File name:

23s.exe

Full analysis: https://app.any.run/tasks/12dc19f8-1042-4c23-9381-889c8dcce2f3
Verdict: Malicious activity
Analysis date: February 14, 2025, 21:22:02
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:

D39434C1AEC5F6EE59D40BDEA642CF32

SHA1:

01D7DA2EC2F27D29426FA6FEF55A8E1F7D820D2C

SHA256:

5654139565228C2F712F7AD79A04BC875577915AE58FB2984EBB20DD0D59E36E

SSDEEP:

49152:7qEcsT90z2NkvSCmRf7uY1+DVlYZ+hHjGmt/3Dgb8Ecv+h+ltmqHx1JdReCzjF6c:62NkKCmRf7uY1+DVlYZ+hHaIDgaRe5c

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • 23s.exe (PID: 1932)
      • Client.exe (PID: 1816)
      • Client.exe (PID: 952)
      • Client.exe (PID: 3188)
      • Client.exe (PID: 3736)
      • Client.exe (PID: 3340)
      • Client.exe (PID: 4072)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 23s.exe (PID: 1932)

    • Starts itself from another location

      • 23s.exe (PID: 1932)

    • Reads the Internet Settings

      • Client.exe (PID: 1816)
      • Client.exe (PID: 952)
      • Client.exe (PID: 3188)
      • Client.exe (PID: 3736)
      • Client.exe (PID: 3340)
      • Client.exe (PID: 4072)

    • Reads security settings of Internet Explorer

      • Client.exe (PID: 1816)
      • Client.exe (PID: 952)
      • Client.exe (PID: 3188)
      • Client.exe (PID: 3736)
      • Client.exe (PID: 3340)
      • Client.exe (PID: 4072)

    • Executing commands from a ".bat" file

      • Client.exe (PID: 1816)
      • Client.exe (PID: 952)
      • Client.exe (PID: 3188)
      • Client.exe (PID: 3736)
      • Client.exe (PID: 3340)
      • Client.exe (PID: 4072)

    • Starts CMD.EXE for commands execution

      • Client.exe (PID: 1816)
      • Client.exe (PID: 952)
      • Client.exe (PID: 3188)
      • Client.exe (PID: 3340)
      • Client.exe (PID: 3736)
      • Client.exe (PID: 4072)

    • Starts application with an unusual extension

      • cmd.exe (PID: 2244)
      • cmd.exe (PID: 3024)
      • cmd.exe (PID: 3716)
      • cmd.exe (PID: 3420)
      • cmd.exe (PID: 2476)
      • cmd.exe (PID: 4056)

    • Runs PING.EXE to delay simulation

      • cmd.exe (PID: 2244)
      • cmd.exe (PID: 3024)
      • cmd.exe (PID: 3716)
      • cmd.exe (PID: 3420)
      • cmd.exe (PID: 4056)
      • cmd.exe (PID: 2476)

    • The executable file from the user directory is run by the CMD process

      • Client.exe (PID: 952)
      • Client.exe (PID: 3188)
      • Client.exe (PID: 3736)
      • Client.exe (PID: 3340)
      • Client.exe (PID: 4072)

  • INFO

    • Reads the computer name

      • 23s.exe (PID: 1932)
      • Client.exe (PID: 1816)
      • Client.exe (PID: 952)
      • Client.exe (PID: 3736)
      • Client.exe (PID: 3188)
      • Client.exe (PID: 3340)
      • Client.exe (PID: 4072)

    • Creates files or folders in the user directory

      • 23s.exe (PID: 1932)

    • Checks supported languages

      • 23s.exe (PID: 1932)
      • Client.exe (PID: 1816)
      • chcp.com (PID: 2264)
      • Client.exe (PID: 952)
      • chcp.com (PID: 3396)
      • Client.exe (PID: 3188)
      • chcp.com (PID: 3484)
      • Client.exe (PID: 3736)
      • chcp.com (PID: 3776)
      • Client.exe (PID: 3340)
      • chcp.com (PID: 3932)
      • Client.exe (PID: 4072)
      • chcp.com (PID: 2100)

    • Reads Environment values

      • 23s.exe (PID: 1932)
      • Client.exe (PID: 1816)
      • Client.exe (PID: 952)
      • Client.exe (PID: 3188)
      • Client.exe (PID: 3736)
      • Client.exe (PID: 3340)
      • Client.exe (PID: 4072)

    • Reads the machine GUID from the registry

      • 23s.exe (PID: 1932)
      • Client.exe (PID: 1816)
      • Client.exe (PID: 952)
      • Client.exe (PID: 3188)
      • Client.exe (PID: 3736)
      • Client.exe (PID: 3340)
      • Client.exe (PID: 4072)

    • Create files in a temporary directory

      • Client.exe (PID: 1816)
      • Client.exe (PID: 952)
      • Client.exe (PID: 3188)
      • Client.exe (PID: 3736)
      • Client.exe (PID: 3340)
      • Client.exe (PID: 4072)

    • Changes the display of characters in the console

      • cmd.exe (PID: 2244)
      • cmd.exe (PID: 3024)
      • cmd.exe (PID: 3716)
      • cmd.exe (PID: 3420)
      • cmd.exe (PID: 4056)
      • cmd.exe (PID: 2476)

