Malware Analysis Report

2025-01-18 04:17

Sample ID 231231-eqqpesacg3
Target 278d30b853f49e6a13cbe9f34f1d41ca
SHA256 42f38e100ef58aface240a755a20d02d55a574e7c8c78724ec5e062948d07a54
Tags
evasion themida trojan quasar office04 spyware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

42f38e100ef58aface240a755a20d02d55a574e7c8c78724ec5e062948d07a54

Threat Level: Known bad

The file 278d30b853f49e6a13cbe9f34f1d41ca was found to be: Known bad.

Malicious Activity Summary

evasion themida trojan quasar office04 spyware

Quasar RAT

Quasar payload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Executes dropped EXE

Themida packer

Loads dropped DLL

Checks BIOS information in registry

Checks whether UAC is enabled

Looks up external IP address via web service

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Enumerates physical storage devices

Creates scheduled task(s)

Runs ping.exe

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-31 04:09

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-31 04:08

Reported

2024-01-05 11:40

Platform

win7-20231129-en

Max time kernel

0s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\278d30b853f49e6a13cbe9f34f1d41ca.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Windows\Temp\Client-built_protected.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Windows\Temp\Client-built_protected.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\Temp\Client-built_protected.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Temp\Client-built_protected.exe N/A
N/A N/A C:\Windows\Temp\flash_install.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\Temp\Client-built_protected.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A
N/A api.ipify.org N/A N/A
N/A ip-api.com N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\Temp\Client-built_protected.exe N/A

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Temp\flash_install.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3040 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\278d30b853f49e6a13cbe9f34f1d41ca.exe C:\Windows\Temp\Client-built_protected.exe
PID 3040 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\278d30b853f49e6a13cbe9f34f1d41ca.exe C:\Windows\Temp\Client-built_protected.exe
PID 3040 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\278d30b853f49e6a13cbe9f34f1d41ca.exe C:\Windows\Temp\Client-built_protected.exe
PID 3040 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\278d30b853f49e6a13cbe9f34f1d41ca.exe C:\Windows\Temp\Client-built_protected.exe
PID 3040 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\278d30b853f49e6a13cbe9f34f1d41ca.exe C:\Windows\Temp\flash_install.exe
PID 3040 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\278d30b853f49e6a13cbe9f34f1d41ca.exe C:\Windows\Temp\flash_install.exe
PID 3040 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\278d30b853f49e6a13cbe9f34f1d41ca.exe C:\Windows\Temp\flash_install.exe
PID 3040 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\278d30b853f49e6a13cbe9f34f1d41ca.exe C:\Windows\Temp\flash_install.exe
PID 3040 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\278d30b853f49e6a13cbe9f34f1d41ca.exe C:\Windows\Temp\flash_install.exe
PID 3040 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\278d30b853f49e6a13cbe9f34f1d41ca.exe C:\Windows\Temp\flash_install.exe
PID 3040 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\278d30b853f49e6a13cbe9f34f1d41ca.exe C:\Windows\Temp\flash_install.exe

Processes

C:\Users\Admin\AppData\Local\Temp\278d30b853f49e6a13cbe9f34f1d41ca.exe

"C:\Users\Admin\AppData\Local\Temp\278d30b853f49e6a13cbe9f34f1d41ca.exe"

C:\Windows\Temp\flash_install.exe

"C:\Windows\Temp\flash_install.exe"

C:\Windows\Temp\Client-built_protected.exe

"C:\Windows\Temp\Client-built_protected.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "c3pool" /sc ONLOGON /tr "C:\Windows\Temp\Client-built_protected.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "c3pool" /sc ONLOGON /tr "C:\Program Files (x86)\c3pool\smss.exe" /rl HIGHEST /f

C:\Program Files (x86)\c3pool\smss.exe

"C:\Program Files (x86)\c3pool\smss.exe"

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\8k423yFdurrz.bat" "

C:\Program Files (x86)\c3pool\smss.exe

"C:\Program Files (x86)\c3pool\smss.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "c3pool" /sc ONLOGON /tr "C:\Program Files (x86)\c3pool\smss.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vlSJvDVvbcPY.bat" "

