7_Client-built.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 964 wrote to memory of 3436 | N/A | C:\Users\Admin\AppData\Local\Temp\563F7_Client-built.exe | C:\Windows\SYSTEM32\schtasks.exe
PID 964 wrote to memory of 2652 | N/A | C:\Users\Admin\AppData\Local\Temp\563F7_Client-built.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2652 wrote to memory of 1432 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\SYSTEM32\schtasks.exe
PID 2652 wrote to memory of 3988 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\system32\cmd.exe
PID 3988 wrote to memory of 2148 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 3988 wrote to memory of 1340 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 3988 wrote to memory of 2624 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2624 wrote to memory of 2308 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\SYSTEM32\schtasks.exe
PID 2624 wrote to memory of 368 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\system32\cmd.exe
PID 368 wrote to memory of 4500 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 368 wrote to memory of 632 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 368 wrote to memory of 3060 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 3060 wrote to memory of 4820 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\SYSTEM32\schtasks.exe
PID 3060 wrote to memory of 3064 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\system32\cmd.exe
PID 3064 wrote to memory of 4108 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 3064 wrote to memory of 3780 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 3064 wrote to memory of 2244 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2244 wrote to memory of 2808 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\SYSTEM32\schtasks.exe
PID 2244 wrote to memory of 3640 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\system32\cmd.exe
PID 3640 wrote to memory of 224 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 3640 wrote to memory of 3288 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 3640 wrote to memory of 1228 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1228 wrote to memory of 1892 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\SYSTEM32\schtasks.exe
PID 1228 wrote to memory of 1600 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\system32\cmd.exe
PID 1600 wrote to memory of 4580 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 1600 wrote to memory of 1972 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 1600 wrote to memory of 5084 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 5084 wrote to memory of 5004 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\SYSTEM32\schtasks.exe
PID 5084 wrote to memory of 4040 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\system32\cmd.exe
PID 4040 wrote to memory of 1684 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 4040 wrote to memory of 3744 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 4040 wrote to memory of 1960 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\563F7_Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\563F7_Client-built.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GNi90Bp4kRMR.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4Fl0hg9r5KIA.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lmCm4iGFKDe5.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ibD3VjnE9s53.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kjE7rv8JlY8n.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DkUc9ZcnVdJj.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gdGH6xnaeoFj.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VHcXFqA1oHsI.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lAwDQEyLke5x.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IkStATpdcZge.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ttx4rOMoeGUN.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KqfGSel4e4hQ.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZNvV0KzLAiX3.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgnZucRluzRH.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\thECtKAm37yk.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 25.125.209.23.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 havocc.ddns.net udp
US 8.8.8.8:53 havocc.ddns.net udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 havocc.ddns.net udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 havocc.ddns.net udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 havocc.ddns.net udp
US 8.8.8.8:53 havocc.ddns.net udp
US 8.8.8.8:53 havocc.ddns.net udp
US 8.8.8.8:53 havocc.ddns.net udp
US 8.8.8.8:53 havocc.ddns.net udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 havocc.ddns.net udp
US 8.8.8.8:53 havocc.ddns.net udp
US 8.8.8.8:53 havocc.ddns.net udp
US 8.8.8.8:53 havocc.ddns.net udp
US 8.8.8.8:53 havocc.ddns.net udp
US 8.8.8.8:53 havocc.ddns.net udp

Files

memory/964-0-0x00007FF92BD93000-0x00007FF92BD95000-memory.dmp

memory/964-1-0x0000000000330000-0x0000000000654000-memory.dmp

memory/964-2-0x00007FF92BD90000-0x00007FF92C851000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5 fa5f99ff110280efe85f4663cfb3d6b8
SHA1 ad2d6d8006aee090a4ad5f08ec3425c6353c07d1
SHA256 5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d
SHA512 a3b898f758060f124c443422c6dc88ba80d9892890b25d21e37a1d3947cd4b9dbef403382ee6e28c1007785a63c5fa387f7d00403db433eb59c03d0b2a88b50e

memory/964-9-0x00007FF92BD90000-0x00007FF92C851000-memory.dmp

memory/2652-10-0x00007FF92BD90000-0x00007FF92C851000-memory.dmp

memory/2652-11-0x00007FF92BD90000-0x00007FF92C851000-memory.dmp

memory/2652-12-0x0000000002F40000-0x0000000002F90000-memory.dmp

memory/2652-13-0x000000001C240000-0x000000001C2F2000-memory.dmp

memory/2652-18-0x00007FF92BD90000-0x00007FF92C851000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GNi90Bp4kRMR.bat

