Malware Analysis Report

2025-04-14 04:54

Sample ID 241213-l9bsyavmhw
Target 563F7_Client-built.exe
SHA256 5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d
Tags
office04 quasar discovery spyware trojan
score
10/10

Analysis Overview

score
10/10

SHA256

5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d

Threat Level: Known bad

The file 563F7_Client-built.exe was found to be: Known bad.

Malicious Activity Summary

office04 quasar discovery spyware trojan

Quasar RAT

Quasar family

Quasar payload

Executes dropped EXE

Checks computer location settings

Enumerates physical storage devices

System Network Configuration Discovery: Internet Connection Discovery

Unsigned PE

Suspicious use of SetWindowsHookEx

Runs ping.exe

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Scheduled Task/Job: Scheduled Task

Analysis: static1

Detonation Overview

Reported

2024-12-13 10:13

Signatures

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-13 10:13

Reported

2024-12-13 10:16

Platform

win7-20240903-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\563F7_Client-built.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar family

quasar

Quasar payload

Description Indicator Process Target Count
N/A N/A N/A N/A 11

Enumerates physical storage devices

System Network Configuration Discovery: Internet Connection Discovery

discovery

Description Indicator Process Target Count
N/A N/A C:\Windows\system32\PING.EXE N/A 12

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target Count
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\563F7_Client-built.exe N/A 1
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A 13

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 2892 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\563F7_Client-built.exe C:\Windows\system32\schtasks.exe 3
PID 2892 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\563F7_Client-built.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe 3
PID 2656 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\system32\schtasks.exe 3
PID 2656 wrote to memory of 380 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\system32\cmd.exe 3
PID 380 wrote to memory of 1084 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com 3
PID 380 wrote to memory of 696 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE 3
PID 380 wrote to memory of 2920 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe 3
PID 2920 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\system32\schtasks.exe 3
PID 2920 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\system32\cmd.exe 3
PID 2932 wrote to memory of 860 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com 3
PID 2932 wrote to memory of 2608 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE 3
PID 2932 wrote to memory of 2976 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe 3
PID 2976 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\system32\schtasks.exe 3
PID 2976 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\system32\cmd.exe 3
PID 1412 wrote to memory of 2316 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com 3
PID 1412 wrote to memory of 2460 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE 3
PID 1412 wrote to memory of 2476 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe 3
PID 2476 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\system32\schtasks.exe 3
PID 2476 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\system32\cmd.exe 3
PID 1660 wrote to memory of 448 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com 3
PID 1660 wrote to memory of 1144 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE 3
PID 1660 wrote to memory of 1044 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe 1

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\563F7_Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\563F7_Client-built.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\5TJGcKVTeUNj.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\c8vwK2UPntr3.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LO3t9lGksHUo.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xYtx37YbsTMv.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gOvHvcUgN9tJ.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\Q0M6L0UJvkz6.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\aS8qonnPYnNV.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kdzx4nxs0ZKU.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\67GJp2xPP3ih.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\9wzmFnUZUocY.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xh2OsVRzfHFp.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\rNr5rHrmqLb2.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 havocc.ddns.net udp

Files

memory/2892-0-0x000007FEF5143000-0x000007FEF5144000-memory.dmp

memory/2892-1-0x00000000002A0000-0x00000000005C4000-memory.dmp

memory/2892-2-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5 fa5f99ff110280efe85f4663cfb3d6b8
SHA1 ad2d6d8006aee090a4ad5f08ec3425c6353c07d1
SHA256 5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d
SHA512 a3b898f758060f124c443422c6dc88ba80d9892890b25d21e37a1d3947cd4b9dbef403382ee6e28c1007785a63c5fa387f7d00403db433eb59c03d0b2a88b50e

memory/2656-8-0x0000000000200000-0x0000000000524000-memory.dmp

memory/2656-9-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp

memory/2892-10-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp

memory/2656-11-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5TJGcKVTeUNj.bat

MD5 1268422f71b0285c97f5561d7e20015e
SHA1 29860f5226d4e8c4f47f4c47078ee6b123a1c356
SHA256 77a204900b947d8b7bc2236cf6769b64e6b3523ed96e82028168ba2881862a95
SHA512 f5702ca0d6c1f04bf567d3182be43c412d2c076311f81becc7cd7c6954a7e1a79afa1f003abed75fcbf543551ac07c8afc52540cde703881bd941f55ffc015a1

memory/2656-20-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp

memory/2920-23-0x0000000000890000-0x0000000000BB4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\c8vwK2UPntr3.bat

