Malware Analysis Report

2025-01-18 04:29

Sample ID 240101-m8jmtsheal
Target 5815ea9a332e6998a7a360564c44e812229bcff03b1ce3249238579eb84ac071
SHA256 5815ea9a332e6998a7a360564c44e812229bcff03b1ce3249238579eb84ac071
Tags
quasar office04 spyware trojan
score
10/10

Analysis Overview

score
10/10

SHA256

5815ea9a332e6998a7a360564c44e812229bcff03b1ce3249238579eb84ac071

Threat Level: Known bad

The file 5815ea9a332e6998a7a360564c44e812229bcff03b1ce3249238579eb84ac071 was found to be: Known bad.

Malicious Activity Summary

quasar office04 spyware trojan

Quasar family

Quasar payload

Quasar RAT

Drops startup file

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Runs ping.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-01 11:08

Signatures

Quasar family

quasar

Quasar payload

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-01 11:08

Reported

2024-01-01 11:11

Platform

win7-20231215-en

Max time kernel

166s

Max time network

167s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5815ea9a332e6998a7a360564c44e812229bcff03b1ce3249238579eb84ac071.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe C:\Users\Admin\AppData\Local\Temp\5815ea9a332e6998a7a360564c44e812229bcff03b1ce3249238579eb84ac071.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\SubDir C:\Windows\system32\SubDir\Client.exe N/A
File created C:\Windows\system32\SubDir\Client.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe N/A
File opened for modification C:\Windows\system32\SubDir\Client.exe C:\Windows\system32\SubDir\Client.exe N/A
File opened for modification C:\Windows\system32\SubDir\Client.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe N/A
File opened for modification C:\Windows\system32\SubDir C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\Client.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2688 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\5815ea9a332e6998a7a360564c44e812229bcff03b1ce3249238579eb84ac071.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe
PID 2052 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe C:\Windows\system32\SubDir\Client.exe
PID 2604 wrote to memory of 2616 N/A C:\Windows\system32\SubDir\Client.exe C:\Windows\system32\cmd.exe
PID 2616 wrote to memory of 2720 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2616 wrote to memory of 2988 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2616 wrote to memory of 1972 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\SubDir\Client.exe
PID 1972 wrote to memory of 2572 N/A C:\Windows\system32\SubDir\Client.exe C:\Windows\system32\cmd.exe
PID 2572 wrote to memory of 2252 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2572 wrote to memory of 1976 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2572 wrote to memory of 2032 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\SubDir\Client.exe
PID 2032 wrote to memory of 2528 N/A C:\Windows\system32\SubDir\Client.exe C:\Windows\system32\cmd.exe
PID 2528 wrote to memory of 2524 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2528 wrote to memory of 1360 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2528 wrote to memory of 2532 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\SubDir\Client.exe
PID 2532 wrote to memory of 2468 N/A C:\Windows\system32\SubDir\Client.exe C:\Windows\system32\cmd.exe
PID 2468 wrote to memory of 2332 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2468 wrote to memory of 1852 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2468 wrote to memory of 2296 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\SubDir\Client.exe
PID 2296 wrote to memory of 1544 N/A C:\Windows\system32\SubDir\Client.exe C:\Windows\system32\cmd.exe
PID 1544 wrote to memory of 1324 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1544 wrote to memory of 1100 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\5815ea9a332e6998a7a360564c44e812229bcff03b1ce3249238579eb84ac071.exe

"C:\Users\Admin\AppData\Local\Temp\5815ea9a332e6998a7a360564c44e812229bcff03b1ce3249238579eb84ac071.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\/Client_built.exe"

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZmV8t2XmjfMS.bat" "

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\yva3cnk3iy66.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hlaC9jjAlcv6.bat" "

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JVNlR3AG3w1y.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OFef84yoYYVU.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PFOcGHq7klx1.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\5dlvhevgs20U.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\2OKkeIJ0uOph.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hQrLbVYs6q3T.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\32q3Ov8JVsUu.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\bxLdIY244c1N.bat" "