MD5 d5b55281090d91a983041f0852de995f
SHA1 9fec69e6003e60ade5bea59409a5d42ca2f267cf
SHA256 eab418616042948426f484d27ad5cccf7cf30fe9e09637778489c2ff1b71f0d2
SHA512 9587c8dfd82b975d68e39de8ec07052eb5732cf657d8b4cec882d94d5d6e276d03d1dcca8e4fb9223c6df412feaa0fb1d8d84cc19fb141f153c6848ee17f1888

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

MD5 8f0271a63446aef01cf2bfc7b7c7976b
SHA1 b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7
SHA256 da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c
SHA512 78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

C:\Users\Admin\AppData\Local\Temp\4Fl0hg9r5KIA.bat

MD5 1782270d735302425cdc7e4acbec3ab9
SHA1 20af3cae665a67c27ce5d034f31c02eb9a54c037
SHA256 b8b0e34750e387b113362c846763e80a27c1c1ca24e1352e8c9bc9c3006293d1
SHA512 0362f7b1711befaf500fdb29804165983e29c43191d18d4fa8d708c068f440d359f7b4dafe82d215f023947c66c50fa454bc3a6d97a6791415d46aa52d612320

C:\Users\Admin\AppData\Local\Temp\lmCm4iGFKDe5.bat

MD5 b46fb483367c07e882ac21eebc04b387
SHA1 4cf4bd1ad37f799e155e5a558fe5d55e6826fd75
SHA256 22e43092fcdc7257de5d8ef3ff21b5e19a659e80552731e120a317939fa114b9
SHA512 6a41dfa45df33d1dc75eb74754c62fe624f9a7469f84144eaaf69e9c85ffeb5bd7bdbe4b052afc3e167ffedcc284a9e38d50bd809befbf1719cb07a513a4a9fd

C:\Users\Admin\AppData\Local\Temp\ibD3VjnE9s53.bat

MD5 3fcbcfbe74b40cb236f97884d4d1cb64
SHA1 93068a03b855294cd53c199de7b09521642e896e
SHA256 07aaf777a4ba6e7e2468b59fd4f063239b139032c86176bd15006a3b1bde7f1b
SHA512 4570b541b4eca86ced973095a3b16a4cd0b44d56c843ba9a7edc12ef51b9717e751399b080b39c2e5a5c92fdd066687bc346dd031d17879442f1629ee25bcff8

C:\Users\Admin\AppData\Local\Temp\kjE7rv8JlY8n.bat

MD5 fe757ad57977ea2780b275754fb7dae6
SHA1 7995d158ee5b04dcce75dff98370af52138c55f1
SHA256 8fe2c0c551fd063fd63d143873aee5da0870ec8201870e904b6389eb12492312
SHA512 ca210e050fb9284b559dcaeac308292774647cd5394a5b8127c6286382739aad902410872e35a85d26ddc76df4aabc86f9bb149541b2ee39ddcdcdcf17d764f7

C:\Users\Admin\AppData\Local\Temp\DkUc9ZcnVdJj.bat

MD5 9d5a969f84555db095c2714fdffa9465
SHA1 f16d0d64f39b78d7402ee96e77b935a46adb60af
SHA256 a954eb4e577fa422963fe8c7d5b6485509412b15d9e6bbb0128cd14a4b335934
SHA512 02886efa7f429491d1acbb15fe0f71bf6493a61dcaf43600315a89763bdd1e91c498633a64ede75bf77e20223895d358f0ded6745232ce7bb50543ccc3e34813

C:\Users\Admin\AppData\Local\Temp\gdGH6xnaeoFj.bat

MD5 51141db8bd443d4447baacaa81187049
SHA1 6574f426a310ad0d0615e068bebf6a4f9521afa0
SHA256 0bc64499e7e5e96a8b3563acdadf6dc049075671240c74e945cfb29c5136bf27
SHA512 704f1991b64d28f3a7985a464fc1ed8d2a3ca4da9e505d70bac172f688d291d47be645c267a6066abbe3ac0bc97f3679d2612c7f43cafecd9c3f4b1f6ea6bbaa

