Malware Analysis Report

2025-01-18 04:17

Sample ID 240105-gfaasscdar
Target 2024-01-01_6d9ae7bd96ad3fe1f1d4ca0085229db8_icedid_xrat
SHA256 82dfd095c6d9f8e5e206e74d9717c0e5311d88906b7305052b3d9e5566ed1f83
Tags
quasar office04 spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

82dfd095c6d9f8e5e206e74d9717c0e5311d88906b7305052b3d9e5566ed1f83

Threat Level: Known bad

The file 2024-01-01_6d9ae7bd96ad3fe1f1d4ca0085229db8_icedid_xrat was found to be: Known bad.

Malicious Activity Summary

quasar office04 spyware trojan

Quasar family

Quasar RAT

Quasar payload

Drops startup file

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

Runs ping.exe

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-05 05:44

Signatures

Quasar family

quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-05 05:44

Reported

2024-01-05 06:21

Platform

win7-20231215-en

Max time kernel

9s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-01-01_6d9ae7bd96ad3fe1f1d4ca0085229db8_icedid_xrat.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe | C:\Users\Admin\AppData\Local\Temp\2024-01-01_6d9ae7bd96ad3fe1f1d4ca0085229db8_icedid_xrat.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-01_6d9ae7bd96ad3fe1f1d4ca0085229db8_icedid_xrat.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\SubDir\Client.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe | N/A
File opened for modification | C:\Windows\system32\SubDir\Client.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe | N/A
File opened for modification | C:\Windows\system32\SubDir | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe | N/A
File opened for modification | C:\Windows\system32\SubDir\Client.exe | C:\Windows\system32\SubDir\Client.exe | N/A
File opened for modification | C:\Windows\system32\SubDir | C:\Windows\system32\SubDir\Client.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\SubDir\Client.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1712 wrote to memory of 1976 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-01_6d9ae7bd96ad3fe1f1d4ca0085229db8_icedid_xrat.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe
PID 1712 wrote to memory of 1976 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-01_6d9ae7bd96ad3fe1f1d4ca0085229db8_icedid_xrat.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe
PID 1712 wrote to memory of 1976 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-01_6d9ae7bd96ad3fe1f1d4ca0085229db8_icedid_xrat.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe
PID 1712 wrote to memory of 1976 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-01_6d9ae7bd96ad3fe1f1d4ca0085229db8_icedid_xrat.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe
PID 1976 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe | C:\Windows\system32\SubDir\Client.exe
PID 1976 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe | C:\Windows\system32\SubDir\Client.exe
PID 1976 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe | C:\Windows\system32\SubDir\Client.exe
PID 2736 wrote to memory of 1600 | N/A | C:\Windows\system32\SubDir\Client.exe | C:\Windows\system32\cmd.exe
PID 2736 wrote to memory of 1600 | N/A | C:\Windows\system32\SubDir\Client.exe | C:\Windows\system32\cmd.exe
PID 2736 wrote to memory of 1600 | N/A | C:\Windows\system32\SubDir\Client.exe | C:\Windows\system32\cmd.exe
PID 1600 wrote to memory of 2716 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 1600 wrote to memory of 2716 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 1600 wrote to memory of 2716 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 1600 wrote to memory of 2752 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 1600 wrote to memory of 2752 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 1600 wrote to memory of 2752 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\2024-01-01_6d9ae7bd96ad3fe1f1d4ca0085229db8_icedid_xrat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-01-01_6d9ae7bd96ad3fe1f1d4ca0085229db8_icedid_xrat.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\/Client_built.exe"

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\G5xDaK01VacC.bat" "

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KcxQUHTrc1lV.bat" "

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\7wRJtfMHMjVB.bat" "

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\2PuDL9Yd6UH9.bat" "

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EE38TOP2cvrk.bat" "

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uoytDN2PKOHK.bat" "

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wacB6pz03e7v.bat" "

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kkhqbk4sXzDH.bat" "

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\5VBqXgniAgEF.bat" "

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\oAskdJAjDVOu.bat" "

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BVvw3I3WnfkH.bat" "

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xgBNsMvsAJGt.bat" "

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | frp.deitie.asia | udp

Files

\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe

MD5 913cf67dc23283ceea07aa3dfaf8a8af
SHA1 7e9f646668412c74a6be095afd91c5e2bbf393d2
SHA256 31e6de48d81462319e0703cd85a867c4a39d87628af7c9edcde09b89414e05a4
SHA512 7a90945c91d876e4dfc67a70b92e0eeb91bd95001da5138a40bd590837af2ca8fa79551f864b91be6a0813e384803903e16577df63b1f85d587732ba3ac63c5e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe

MD5 504be95061cb76664be226fc2dfb69dd
SHA1 b119e65e1cf0b7969552e35ca55c1fd619b7ccc8
SHA256 73d3b333f39628362572450d2f95490ea0970ebf1fabdcea05ec19d40d407b70
SHA512 9c236d64be44dc69811c555fea2d1c55bd0e2f41db95386ae77e9bc0c7010770fd6ce5b10451fc37b86d6a453f5ee4b728fc90306af559630c9b94f125abb146