C:\Program Files (x86)\c3pool\smss.exe

"C:\Program Files (x86)\c3pool\smss.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "c3pool" /sc ONLOGON /tr "C:\Program Files (x86)\c3pool\smss.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\n5kTbnSQyawI.bat" "

C:\Program Files (x86)\c3pool\smss.exe

"C:\Program Files (x86)\c3pool\smss.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "c3pool" /sc ONLOGON /tr "C:\Program Files (x86)\c3pool\smss.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\deowAMHyrUTD.bat" "

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Program Files (x86)\c3pool\smss.exe

"C:\Program Files (x86)\c3pool\smss.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "c3pool" /sc ONLOGON /tr "C:\Program Files (x86)\c3pool\smss.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZFTtKPQAk0Pv.bat" "

C:\Program Files (x86)\c3pool\smss.exe

"C:\Program Files (x86)\c3pool\smss.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "c3pool" /sc ONLOGON /tr "C:\Program Files (x86)\c3pool\smss.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ImusJUv5bIZ2.bat" "

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Program Files (x86)\c3pool\smss.exe

"C:\Program Files (x86)\c3pool\smss.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "c3pool" /sc ONLOGON /tr "C:\Program Files (x86)\c3pool\smss.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\instUpL6bU0J.bat" "

C:\Program Files (x86)\c3pool\smss.exe

"C:\Program Files (x86)\c3pool\smss.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "c3pool" /sc ONLOGON /tr "C:\Program Files (x86)\c3pool\smss.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vxBUutgYrNfQ.bat" "

C:\Program Files (x86)\c3pool\smss.exe

"C:\Program Files (x86)\c3pool\smss.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "c3pool" /sc ONLOGON /tr "C:\Program Files (x86)\c3pool\smss.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DqINHfvgEPS7.bat" "

C:\Program Files (x86)\c3pool\smss.exe

"C:\Program Files (x86)\c3pool\smss.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "c3pool" /sc ONLOGON /tr "C:\Program Files (x86)\c3pool\smss.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PZRfCY8jUAvx.bat" "

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 www.flash.cn udp
DE 43.152.26.58:443 www.flash.cn tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 api.flash.cn udp
DE 43.152.44.160:443 api.flash.cn tcp
US 8.8.8.8:53 freegeoip.net udp
US 172.67.75.176:80 freegeoip.net tcp
US 8.8.8.8:53 api.ipify.org udp
US 173.231.16.77:80 api.ipify.org tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 ip-api.com udp
GB 23.213.16.160:443 tcp
US 208.95.112.1:80 ip-api.com tcp
US 208.95.112.1:80 ip-api.com tcp