MD5 c08653ccff5ce73b4eaeb2293dedc6a8
SHA1 eaf7453efcd9b800807123e4bebdbbd6fa951a50
SHA256 3bd4457d47946e2ee7dadc34173a13af230a3445d3e4054749a42b645b137277
SHA512 1a5b188a592a25bc68c5250307302aa28ba78389f4f70fd25e22f5976b69efbf194da43cb1858d5b34932f9c4b0ab15b399c792d41260611304edb0b83b84be1

memory/2976-34-0x0000000000AE0000-0x0000000000E04000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\LO3t9lGksHUo.bat

MD5 f56fcd1b95b1093235ec899018457205
SHA1 6cf99e9b63495aa1048556a9c2c314da10c9c048
SHA256 aae4fdb7f2beb28c9e74f331fbbbed2b3a16ff145f30b004acbb94a0d9535195
SHA512 a6427b519026f16bcb5ac4289e04bbd73266195cc63e9851eae0a8c0ff93cce22ab3c5e00af8ab007b5c8ad58e903272bfa2b0ae77398bda6b0b4ec49827f6d4

C:\Users\Admin\AppData\Local\Temp\xYtx37YbsTMv.bat

MD5 2677900c75c891f4b50917f9463a37e6
SHA1 f9f5bcd66f7516c98637d0d8335c3c5c0d0d0ba7
SHA256 6c66f83efeac06aa4ce0762c74099555fc0eb2cc9a6ebfeb24fa68d57824c348
SHA512 7914a01d4aa0b6e1cf796a79b5062a7bb36faeac0e18f776ad0108812445f8addc78b4e2d4e256b2f53f0ef5fbacf4868d306be3f5ebcbcb4a35f43ae305c811

memory/1044-55-0x0000000000F40000-0x0000000001264000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gOvHvcUgN9tJ.bat

MD5 2dcbd8255bbd5948ffafd59a499a989c
SHA1 fdd461dbcde8d6aae5fa469177f159be250ef0a7
SHA256 9b17fef4e805a77acd8fb709d32711da6a7e1b25aea87b2f2770697ccdc6a968
SHA512 568e9c383c1c1a5969adca94708ffd4c5e7d0914aea450d611966ef0008b23dbf01404faf48531b039d93adedfc9cb53503b41e442fa14e0490405e81ffeefb0

C:\Users\Admin\AppData\Local\Temp\Q0M6L0UJvkz6.bat

MD5 a8140d804789365848d9901e3bd15c7b
SHA1 3d59cee0a64d190c7fc5968a5127924b80b5b32e
SHA256 172f6d0a8c0baeed36cdfbd1d2601a22f31df68588cdc4a2207c98d40e5e39f1
SHA512 a1fca1524515db29230c22396c892e8efb7caefe0e923fa7fbe7034d7ed48559cf0cddf200041a22b407ee7657d76658384365f891a48a3a378707ee6859da2d

memory/1612-76-0x00000000003F0000-0x0000000000714000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aS8qonnPYnNV.bat

MD5 8be077034dda2949b6bd80a639993dfa
SHA1 b4d429b2c2cfe3cd56511300d916937b8cff8098
SHA256 92aa798f48c678c4ce3fd884443504f4f5d1cff4d0087e6e9a22d57d3a7c0d96
SHA512 30e0fcbac61056f0182d7d44db2ace7e10513df07aab541cf94daa9fd7f46bb115cf0101047008fce2f0aeafc51a9d2374a7c475a565e676eba2016fb7743393

memory/2196-87-0x0000000000300000-0x0000000000624000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Kdzx4nxs0ZKU.bat

MD5 023712e9ed6707eabfb57a4251e0ed55
SHA1 fba77b934ed799dfdde306e0eb07fbe11c748856
SHA256 0d543fbe86d430eae93cc2df3bcdad12777a1c6c2a743b533d83f66bc26de277
SHA512 69a9176a968e5b9533893063d6a63a713128d31832a5891c1436e7dcea0ff4855490e64ce9f7335bbbd132cb42f9fb2a0baed817910d77100dd8b14f711ca070

memory/860-98-0x0000000000D70000-0x0000000001094000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\67GJp2xPP3ih.bat

