Malware Analysis Report

2025-01-18 04:16

Sample ID 240105-gf4jmsdfa3
Target 2024-01-01_862a7ef9e5d955ccc15d71090c6c569a_icedid_xrat
SHA256 84d49466f2599b3ecc7cb706a04ae6924532b046fb9056e74fafddf6e332eea2
Tags: quasar office04 spyware trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 84d49466f2599b3ecc7cb706a04ae6924532b046fb9056e74fafddf6e332eea2

Threat Level: Known bad

The file 2024-01-01_862a7ef9e5d955ccc15d71090c6c569a_icedid_xrat was found to be: Known bad.

Malicious Activity Summary

Tags: quasar office04 spyware trojan

Quasar RAT

Quasar family

Quasar payload

Drops startup file

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Runs ping.exe

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported: 2024-01-05 05:45

Signatures

Quasar family (tags: quasar)

Quasar payload

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted: 2024-01-05 05:45

Reported: 2024-01-05 06:07

Platform: win7-20231215-en

Max time kernel: 145s

Max time network: 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-01-01_862a7ef9e5d955ccc15d71090c6c569a_icedid_xrat.exe"

Signatures

Quasar RAT (tags: trojan spyware quasar)

Quasar payload

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe | C:\Users\Admin\AppData\Local\Temp\2024-01-01_862a7ef9e5d955ccc15d71090c6c569a_icedid_xrat.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-01_862a7ef9e5d955ccc15d71090c6c569a_icedid_xrat.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\SubDir\Client.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe | N/A
File opened for modification | C:\Windows\system32\SubDir\Client.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe | N/A
File opened for modification | C:\Windows\system32\SubDir | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe | N/A
File opened for modification | C:\Windows\system32\SubDir\Client.exe | C:\Windows\system32\SubDir\Client.exe | N/A
File opened for modification | C:\Windows\system32\SubDir | C:\Windows\system32\SubDir\Client.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\SubDir\Client.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-01-01_862a7ef9e5d955ccc15d71090c6c569a_icedid_xrat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-01-01_862a7ef9e5d955ccc15d71090c6c569a_icedid_xrat.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\/Client_built.exe"

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tbBVXgXcE9Dq.bat" "

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\dRp46F2WJIxJ.bat" "

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tvwdHM0A8trV.bat" "

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hVhHvHM519bd.bat" "

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GpWg7BdzN3T7.bat" "

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\2PPSFZEyZVTy.bat" "

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\V6fYbIToJY4b.bat" "

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\iwRkZCkcKNFX.bat" "

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YId92Y2kmSYR.bat" "

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\5wRH2nuSn1Qe.bat" "

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RW1rhBbD0mC9.bat" "

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DbX06elKQRz4.bat" "

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | frp.deitie.asia | udp

Files

Analysis: behavioral2

Detonation Overview

Submitted: 2024-01-05 05:45

Reported: 2024-01-05 06:08

Platform: win10v2004-20231215-en

Max time kernel: 13s

Max time network: 169s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-01-01_862a7ef9e5d955ccc15d71090c6c569a_icedid_xrat.exe"

Signatures

Quasar RAT (tags: trojan spyware quasar)

Quasar payload

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe | C:\Users\Admin\AppData\Local\Temp\2024-01-01_862a7ef9e5d955ccc15d71090c6c569a_icedid_xrat.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system32\SubDir | C:\Windows\system32\SubDir\Client.exe | N/A
File created | C:\Windows\system32\SubDir\Client.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe | N/A
File opened for modification | C:\Windows\system32\SubDir\Client.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe | N/A
File opened for modification | C:\Windows\system32\SubDir | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe | N/A
File opened for modification | C:\Windows\system32\SubDir\Client.exe | C:\Windows\system32\SubDir\Client.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\SubDir\Client.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-01-01_862a7ef9e5d955ccc15d71090c6c569a_icedid_xrat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-01-01_862a7ef9e5d955ccc15d71090c6c569a_icedid_xrat.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\/Client_built.exe"

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7c4xnfCrga4y.bat" "

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0dX2YhlX3VpF.bat" "

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AmmFqCDyTBi5.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GFGp1onsvCAY.bat" "

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lhnxtGbAOBTx.bat" "

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mo5bH4MH49pZ.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XwaY84O8f7ND.bat" "

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eRbnl4lE2P2k.bat" "

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tLNd8ELorj4Z.bat" "

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Y3MDmpeNfUtg.bat" "

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mltce6Pqaj9h.bat" "

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gPK9yt1jUwda.bat" "

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SsRJVnnAwDjo.bat" "

Network

Country | Destination | Domain | Proto
NL | 52.142.223.178:80 | | tcp
US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 4.181.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.200:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | frp.deitie.asia | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | frp.deitie.asia | udp
US | 8.8.8.8:53 | 19.53.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | frp.deitie.asia | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp
US | 8.8.8.8:53 | frp.deitie.asia | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | frp.deitie.asia | udp
US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp
GB | 96.17.178.173:80 | | tcp
US | 8.8.8.8:53 | frp.deitie.asia | udp
US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | frp.deitie.asia | udp
US | 8.8.8.8:53 | 174.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 211.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | frp.deitie.asia | udp
US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | frp.deitie.asia | udp
US | 8.8.8.8:53 | | udp
US | 8.8.8.8:53 | frp.deitie.asia | udp

Files