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 frp.deitie.asia udp

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-01 11:08

Reported

2024-01-01 11:10

Platform

win10v2004-20231215-en

Max time kernel

3s

Max time network

93s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5815ea9a332e6998a7a360564c44e812229bcff03b1ce3249238579eb84ac071.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe C:\Users\Admin\AppData\Local\Temp\5815ea9a332e6998a7a360564c44e812229bcff03b1ce3249238579eb84ac071.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\SubDir\Client.exe C:\Windows\system32\SubDir\Client.exe N/A
File opened for modification C:\Windows\system32\SubDir C:\Windows\system32\SubDir\Client.exe N/A
File created C:\Windows\system32\SubDir\Client.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe N/A
File opened for modification C:\Windows\system32\SubDir\Client.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe N/A
File opened for modification C:\Windows\system32\SubDir C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\Client.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5815ea9a332e6998a7a360564c44e812229bcff03b1ce3249238579eb84ac071.exe

"C:\Users\Admin\AppData\Local\Temp\5815ea9a332e6998a7a360564c44e812229bcff03b1ce3249238579eb84ac071.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\/Client_built.exe"

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zphQuIW3gJlX.bat" "

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pXTDiuQrvazG.bat" "

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\v7snAnhEBHt5.bat" "

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UkNXWOwan5V7.bat" "

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oER7kBxCXtDP.bat" "

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Z7twUpspVflL.bat" "

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\305tJvhCyj8h.bat" "

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1fOu2dzCAEyE.bat" "

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0OOUVW0AvrbJ.bat" "

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Uj9vvsKL0NKG.bat" "

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\232vyHyI7Wwa.bat" "

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kJFZ3hXQKiZf.bat" "

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fvSIjduiZFeq.bat" "

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4zihURQAvcNR.bat" "

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

Network

Country  Destination         Domain                        Proto
NL       52.142.223.178:80   -                             tcp
US       8.8.8.8:53          74.32.126.40.in-addr.arpa     udp
US       8.8.8.8:53          0.205.248.87.in-addr.arpa     udp
US       8.8.8.8:53          95.221.229.192.in-addr.arpa   udp
US       8.8.8.8:53          g.bing.com                    udp
US       8.8.8.8:53          frp.deitie.asia               udp
US       204.79.197.200:443  g.bing.com                    tcp
US       8.8.8.8:53          146.78.124.51.in-addr.arpa    udp
US       8.8.8.8:53          59.128.231.4.in-addr.arpa     udp
US       8.8.8.8:53          241.154.82.20.in-addr.arpa    udp
US       8.8.8.8:53          86.23.85.13.in-addr.arpa      udp
US       8.8.8.8:53          41.110.16.96.in-addr.arpa     udp
US       8.8.8.8:53          9.228.82.20.in-addr.arpa      udp
US       8.8.8.8:53          frp.deitie.asia               udp
US       8.8.8.8:53          158.240.127.40.in-addr.arpa   udp
US       8.8.8.8:53          171.39.242.20.in-addr.arpa    udp
US       8.8.8.8:53          208.194.73.20.in-addr.arpa    udp
US       8.8.8.8:53          104.241.123.92.in-addr.arpa   udp
US       8.8.8.8:53          frp.deitie.asia               udp
US       8.8.8.8:53          119.110.54.20.in-addr.arpa    udp
US       8.8.8.8:53          frp.deitie.asia               udp
US       8.8.8.8:53          18.134.221.88.in-addr.arpa    udp
US       8.8.8.8:53          frp.deitie.asia               udp
US       8.8.8.8:53          176.178.17.96.in-addr.arpa    udp
US       8.8.8.8:53          32.134.221.88.in-addr.arpa    udp
US       8.8.8.8:53          frp.deitie.asia               udp
IE       52.111.236.21:443   -                             tcp
US       8.8.8.8:53          174.178.17.96.in-addr.arpa    udp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