MD5 3fcc4c7b97a7e8636933d33d18c427f6
SHA1 fd9a1a59beebbec0152ae92d043747f8bbe759fc
SHA256 e136ea4a9f9bcddfdd9c1e3cbd0ccbb61996091af64312cbe9cd2408fc648a10
SHA512 deef925b93a0605f5f6e956e799060b5c2968a0ea52f56adaf981bf53704f206376da470f1cbfa534dfeb6d17f25f0684a1403c5d9a8e2fff161fd0a68041011

C:\Users\Admin\AppData\Local\Temp\9wzmFnUZUocY.bat

MD5 901363ed00eee4d98fa458b28bba7fd1
SHA1 7b179ac262728ba6fcf7075637ad7c00dbedc651
SHA256 045f908912e84c716b96a386115f65da5e9de0e21e6a82e2a1f5a1fc5a0c7255
SHA512 042de58fde6e2a0d3e0bda0440930fc4ad45464196ef81964d20dd2d54f08aca4be11133b074298044136e3f42a5e6f2e301bedd7fa69cc104c8685b38515d18

C:\Users\Admin\AppData\Local\Temp\xh2OsVRzfHFp.bat

MD5 8325889681de641980d32a7df4120150
SHA1 5d4fe08c3dbbbeb29c00f5cce3936d08b1ea5d62
SHA256 448b187cceb8da1f643091bede885084a2f933fee5d905950517f822338774c1
SHA512 ae192c5852c34e24bc9075e952855094ed5df769e4ef8da1da19c47bf46a350aa1b6d13a37380b2fbe66d825831eb665760dc33b2f4d402c46b1548a95ef87fe

memory/1568-129-0x0000000000E00000-0x0000000001124000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rNr5rHrmqLb2.bat

MD5 63eca2793cb6c38adec88dd511600f31
SHA1 57b985b67e1daff211b99f1c511a36b10aa47bab
SHA256 e094722ccddef7f61fdb0917c8d7addea727f67f03b9f312b6b52eeb0b96f09f
SHA512 848e5ad5dced853293c578d361b84d668d57f4895a917575a398ecab01b39ec24e8d881b30b59452c8bd783882c07c6311bf8523195a873c6f2a1e72b35d16fd

memory/316-140-0x0000000000160000-0x0000000000484000-memory.dmp

\??\PIPE\lsarpc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-13 10:13

Reported

2024-12-13 10:16

Platform

win10v2004-20241007-en

Max time kernel

146s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\563F7_Client-built.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar family

quasar

Quasar payload

Description Indicator Process Target Count
N/A N/A N/A N/A 2

Checks computer location settings

Description Indicator Process Target Count
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A 15

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target Count
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\563F7_Client-built.exe N/A 1
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A 15

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3628 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\563F7_Client-built.exe C:\Windows\SYSTEM32\schtasks.exe
PID 3628 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\563F7_Client-built.exe C:\Windows\SYSTEM32\schtasks.exe
PID 3628 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\563F7_Client-built.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 3628 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\563F7_Client-built.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 4752 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4752 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4752 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\system32\cmd.exe
PID 4752 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\system32\cmd.exe
PID 3656 wrote to memory of 1916 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3656 wrote to memory of 1916 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3656 wrote to memory of 4232 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 3656 wrote to memory of 4232 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 3656 wrote to memory of 3604 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 3656 wrote to memory of 3604 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 3604 wrote to memory of 508 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SYSTEM32\schtasks.exe
PID 3604 wrote to memory of 508 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SYSTEM32\schtasks.exe
PID 3604 wrote to memory of 8 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\system32\cmd.exe
PID 3604 wrote to memory of 8 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\system32\cmd.exe
PID 8 wrote to memory of 3308 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 8 wrote to memory of 3308 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 8 wrote to memory of 3644 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 8 wrote to memory of 3644 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 8 wrote to memory of 5036 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 8 wrote to memory of 5036 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 5036 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SYSTEM32\schtasks.exe
PID 5036 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SYSTEM32\schtasks.exe
PID 5036 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\system32\cmd.exe
PID 4456 wrote to memory of 3836 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 4456 wrote to memory of 1432 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 4456 wrote to memory of 1028 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1028 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SYSTEM32\schtasks.exe
PID 1028 wrote to memory of 4320 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\system32\cmd.exe
PID 4320 wrote to memory of 3612 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 4320 wrote to memory of 1932 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 4320 wrote to memory of 2844 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2844 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2844 wrote to memory of 220 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\system32\cmd.exe
PID 220 wrote to memory of 4048 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 220 wrote to memory of 1344 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 220 wrote to memory of 2484 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2484 wrote to memory of 456 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2484 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\system32\cmd.exe
PID 2112 wrote to memory of 2792 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2112 wrote to memory of 3492 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2112 wrote to memory of 1440 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\563F7_Client-built.exe
  "C:\Users\Admin\AppData\Local\Temp\563F7_Client-built.exe"

