Malware Analysis Report

2025-04-14 04:54

Sample ID 241214-eh7yqstld1
Target 5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d.exe
SHA256 5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d
Tags office04 quasar discovery spyware trojan
Score 10/10


Analysis Overview

Score 10/10
SHA256 5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d

Threat Level: Known bad

The file 5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d.exe was found to be: Known bad.

Malicious Activity Summary

office04 quasar discovery spyware trojan

Quasar family

Quasar payload

Quasar RAT

Executes dropped EXE

Checks computer location settings

Unsigned PE

System Network Configuration Discovery: Internet Connection Discovery

Enumerates physical storage devices

Runs ping.exe

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-12-14 03:57

Signatures

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-12-14 03:57
Reported 2024-12-14 04:00
Platform win7-20240903-en
Max time kernel 148s
Max time network 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar family

quasar

Quasar payload

Description Indicator Process Target Count
N/A N/A N/A N/A 9

Enumerates physical storage devices

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target Count
N/A N/A C:\Windows\system32\PING.EXE N/A 12

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target Count
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d.exe N/A 1
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A 13

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 1920 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d.exe C:\Windows\system32\schtasks.exe 3
PID 1920 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe 3
PID 3024 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\system32\schtasks.exe 3
PID 3024 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\system32\cmd.exe 3
PID 1736 wrote to memory of 2624 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com 3
PID 1736 wrote to memory of 1048 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE 3
PID 1736 wrote to memory of 1992 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe 3
PID 1992 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\system32\schtasks.exe 3
PID 1992 wrote to memory of 676 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\system32\cmd.exe 3
PID 676 wrote to memory of 2968 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com 3
PID 676 wrote to memory of 2268 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE 3
PID 676 wrote to memory of 1524 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe 3
PID 1524 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\system32\schtasks.exe 3
PID 1524 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\system32\cmd.exe 3
PID 1824 wrote to memory of 2076 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com 3
PID 1824 wrote to memory of 1684 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE 3
PID 1824 wrote to memory of 2092 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe 3
PID 2092 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\system32\schtasks.exe 3
PID 2092 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\system32\cmd.exe 3
PID 1696 wrote to memory of 2296 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com 3
PID 1696 wrote to memory of 568 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE 3
PID 1696 wrote to memory of 3016 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe 1

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d.exe
  "C:\Users\Admin\AppData\Local\Temp\5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d.exe"

C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\9p6jfvOMXfDH.bat" "

C:\Windows\system32\chcp.com
  chcp 65001

C:\Windows\system32\PING.EXE
  ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\CIRJQaP5ihBA.bat" "

C:\Windows\system32\chcp.com
  chcp 65001

C:\Windows\system32\PING.EXE
  ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\m26rPSQxAsbt.bat" "

C:\Windows\system32\chcp.com
  chcp 65001

C:\Windows\system32\PING.EXE
  ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hBK6TgfDc3GA.bat" "

C:\Windows\system32\chcp.com
  chcp 65001

C:\Windows\system32\PING.EXE
  ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\7zI0hxVDy7G7.bat" "

C:\Windows\system32\chcp.com
  chcp 65001

C:\Windows\system32\PING.EXE
  ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\UiSr8Q7ztQVD.bat" "

C:\Windows\system32\chcp.com
  chcp 65001

C:\Windows\system32\PING.EXE
  ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\91PDUPvQLDBJ.bat" "

C:\Windows\system32\chcp.com
  chcp 65001

C:\Windows\system32\PING.EXE
  ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\yiebMAUTyzAc.bat" "

C:\Windows\system32\chcp.com
  chcp 65001

C:\Windows\system32\PING.EXE
  ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\TvB5I58rOK3W.bat" "

C:\Windows\system32\chcp.com
  chcp 65001

C:\Windows\system32\PING.EXE
  ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\1NRFjWojImMI.bat" "

C:\Windows\system32\chcp.com
  chcp 65001

C:\Windows\system32\PING.EXE
  ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FfPTit17hTX2.bat" "

C:\Windows\system32\chcp.com
  chcp 65001

C:\Windows\system32\PING.EXE
  ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FZZ3kIN1kCXM.bat" "

C:\Windows\system32\chcp.com
  chcp 65001

C:\Windows\system32\PING.EXE
  ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 havocc.ddns.net udp

Files

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5 fa5f99ff110280efe85f4663cfb3d6b8
SHA1 ad2d6d8006aee090a4ad5f08ec3425c6353c07d1
SHA256 5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d
SHA512 a3b898f758060f124c443422c6dc88ba80d9892890b25d21e37a1d3947cd4b9dbef403382ee6e28c1007785a63c5fa387f7d00403db433eb59c03d0b2a88b50e