Files

memory/3040-18-0x0000000006CF0000-0x0000000007564000-memory.dmp

memory/3040-19-0x0000000006CF0000-0x0000000007564000-memory.dmp

memory/3040-20-0x0000000006CF0000-0x0000000007564000-memory.dmp

memory/2576-39-0x0000000076F00000-0x0000000077010000-memory.dmp

memory/2576-41-0x0000000076F00000-0x0000000077010000-memory.dmp

memory/2676-46-0x0000000000090000-0x0000000000093000-memory.dmp

memory/2576-45-0x0000000077E00000-0x0000000077E02000-memory.dmp

memory/2576-54-0x0000000000080000-0x00000000008F4000-memory.dmp

memory/2576-52-0x0000000000080000-0x00000000008F4000-memory.dmp

memory/2576-51-0x00000000746E0000-0x0000000074DCE000-memory.dmp

memory/2576-56-0x0000000005570000-0x00000000055B0000-memory.dmp

memory/2576-44-0x0000000076F00000-0x0000000077010000-memory.dmp

memory/2676-43-0x00000000001B0000-0x00000000007E3000-memory.dmp

memory/2576-42-0x0000000076F00000-0x0000000077010000-memory.dmp

memory/2576-40-0x0000000076F00000-0x0000000077010000-memory.dmp

memory/2576-38-0x0000000077040000-0x0000000077087000-memory.dmp

memory/2576-37-0x0000000076F00000-0x0000000077010000-memory.dmp

memory/2576-21-0x0000000000080000-0x00000000008F4000-memory.dmp

memory/2676-305-0x00000000001B0000-0x00000000007E3000-memory.dmp

memory/2576-313-0x0000000006BE0000-0x0000000007454000-memory.dmp

memory/2128-315-0x0000000000DD0000-0x0000000001644000-memory.dmp

memory/2128-316-0x0000000077040000-0x0000000077087000-memory.dmp

memory/2576-317-0x0000000076F00000-0x0000000077010000-memory.dmp

memory/2128-318-0x0000000076F00000-0x0000000077010000-memory.dmp

memory/2576-320-0x0000000000080000-0x00000000008F4000-memory.dmp

memory/2128-321-0x0000000077040000-0x0000000077087000-memory.dmp

memory/2128-325-0x0000000076F00000-0x0000000077010000-memory.dmp

memory/2128-326-0x0000000076F00000-0x0000000077010000-memory.dmp

memory/2576-328-0x00000000746E0000-0x0000000074DCE000-memory.dmp

memory/2128-330-0x0000000000DD0000-0x0000000001644000-memory.dmp

memory/2128-333-0x0000000076F00000-0x0000000077010000-memory.dmp

memory/2128-334-0x0000000076F00000-0x0000000077010000-memory.dmp

memory/2128-335-0x0000000076F00000-0x0000000077010000-memory.dmp

memory/2128-336-0x0000000076F00000-0x0000000077010000-memory.dmp

memory/2128-337-0x0000000076F00000-0x0000000077010000-memory.dmp

memory/2128-339-0x0000000076F00000-0x0000000077010000-memory.dmp

memory/2128-341-0x0000000076F00000-0x0000000077010000-memory.dmp

memory/2128-342-0x0000000076F00000-0x0000000077010000-memory.dmp

memory/2128-344-0x0000000002DE0000-0x0000000002E20000-memory.dmp

memory/2128-345-0x0000000076F00000-0x0000000077010000-memory.dmp

memory/2128-343-0x00000000746E0000-0x0000000074DCE000-memory.dmp

memory/2128-340-0x0000000076F00000-0x0000000077010000-memory.dmp

memory/2128-338-0x0000000077040000-0x0000000077087000-memory.dmp

memory/2128-332-0x0000000000DD0000-0x0000000001644000-memory.dmp

memory/2128-331-0x0000000076F00000-0x0000000077010000-memory.dmp

memory/2128-329-0x0000000077040000-0x0000000077087000-memory.dmp

memory/2128-327-0x0000000076F00000-0x0000000077010000-memory.dmp

memory/2576-323-0x0000000077040000-0x0000000077087000-memory.dmp

memory/2128-359-0x0000000077040000-0x0000000077087000-memory.dmp

memory/2128-361-0x00000000746E0000-0x0000000074DCE000-memory.dmp

memory/2128-358-0x0000000076F00000-0x0000000077010000-memory.dmp

memory/2128-357-0x0000000000DD0000-0x0000000001644000-memory.dmp

memory/1520-366-0x0000000000F10000-0x0000000001784000-memory.dmp

memory/1520-367-0x0000000076F00000-0x0000000077010000-memory.dmp

memory/1520-368-0x0000000077040000-0x0000000077087000-memory.dmp

memory/1520-370-0x0000000077040000-0x0000000077087000-memory.dmp

memory/1520-375-0x0000000076F00000-0x0000000077010000-memory.dmp

memory/1520-377-0x0000000076F00000-0x0000000077010000-memory.dmp

memory/1520-379-0x0000000077040000-0x0000000077087000-memory.dmp

memory/1520-381-0x0000000000F10000-0x0000000001784000-memory.dmp

memory/1520-380-0x0000000076F00000-0x0000000077010000-memory.dmp

memory/1520-378-0x0000000000F10000-0x0000000001784000-memory.dmp

memory/1520-376-0x0000000076F00000-0x0000000077010000-memory.dmp

memory/1520-373-0x0000000076F00000-0x0000000077010000-memory.dmp

memory/2676-391-0x00000000001B0000-0x00000000007E3000-memory.dmp

memory/1520-369-0x0000000076F00000-0x0000000077010000-memory.dmp

memory/2676-434-0x00000000001B0000-0x00000000007E3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ZFTtKPQAk0Pv.bat