C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gKD3xYCyxjig.bat" "

C:\Windows\system32\chcp.com
  chcp 65001

C:\Windows\system32\PING.EXE
  ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iQoDyU07Mu7I.bat" "

C:\Windows\system32\chcp.com
  chcp 65001

C:\Windows\system32\PING.EXE
  ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1PZcVgwt7lR0.bat" "

C:\Windows\system32\chcp.com
  chcp 65001

C:\Windows\system32\PING.EXE
  ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ijyRXBjdKXC9.bat" "

C:\Windows\system32\chcp.com
  chcp 65001

C:\Windows\system32\PING.EXE
  ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZAlc2QtJKO2t.bat" "

C:\Windows\system32\chcp.com
  chcp 65001

C:\Windows\system32\PING.EXE
  ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XFfLm4LcwFhr.bat" "

C:\Windows\system32\chcp.com
  chcp 65001

C:\Windows\system32\PING.EXE
  ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rHoWaGjqGxbh.bat" "

C:\Windows\system32\chcp.com
  chcp 65001

C:\Windows\system32\PING.EXE
  ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\krkFiWqtJPMd.bat" "

C:\Windows\system32\chcp.com
  chcp 65001

C:\Windows\system32\PING.EXE
  ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hZhZ2K2WVe7P.bat" "

C:\Windows\system32\chcp.com
  chcp 65001

C:\Windows\system32\PING.EXE
  ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XjDBMJKp6PrI.bat" "

C:\Windows\system32\chcp.com
  chcp 65001

C:\Windows\system32\PING.EXE
  ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GpxCCm1OSf4B.bat" "

C:\Windows\system32\chcp.com
  chcp 65001

C:\Windows\system32\PING.EXE
  ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9dpySN8UUPTb.bat" "

C:\Windows\system32\chcp.com
  chcp 65001

C:\Windows\system32\PING.EXE
  ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FEWqDdssBYYJ.bat" "

C:\Windows\system32\chcp.com
  chcp 65001

C:\Windows\system32\PING.EXE
  ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yODjpPXoCPNz.bat" "

C:\Windows\system32\chcp.com
  chcp 65001

C:\Windows\system32\PING.EXE
  ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FQ6p621r2v5F.bat" "

C:\Windows\system32\chcp.com
  chcp 65001

C:\Windows\system32\PING.EXE
  ping -n 10 localhost

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 21.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 havocc.ddns.net udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 havocc.ddns.net udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 havocc.ddns.net udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 havocc.ddns.net udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 havocc.ddns.net udp
US 8.8.8.8:53 havocc.ddns.net udp
US 8.8.8.8:53 havocc.ddns.net udp
US 8.8.8.8:53 181.129.81.91.in-addr.arpa udp
US 8.8.8.8:53 havocc.ddns.net udp
US 8.8.8.8:53 havocc.ddns.net udp
US 8.8.8.8:53 havocc.ddns.net udp
US 8.8.8.8:53 havocc.ddns.net udp
US 8.8.8.8:53 havocc.ddns.net udp
US 8.8.8.8:53 havocc.ddns.net udp
US 8.8.8.8:53 havocc.ddns.net udp
US 8.8.8.8:53 havocc.ddns.net udp

Files

memory/3628-0-0x00007FFA494B3000-0x00007FFA494B5000-memory.dmp

memory/3628-1-0x0000000000410000-0x0000000000734000-memory.dmp

memory/3628-2-0x00007FFA494B0000-0x00007FFA49F71000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5 fa5f99ff110280efe85f4663cfb3d6b8
SHA1 ad2d6d8006aee090a4ad5f08ec3425c6353c07d1
SHA256 5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d
SHA512 a3b898f758060f124c443422c6dc88ba80d9892890b25d21e37a1d3947cd4b9dbef403382ee6e28c1007785a63c5fa387f7d00403db433eb59c03d0b2a88b50e

memory/4752-9-0x00007FFA494B0000-0x00007FFA49F71000-memory.dmp

memory/3628-10-0x00007FFA494B0000-0x00007FFA49F71000-memory.dmp

memory/4752-11-0x00007FFA494B0000-0x00007FFA49F71000-memory.dmp

memory/4752-12-0x000000001BA20000-0x000000001BA70000-memory.dmp

memory/4752-13-0x000000001BB30000-0x000000001BBE2000-memory.dmp

memory/4752-18-0x00007FFA494B0000-0x00007FFA49F71000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gKD3xYCyxjig.bat