    • Manual execution by a user

      • explorer.exe (PID: 1780)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe | Win64 Executable (generic) (21.3)
.scr | Windows screen saver (10.1)
.dll | Win32 Dynamic Link Library (generic) (5)
.exe | Win32 Executable (generic) (3.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:03:12 16:16:39+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 3261952
InitializedDataSize: 3584
UninitializedDataSize: -
EntryPoint: 0x31e3fe
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.4.1.0
ProductVersionNumber: 1.4.1.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: -
FileDescription: Quasar Client
FileVersion: 1.4.1
InternalName: Client.exe
LegalCopyright: Copyright © MaxXor 2023
LegalTrademarks: -
OriginalFileName: Client.exe
ProductName: Quasar
ProductVersion: 1.4.1
AssemblyVersion: 1.4.1.0
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
68
Monitored processes
27
Malicious processes
12
Suspicious processes
0

Behavior graph

Click at the process to see the details
start 23s.exe client.exe cmd.exe no specs chcp.com no specs ping.exe no specs explorer.exe no specs client.exe cmd.exe no specs chcp.com no specs ping.exe no specs client.exe cmd.exe no specs chcp.com no specs ping.exe no specs client.exe cmd.exe no specs chcp.com no specs ping.exe no specs client.exe cmd.exe no specs chcp.com no specs ping.exe no specs client.exe cmd.exe no specs chcp.com no specs ping.exe no specs svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
188ping -n 10 localhost C:\Windows\System32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
952"C:\Users\admin\AppData\Roaming\SubDir\Client.exe" C:\Users\admin\AppData\Roaming\SubDir\Client.exe
cmd.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Quasar Client
Exit code:
0
Version:
1.4.1
Modules
Images
c:\users\admin\appdata\roaming\subdir\client.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
1108C:\Windows\system32\svchost.exe -k NetworkServiceC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
1780"C:\Windows\explorer.exe" C:\Windows\explorer.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
1816"C:\Users\admin\AppData\Roaming\SubDir\Client.exe"C:\Users\admin\AppData\Roaming\SubDir\Client.exe
23s.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Quasar Client
Exit code:
0
Version:
1.4.1
Modules
Images
c:\users\admin\appdata\roaming\subdir\client.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
1872ping -n 10 localhost C:\Windows\System32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1932"C:\Users\admin\Desktop\23s.exe" C:\Users\admin\Desktop\23s.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Quasar Client
Exit code:
3
Version:
1.4.1
Modules
Images
c:\users\admin\desktop\23s.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
2088ping -n 10 localhost C:\Windows\System32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2100chcp 65001C:\Windows\System32\chcp.comcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Change CodePage Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2244C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\RLdwvgPCWFIm.bat" "C:\Windows\System32\cmd.exeClient.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events
5 886
Read events
5 727
Write events
159
Delete events
0

Modification events

(PID) Process:(1108) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet
Operation:writeName:{4040CF00-1B3E-486A-B407-FA14C56B6FC0}
Value:
525400363EFF
(PID) Process:(1932) 23s.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(1932) 23s.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:smart
Value:
"C:\Users\admin\AppData\Roaming\SubDir\Client.exe"
(PID) Process:(1816) Client.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(1816) Client.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(1816) Client.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(1816) Client.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(1816) Client.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(1816) Client.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:smart
Value:
"C:\Users\admin\AppData\Roaming\SubDir\Client.exe"
(PID) Process:(952) Client.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
Executable files
1
Suspicious files
0
Text files
6
Unknown types
0

Dropped files

PID
Process
Filename
Type
1816Client.exeC:\Users\admin\AppData\Local\Temp\RLdwvgPCWFIm.battext
MD5:3A88F3131B2340B15C4F98BA3FC4ACF7
SHA256:0C596A470F4792ADDA3EE1D95D7F02F72B8FCF98911995D0599D0E5C1DD81135
952Client.exeC:\Users\admin\AppData\Local\Temp\2CXJiyhetjzg.battext
MD5:DB0F261BB836B8058DCE2AE4D35A1E28
SHA256:CACFFAB7DCBF68835D43ADE7372B707B818566F5FF6BC36841CCA5CD0B2E7B38
193223s.exeC:\Users\admin\AppData\Roaming\SubDir\Client.exeexecutable
MD5:D39434C1AEC5F6EE59D40BDEA642CF32
SHA256:5654139565228C2F712F7AD79A04BC875577915AE58FB2984EBB20DD0D59E36E
3188Client.exeC:\Users\admin\AppData\Local\Temp\pmCAGJl9u35Z.battext
MD5:1A2A5D3E805722FBD73E93A0B6566E0A
SHA256:0155B9097DC0015E64191905AA737340D7C759DA6A501FB4CD494B59F63882DC
3736Client.exeC:\Users\admin\AppData\Local\Temp\5uEuu1QcsG8a.battext
MD5:93F37288A0EF523F2B276F8D1635FBAF
SHA256:B2C45187B0FB0280149A169A7BB802A954C45A0DAE753217DACBFA537FB9B765
4072Client.exeC:\Users\admin\AppData\Local\Temp\pdtzhfGAybu4.battext
MD5:19F3E23F3A730EFB8944AF7E76800F21
SHA256:EA5FEB2494C19DFA5FDE07EB9FC6B6CE18D1FC8503A19063731B14F91177B79B
3340Client.exeC:\Users\admin\AppData\Local\Temp\ZcWoGZHV9oOS.battext
MD5:07488AC703AFC92F6BF1E12D0FD14B87
SHA256:1C0B10844C98CA2BE66E63B2BF61D59B3B8C8EA79D77B90AA36A9B91A42611F4
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
5
DNS requests
2
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
1108
svchost.exe
224.0.0.252:5355
whitelisted
4
System
192.168.100.255:138
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.238
whitelisted
rnnlc-176-18-48-249.a.free.pinggy.link
malicious

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
23s.exe