MD5 4a09554995b68cccc81ce04b4bcc3e34
SHA1 40d8c96ff25fedb7a93cc65ce759a2b79dd973ad
SHA256 15aa74793d53f8092ccc45d8851c72d23791a84bf58a2656adefcc21b16b4865
SHA512 fbd02c82b5ed35940b92e20aa1ec640a6d44e31f092b15ceeb08f8595586d7fbd5574cb054a50194f9712d5d151cdcf99e7299d658a31e7f4193aa66a9ba01fa

C:\Program Files (x86)\c3pool\smss.exe

MD5 19ccc3f9dfcbd17e0d972fc069860e09
SHA1 0f6d2e5e46bc97d18ed49647aea6be4c5b83e734
SHA256 dd7c7a94f8b75cfce3b1905274d7dfa7e02bca3875f2d28b7b434e4a35e5e3cf
SHA512 b9dc12d54b27bbad6ff078dd2703603185e5e3dca167a916d91c21ef77c787c5cc3e254b2596db63eda34ac923c98fd2a3bd12e0998660d046cd2ae604468a7a

C:\Users\Admin\AppData\Local\Temp\ImusJUv5bIZ2.bat

MD5 87ad6c0a8f8b2a9ca892a79b955f1d4d
SHA1 0de814f075528f338fa0ab9e7ac724998aeb8695
SHA256 40879fc957f91bcc6f0052347cfa2e6a3681c8b018ede071df0b4e153300de38
SHA512 ae08caccb65f14cb314dd6de6b2c2a1ca973b51f995199177290fc79289b1ed1418fdef53f2a4538d3431f597369b0935f3954697a5aa4dceb64eefc715be42a

memory/2676-706-0x00000000001B0000-0x00000000007E3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vxBUutgYrNfQ.bat

MD5 701d401f453f3ea2dea42ff31d573d4e
SHA1 b64aa00948252f0a977f31e690edcff4ac0a289f
SHA256 d31cb2dc997f99b37d4054795f204775735f910d57bffb530d7a4dc4788b902e
SHA512 4cf19c09332092a8e7328029e424934b52bc485289efc98b5b1457b679fc7f05f2d37f6d8d46577a6c9d963af51dcecb6f6d601bec514dfd10cb3c5907e306d2

C:\Program Files (x86)\c3pool\smss.exe

MD5 eb9e613834b4563d2b75ea24d8449630
SHA1 202503c7a5fbb63dbde419081336e5ee3e45c69a
SHA256 200dd1b7ddb4ec9adf979f931c103487936a41cbee03727f51060ff5f6ab9635
SHA512 42ecfd14e8adec222e36b4c0af77a3b9f62ce629f2d64526743b6dc82e2ae42e5386941a8e6d192a717d62eada791a5681c0e495cee14db68a6c746e2255dcb0

C:\Users\Admin\AppData\Local\Temp\DqINHfvgEPS7.bat

MD5 6814bffb486d20928e1b8c94e0e3d8e5
SHA1 447c453c4a58de614e8a1584eb8b5b7f82111b7f
SHA256 043ea77c0da5ba6ee12ddc45ff7c389d2da83111901c5bf1e305c09ac060e01d
SHA512 7ee4fa733d08d1287e7233ed4fae3e217c5180feb7796e80fc06566200ce658b9e98aac7c4ac54e1615b602dc47c0f04d6ee8b9a223cf691092040e7cf108568

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-31 04:08

Reported

2024-01-05 11:40

Platform

win10v2004-20231222-en

Max time kernel

0s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\278d30b853f49e6a13cbe9f34f1d41ca.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\278d30b853f49e6a13cbe9f34f1d41ca.exe

"C:\Users\Admin\AppData\Local\Temp\278d30b853f49e6a13cbe9f34f1d41ca.exe"

C:\Windows\Temp\flash_install.exe

"C:\Windows\Temp\flash_install.exe"

C:\Windows\Temp\Client-built_protected.exe

"C:\Windows\Temp\Client-built_protected.exe"