C:\Users\Admin\AppData\Local\Temp\9p6jfvOMXfDH.bat

C:\Users\Admin\AppData\Local\Temp\CIRJQaP5ihBA.bat

C:\Users\Admin\AppData\Local\Temp\m26rPSQxAsbt.bat

C:\Users\Admin\AppData\Local\Temp\hBK6TgfDc3GA.bat

C:\Users\Admin\AppData\Local\Temp\7zI0hxVDy7G7.bat

C:\Users\Admin\AppData\Local\Temp\UiSr8Q7ztQVD.bat

C:\Users\Admin\AppData\Local\Temp\91PDUPvQLDBJ.bat

\??\PIPE\lsarpc

C:\Users\Admin\AppData\Local\Temp\yiebMAUTyzAc.bat

C:\Users\Admin\AppData\Local\Temp\TvB5I58rOK3W.bat

C:\Users\Admin\AppData\Local\Temp\1NRFjWojImMI.bat

C:\Users\Admin\AppData\Local\Temp\FfPTit17hTX2.bat

C:\Users\Admin\AppData\Local\Temp\FZZ3kIN1kCXM.bat

Analysis: behavioral2

Detonation Overview

Submitted 2024-12-14 03:57
Reported 2024-12-14 04:00
Platform win10v2004-20241007-en
Max time kernel 141s
Max time network 142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar family

quasar

Quasar payload

Description Indicator Process Target Count
N/A N/A N/A N/A 2

Checks computer location settings

Description Indicator Process Target Count
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A 14

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target Count
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d.exe N/A 1
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A 14

Suspicious use of SetWindowsHookEx

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A 2

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 3196 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d.exe C:\Windows\SYSTEM32\schtasks.exe 2
PID 3196 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe 2
PID 4532 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SYSTEM32\schtasks.exe 2
PID 4532 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\system32\cmd.exe 2
PID 2892 wrote to memory of 1476 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com 2
PID 2892 wrote to memory of 4040 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE 2
PID 2892 wrote to memory of 4392 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe 2
PID 4392 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SYSTEM32\schtasks.exe 2
PID 4392 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\system32\cmd.exe 2
PID 3144 wrote to memory of 2416 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com 2
PID 3144 wrote to memory of 2904 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE 2
PID 3144 wrote to memory of 1516 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe 2
PID 1516 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SYSTEM32\schtasks.exe 2
PID 1516 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\system32\cmd.exe 2
PID 4784 wrote to memory of 3164 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com 2
PID 4784 wrote to memory of 4896 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE 2
PID 4784 wrote to memory of 100 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe 2
PID 100 wrote to memory of 3196 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SYSTEM32\schtasks.exe 2
PID 100 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\system32\cmd.exe 2
PID 2076 wrote to memory of 4828 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com 2
PID 2076 wrote to memory of 4972 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE 2
PID 2076 wrote to memory of 2156 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe 2
PID 2156 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SYSTEM32\schtasks.exe 2
PID 2156 wrote to memory of 4272 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\system32\cmd.exe 2
PID 4272 wrote to memory of 3968 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com 2
PID 4272 wrote to memory of 4392 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE 2
PID 4272 wrote to memory of 1732 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe 2
PID 1732 wrote to memory of 224 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SYSTEM32\schtasks.exe 2
PID 1732 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\system32\cmd.exe 1
PID 1732 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\system32\cmd.exe
PID 2904 wrote to memory of 1928 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2904 wrote to memory of 1928 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2904 wrote to memory of 516 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2904 wrote to memory of 516 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2904 wrote to memory of 4016 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2904 wrote to memory of 4016 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d.exe

"C:\Users\Admin\AppData\Local\Temp\5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FvDUpwVFBb3a.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aSFz0Ffm8PGn.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7G7plnZIsHkC.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fBhbkTo92kz5.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\robz33hTKw8V.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FcTQS7K3g8ZX.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ny6Fx6Z6EXIA.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RYlKbv9laYl7.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ucgs6qO25FaU.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pyag6MPSb6RE.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JVkhqUCYv2T5.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2F9tE2C143ZX.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Va136ZCIJrkC.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\njbtU04eM45g.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 havocc.ddns.net udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 havocc.ddns.net udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 havocc.ddns.net udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 havocc.ddns.net udp
US 8.8.8.8:53 havocc.ddns.net udp
US 8.8.8.8:53 havocc.ddns.net udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 havocc.ddns.net udp
US 8.8.8.8:53 havocc.ddns.net udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 havocc.ddns.net udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 havocc.ddns.net udp
US 8.8.8.8:53 havocc.ddns.net udp
US 8.8.8.8:53 havocc.ddns.net udp
US 8.8.8.8:53 havocc.ddns.net udp
US 8.8.8.8:53 havocc.ddns.net udp

