Malware Analysis Report

2025-01-18 04:34

Sample ID: 240101-m8wmdshebj
Target: 84d49466f2599b3ecc7cb706a04ae6924532b046fb9056e74fafddf6e332eea2
SHA256: 84d49466f2599b3ecc7cb706a04ae6924532b046fb9056e74fafddf6e332eea2
Tags: quasar office04 spyware trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 84d49466f2599b3ecc7cb706a04ae6924532b046fb9056e74fafddf6e332eea2

Threat Level: Known bad

The file 84d49466f2599b3ecc7cb706a04ae6924532b046fb9056e74fafddf6e332eea2 was found to be: Known bad.

Malicious Activity Summary

quasar office04 spyware trojan

Quasar family

Quasar payload

Quasar RAT

Drops startup file

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Runs ping.exe

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-01 11:08

Signatures

Quasar family

quasar

Quasar payload

1 match reported; the sandbox recorded no description, indicator, process or target for it.

Unsigned PE

1 match reported; the sandbox recorded no description, indicator, process or target for it.

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-01 11:08

Reported

2024-01-01 11:12

Platform

win7-20231215-en

Max time kernel

13s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\84d49466f2599b3ecc7cb706a04ae6924532b046fb9056e74fafddf6e332eea2.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

15 matches reported; the sandbox recorded no description, indicator, process or target for any of them.

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe | C:\Users\Admin\AppData\Local\Temp\84d49466f2599b3ecc7cb706a04ae6924532b046fb9056e74fafddf6e332eea2.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\SubDir\Client.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe | N/A
File opened for modification | C:\Windows\system32\SubDir\Client.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe | N/A
File opened for modification | C:\Windows\system32\SubDir | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe | N/A
File opened for modification | C:\Windows\system32\SubDir\Client.exe | C:\Windows\system32\SubDir\Client.exe | N/A
File opened for modification | C:\Windows\system32\SubDir | C:\Windows\system32\SubDir\Client.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\SubDir\Client.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1936 wrote to memory of 1020 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\84d49466f2599b3ecc7cb706a04ae6924532b046fb9056e74fafddf6e332eea2.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe
PID 1020 wrote to memory of 2712 (3 events) | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe | C:\Windows\system32\SubDir\Client.exe
PID 2712 wrote to memory of 2592 (3 events) | N/A | C:\Windows\system32\SubDir\Client.exe | C:\Windows\system32\cmd.exe
PID 2592 wrote to memory of 2740 (3 events) | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com

Processes

C:\Users\Admin\AppData\Local\Temp\84d49466f2599b3ecc7cb706a04ae6924532b046fb9056e74fafddf6e332eea2.exe

"C:\Users\Admin\AppData\Local\Temp\84d49466f2599b3ecc7cb706a04ae6924532b046fb9056e74fafddf6e332eea2.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\/Client_built.exe"

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MLMIIxz0eAGc.bat" "

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TVVkVOsI9H3I.bat" "

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YqC3T3EO7z5z.bat" "

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lGeFZTwok1bd.bat" "

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uPjdWefgDzpR.bat" "

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YUGI1VPdz8vt.bat" "

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\8KtWMzqAfE3I.bat" "

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FTx66ZTnRzQO.bat" "

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mCbdbpO2S3wh.bat" "

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hFWHppPTg2v5.bat" "

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sGZkBDwldO7F.bat" "
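
The process list above repeats one chain: the dropper writes Client_built.exe to the user's Startup folder, that copy installs C:\Windows\system32\SubDir\Client.exe, and each Client.exe instance launches cmd.exe with /c on a randomly named .bat in %TEMP% whose children are chcp.com (chcp 65001) and PING.EXE (ping -n 10 localhost). The batch file contents are not in the report, so the detector below keys only on what the report shows. This is an added example, not code from the report or from the sandbox vendor: a Python detector over process-creation events in the shape Sysmon Event ID 1 or EDR telemetry provides. The PIDs 1936, 1020, 2712, 2592 and 2740 are taken from the WriteProcessMemory rows; the parent PID 1200, the PING.EXE PID 2744 and the two benign events are constructed. Two caveats: the write into System32 succeeded only because the sandbox user is an administrator, so the SubDir path must not be the sole trigger; and the three Client_built.exe entries in the Files section carry three different hashes, so key on paths and behaviour rather than on those hashes.

```python
"""Detect the Quasar RAT process chain seen in this report from process-creation events.

Added example: not code from the report or from the sandbox. Input is a list of
ProcEvent records (the shape Sysmon Event ID 1 or EDR telemetry would give you).
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str    # command line as logged


# Paths reported by the sandbox (behavioral1).
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\84d49466f2599b3ecc7cb706a04ae6924532b046fb9056e74fafddf6e332eea2.exe"
STARTUP_COPY = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe"
INSTALLED = r"C:\Windows\system32\SubDir\Client.exe"

# Constructed sample: PIDs 1936/1020/2712/2592/2740 come from the report's
# WriteProcessMemory rows; 1200 (parent shell), 2744 and the two benign events are invented.
SAMPLE_EVENTS = [
    ProcEvent(1936, 1200, DROPPER, f'"{DROPPER}"'),
    ProcEvent(1020, 1936, STARTUP_COPY, f'"{STARTUP_COPY}"'),
    ProcEvent(2712, 1020, INSTALLED, f'"{INSTALLED}"'),
    ProcEvent(2592, 2712, r"C:\Windows\system32\cmd.exe",
              r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\MLMIIxz0eAGc.bat" "'),
    ProcEvent(2740, 2592, r"C:\Windows\system32\chcp.com", "chcp 65001"),
    ProcEvent(2744, 2592, r"C:\Windows\system32\PING.EXE", "ping -n 10 localhost"),
    # Benign (constructed): an admin running a build script from %TEMP% that pings once.
    ProcEvent(3100, 1200, r"C:\Windows\system32\cmd.exe",
              r'cmd /c "C:\Users\Admin\AppData\Local\Temp\build.bat"'),
    ProcEvent(3104, 3100, r"C:\Windows\system32\PING.EXE", "ping -n 1 localhost"),
]

# cmd.exe (or bare "cmd") running a .bat from the user's %TEMP% via /c; group 1 is the path.
BAT_FROM_TEMP = re.compile(
    r'/c\s+"*([A-Za-z]:\\[^"]+?\\AppData\\Local\\Temp\\[^"\\]+\.bat)"', re.IGNORECASE)
PING_LOCALHOST = re.compile(r"^ping(?:\.exe)?\s+-n\s+\d+\s+localhost\b", re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
SYSTEM32_SUBDIR = re.compile(r"^[A-Za-z]:\\Windows\\System32\\SubDir\\", re.IGNORECASE)


def _is_restart_batch(children):
    """True when a cmd.exe's children are the chcp 65001 + ping -n N localhost pair
    the report shows under every .bat launch (a sleep-by-ping delay before acting)."""
    cmds = [c.cmdline.strip() for c in children]
    has_chcp = any(c.lower().startswith("chcp 65001") for c in cmds)
    has_ping = any(PING_LOCALHOST.match(c) for c in cmds)
    return has_chcp and has_ping


def detect_quasar_chain(events):
    """Return the PIDs/paths matching each stage of the chain in this report."""
    by_pid = {e.pid: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e.ppid].append(e)

    findings = {"startup_exec": [], "system32_subdir_exec": [], "restart_batches": []}
    for e in events:
        if STARTUP_DIR.search(e.image):
            findings["startup_exec"].append(e.pid)
        if SYSTEM32_SUBDIR.match(e.image):
            findings["system32_subdir_exec"].append(e.pid)
        m = BAT_FROM_TEMP.search(e.cmdline)
        if m and _is_restart_batch(children[e.pid]):
            parent = by_pid.get(e.ppid)
            findings["restart_batches"].append(
                (e.pid, m.group(1), parent.image if parent else None))
    return findings


if __name__ == "__main__":
    for key, hits in detect_quasar_chain(SAMPLE_EVENTS).items():
        print(f"{key}: {hits}")
```

The restart-batch rule fires only when both chcp 65001 and a ping-to-localhost delay sit under the same cmd.exe, which is why the constructed build.bat launch with a single ping does not match; a rule on the .bat path alone would page on every scripted install.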

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | frp.deitie.asia | udp

Files

\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe

MD5 d42ceb97ae7693912d36e37a709ed192
SHA1 ce9eaedee8ab5a21b6ce1f8e9e76be9540ce6889
SHA256 b3e64c25cbbd36802511c48a3299e117790c9d9105d1e491a2ea135dfe8c9d6d
SHA512 1d0fc549f739d6d112bb8ec6f5b0a32d98deeb9deea020d6347c0be8dc07142e30bd652c58cd63977387a3e6e7047703c10fa383a29987e503a82a8f8db2db6e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe

MD5 8262dfcff9c181dfd930d54cd6cd82c7
SHA1 08daf29694ce5d599805f285814f212b7ac71583
SHA256 5c3e3156b0d74763fd8332af8330d77ed78548c337ea2d216b1aab45e11841f7
SHA512 8955635293e9fad53eb4cbaa70c6d594a16d102cef7737e943e949523195ffe307fc11c15b2ca725d09b28bfb387acbce429018cc437eb41c7d9f73fe07c310d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe

MD5 c86cfe8094c055533455841d98cbb379
SHA1 80284dded5b813605a0958de40400759d3773911
SHA256 162f24455fd5f63b77e2a865fec8f227bd797906dcca1825900c47e92be2d1dc
SHA512 d85d34ab618431db96efe4d5d4c8f229d42b48d03ebc4e021713a774bf1553bddc08ca1491167c123718a5602295cfc97c425b6c7b73e22752844b7cc51a8642

memory/1020-5-0x00000000012C0000-0x00000000015E4000-memory.dmp

memory/1020-6-0x000007FEF6250000-0x000007FEF6C3C000-memory.dmp

memory/1020-7-0x000000001B380000-0x000000001B400000-memory.dmp

memory/2712-13-0x0000000000F40000-0x0000000001264000-memory.dmp

memory/2712-14-0x000007FEF6250000-0x000007FEF6C3C000-memory.dmp

memory/1020-16-0x000007FEF6250000-0x000007FEF6C3C000-memory.dmp

memory/2712-15-0x000000001B2F0000-0x000000001B370000-memory.dmp

C:\Windows\system32\SubDir\Client.exe

MD5 79b26dfe24826dd254873006f54f979b
SHA1 8dab7eee8cb8fb38443bc96b9756d7ba3ce18dd6
SHA256 9a3966ed18c3506a2ac8baa6370bae1f927a352a89f4c82be6f9efa1494b1e41
SHA512 97521af3474c439e3bc37535cd1de3ebe467604f7c113090ac25a04af4ea9fe94cf5a30ba03fa12373038f2501f8de69143e80b22217100cc807dfe831e6a287

C:\Windows\System32\SubDir\Client.exe

MD5 8fa1754114f472809cda386151c0c66f
SHA1 2c83c338c54542e17ec4cf89c5922c5dd83ec322
SHA256 2b7d342ca3960cd4fc2491068a89395366938fbe69c12b33c53a8f3871683d5a
SHA512 6804a63fb4d4bfa207d186be2365fe29b1071f104f013991f6b143f7ff804c5d25b9e453498902de34e465bd1dcbbc587d83b4bc7fb25fdc2e3f1b1aaafce3bc

C:\Windows\System32\SubDir\Client.exe

MD5 9843233c1b247f64b8d1ba7216b5b400
SHA1 86e478466bed9c91d03b777432a40c0d1cb7410a
SHA256 9f5eebc7b1097ecf853acff1ae8cca753073121cadf6e89f6b6c839a563f0528
SHA512 ca503cb886e0aa81284123da2a3bb7489c575df9456243ea64422926173afdcecf3bcac13d3b62c5fd925b16e95a5a5fce89e00fb2a9c009a21b8ae130c2f222

memory/2712-26-0x000007FEF6250000-0x000007FEF6C3C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MLMIIxz0eAGc.bat

MD5 efb69feb13b470cb7075d97eec87b9d9
SHA1 8e50076bdc5fa8abd7db3c8fc3b72d842b1dc4e5
SHA256 37bfb1302777fd60efaa856d107e52a3adcb21dd873ec3526b3e115a1619b3b2
SHA512 696d598d5a2504dde1a31549840a1025f541e5ed09a558616499ef02988885c61583c418d3c99305a88e9a51504aad4f559ba7fa5e1d8487725168c59eee292c

memory/1676-29-0x000007FEF5860000-0x000007FEF624C000-memory.dmp

memory/1676-30-0x000000001B1A0000-0x000000001B220000-memory.dmp

memory/1676-28-0x0000000001330000-0x0000000001654000-memory.dmp

memory/1676-40-0x000007FEF5860000-0x000007FEF624C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TVVkVOsI9H3I.bat

MD5 20d7514ac00372a28cd04f4f104f1bd2
SHA1 7d8ea9ebdbacb564672e8e6acb1a0f4d4c9a4ed4
SHA256 85e0826abf4d74daddea9e1e7f2f1cb314ed6cbd94c3d401a6144e7bdc37d082
SHA512 c8cd38ea1e15cd713ced0b2c25e133fcf90878a9342c2e4ddf08cb605bce6610ac890fb6b8532c0551a599c8ef6df9cc38b0575da061cdef49d6feec8fda4c20

memory/1696-42-0x000007FEF6250000-0x000007FEF6C3C000-memory.dmp

memory/1696-43-0x000000001B2D0000-0x000000001B350000-memory.dmp

memory/1696-54-0x000007FEF6250000-0x000007FEF6C3C000-memory.dmp

memory/1432-58-0x000000001B210000-0x000000001B290000-memory.dmp

memory/1432-57-0x000007FEF5860000-0x000007FEF624C000-memory.dmp

memory/1432-56-0x00000000000D0000-0x00000000003F4000-memory.dmp

memory/1432-68-0x000007FEF5860000-0x000007FEF624C000-memory.dmp

memory/1476-70-0x0000000000010000-0x0000000000334000-memory.dmp

memory/1476-71-0x000007FEF6250000-0x000007FEF6C3C000-memory.dmp

memory/1476-72-0x000000001B0F0000-0x000000001B170000-memory.dmp

memory/1476-82-0x000007FEF6250000-0x000007FEF6C3C000-memory.dmp

memory/1608-85-0x000007FEF5860000-0x000007FEF624C000-memory.dmp

memory/1608-86-0x000000001B290000-0x000000001B310000-memory.dmp

memory/1608-84-0x0000000001090000-0x00000000013B4000-memory.dmp

memory/1608-96-0x000007FEF5860000-0x000007FEF624C000-memory.dmp

memory/2484-98-0x0000000001350000-0x0000000001674000-memory.dmp

memory/2484-100-0x000000001B3E0000-0x000000001B460000-memory.dmp

memory/2484-99-0x000007FEF6250000-0x000007FEF6C3C000-memory.dmp

memory/2484-110-0x000007FEF6250000-0x000007FEF6C3C000-memory.dmp

memory/2204-113-0x000007FEF5860000-0x000007FEF624C000-memory.dmp

memory/2204-114-0x000000001B240000-0x000000001B2C0000-memory.dmp

memory/2204-112-0x0000000000370000-0x0000000000694000-memory.dmp

memory/2204-124-0x000007FEF5860000-0x000007FEF624C000-memory.dmp

memory/2632-127-0x000007FEF6250000-0x000007FEF6C3C000-memory.dmp

memory/2632-126-0x00000000003B0000-0x00000000006D4000-memory.dmp

memory/2632-137-0x000007FEF6250000-0x000007FEF6C3C000-memory.dmp

memory/984-140-0x000007FEF5860000-0x000007FEF624C000-memory.dmp

memory/984-141-0x000000001B210000-0x000000001B290000-memory.dmp

memory/984-139-0x0000000000070000-0x0000000000394000-memory.dmp

memory/984-151-0x000007FEF5860000-0x000007FEF624C000-memory.dmp

memory/1740-155-0x000000001B100000-0x000000001B180000-memory.dmp

memory/1740-154-0x000007FEF6250000-0x000007FEF6C3C000-memory.dmp

memory/1740-153-0x0000000000800000-0x0000000000B24000-memory.dmp

memory/1740-165-0x000007FEF6250000-0x000007FEF6C3C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-01 11:08

Reported

2024-01-01 11:11

Platform

win10v2004-20231215-en

Max time kernel

146s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\84d49466f2599b3ecc7cb706a04ae6924532b046fb9056e74fafddf6e332eea2.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

2 matches reported; the sandbox recorded no description, indicator, process or target for them.

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe | C:\Users\Admin\AppData\Local\Temp\84d49466f2599b3ecc7cb706a04ae6924532b046fb9056e74fafddf6e332eea2.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\SubDir\Client.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe | N/A
File opened for modification | C:\Windows\system32\SubDir\Client.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe | N/A
File opened for modification | C:\Windows\system32\SubDir | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe | N/A
File opened for modification | C:\Windows\system32\SubDir\Client.exe | C:\Windows\system32\SubDir\Client.exe | N/A
File opened for modification | C:\Windows\system32\SubDir | C:\Windows\system32\SubDir\Client.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\SubDir\Client.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\84d49466f2599b3ecc7cb706a04ae6924532b046fb9056e74fafddf6e332eea2.exe

"C:\Users\Admin\AppData\Local\Temp\84d49466f2599b3ecc7cb706a04ae6924532b046fb9056e74fafddf6e332eea2.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\/Client_built.exe"

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7Idf1B99FxvA.bat" "

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YyjPHJ7d97Fz.bat" "

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Rr2c79qi8cBL.bat" "

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\crc8hDUP7RJl.bat" "

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\naklM1y3RtXE.bat" "

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TGvLLrJXiCk1.bat" "

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GXFKEnGfwA2g.bat" "

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nJtYFSO1AnDF.bat" "

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kFj5yWxcEjB2.bat" "

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\X0NNPKKTI7sW.bat" "

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\azBBItm3qRRQ.bat" "

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7CDJfw2HOmld.bat" "

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmf2sQOWh89L.bat" "

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarmoiJOMmp8.bat" "

Network

Country | Destination | Domain | Proto
US | 138.91.171.81:80 | - | tcp
US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 20.177.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | frp.deitie.asia | udp
US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp
US | 8.8.8.8:53 | frp.deitie.asia | udp
US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp
US | 8.8.8.8:53 | frp.deitie.asia | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | frp.deitie.asia | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp
US | 8.8.8.8:53 | frp.deitie.asia | udp
US | 8.8.8.8:53 | frp.deitie.asia | udp
US | 8.8.8.8:53 | frp.deitie.asia | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | frp.deitie.asia | udp
US | 8.8.8.8:53 | frp.deitie.asia | udp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | frp.deitie.asia | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | frp.deitie.asia | udp
US | 8.8.8.8:53 | frp.deitie.asia | udp
US | 8.8.8.8:53 | frp.deitie.asia | udp
US | 8.8.8.8:53 | 58.189.79.40.in-addr.arpa | udp
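
Most rows in the table above are not the malware talking: the in-addr.arpa entries are reverse lookups of addresses the sandbox saw, and tse1.mm.bing.net is the Windows 10 image's own traffic. What is left is frp.deitie.asia, queried repeatedly with no TCP connection to it recorded, and one TCP connection to 138.91.171.81:80 that the sandbox did not tie to any name. The report does not say what frp.deitie.asia resolved to, so the two cannot be linked from this page alone. The triage below is an added example, not code from the report or the sandbox vendor: it parses rows in the table's own "Country Destination Domain Proto" layout and buckets them into PTR noise, OS noise, unattributed connections and C2 candidates. The sample is a constructed excerpt of the table (same values, fewer rows), and the NOISE_SUFFIXES allowlist is an assumption to be grown from clean-baseline detonations.

```python
"""Triage a sandbox network table: separate the likely C2 domain from resolver noise.

Added example, not part of the report. Rows are parsed from the text layout used
in the report ("Country Destination Domain Proto"); a row with no domain has three fields.
"""
from collections import Counter, defaultdict

# Constructed excerpt of the behavioral2 Network table (same values, fewer rows).
SAMPLE_ROWS = """
US 138.91.171.81:80 tcp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 frp.deitie.asia udp
US 8.8.8.8:53 20.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 frp.deitie.asia udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 frp.deitie.asia udp
""".strip().splitlines()

# Assumed allowlist of domains a stock Windows 10 image talks to on its own;
# extend it from clean-baseline detonations, not from guesswork.
NOISE_SUFFIXES = (".bing.net", ".microsoft.com", ".windows.com",
                  ".msftconnecttest.com", ".windowsupdate.com")


def parse_row(line):
    """Split one table row into (country, destination, domain or None, proto)."""
    parts = line.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:
        country, dest, proto = parts
        domain = None
    else:
        raise ValueError(f"unexpected row: {line!r}")
    return country, dest, domain, proto


def classify(domain):
    """Bucket a domain: reverse lookups, known OS noise, or a C2 candidate."""
    if domain is None:
        return "unattributed"
    if domain.endswith((".in-addr.arpa", ".ip6.arpa")):
        return "ptr"
    if domain.lower().endswith(NOISE_SUFFIXES):
        return "noise"
    return "candidate"


def triage_network(rows):
    """Count DNS queries and TCP connections per domain, grouped by bucket."""
    per_domain = defaultdict(Counter)
    unattributed_tcp = []
    ptr_count = 0
    for line in rows:
        _, dest, domain, proto = parse_row(line)
        cls = classify(domain)
        if cls == "unattributed":
            if proto == "tcp":
                unattributed_tcp.append(dest)
            continue
        if cls == "ptr":
            ptr_count += 1
            continue
        # A UDP flow to port 53 is a resolver query; anything else is counted by protocol.
        key = "dns" if proto == "udp" and dest.endswith(":53") else proto
        per_domain[(cls, domain)][key] += 1

    out = {"candidates": {}, "noise": {}, "ptr_lookups": ptr_count,
           "unattributed_tcp": unattributed_tcp}
    for (cls, domain), counts in per_domain.items():
        bucket = "candidates" if cls == "candidate" else "noise"
        out[bucket][domain] = dict(counts)
    return out


if __name__ == "__main__":
    import json
    print(json.dumps(triage_network(SAMPLE_ROWS), indent=2))
```

A candidate with DNS queries but no TCP connection, as here, usually means the name did not resolve or the sandbox could not reach the resolved address; treat the domain as the indicator and leave the 138.91.171.81:80 connection unattributed until a packet capture or a resolver log ties it to a name.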

Files

memory/1556-4-0x0000000000E10000-0x0000000001134000-memory.dmp

memory/1556-6-0x000000001BD80000-0x000000001BD90000-memory.dmp

memory/1556-5-0x00007FFE25EC0000-0x00007FFE26981000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe

MD5 abc269a09c87b1c91668c4751c2986c1
SHA1 8cfc7349d6b2931d2b59ee2c184fd114499ede37
SHA256 a432425d402e4d83258c1debe1c933d77a95971716d887c40195d3f9abde4e5d
SHA512 3690029856979952078959488ad563ed51e67e8058e4834aed1942979fe2928d037a732c03ec2115d5b7c3ee9b2f02683398e9c8ade256ad4801fc4d1e927e45

memory/4752-14-0x00007FFE25EC0000-0x00007FFE26981000-memory.dmp

memory/4752-15-0x000000001B2A0000-0x000000001B2B0000-memory.dmp

memory/1556-13-0x00007FFE25EC0000-0x00007FFE26981000-memory.dmp

memory/4752-17-0x000000001B850000-0x000000001B902000-memory.dmp

memory/4752-16-0x000000001B740000-0x000000001B790000-memory.dmp

memory/4752-23-0x00007FFE25EC0000-0x00007FFE26981000-memory.dmp

memory/2452-26-0x00007FFE258F0000-0x00007FFE263B1000-memory.dmp

memory/2452-27-0x0000000002840000-0x0000000002850000-memory.dmp

memory/2452-32-0x00007FFE258F0000-0x00007FFE263B1000-memory.dmp

memory/944-34-0x00007FFE258F0000-0x00007FFE263B1000-memory.dmp

memory/944-35-0x0000000000DC0000-0x0000000000DD0000-memory.dmp

memory/944-40-0x00007FFE258F0000-0x00007FFE263B1000-memory.dmp

memory/4020-42-0x00007FFE258F0000-0x00007FFE263B1000-memory.dmp

memory/4020-43-0x00000000026B0000-0x00000000026C0000-memory.dmp

memory/4020-48-0x00007FFE258F0000-0x00007FFE263B1000-memory.dmp

memory/2324-51-0x0000000000CB0000-0x0000000000CC0000-memory.dmp

memory/2324-50-0x00007FFE257D0000-0x00007FFE26291000-memory.dmp

memory/2324-56-0x00007FFE257D0000-0x00007FFE26291000-memory.dmp

memory/3344-59-0x000000001B280000-0x000000001B290000-memory.dmp

memory/3344-58-0x00007FFE25770000-0x00007FFE26231000-memory.dmp

memory/3344-64-0x00007FFE25770000-0x00007FFE26231000-memory.dmp

memory/1296-67-0x0000000003340000-0x0000000003350000-memory.dmp

memory/1296-66-0x00007FFE25770000-0x00007FFE26231000-memory.dmp

memory/1296-72-0x00007FFE25770000-0x00007FFE26231000-memory.dmp

memory/4376-75-0x0000000001A20000-0x0000000001A30000-memory.dmp

memory/4376-74-0x00007FFE25770000-0x00007FFE26231000-memory.dmp

memory/4376-80-0x00007FFE25770000-0x00007FFE26231000-memory.dmp

memory/2900-83-0x00000000026A0000-0x00000000026B0000-memory.dmp

memory/2900-82-0x00007FFE25770000-0x00007FFE26231000-memory.dmp

memory/2900-88-0x00007FFE25770000-0x00007FFE26231000-memory.dmp

memory/4988-91-0x000000001BB00000-0x000000001BB10000-memory.dmp

memory/4988-90-0x00007FFE25770000-0x00007FFE26231000-memory.dmp

memory/4988-96-0x00007FFE25770000-0x00007FFE26231000-memory.dmp

memory/3020-98-0x00007FFE25890000-0x00007FFE26351000-memory.dmp

memory/3020-99-0x000000001BB70000-0x000000001BB80000-memory.dmp

memory/3020-104-0x00007FFE25890000-0x00007FFE26351000-memory.dmp

memory/2680-106-0x00007FFE25890000-0x00007FFE26351000-memory.dmp

memory/2680-107-0x00000000016B0000-0x00000000016C0000-memory.dmp

memory/2680-112-0x00007FFE25890000-0x00007FFE26351000-memory.dmp

memory/4976-114-0x00007FFE25890000-0x00007FFE26351000-memory.dmp

memory/4976-115-0x000000001B130000-0x000000001B140000-memory.dmp

memory/4976-119-0x00007FFE25890000-0x00007FFE26351000-memory.dmp

memory/2012-122-0x00007FFE25890000-0x00007FFE26351000-memory.dmp

memory/2012-123-0x000000001B970000-0x000000001B980000-memory.dmp

memory/2012-128-0x00007FFE25890000-0x00007FFE26351000-memory.dmp

memory/3564-131-0x000000001BBA0000-0x000000001BBB0000-memory.dmp