MD5 b45c6542f7956be7029ff4369db525ce
SHA1 a370d631cd2817725c14efbd10bea84d90d1b220
SHA256 6031020effb37bd27d64029b7a94c3756e2726a46a5c2575370a498602c5c69e
SHA512 2bf0ead4dc6a5391dac88fda0ac845a169f5067030b9a11693e7c67c510959f1cf18a08df4da9b1e041c2206adb1881224bdd3c257ae8a72b8e14934a3968cc8

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

MD5 8f0271a63446aef01cf2bfc7b7c7976b
SHA1 b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7
SHA256 da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c
SHA512 78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

C:\Users\Admin\AppData\Local\Temp\iQoDyU07Mu7I.bat

MD5 e4305293840e4de706c2a00c9d228f60
SHA1 5b7ce655d678127481e714f023080744359fd39d
SHA256 5ef3aa33cfbc433360147f607b4067629cd7e08838eca4c5859e0983fdfcf5e8
SHA512 f164fa9baee5b52febfd2d047f392d99fdf614c089c79ad8233682dede47a3c5df2d625d4fac2862dc79ab65be75a4323576bbf4f417cac06cb0233e4dec7fb4

C:\Users\Admin\AppData\Local\Temp\1PZcVgwt7lR0.bat

MD5 c1c659c956e113b8eaebfcbb2955679a
SHA1 b6dfc79c32cb06df78ed01d8ddd4f33602287c2e
SHA256 293485257a4e26a403e4a88b9a466e78f94dc2e32c69410240fd1a49671d16a9
SHA512 cdf1b897ac3a3ffff6de194a7a87a4962cf69e9b65f76d12292f2bfc1656da45eb90d8e2d9f23a6cbb53491c1abacb9082629306ef975e0cfb11f5282e314b47

C:\Users\Admin\AppData\Local\Temp\ijyRXBjdKXC9.bat

MD5 b0cbdc06b2cd34df0f71a1cbc544a172
SHA1 1200ca821cf9cff0b0f737bb3249160e285bf4b0
SHA256 def49c50ccd7be01575dfe810eef6ffe29641e3f81b0f71171e4245f08bf5c8d
SHA512 2e8f31ef5f2b674da231f116ffa9e7aebe9cdff1d5cebf9e6e96fd3963ce1010acd6477ce236634b47cd471d69ccb939982327aaef564eb21b82c861a716b10c

C:\Users\Admin\AppData\Local\Temp\ZAlc2QtJKO2t.bat

MD5 6efb4a6a4391668128d362cd9e8002ff
SHA1 714c64247400880d97df22f55c640b42c8be0b61
SHA256 90218fa074ac2012772dbc2b6027ba6e24ae24293688686b17906fc2754d3d41
SHA512 930b8c0a42666f60e722452b23a8bb2796e02034a7310fbe638f8c304edf8b282d321b22f4412124bb7ad9d45a1b2c89fc6d81dfd3ca0a0c7ee83ed747cab15a

C:\Users\Admin\AppData\Local\Temp\XFfLm4LcwFhr.bat

MD5 01ba09981995f814678cd9d1ae6a67b0
SHA1 b9e67c1a56d9fceec1e64630aa9f3cf7023c2183
SHA256 1fe672b5d71b9b258071ccad2bdfb141e05280b0ca83324a049eb7dbb3400a28
SHA512 224d8939126719f06af779dae68074a104a134af87de72022a9968393724b20cebd23b04b973e6e36346b65f1c376084c3768e5d85e3624033ec124230dc10bf

C:\Users\Admin\AppData\Local\Temp\rHoWaGjqGxbh.bat

MD5 6f2c978d70e1d3938705c4e9a473036a
SHA1 c0e9c1dff81496aba1a4a80cb5771c4811e51166
SHA256 2f58226a5e498c63a6eb47e0a63f46626c51fff0d92a92d070c16be5373bbdf2
SHA512 0eb623436180eeb0b16c8886525926a4324c89a72618e37610cca3bb163083b358bb20650716225744af10d2d878b7718e27cebfe27e192de4e4cb473db09d34