C:\Program Files (x86)\c3pool\smss.exe

"C:\Program Files (x86)\c3pool\smss.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "c3pool" /sc ONLOGON /tr "C:\Windows\Temp\Client-built_protected.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "c3pool" /sc ONLOGON /tr "C:\Program Files (x86)\c3pool\smss.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dKwd9fB37TXL.bat" "

C:\Program Files (x86)\c3pool\smss.exe

"C:\Program Files (x86)\c3pool\smss.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "c3pool" /sc ONLOGON /tr "C:\Program Files (x86)\c3pool\smss.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fA4WaBm8agDH.bat" "

C:\Program Files (x86)\c3pool\smss.exe

"C:\Program Files (x86)\c3pool\smss.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "c3pool" /sc ONLOGON /tr "C:\Program Files (x86)\c3pool\smss.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QZUv4Ad5dhrv.bat" "

C:\Program Files (x86)\c3pool\smss.exe

"C:\Program Files (x86)\c3pool\smss.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "c3pool" /sc ONLOGON /tr "C:\Program Files (x86)\c3pool\smss.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WVB0459uzpEE.bat" "

C:\Program Files (x86)\c3pool\smss.exe

"C:\Program Files (x86)\c3pool\smss.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "c3pool" /sc ONLOGON /tr "C:\Program Files (x86)\c3pool\smss.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LdoAlei8afYo.bat" "

C:\Program Files (x86)\c3pool\smss.exe

"C:\Program Files (x86)\c3pool\smss.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "c3pool" /sc ONLOGON /tr "C:\Program Files (x86)\c3pool\smss.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EP6AzpZzjG6R.bat" "

C:\Program Files (x86)\c3pool\smss.exe

"C:\Program Files (x86)\c3pool\smss.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "c3pool" /sc ONLOGON /tr "C:\Program Files (x86)\c3pool\smss.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\l1HLqf3KUziA.bat" "

C:\Program Files (x86)\c3pool\smss.exe

"C:\Program Files (x86)\c3pool\smss.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "c3pool" /sc ONLOGON /tr "C:\Program Files (x86)\c3pool\smss.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WGm3j9ySv0y5.bat" "

C:\Program Files (x86)\c3pool\smss.exe

"C:\Program Files (x86)\c3pool\smss.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "c3pool" /sc ONLOGON /tr "C:\Program Files (x86)\c3pool\smss.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\m9em3IGeJZWX.bat" "

C:\Program Files (x86)\c3pool\smss.exe

"C:\Program Files (x86)\c3pool\smss.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "c3pool" /sc ONLOGON /tr "C:\Program Files (x86)\c3pool\smss.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4wvajTA9f2c9.bat" "

C:\Program Files (x86)\c3pool\smss.exe

"C:\Program Files (x86)\c3pool\smss.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "c3pool" /sc ONLOGON /tr "C:\Program Files (x86)\c3pool\smss.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bY6maJeURmEs.bat" "

C:\Program Files (x86)\c3pool\smss.exe

"C:\Program Files (x86)\c3pool\smss.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "c3pool" /sc ONLOGON /tr "C:\Program Files (x86)\c3pool\smss.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dPFe1pEZtzvo.bat" "

Network

Country Destination Domain Proto
US 8.8.8.8:53 21.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 177.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 mushiyu123123.f3322.org udp
GB 96.17.178.176:80 tcp
GB 96.17.178.176:80 tcp
US 204.79.197.200:443 tcp
US 204.79.197.200:443 tcp
US 204.79.197.200:443 tcp
US 204.79.197.200:443 tcp
GB 96.17.178.176:80 tcp

Files

C:\Windows\Temp\Client-built_protected.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1372-21-0x00000000006E0000-0x0000000000F54000-memory.dmp