C:\Users\Admin\AppData\Local\Temp\VHcXFqA1oHsI.bat

MD5 86cf708e8a9c5b5890950c2e09e41293
SHA1 1446913b0a1137c2f10347fbefca7598c3d6bbfa
SHA256 76a03b24678c2aae78162ab642a57bd79669128b3bf086fccfbf4ae1023df10c
SHA512 d403616385c35d73fd24c78d40bcf507636030f9ca2d6582dbbaaf4b6f49d5c11548d74c9a2f1436ef9ff233d85844ea9ab8f591df21fdc456fa52dcb8caf706

C:\Users\Admin\AppData\Local\Temp\lAwDQEyLke5x.bat

MD5 c40ea480aad8055a295aaebf6c9b2ce0
SHA1 fd07b08204309aef649bb9e1d7075b9025934916
SHA256 f3b930a28afcbc3ed05aca10ff1753369a84e67d9b015a8d1122abc8b3afda29
SHA512 56f0a6b8535948fdfc3d88c5c4d7734d0eb1a1879b62aa778d423572e3f46bbb2465674d8d4d0301291ff0da2ab67be4776926f9de77cd43f6e9b69e2380535c

C:\Users\Admin\AppData\Local\Temp\IkStATpdcZge.bat

MD5 419f818ad1ee2a246d77349e4d3710d1
SHA1 ecb678886faedd8b529cec23d5081d32e0035771
SHA256 1183c16b3f3ac245422b8924999d239225d4f3511c3479584c1e2a7898924ffa
SHA512 8ad41d3cfebba924467d79fe42c8ea6a8a81c60e9244de82b37659b191899ad75a482555acc0eb83d9490b3ff1d53753149c4c8f93926b02ef3d9b27d8fa5270

C:\Users\Admin\AppData\Local\Temp\ttx4rOMoeGUN.bat

MD5 e4cc2b9e4f7858c66e9ae4ddc8d9a60b
SHA1 960be7504b8f7f8cb9599830371fc07145a70c8e
SHA256 20db73a882e7ed8ee9e462f4221f527d99873e9d6a1292aa45cf97b907948fa4
SHA512 e75ed5a4e9287b318154ee5efce6eaba5295a5dce0214ff37c17950021f9f681c00a94d64c887ef2c4f99947c31456d603cc900bd94fc05e9282306ff8c654b2

C:\Users\Admin\AppData\Local\Temp\KqfGSel4e4hQ.bat

MD5 9210f3482dfd1a6dc5e48464b637543a
SHA1 2d182dcc04ef02e006a5925024a90bdad286dfd2
SHA256 77e37ad2d1f41ad91cd906271620dc932339d0eee371c62db7f215bb8db34f9f
SHA512 8d48d96c7a42d957e6aea51ab23acbb3d7515a66e7ba123b2a8e12ba29116f44fa3ef871e0bf55bd0f6d4a929680602b7c1476c20ff5be75f999ed4c6d504ea7

C:\Users\Admin\AppData\Local\Temp\ZNvV0KzLAiX3.bat

MD5 f70eed94128ee582d0cd4d4e7bcdb3dc
SHA1 a448f9061f156bf94925562d2ab839fff0cef946
SHA256 989f30c88e239531e20457206206ffff7dd9db803e814e7806e871cc99835482
SHA512 d7c422067ef7c9472c67a6272743b095421438d68e013d6d5665650117f5d096142bf8603879b25c007d4973f8f8709ff5bbf3f30c31d318b671e25b9d171739

C:\Users\Admin\AppData\Local\Temp\lgnZucRluzRH.bat

MD5 d18b48ebee2150986d6149e287cf87c4
SHA1 45bb8d511751379d902b4d2ea5ab8d4cb6680b0a
SHA256 0e2494b651e97ff907cf544c1a6b3fe68ea426e586ddfdac5b2468b7f8a50e52
SHA512 dcae6657908b07d2dd01ac14db32b63818b379e76404eb19e9a07346a45c836d790d7df4a4f2bf0c9fede5731ab6aba8401fc4d31a26011a0908ba042188886b

C:\Users\Admin\AppData\Local\Temp\thECtKAm37yk.bat

MD5 b5f05ef2454e9e671a0bb5727c622853
SHA1 2dd1b32837b69cf297b99ad277da6979cd31d588
SHA256 9e794c70e7b1461dc6d7deddc4b7cee068154bf8c54dd54e67b16274b82d8c86
SHA512 e0609d3fd0720cf8db63fc3d19de0a31d527730f3d452306ae44264f3f454c50561fce5eff862539e6edc4692954052502ae45dd9d902b043cef20f31966c98f