Files

memory/3196-0-0x00007FFC5D9F3000-0x00007FFC5D9F5000-memory.dmp

memory/3196-1-0x00000000003C0000-0x00000000006E4000-memory.dmp

memory/3196-2-0x00007FFC5D9F0000-0x00007FFC5E4B1000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5 fa5f99ff110280efe85f4663cfb3d6b8
SHA1 ad2d6d8006aee090a4ad5f08ec3425c6353c07d1
SHA256 5b41a8ac5a68ab33e4891ea03533e8ea650c16dd669d277decae2f00217a1e4d
SHA512 a3b898f758060f124c443422c6dc88ba80d9892890b25d21e37a1d3947cd4b9dbef403382ee6e28c1007785a63c5fa387f7d00403db433eb59c03d0b2a88b50e

memory/3196-9-0x00007FFC5D9F0000-0x00007FFC5E4B1000-memory.dmp

memory/4532-10-0x00007FFC5D9F0000-0x00007FFC5E4B1000-memory.dmp

memory/4532-11-0x00007FFC5D9F0000-0x00007FFC5E4B1000-memory.dmp

memory/4532-12-0x000000001D5A0000-0x000000001D5F0000-memory.dmp

memory/4532-13-0x000000001D6B0000-0x000000001D762000-memory.dmp

memory/4532-18-0x00007FFC5D9F0000-0x00007FFC5E4B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FvDUpwVFBb3a.bat

MD5 b906dbc84570e73337746ac8f7bcaee3
SHA1 f900509d11115b340a6d787371982808d1ce641f
SHA256 97b2b2618da0d3f265a66621ff18e1950a020e890d29044d0779bd56a1b87155
SHA512 caf995d8de81d49a09eaf2d35a049400c9bb42e9ef19dcf929c2eb0d538f4e1404bf331e7f6ed09ff2f799ed486c409d1fea9293e9fac765ba7d2c816af76242

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

MD5 8f0271a63446aef01cf2bfc7b7c7976b
SHA1 b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7
SHA256 da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c
SHA512 78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

C:\Users\Admin\AppData\Local\Temp\aSFz0Ffm8PGn.bat

MD5 c6c1a39b692edbd324fccd5a9e9c43c5
SHA1 7ce04961bcc6f194616ca8e64b455b0567f86925
SHA256 f0975fe3aad93e571390c09b713f9d46f633b325537289542b846ceb79dec6f5
SHA512 2656f7eab7b9845f06f6e5e92d4bc2a5a10241951101501fd447cf53fadca89153af36b8d348704c759fd0b4731f372c840cb7ef642ccdbc71803728f4cac04a

C:\Users\Admin\AppData\Local\Temp\7G7plnZIsHkC.bat

MD5 9cc0d941b596afed1f5c6b7e739ce3ee
SHA1 33d6f783866b9783bdd551b77ddc3c7a3329c0dd
SHA256 7721b13e47de0fb9548f55e3551dfe500f473bd7a8a32bc0baa3dd398a60bea1
SHA512 b389460556aac3b70a28216d7b0379b0ed898de9cb1f4bb6fd797452bea38402d1429aa68c0d1dde23a7d2604e30be02c5a2c22f866f84e2abef2a152605ef18

C:\Users\Admin\AppData\Local\Temp\fBhbkTo92kz5.bat

MD5 944e3f55b77218ab1cc5baa3dfdae67e
SHA1 758e1e95636cffe6423fc7193ed865ffc5661609
SHA256 7a7491a4b934a8fdcda295a301b4140df1ee2efbae7aae5ced6b55a869cb712b
SHA512 51221a7b48169ca63cbaac774e72952b0fdc53ac3e3aec659e3764195ce524107bd71fd04244ce2fc90eddba36659f9f91bfa562547c63df3a254a8fe9d10ef1

C:\Users\Admin\AppData\Local\Temp\robz33hTKw8V.bat

MD5 370874cdd7450758e2c85e49bd42298d
SHA1 e2659476c72c2595eb8b13ef8d9ed19204414a45
SHA256 f2a098f1a169527798e4cfc463f359bf7704f138467929e0dc4566626b26e3ea
SHA512 3bce54b15c9523b7ea2f82e413503b3cf0deb0c6c55187f557b713e0fc373f3c43d2c617ae928a0dab85d4bdd48cc6cbb883695038e27accb23387805446b730

C:\Users\Admin\AppData\Local\Temp\FcTQS7K3g8ZX.bat

MD5 3805cca89884987ee135d533fc2f97aa
SHA1 8bf5b5ae7935bd0b97b708f04afb2544c9427f45
SHA256 194a6749e4b9ba8bfb57db695cb5709e85e24d1fa7a6ab01e4485083fbf21f3a
SHA512 355487dae6ae70c34ea92b3a65175839f8c81927d22f2fa5bc882548f56294b22be81b6655c767ddcc06d4f03e11c166283998003195eaf0021588f13c4237cb