memory/4064-23-0x0000000000D70000-0x00000000013A3000-memory.dmp

memory/1372-25-0x00000000756E0000-0x00000000757D0000-memory.dmp

memory/1372-28-0x00000000756E0000-0x00000000757D0000-memory.dmp

memory/1372-30-0x00000000756E0000-0x00000000757D0000-memory.dmp

memory/1372-38-0x0000000077694000-0x0000000077696000-memory.dmp

memory/1372-37-0x00000000756E0000-0x00000000757D0000-memory.dmp

memory/1372-36-0x00000000756E0000-0x00000000757D0000-memory.dmp

memory/1372-40-0x00000000006E0000-0x0000000000F54000-memory.dmp

memory/1372-41-0x00000000006E0000-0x0000000000F54000-memory.dmp

C:\Windows\Temp\flash_install.exe

MD5 8ee26f388e7bf7c615f102473988c186
SHA1 58651f13e6b5036619e98e9f48581a5ec9579e4c
SHA256 2e8bc883def55f202a81c0201d0f20d664dfd522d98645d6c9eb38e955cdf2c5
SHA512 6e1b799ae918786df35d265459ec6385f783bdc86bbea8ee6fd6e58d019e692243fd90fbdf602136cd3771762197364b196400b5f040e66dca1babc6b4cf1c23

memory/1372-43-0x0000000006260000-0x0000000006804000-memory.dmp

memory/1372-35-0x00000000756E0000-0x00000000757D0000-memory.dmp

memory/1372-27-0x00000000756E0000-0x00000000757D0000-memory.dmp

memory/1372-56-0x0000000005CB0000-0x0000000005D42000-memory.dmp

memory/1372-26-0x00000000756E0000-0x00000000757D0000-memory.dmp

memory/4064-24-0x0000000000D40000-0x0000000000D43000-memory.dmp

memory/1372-265-0x0000000005BA0000-0x0000000005C06000-memory.dmp

memory/1372-266-0x0000000006910000-0x0000000006922000-memory.dmp

memory/1372-267-0x0000000006E50000-0x0000000006E8C000-memory.dmp

C:\Windows\Temp\Client-built_protected.exe

MD5 7e77cd09e566130204598b3ef7e42017
SHA1 3a7eebd9d55b5bac5ff667a666b49c7390d076d8
SHA256 47dd00fe872c569d2c9f40c3d24dee0d0655ef543ab8a0e444a6d8cddc4850ea
SHA512 dfb9485acadff7803e93b967dac603fef35d3c800ff33b7e213831d6d27c12d7205ec7cb92f36aedf35888d5640e4c2318707dbc3977b20892086dedde9ff52c

