Malware Analysis Report

2025-04-14 04:54

Sample ID: 241213-lycabsvkay
Target: Client-built.exe
SHA256: 5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d
Tags: quasar office04 discovery spyware trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d

Threat Level: Known bad

The file Client-built.exe was found to be: Known bad.

Malicious Activity Summary

quasar office04 discovery spyware trojan

Quasar RAT

Quasar payload

Quasar family

Executes dropped EXE

Checks computer location settings

Unsigned PE

Enumerates physical storage devices

System Network Configuration Discovery: Internet Connection Discovery

Runs ping.exe

Scheduled Task/Job: Scheduled Task

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-12-13 09:56

Signatures

Quasar family

quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-12-13 09:56

Reported: 2024-12-13 09:58

Platform: win7-20240903-en

Max time kernel: 150s

Max time network: 139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar family

quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Enumerates physical storage devices

System Network Configuration Discovery: Internet Connection Discovery

discovery

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\PING.EXE | N/A
N/A | N/A | C:\Windows\system32\PING.EXE | N/A
N/A | N/A | C:\Windows\system32\PING.EXE | N/A
N/A | N/A | C:\Windows\system32\PING.EXE | N/A
N/A | N/A | C:\Windows\system32\PING.EXE | N/A
N/A | N/A | C:\Windows\system32\PING.EXE | N/A
N/A | N/A | C:\Windows\system32\PING.EXE | N/A
N/A | N/A | C:\Windows\system32\PING.EXE | N/A
N/A | N/A | C:\Windows\system32\PING.EXE | N/A
N/A | N/A | C:\Windows\system32\PING.EXE | N/A
N/A | N/A | C:\Windows\system32\PING.EXE | N/A
N/A | N/A | C:\Windows\system32\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2936 wrote to memory of 2164 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\system32\schtasks.exe
PID 2936 wrote to memory of 2164 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\system32\schtasks.exe
PID 2936 wrote to memory of 2164 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\system32\schtasks.exe
PID 2936 wrote to memory of 2932 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2936 wrote to memory of 2932 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2936 wrote to memory of 2932 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2932 wrote to memory of 2792 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\system32\schtasks.exe
PID 2932 wrote to memory of 2792 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\system32\schtasks.exe
PID 2932 wrote to memory of 2792 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\system32\schtasks.exe
PID 2932 wrote to memory of 2612 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\system32\cmd.exe
PID 2932 wrote to memory of 2612 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\system32\cmd.exe
PID 2932 wrote to memory of 2612 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\system32\cmd.exe
PID 2612 wrote to memory of 2764 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2612 wrote to memory of 2764 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2612 wrote to memory of 2764 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2612 wrote to memory of 2852 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 2612 wrote to memory of 2852 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 2612 wrote to memory of 2852 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 2612 wrote to memory of 2608 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2612 wrote to memory of 2608 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2612 wrote to memory of 2608 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2608 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\system32\schtasks.exe
PID 2608 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\system32\schtasks.exe
PID 2608 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\system32\schtasks.exe
PID 2608 wrote to memory of 1648 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\system32\cmd.exe
PID 2608 wrote to memory of 1648 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\system32\cmd.exe
PID 2608 wrote to memory of 1648 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\system32\cmd.exe
PID 1648 wrote to memory of 2664 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 1648 wrote to memory of 2664 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 1648 wrote to memory of 2664 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 1648 wrote to memory of 844 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 1648 wrote to memory of 844 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 1648 wrote to memory of 844 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 1648 wrote to memory of 2008 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1648 wrote to memory of 2008 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1648 wrote to memory of 2008 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2008 wrote to memory of 1308 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\system32\schtasks.exe
PID 2008 wrote to memory of 1308 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\system32\schtasks.exe
PID 2008 wrote to memory of 1308 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\system32\schtasks.exe
PID 2008 wrote to memory of 1072 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\system32\cmd.exe
PID 2008 wrote to memory of 1072 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\system32\cmd.exe
PID 2008 wrote to memory of 1072 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\system32\cmd.exe
PID 1072 wrote to memory of 1652 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 1072 wrote to memory of 1652 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 1072 wrote to memory of 1652 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 1072 wrote to memory of 616 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 1072 wrote to memory of 616 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 1072 wrote to memory of 616 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 1072 wrote to memory of 3012 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1072 wrote to memory of 3012 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1072 wrote to memory of 3012 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 3012 wrote to memory of 2212 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\system32\schtasks.exe
PID 3012 wrote to memory of 2212 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\system32\schtasks.exe
PID 3012 wrote to memory of 2212 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\system32\schtasks.exe
PID 3012 wrote to memory of 2960 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\system32\cmd.exe
PID 3012 wrote to memory of 2960 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\system32\cmd.exe
PID 3012 wrote to memory of 2960 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\system32\cmd.exe
PID 2960 wrote to memory of 2972 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2960 wrote to memory of 2972 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2960 wrote to memory of 2972 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2960 wrote to memory of 3024 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 2960 wrote to memory of 3024 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 2960 wrote to memory of 3024 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 2960 wrote to memory of 1324 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VSn760WZH0Uz.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MxxAxCinORN2.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nQvj5PvJlDNZ.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fsyB5A9GxFv0.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NKZOsStaHnxh.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YHpQVsSxpO1H.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BmF1Veg5ErJJ.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\5RdUZjzPLTbX.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\moRnlqieH7yY.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\E2KoZnzKMp4t.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\1qgtLArCXLYb.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WbEeXeyoxzs3.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | havocc.ddns.net | udp

Files

memory/2936-0-0x000007FEF53D3000-0x000007FEF53D4000-memory.dmp

memory/2936-1-0x00000000009A0000-0x0000000000CC4000-memory.dmp

memory/2936-2-0x000007FEF53D0000-0x000007FEF5DBC000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5 fa5f99ff110280efe85f4663cfb3d6b8
SHA1 ad2d6d8006aee090a4ad5f08ec3425c6353c07d1
SHA256 5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d
SHA512 a3b898f758060f124c443422c6dc88ba80d9892890b25d21e37a1d3947cd4b9dbef403382ee6e28c1007785a63c5fa387f7d00403db433eb59c03d0b2a88b50e

memory/2936-9-0x000007FEF53D0000-0x000007FEF5DBC000-memory.dmp

memory/2932-10-0x0000000000920000-0x0000000000C44000-memory.dmp

memory/2932-8-0x000007FEF53D0000-0x000007FEF5DBC000-memory.dmp

memory/2932-11-0x000007FEF53D0000-0x000007FEF5DBC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\VSn760WZH0Uz.bat

MD5 9c867f88188d47a90580b44df93ef17f
SHA1 fcb280656ac9c6e520b7c76dc6902f00b7fa8967
SHA256 18ba331591369b75a3c125b1c9e6adf67703e62bfd5dacbf710adc19308f9845
SHA512 817e76fad2325785ac70463ef57a17dd399f44ba981b8b1a432e08443328262813931668c85f9207b050e1018c2a806304b97505f7395e4573413a4a09075a29

memory/2932-21-0x000007FEF53D0000-0x000007FEF5DBC000-memory.dmp

memory/2608-23-0x00000000012B0000-0x00000000015D4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MxxAxCinORN2.bat

MD5 61d2f284228a54a6e7e9e7b613d36095
SHA1 bfd6468efc54901b6d4fd1d3b55816f83fbb2c93
SHA256 2599fc898e2f2ea626316bc2dcc2bc1a2047be0eb91de004609a659fc631adbe
SHA512 5c389c3f8b69f4a24283899bf61793f0b653724f2ec50bca64db2d286f94c3762244908ed79cbd5afbf6796c3d417e87916a2ee3b9cb5d499b6e3b8e7be13d2b

C:\Users\Admin\AppData\Local\Temp\nQvj5PvJlDNZ.bat

MD5 418dff7a3f8aef3f167ce38fb0c17670
SHA1 902ed1e10caf53bd02db9ad6870f510a3218ad0d
SHA256 58539ef046bb814272f3e20ee4afbf06ebf5d1f7e21306f162d506a395164052
SHA512 af5286cf6276ab5ba760529545a91d4d2f8960af73694784ad248e64f25af7de7d303501b2ffa735725f66357c1109e9852da2d55a4d3d9aea0f09d36bc0ae08

C:\Users\Admin\AppData\Local\Temp\fsyB5A9GxFv0.bat

MD5 c6a5021a20cb3670ee1632c3976c82ba
SHA1 705b5e6af3840ea8afb35990d60b3c5a5748eea3
SHA256 9a4e9303a931b423747471a1a7e46dbbce492820086094b862c5b205f6cfc793
SHA512 45216fc49f0196daebe57cb102af352d0e8a67161bfe087b5640a3a18b0e51293d3a3a2f5f898fd6328667bf01792b55d71cc46919b073a3ddb8b88345b30847

memory/1324-54-0x0000000000060000-0x0000000000384000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\NKZOsStaHnxh.bat

MD5 4a293e9aa0526d7dbac00349d64f2860
SHA1 71894c0fbddee67784e06c01d543447705e76fa8
SHA256 1028e9e01e916c365ad088ddc4fc7a9d597a0fc301ef51249723c2e20d821032
SHA512 bf8abd42272cd13fb2bb1ffa95b1672d2f51d942f9f742bd9be0eb4eb98d332fc318550063f83619477c5b4fa97dd03f3dcac2ad20f40611e3bdde156fbefa0a

memory/684-65-0x0000000000BC0000-0x0000000000EE4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\YHpQVsSxpO1H.bat

MD5 184388fae3cf8ce39bfd5d99af269ac7
SHA1 f0ee494b5ad6d78c2e92fe21b2ca717268025439
SHA256 dfd9940d37599512208e1441583d20628eda9d1518c7a4ea16baee5129c8adaf
SHA512 9d859b6f87126de3b642517388d9c7b82d2ad0bc8e520c81b2a69c96e931442070ab2950791276170300a5a5c092564e8a1cb09e60195f071cd4d22f541d4d6e

memory/1884-76-0x0000000000E50000-0x0000000001174000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BmF1Veg5ErJJ.bat

MD5 7963d5c8431f11caad3715d40e291c7d
SHA1 cc3078ce097402c5ebbc14a88fa07abec03488b7
SHA256 46c387ffeda4969931344ef391c5555bb4dba87ea1c8387f35761acafdb07d85
SHA512 e50f3af8e5a45f6826dc69d5617cac0d3f063baf2beb44e02fdf644f9824488d66a22ea140de9d98f7cc7de6100f79e9f7c752ee93584b30527e6bf09f87506b

memory/2804-87-0x00000000003B0000-0x00000000006D4000-memory.dmp

\??\PIPE\lsarpc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\5RdUZjzPLTbX.bat

MD5 dfaf153f76f79d490d2cbd4afe5881fc
SHA1 7728cfd76aeb22ba74a2a9513fe23ef53f6e8c5a
SHA256 4ed755d367f4f82714bf6873a0d5535cefddf1a2e6cf0602e1ed2f93e1d3ec96
SHA512 94146f096376d7f265c02ab52b60e0ca681fcdde6d22c3935dd5dc0c213c3567575b821234780a440d3f14ffedc6f11dd75b6e42f0a8404aeeccdc4d55698828

memory/2404-99-0x0000000001270000-0x0000000001594000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\moRnlqieH7yY.bat

MD5 899c8b0a278cdd5d98dfb5b490003f62
SHA1 fd0f9971c9c0745be7c61bcfdfdbcf497b7ee2a6
SHA256 e0e23bbabc04515e666ee516e0bf2d96ca35e013b633c65767f3bba1b3cf2e64
SHA512 9d89ecb916c79d18fd567494b31efcacf824efcc79d534606cc4659147dbb1bbd903421dad415a588eb0cae398e32cfc7cbc38f7d51b4a0808b76efcd55fa3ba

C:\Users\Admin\AppData\Local\Temp\E2KoZnzKMp4t.bat

MD5 d9ff5a36d8bc09990f5445db4d6c2f4c
SHA1 9dc36d4b45aa5ac83678e3c1770877da00969e8a
SHA256 0c6d87317ecd4e9813620693b8de63c82df71240ef96964e85243d53d659faf4
SHA512 941d988ee73b6221b7665c8db435925f0a3d2e8f66226b87bb301171c5a7f33a93e6ac75ddf5093e9fa33c2a6179a90390c63e496362d6a14853f3182cb90927

C:\Users\Admin\AppData\Local\Temp\1qgtLArCXLYb.bat

MD5 ebb69ed0407180a01cdac2b35999916d
SHA1 b495effa95d6635dbcc77e717f90e6eea524fbc1
SHA256 3fdf076e97b02ed991d5db56754ff33054aff1537b06e48309acfaa6bb28051c
SHA512 e9d421900c71aec086cc1c02806a33d1bcdb438d075521d75274e0cb142a8497ed72c0b58bb834bdb1187203dacfca7b930398d81e1fb95bb0f3c2d759a87ffc

C:\Users\Admin\AppData\Local\Temp\WbEeXeyoxzs3.bat

MD5 848ff23a0c10d1ec8e1cd2e633ed14de
SHA1 1b492b849524e38ce7ad6a5e3bd389b6a0e7f3aa
SHA256 677aa9996e475d89c2e812f2801f17b2a03fe7fe245ac76525e0be1e0711643f
SHA512 44e02e68c915bc15fbd80e12609d8847a7d0b87d53cce848e2f01509514163338c3d30843c97d603fe93e9d0604662444834534a61de3d78eb5c6f07b7c46832

Analysis: behavioral2

Detonation Overview

Submitted: 2024-12-13 09:56

Reported: 2024-12-13 09:58

Platform: win10v2004-20241007-en

Max time kernel: 148s

Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar family

quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 412 wrote to memory of 4452 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\SYSTEM32\schtasks.exe
PID 412 wrote to memory of 4452 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\SYSTEM32\schtasks.exe
PID 412 wrote to memory of 3692 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 412 wrote to memory of 3692 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 3692 wrote to memory of 3724 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\SYSTEM32\schtasks.exe
PID 3692 wrote to memory of 3724 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\SYSTEM32\schtasks.exe
PID 3692 wrote to memory of 3752 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\system32\cmd.exe
PID 3692 wrote to memory of 3752 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\system32\cmd.exe
PID 3752 wrote to memory of 5116 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 3752 wrote to memory of 5116 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 3752 wrote to memory of 4100 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 3752 wrote to memory of 4100 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 3752 wrote to memory of 912 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 3752 wrote to memory of 912 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 912 wrote to memory of 4296 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\SYSTEM32\schtasks.exe
PID 912 wrote to memory of 4296 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\SYSTEM32\schtasks.exe
PID 912 wrote to memory of 5100 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\system32\cmd.exe
PID 912 wrote to memory of 5100 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\system32\cmd.exe
PID 5100 wrote to memory of 1968 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 5100 wrote to memory of 1968 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 5100 wrote to memory of 4504 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 5100 wrote to memory of 4504 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 5100 wrote to memory of 4316 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 5100 wrote to memory of 4316 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 4316 wrote to memory of 1648 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\SYSTEM32\schtasks.exe
PID 4316 wrote to memory of 1648 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\SYSTEM32\schtasks.exe
PID 4316 wrote to memory of 2696 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\system32\cmd.exe
PID 4316 wrote to memory of 2696 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\system32\cmd.exe
PID 2696 wrote to memory of 216 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2696 wrote to memory of 216 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2696 wrote to memory of 4660 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 2696 wrote to memory of 4660 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 2696 wrote to memory of 1072 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2696 wrote to memory of 1072 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1072 wrote to memory of 2440 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\SYSTEM32\schtasks.exe
PID 1072 wrote to memory of 2440 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\SYSTEM32\schtasks.exe
PID 1072 wrote to memory of 4924 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\system32\cmd.exe
PID 1072 wrote to memory of 4924 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\system32\cmd.exe
PID 4924 wrote to memory of 2780 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 4924 wrote to memory of 2780 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 4924 wrote to memory of 3036 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 4924 wrote to memory of 3036 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 4924 wrote to memory of 3336 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 4924 wrote to memory of 3336 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 3336 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\SYSTEM32\schtasks.exe
PID 3336 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\SYSTEM32\schtasks.exe
PID 3336 wrote to memory of 3772 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\system32\cmd.exe
PID 3336 wrote to memory of 3772 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\system32\cmd.exe
PID 3772 wrote to memory of 3328 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 3772 wrote to memory of 3328 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 3772 wrote to memory of 3996 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 3772 wrote to memory of 3996 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 3772 wrote to memory of 4184 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 3772 wrote to memory of 4184 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 4184 wrote to memory of 912 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\SYSTEM32\schtasks.exe
PID 4184 wrote to memory of 912 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\SYSTEM32\schtasks.exe
PID 4184 wrote to memory of 4820 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\system32\cmd.exe
PID 4184 wrote to memory of 4820 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\system32\cmd.exe
PID 4820 wrote to memory of 392 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 4820 wrote to memory of 392 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 4820 wrote to memory of 3580 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 4820 wrote to memory of 3580 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 4820 wrote to memory of 4804 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 4820 wrote to memory of 4804 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fFh5jVii67mP.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\k2UJXDOrX0AM.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eScUVmF6gFri.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zi9NUpIWE1fD.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wWaAzurqEDxr.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tfVX4gGrtDUy.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wL2qfIqxDyl4.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PlusibdCCLGe.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2TylDycB1Hbb.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fbxCnKCYmlg6.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sZO6qNsu0l4M.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\W69nOr8uR805.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Li3juIFYobtN.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LzYfG30hSPNr.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aHbjrxvkRK1t.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost
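
The process list above repeats one pattern fifteen times: the dropped Client.exe registers a logon task ("Discord", ONLOGON, /rl HIGHEST, /f) whose action is itself under %APPDATA%, then runs a random-named .bat from %TEMP% through cmd.exe, and that batch switches the code page (chcp 65001), waits with "ping -n 10 localhost" and relaunches Client.exe, which starts the cycle again. The script below is an added example, not part of the sandbox report or of Quasar, that turns those two observations into detection logic over process-creation events. The event records are constructed from the PIDs and command lines the report shows (the parent of pid 4316 is not identified in the report, so its ppid is left at 0); the scoring thresholds and the list of "user-writable" paths are my assumptions.

```python
"""Detect the persistence and restart chain listed under Processes above:
a schtasks ONLOGON task at the HIGHEST run level whose action lives in
%APPDATA%, and cmd.exe running a random-named %TEMP% .bat whose children
are chcp 65001, a 'ping -n 10 localhost' delay and a relaunch of the
dropped Client.exe. Added example, not part of the report; the events
below are constructed from the PIDs and command lines the report shows."""
import ntpath
import re

# Process events (pid, ppid, image, cmdline) constructed from the report.
# The parent of pid 4316 is not identified in the report, so ppid is 0.
SAMPLE_EVENTS = [
    {"pid": 4316, "ppid": 0, "image": r"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"'},
    {"pid": 2696, "ppid": 4316, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fFh5jVii67mP.bat" "'},
    {"pid": 216, "ppid": 2696, "image": r"C:\Windows\system32\chcp.com", "cmdline": "chcp 65001"},
    {"pid": 4660, "ppid": 2696, "image": r"C:\Windows\system32\PING.EXE", "cmdline": "ping -n 10 localhost"},
    {"pid": 1072, "ppid": 2696, "image": r"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"'},
    {"pid": 2440, "ppid": 1072, "image": r"C:\Windows\SYSTEM32\schtasks.exe",
     "cmdline": r'"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f'},
]

USER_WRITABLE = re.compile(r"\\AppData\\(Roaming|Local)\\", re.I)   # assumption: paths a user can write
TEMP_BAT = re.compile(r'[A-Za-z]:\\[^"]*\\AppData\\Local\\Temp\\[^"\\]+\.bat', re.I)
PING_DELAY = re.compile(r"-n\s+\d+\s+localhost", re.I)


def win_tokens(cmdline):
    """Split on whitespace but keep double-quoted runs together (a simplified
    CommandLineToArgvW, enough for the schtasks lines in the report)."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_schtasks(cmdline):
    """Return {'/flag': value_or_True} for a schtasks command line, else None."""
    toks = win_tokens(cmdline)
    if not toks or ntpath.basename(toks[0]).lower() not in ("schtasks", "schtasks.exe"):
        return None
    opts, i = {}, 1
    while i < len(toks):
        flag = toks[i].lower()
        if flag.startswith("/") and i + 1 < len(toks) and not toks[i + 1].startswith("/"):
            opts[flag] = toks[i + 1]
            i += 2
        else:
            opts[flag] = True
            i += 1
    return opts


def suspicious_logon_task(cmdline):
    """Score a 'schtasks /create' by the traits the report's task shows; three
    or more together are reported (threshold is an assumption), a single one
    is ordinary admin activity."""
    opts = parse_schtasks(cmdline)
    if not opts or "/create" not in opts:
        return None
    action = str(opts.get("/tr", ""))
    reasons = []
    if str(opts.get("/sc", "")).upper() == "ONLOGON":
        reasons.append("runs at every logon")
    if str(opts.get("/rl", "")).upper() == "HIGHEST":
        reasons.append("requests the highest run level")
    if USER_WRITABLE.search(action):
        reasons.append("action lives under a user-writable AppData path")
    if "/f" in opts:
        reasons.append("/f silently replaces any existing task of that name")
    if len(reasons) < 3:
        return None
    return {"task": opts.get("/tn"), "action": action, "reasons": reasons}


def restart_chains(events):
    """Find cmd.exe running a %TEMP% .bat whose children include a ping delay
    and a relaunch of cmd's own parent image: the RAT restarting itself."""
    by_pid = {e["pid"]: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e["ppid"], []).append(e)
    found = []
    for e in events:
        if ntpath.basename(e["image"]).lower() != "cmd.exe":
            continue
        bat = TEMP_BAT.search(e["cmdline"])
        if not bat:
            continue
        kids = children.get(e["pid"], [])
        names = {ntpath.basename(k["image"]).lower() for k in kids}
        parent = by_pid.get(e["ppid"])
        delay = next((k for k in kids if ntpath.basename(k["image"]).lower() == "ping.exe"
                      and PING_DELAY.search(k["cmdline"])), None)
        relaunch = next((k for k in kids if parent
                         and k["image"].lower() == parent["image"].lower()), None)
        if delay and relaunch:
            found.append({"cmd_pid": e["pid"], "bat": bat.group(0), "codepage_switch": "chcp.com" in names,
                          "delay": delay["cmdline"], "relaunched": relaunch["image"],
                          "relaunch_pid": relaunch["pid"]})
    return found


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        hit = suspicious_logon_task(e["cmdline"])
        if hit:
            print(f"pid {e['pid']}: logon task {hit['task']!r} -> {hit['action']}; " + "; ".join(hit["reasons"]))
    for c in restart_chains(SAMPLE_EVENTS):
        print(f"cmd pid {c['cmd_pid']}: {c['bat']} waits with '{c['delay']}' then relaunches "
              f"{c['relaunched']} as pid {c['relaunch_pid']}")
```

Two caveats when turning this into a production rule. The task name "Discord" is whatever this build was configured with, so key on the ONLOGON/HIGHEST/AppData combination rather than the name; and the .bat names are random per run, so match the %TEMP%\*.bat parent plus the ping-then-relaunch children rather than any filename. Note also that the report does not show the contents of the batch files, only the processes they spawn; the delay-and-relaunch structure is inferred from those children.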

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 133.130.81.91.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 havocc.ddns.net udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 havocc.ddns.net udp
US 8.8.8.8:53 havocc.ddns.net udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 havocc.ddns.net udp
US 8.8.8.8:53 havocc.ddns.net udp
US 8.8.8.8:53 havocc.ddns.net udp
US 8.8.8.8:53 havocc.ddns.net udp
US 8.8.8.8:53 havocc.ddns.net udp
US 8.8.8.8:53 havocc.ddns.net udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 havocc.ddns.net udp
US 8.8.8.8:53 havocc.ddns.net udp
US 8.8.8.8:53 havocc.ddns.net udp
US 8.8.8.8:53 havocc.ddns.net udp
US 8.8.8.8:53 havocc.ddns.net udp
US 8.8.8.8:53 havocc.ddns.net udp

Files

memory/412-0-0x00007FF9D97A3000-0x00007FF9D97A5000-memory.dmp

memory/412-1-0x0000000000B20000-0x0000000000E44000-memory.dmp

memory/412-2-0x00007FF9D97A0000-0x00007FF9DA261000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5 fa5f99ff110280efe85f4663cfb3d6b8
SHA1 ad2d6d8006aee090a4ad5f08ec3425c6353c07d1
SHA256 5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d
SHA512 a3b898f758060f124c443422c6dc88ba80d9892890b25d21e37a1d3947cd4b9dbef403382ee6e28c1007785a63c5fa387f7d00403db433eb59c03d0b2a88b50e

memory/412-9-0x00007FF9D97A0000-0x00007FF9DA261000-memory.dmp

memory/3692-10-0x00007FF9D97A0000-0x00007FF9DA261000-memory.dmp

memory/3692-11-0x00007FF9D97A0000-0x00007FF9DA261000-memory.dmp

memory/3692-12-0x000000001BA50000-0x000000001BAA0000-memory.dmp

memory/3692-13-0x000000001C2F0000-0x000000001C3A2000-memory.dmp

memory/3692-18-0x00007FF9D97A0000-0x00007FF9DA261000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fFh5jVii67mP.bat

MD5 76d306b8ad5c6d9e1279f13a2efa7fd7
SHA1 b3ace7ef1c503750af6de1c153421c332a2e1abb
SHA256 d54bfc50491c5ed7c165629afeb5fed45e3712e9b4e074a1ad3ed47b73d87617
SHA512 e4c57835247a453468291369d3431f93302fd9792d63d194efe00da67cabc8897d7cd393875057772aad8cabadd5645cf9f93b67b659efcb61e2f285b2c9ce77

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

MD5 8f0271a63446aef01cf2bfc7b7c7976b
SHA1 b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7
SHA256 da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c
SHA512 78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

C:\Users\Admin\AppData\Local\Temp\k2UJXDOrX0AM.bat

MD5 4c068844c8f5e96652586d52e8735f13
SHA1 ee8d55b140fa254cdf89b322e63c103dc73053ca
SHA256 2b098e5e81103eefbaa18280120325f1e6ce82974d4b80542c94de4bf67ff669
SHA512 7707d17a5799db230811d635c3eddb57b68b9e92385c80ba8bb73b15c68538eddb45883487ae510fca903b061f7f70c55758b414730ec25150abb6961b822f55

C:\Users\Admin\AppData\Local\Temp\eScUVmF6gFri.bat

MD5 6dd7e5ae49690e9e6560437e6c7a648d
SHA1 9b18bf417e0f30d63e2bd123b885ee73ff397cfb
SHA256 2ec8a707ebe68f3d4d71994e3a4a4ab0bce1977b2e845b8edf052d406479c7cc
SHA512 b7e40c2f597a89e85a2e3bdb57b0001c47edd64c8749077030af8a3e73bc39c8a2cbee351b6e50a68ee302339456c62280f8ab50a59f3a68ba53d18c9243e936

C:\Users\Admin\AppData\Local\Temp\zi9NUpIWE1fD.bat

MD5 c31ae425d4dbc9a593e91a962fd945ac
SHA1 964e3404675a72e0a66db128e56db17cb4f1394e
SHA256 59d7c939f1b172054fa5e82a9714c8ebe6879ce1fcf8f88f5916b5f46e87db0c
SHA512 7c32c7eb339b36ebce887eb521dd8df5aaef912369e75041228230800b8192043835eb68b2db872f98c9c8255665044238f15f69c32dee5344075c4d43e59145

C:\Users\Admin\AppData\Local\Temp\wWaAzurqEDxr.bat

MD5 054f8ac6ecf7281b55f8a1f90c9f8712
SHA1 0cc203e0f27fddbbe55297ce5aff94c0b2e26420
SHA256 58992f0ce6df598bb3957341675b4b694e9d1aecc6a19ba0b70a1e56b2d6fe64
SHA512 57f8896e441d966147de23a748f9643b3b8d4843535c10453246565d883a6d6e0d82e9f8679bcf485c485ed240b2bb84799003668c7590e9105e1b6db633867a

C:\Users\Admin\AppData\Local\Temp\tfVX4gGrtDUy.bat

MD5 adf57f3400fea775759c743cc3a6da78
SHA1 9b0b38ffb70585259953cc71102299add61592b3
SHA256 531a273f7cf8631c106da8dffa739816831306f0cc8be6b86d3a8ef0c47afe05
SHA512 2923ce96590689ccdd5336a816850192eca132debfaccefb62aa667da2a8b7af773f7adaea2f37a3d2ee4ea5599cf3948626059d921ce66983f31aabac16c5bb

C:\Users\Admin\AppData\Local\Temp\wL2qfIqxDyl4.bat

MD5 102a4c1a55a675e3f0df134301f0a8cf
SHA1 4339cb35ae13d60dbf0a472f880968ebdce404b9
SHA256 fd39ba8ea2161a1ff0044cb1fde074f16ae7becd10a79ba192c4ccd7dda9cae0
SHA512 fffaaee254fc5d68f34355ca6a40fdf5f777fd53449b4814bfbcb60599977a80101654d0ff586b5938dbf24a1dba5ac6db96cdaf8340978824cb2b7071a9ab30

C:\Users\Admin\AppData\Local\Temp\PlusibdCCLGe.bat

MD5 eaad5864c17eaa5c71afcee81b55dc27
SHA1 a0ee90b3357ecb7efeb8d627f7a832f0519434c5
SHA256 7045669e1f69c663ecab023d28fcff73412d51249250711f1d8c722a40bc1309
SHA512 02509a03b86aeb2fdf40b052927c74b1e60d0c4f4bcf996441f23f04d120ec6beffdf31d0124927bfa671cde4a49e978e51a697716dcd4a30dc1eab2dc842f14

C:\Users\Admin\AppData\Local\Temp\2TylDycB1Hbb.bat

MD5 ac386dd330765a36d868ec8f5cf41ae5
SHA1 0dffdc0632ba2921dc9a026cace8e11555780314
SHA256 c88ec5c28f0c5e89bf3f4a9b0388e78fc4a0f5996daf6f3106b3f445220ba69e
SHA512 3abda2bd5f4d5228424e5fe4de3749614646d5e6e675afe3a2b6728ca4465b6319ec9b05e364f11a36a2ef6743c15ac861991d0975f35c9fec0cf5088e0ae755

C:\Users\Admin\AppData\Local\Temp\fbxCnKCYmlg6.bat

MD5 3b5ff3829b8753d7e04cf129fef32635
SHA1 40f79b0004164f64131fef229b1b8dbcbfda368a
SHA256 7d077013a6e93a3c4430f8a3a8cf3a9e5ce028820a6e850fccc655c7ded03c6c
SHA512 b3fff4b493adfaee973a7da938046cb5481bfa4c1171e9be0c06c2e616e829f8a118774c144c5bfbe4f42f052d30687596d7515bf5f5e03da138f8cdc13509fc

C:\Users\Admin\AppData\Local\Temp\sZO6qNsu0l4M.bat

MD5 61ffb47f4992305c958f3377b0976d43
SHA1 5d15011943d600d270515f6c209424832fa59b54
SHA256 f8e5dbff504000bc8ee65eebdca04e1a3d658da89cfa75d4313349b9113e8b74
SHA512 f633d3105e45a4b519c6e6e84b368f5ccaa5ccdd9fa6033fb767b18c122d23f4563bc9233f87f71a2491a7f349a6a93c20a68c0042af5fe75cd8dca8053ca8cf

C:\Users\Admin\AppData\Local\Temp\W69nOr8uR805.bat

MD5 e2fea06854189fb603b9e1ea9803c846
SHA1 3c3057d87f4dadfbd1d9d76dfd6f059278392935
SHA256 791f3639f81c3420ac385b3a428533afae5576ec8cf10d2bdb05ec8044a80705
SHA512 125e793ece5bf1c6737be8792be0dbfa8a47e437888c0fa5bca18ea721c044fe3b6d08f02880bcb7a2015bb16422eeba84bd7530360c7e8b311bef1a00723464

C:\Users\Admin\AppData\Local\Temp\LzYfG30hSPNr.bat

MD5 9c0545e11ddcf396a61be3b115b8de9b
SHA1 3bc31bcd5aec2ce10c26d1c81925cce5ea09d4ee
SHA256 fa4908ab61a3077cf39c65509fe06fce69ee1650d9cf74e3f1b9c2ab72c415b2
SHA512 7d56de1867682276f128abd5225213efc8ed96e7f1aeeae448fbe0a61ab8379fe994f46212a9cee8e1543bbf4469e2946f642ee12b8d67175b5e60bf9859666d

C:\Users\Admin\AppData\Local\Temp\aHbjrxvkRK1t.bat

MD5 83300664108d681e3a82dd913ccfdf6a
SHA1 bd4473c6eddfcec5bbe51901ae22e05d9c280862
SHA256 0f7f4337b2364a1b389e09aa4e84c6b5a74b862e2d713c9792546b4053819643
SHA512 f3d9696476b49a225faeb12b07c64c0c1f5954efcb317e786f19aae33721888f318849f106dd7eb6eb3e3db45a787a3c2976ff987345fc8799f4bec28d3bc57b
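
Two things in the Network and Files tables above deserve a check before the indicators go anywhere. The Network table lists only DNS queries, all to 8.8.8.8:53: fifteen for havocc.ddns.net (a No-IP dynamic-DNS zone) interleaved with in-addr.arpa reverse lookups, and no answers, so no C2 IP can be read from this report. In the Files table the dropped C:\Users\Admin\AppData\Roaming\SubDir\Client.exe carries the same SHA256 as the submitted sample, so persistence is a plain self-copy and one hash covers both paths, while every .bat file has a distinct hash and is a poor indicator on its own. The script below is an added example, not part of the report, that does this triage mechanically. The query list and the file hashes are constructed from the report's own tables (the .bat entries are a subset); the dynamic-DNS zone list is a short illustrative one of my own.

```python
"""Triage the Network and Files tables above: collapse the repeated DNS
queries into per-name counts, turn in-addr.arpa queries back into the IPs
they reverse-resolve, flag names under dynamic-DNS zones, and compare each
dropped file's SHA256 with the submitted sample to catch a self-copy.
Added example, not part of the report; the rows are constructed from the
report's own Network and Files tables."""
from collections import Counter
import ipaddress

# Constructed from the Network table, in order (every query went to 8.8.8.8:53 over udp).
DNS_QUERIES = (
    ["228.249.119.40.in-addr.arpa", "133.130.81.91.in-addr.arpa",
     "22.160.190.20.in-addr.arpa", "95.221.229.192.in-addr.arpa"]
    + ["havocc.ddns.net"] + ["28.118.140.52.in-addr.arpa"] + ["havocc.ddns.net"] * 2
    + ["197.87.175.4.in-addr.arpa", "206.23.85.13.in-addr.arpa"] + ["havocc.ddns.net"] * 6
    + ["31.243.111.52.in-addr.arpa"] + ["havocc.ddns.net"] * 6
)

# Short illustrative list of dynamic-DNS zones (No-IP and DuckDNS); extend for real use.
DYNAMIC_DNS_ZONES = ("ddns.net", "no-ip.org", "no-ip.biz", "hopto.org",
                     "zapto.org", "sytes.net", "duckdns.org")

# Constructed from the Files table: the sample's SHA256 and a subset of the dropped files.
SAMPLE_SHA256 = "5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d"
DROPPED = {
    r"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe":
        "5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d",
    r"C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log":
        "da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c",
    r"C:\Users\Admin\AppData\Local\Temp\fFh5jVii67mP.bat":
        "d54bfc50491c5ed7c165629afeb5fed45e3712e9b4e074a1ad3ed47b73d87617",
    r"C:\Users\Admin\AppData\Local\Temp\k2UJXDOrX0AM.bat":
        "2b098e5e81103eefbaa18280120325f1e6ce82974d4b80542c94de4bf67ff669",
}


def reverse_lookup_ip(name):
    """'228.249.119.40.in-addr.arpa' -> '40.119.249.228'; None for forward names."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ValueError:
        return None


def is_dynamic_dns(name):
    """True when the name is, or sits under, one of the listed dynamic-DNS zones."""
    name = name.lower().rstrip(".")
    return any(name == z or name.endswith("." + z) for z in DYNAMIC_DNS_ZONES)


def triage_dns(queries):
    """Split queries into forward lookups (counted) and reverse lookups (as IPs)
    and list the forward names that sit under a dynamic-DNS zone."""
    forward, reverse_ips = Counter(), []
    for q in queries:
        ip = reverse_lookup_ip(q)
        if ip:
            reverse_ips.append(ip)
        else:
            forward[q.lower().rstrip(".")] += 1
    dynamic = [n for n in forward if is_dynamic_dns(n)]
    return {"forward": forward, "reverse_ips": reverse_ips, "dynamic_dns": dynamic}


def classify_dropped(files, sample_sha256):
    """Separate dropped files that are byte-identical to the submitted sample
    (same SHA256) from everything else."""
    out = {"self_copies": [], "other": []}
    for path, sha in files.items():
        bucket = "self_copies" if sha.lower() == sample_sha256.lower() else "other"
        out[bucket].append(path)
    return out


if __name__ == "__main__":
    dns = triage_dns(DNS_QUERIES)
    for name, n in dns["forward"].most_common():
        tag = " (dynamic DNS)" if name in dns["dynamic_dns"] else ""
        print(f"{n:3d}x {name}{tag}")
    print("reverse lookups for:", ", ".join(dns["reverse_ips"]))
    dropped = classify_dropped(DROPPED, SAMPLE_SHA256)
    for p in dropped["self_copies"]:
        print("self-copy of the sample:", p)
```

The recovered reverse-lookup IPs are worth cross-checking against what havocc.ddns.net resolved to at detonation time, but nothing in this report ties them to the RAT; treat the domain and the sample hash as the indicators, and the %APPDATA%\SubDir\Client.exe path and the "Discord" logon task as host artefacts to hunt for.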