C:\Users\Admin\AppData\Local\Temp\Ny6Fx6Z6EXIA.bat

MD5 a5f807224d4a9f5c12281818d0772a04
SHA1 62e9be343e7c434efa71c1d2f159f68acdb06401
SHA256 98860e1179cd581e4499df1b4434b578bb6661e0da1bea01867723af649bb60c
SHA512 219ce28c188052c3234b4c97f266826882f6c020b1db76c28621993e5b1b36400994e2eecbf06d1dd8e125f2dbf75bbe9d62302dbf5d884db4322869d0e8f809

C:\Users\Admin\AppData\Local\Temp\RYlKbv9laYl7.bat

MD5 8b4fa3ed132dc225b1b2ccf2e63f5ef1
SHA1 1262fcb41b1dc124ae5e22b5d87464dc5a720d79
SHA256 84b5d44e7b29805c74b8f582607c72b5af953612986fe69c0af283cb7281fb90
SHA512 4a0797862ee464b2f028736666091ffbd126ce80572e894d4f3bc21bdfd91f235681090028a26885df43e25d40cd594b1b652c915d5c5d5575a608b4ab2d252d

C:\Users\Admin\AppData\Local\Temp\Ucgs6qO25FaU.bat

MD5 1427dbe19f9dcd5eae60cc7b3c4a2ff3
SHA1 5dea284ad210f33993c50ab2ef30dedf3bba7359
SHA256 17646bfbaaeee7e7a836cd21804488f86270d4f9686cd69ce7a6bcd96d766681
SHA512 dfda3bf3d72ff32c142da73ec3f61ed51b5c4067e93826390ae25f236d03d7058e0c01c17eb818f34229fffecf1115448b24717dc1420c67a498b3ac17a17c19

C:\Users\Admin\AppData\Local\Temp\pyag6MPSb6RE.bat

MD5 f26b96353835b800992581edb6a6711d
SHA1 9f72544006041150307c8bd7ad2e0793efafce1b
SHA256 34c549bffb9facbdb2fb97cb62dde39f43acd04edfdf1f595f432853dfbdddef
SHA512 a44ee7a1a88f0a22ea6a1af7e7ca4e3f25c37d4932205b3cccf355a2de96cbddfdfe6557958ddb7c1b6e2b054042e11cbc3fdfd5571f250cc7eafda5de90e1db

C:\Users\Admin\AppData\Local\Temp\JVkhqUCYv2T5.bat

MD5 2fe18d90b07816ace656f79cdf20394b
SHA1 d8d55fc84c8b26efeab20cd872e1595366a90231
SHA256 cd5820ce7dc6a5341cab1b4581f32e61fe93ebe6e37b86a94c4e8eb4899237d0
SHA512 34c41f7c1c624497cd36c0955f382943b2bd1331a18589e765cbf750fb83cca874351c8ea73ff6d5788f33d7a60cc40d49ccd64ff8b7833268b4568a1a83099b

C:\Users\Admin\AppData\Local\Temp\2F9tE2C143ZX.bat

MD5 8a193172c5c0b9969b7af8989b6118a8
SHA1 0490846b8d5b58a2fa393de9985df4a87dd57d7b
SHA256 9fb4a03acdad4fc249aa6bf90f03bd99446fc1011c5858792f9618f2a07253a6
SHA512 f709096ac9ceaa6f11d7c278f323b02d085578d2fa4befdaa183f2f95c6dcd046a3fab267c97f71c549625dc903c6076d2136ee57ea7a5a40df20cf1cdc86832

C:\Users\Admin\AppData\Local\Temp\Va136ZCIJrkC.bat

MD5 7728461a7542e5b4f3a4d145bbba7c13
SHA1 1e6d592f841cff0a1c05c8d35a5b454a3adc1c3c
SHA256 b2709b9d89de932ba836de6be0913d71798afbbdda328f1b2726a097c477b7e7
SHA512 ed722e0b038aeacc17dbd9e364d23075a9415fb2a5ac5041b9612b7a4dcd2b132425d24d459b1942dd2763f65176b01c14356189feaaf039788a5ee2c794ee69

C:\Users\Admin\AppData\Local\Temp\njbtU04eM45g.bat

MD5 be6c7da4c90a5ef0c7480a8a9fbbc1b6
SHA1 dc57c041aa0d061a894cfd792a46423cea92877e
SHA256 915867a60e7d1f81f5dd828fbb1aee8ad96ae7a32151f173f2819999b3683de5
SHA512 93eb3fe66306471a0c12c2e2ad168a0278603fd832d9f17b48816e37127ea0b0878ba5c23a0f79d395afb271f3da71cb5f1439a81d9b11be266f1935c02d64fd