memory/920-275-0x0000000000CF0000-0x0000000001564000-memory.dmp

memory/920-276-0x00000000756E0000-0x00000000757D0000-memory.dmp

memory/1372-279-0x00000000756E0000-0x00000000757D0000-memory.dmp

memory/920-280-0x00000000756E0000-0x00000000757D0000-memory.dmp

memory/920-282-0x00000000756E0000-0x00000000757D0000-memory.dmp

memory/920-284-0x00000000756E0000-0x00000000757D0000-memory.dmp

memory/920-287-0x0000000000CF0000-0x0000000001564000-memory.dmp

memory/920-288-0x0000000000CF0000-0x0000000001564000-memory.dmp

memory/920-283-0x00000000756E0000-0x00000000757D0000-memory.dmp

memory/920-281-0x00000000756E0000-0x00000000757D0000-memory.dmp

memory/920-278-0x00000000756E0000-0x00000000757D0000-memory.dmp

memory/1372-277-0x00000000006E0000-0x0000000000F54000-memory.dmp

memory/920-297-0x0000000000CF0000-0x0000000001564000-memory.dmp

memory/920-295-0x00000000756E0000-0x00000000757D0000-memory.dmp

memory/4064-298-0x0000000000D70000-0x00000000013A3000-memory.dmp

memory/4064-299-0x0000000000D40000-0x0000000000D43000-memory.dmp

memory/5056-301-0x0000000000CF0000-0x0000000001564000-memory.dmp

memory/5056-303-0x00000000756E0000-0x00000000757D0000-memory.dmp

memory/5056-305-0x00000000756E0000-0x00000000757D0000-memory.dmp

memory/5056-309-0x00000000756E0000-0x00000000757D0000-memory.dmp

memory/5056-312-0x00000000756E0000-0x00000000757D0000-memory.dmp

memory/5056-313-0x0000000000CF0000-0x0000000001564000-memory.dmp

memory/5056-314-0x0000000000CF0000-0x0000000001564000-memory.dmp

memory/5056-310-0x00000000756E0000-0x00000000757D0000-memory.dmp

memory/5056-306-0x00000000756E0000-0x00000000757D0000-memory.dmp

memory/5056-304-0x00000000756E0000-0x00000000757D0000-memory.dmp

memory/5056-302-0x00000000756E0000-0x00000000757D0000-memory.dmp

memory/5056-321-0x00000000756E0000-0x00000000757D0000-memory.dmp

memory/5056-320-0x0000000000CF0000-0x0000000001564000-memory.dmp

memory/548-325-0x00000000756E0000-0x00000000757D0000-memory.dmp

memory/548-326-0x00000000756E0000-0x00000000757D0000-memory.dmp

memory/548-328-0x00000000756E0000-0x00000000757D0000-memory.dmp

memory/548-330-0x00000000756E0000-0x00000000757D0000-memory.dmp

memory/548-334-0x00000000756E0000-0x00000000757D0000-memory.dmp

memory/548-335-0x0000000000CF0000-0x0000000001564000-memory.dmp

memory/548-336-0x0000000000CF0000-0x0000000001564000-memory.dmp

memory/548-331-0x00000000756E0000-0x00000000757D0000-memory.dmp

memory/548-329-0x00000000756E0000-0x00000000757D0000-memory.dmp

memory/548-327-0x00000000756E0000-0x00000000757D0000-memory.dmp

memory/548-324-0x0000000000CF0000-0x0000000001564000-memory.dmp

memory/548-343-0x0000000000CF0000-0x0000000001564000-memory.dmp

memory/548-344-0x00000000756E0000-0x00000000757D0000-memory.dmp

memory/4668-347-0x0000000000CF0000-0x0000000001564000-memory.dmp

memory/4668-349-0x00000000756E0000-0x00000000757D0000-memory.dmp

memory/4668-350-0x00000000756E0000-0x00000000757D0000-memory.dmp

memory/4668-348-0x00000000756E0000-0x00000000757D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WGm3j9ySv0y5.bat

MD5 49916f6026782c3e20442b401595dc1a
SHA1 90efdc10ebede841d63fea7d9670e6ae9af3af42
SHA256 d430e47288b43d5c81ff2b3239a843ffff149fb00dad887128831d78f60cce3d
SHA512 a65d85a452f860faaa4656d550b2858f3d9998bff48baa6273901aed389131dcdd598f4aec483d3594ade8ee66a2a1765b7c85debae9824ad0d0df4feb9c6600

C:\Users\Admin\AppData\Local\Temp\4wvajTA9f2c9.bat

MD5 1a8b91ceb6656c2b7be94457a1be90e5
SHA1 0de6608d5ba5839c871e8d12365fadf40a65db21
SHA256 0854e54c3d78c6f82e9b616a70e1b88b64b45e1e6adaabb947503838e192b3a7
SHA512 c0b947d77225b39b430eb83563d3b2265d4ecda348da8a464926bcfdce8dce42ab4a57d685388b7d95c38ff23264fc69177d4e16395569eacdbe0d8423e17293

C:\Users\Admin\AppData\Local\Temp\bY6maJeURmEs.bat

MD5 284f67429cdad61ab5079d1fb9f5de88
SHA1 688fee366cb309500c8cb7198f25d9fa16344432
SHA256 1837ee21deec1df5beb72822ac1645f6a6f5df4654b9f722f2b5299ad5ac6c63
SHA512 eb7c2d73ea224522791f4cd98d0db63ce98b67cd25d6e214c072123aeb3e0fcffd08e1530b81106a2bded978f009263190abf8999b64289b24f13bd16fdec978

C:\Users\Admin\AppData\Local\Temp\dPFe1pEZtzvo.bat

MD5 feb1a30628bc2cdb7dc21b33f3371f52
SHA1 7ca5f1cad31e58101e34e3a251dd757e5529ad56
SHA256 264b346c371fcc406f574ac3501eb61c98ca5c5b48c3d8f3ed430ca316fcd6ad
SHA512 ec28ed3d3d1496687a1ebb59300c5c63222e186f1d7bb98e9f1ef771c89b37b262c29d738880fc277be17c7108837ceb5540247a23f778102341368e7bcde177