C:\Users\Admin\AppData\Local\Temp\krkFiWqtJPMd.bat

MD5 c8f8a20f2ddf8ba2777585e645bd7c16
SHA1 7f4e9044e6c3cae154ce8b221cae6a1381b1e922
SHA256 d0449e59052c19ca61b62f287d51f79781444ec92478755ba81045643592d0f4
SHA512 a1d1b3af007372d83e3c64063afaf31a04af8ad527ea420867952c3970a264348dc0619099e56c562851f2bfbef6121b2d84d6e20c63f6104eecc73b2ccef456

C:\Users\Admin\AppData\Local\Temp\hZhZ2K2WVe7P.bat

MD5 1570d4670645736672a09840037b6f6e
SHA1 cf6c3d5ce9f0f0dba8b99d296b0dfdc077bb0f25
SHA256 e3a1b8077f5174705517a3944df986f8d4a37cb2d5aaf6d76f3bc85db5d87c43
SHA512 876f8b4615b310ec56186ec379db1d98a1f0d81f63f3a108e2aac77d663a5c64a314b0ce51aca3d51cac79493611745e5d8fbcf95cbee6b60b1832aeff43a594

C:\Users\Admin\AppData\Local\Temp\XjDBMJKp6PrI.bat

MD5 1e92ae51b85a36eeb6391f730fa9de1e
SHA1 e365499d36683a12973d1575203758dc643b2268
SHA256 4ecc4f230d0f09e5e476561fd47a7b99cb3c82b1a1b961d9766bdbe3030713e1
SHA512 77f6c21879d74cb019768dbf65821004ef9f6f2aba06282c8a23f1caa2332d9654ca96e572276b0682fdbe5fd9ade76f778697eef9103586f242b379192c58bb

C:\Users\Admin\AppData\Local\Temp\GpxCCm1OSf4B.bat

MD5 d985c57c8bab51cb125f4447288fe77d
SHA1 11d35bd955635aefb4a0a12b4ed49e5e28cb7788
SHA256 68b113ce2ffbd29f41ed2d7d4759c23efbbf7b99401ec80b5a6dcc100660c239
SHA512 3147226b8cf30d16ab0a92b23182538ef6a8774d6ff8d54b6eed123b54ad055104ea639f2f10fc0437f144d753dc80c4f758e4a8f1309e2a5b83664b5721a752

C:\Users\Admin\AppData\Local\Temp\9dpySN8UUPTb.bat

MD5 29f9836ab3257a5ec0f57835335464f0
SHA1 87b66ec917d8fce9cafdbf7c440e4f6a9061ff11
SHA256 714613cb2ae8ec6e4c2b283b56b1a712f920f470fd44f2001ec7cc302aecbcc4
SHA512 840d52a6221105ffeb13d18421442e6e1b4caca2ffb5fad6af5646bad5cacb073b20e5a1c31100abed1cb206f1622cb3669e8504d4d76cac4842ca3a6d1f82f0

C:\Users\Admin\AppData\Local\Temp\FEWqDdssBYYJ.bat

MD5 545a94b3193964ef5240e3938bd87180
SHA1 5c933ae87276ebff103a56effa5606f225bcad27
SHA256 972b1c38d1ad4f84691bca134e628e615dfd6e11c0558ba2b9f6debcb4fb9a05
SHA512 d63305c14ecde4b33972972d1fc8232f9cf7ce0d0ba48c1677cc350c0abd1a0fb5987ff1d38d49744daf932e40cd1cfcda623553244a0a622577a591a91d795b

C:\Users\Admin\AppData\Local\Temp\yODjpPXoCPNz.bat

MD5 ae98f4d79eef9493bd8f7d60d24a164a
SHA1 5574bc418dac50e79a100dbca0e4212d8c193718
SHA256 0bbeeb723c47cbd5d2e09c8e711de389551365631cbf47021ba90f9617ff4a25
SHA512 e7a75cb55093d2c3ea8b439037526dc28034d65591d08e0d5a2495854f019ddbd025b051dd23c8e4b1feb880e2335a4f8ce12a22d04514acb51144a4b088e58a

C:\Users\Admin\AppData\Local\Temp\FQ6p621r2v5F.bat

MD5 5eafe89f46ae1b52e84d23c9dd574cae
SHA1 1d08492bcd786823b787d28ca7289cde6153cc7a
SHA256 7c5298ce3267b49e9103cabd9b6f340cb6e91c59d835b0d6254f069752235a4d
SHA512 de94a6cc628ccafa3fcc61eb4196bc8e4d78a724145e5df71562159cb2cd7975b249fdb309744870b0c8e46c3b5387012675693d427f2546d095a721381a95de