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe

MD5 9a67af8554d9852da4f1bce882602bb8
SHA1 9eef00944dc2ac438ef61370ddc2613a2bbc7f72
SHA256 efeb62f1d379a126fea9ad523971daa271a3bb8fce362bfe3556f454f3be123f
SHA512 f816b25e8fd7443bca423f74e1c5a496855e824f0578e6aa267321577b2d4806b0a1ed2f33b7f975c90e3b8decb47bb4ae0b2273c0a25e4f3fed75bdbc2b4da9

memory/1976-5-0x0000000000A70000-0x0000000000D94000-memory.dmp

memory/1976-6-0x000007FEF5A90000-0x000007FEF647C000-memory.dmp

memory/1976-7-0x000000001B340000-0x000000001B3C0000-memory.dmp

C:\Windows\system32\SubDir\Client.exe

MD5 634916b408ebdc096b27f8693afc0dd3
SHA1 c8ba0e14e0f98cfedd451b9b86617caa9a6023e5
SHA256 8d08753cf4a52cbf23982bbc6112fe8ff51881ef32b6cdeb0727c3047bef0512
SHA512 a341ef14f9dfef8b651ec0b76ea9471a1478f090d69824fa850f9c67c7f6a7e17188fd9fd5dd1b53fa2bbdc98c00833feb58fcbfbaeaa080f09de2683f15213f

memory/2736-14-0x000007FEF5A90000-0x000007FEF647C000-memory.dmp

memory/2736-13-0x0000000000360000-0x0000000000684000-memory.dmp

memory/2736-15-0x000000001B240000-0x000000001B2C0000-memory.dmp

C:\Windows\System32\SubDir\Client.exe

MD5 ef9fa1b0a1cc9084326277b08d6fc481
SHA1 804db86772bd903ef1db26eb4afcbfa03779d003
SHA256 13802dc940cfa597965bca20af55d6e185cadacd5b8b66c8748973463ff1721b
SHA512 161221e6b8299a005b8887b7ca95b77af9a0c770c873e197f9d2e44dc39c1cf3022423d9d94fe9fe1301b0c1d97bee9ebe5aca56418c45a85132eb5bc5470ee2

memory/1976-16-0x000007FEF5A90000-0x000007FEF647C000-memory.dmp

C:\Windows\System32\SubDir\Client.exe

MD5 2e213336b7719edcf453d93de6f3f7ca
SHA1 f502e7d340648f6a6d6006fea554e9897cfc0000
SHA256 dc51313e7d6d84adaf0102a7e241006d409c61ceea4ca12448aa37cd87c06da6
SHA512 d6574c39a28458ab3621b69131b4894883feb6f5673b3d5b1c41e0bfcbc5f23ec258bd066556f4f20ab3a955a2ce719fb5297ebd364d975c01b817424f5ab482

memory/2736-26-0x000007FEF5A90000-0x000007FEF647C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\G5xDaK01VacC.bat

MD5 e0d7b04d2d51c32ab114032a30b3839d
SHA1 4f2583e88cded6e03deef1fe94224836069bcece
SHA256 ba4e85f4cc00e404ed564ff0c2eec5c471675f12d89070a21a466a1ccde32fd8
SHA512 fdb4d243461df9e0eac2a6ccd01f6ec999bcb13b6774db099948627c1493569c9f55fc0ae560b0d5ce6219870c97743f120c1ae7e6d532310816f96e9c93daaa

C:\Windows\System32\SubDir\Client.exe

MD5 bf43490a43ca760b1ee9ff07c12d31af
SHA1 5ad27eb5aebba2119a5750a1bf7c673e51ca1cad
SHA256 40e2e5c284483d0eb7269734aac77a76f935e37981a0bf0e09f15163a2d94161
SHA512 5d66cbfb6b95ad2b75597d43adb4e3c715ee0c35e75ceb3f66df002ac6b965498336cae5bf17db7b36f04a5dc26251e87400f93654528cc0db98c48ab270c246

memory/2632-29-0x000007FEF50A0000-0x000007FEF5A8C000-memory.dmp

memory/2632-30-0x000000001B130000-0x000000001B1B0000-memory.dmp

memory/2632-28-0x0000000000040000-0x0000000000364000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KcxQUHTrc1lV.bat

MD5 269ddadf66d32d2656fbdc9f3b10115c
SHA1 d83591c86f645a35ea76651ceba145760bb88ff0
SHA256 c96baa3d92ab8bf0e9248607de59258823dfbed8715cb0a04e3c3c2018d41b44
SHA512 a3dd9bef6360112fae3c7b1d991ebee6d7236773d9c30afb218a8139d31bf73d1768037f443a49ba06834f4ffcd502aaeb3af4a7a43bb8f6af2d0de7df4f6e84

memory/2632-40-0x000007FEF50A0000-0x000007FEF5A8C000-memory.dmp

memory/2988-42-0x0000000000990000-0x0000000000CB4000-memory.dmp

memory/2988-43-0x000007FEF5A90000-0x000007FEF647C000-memory.dmp

memory/2988-44-0x000000001B0B0000-0x000000001B130000-memory.dmp

C:\Windows\System32\SubDir\Client.exe

MD5 ecb916ab757a8410adacd89a27fce5bb
SHA1 a2a6fb0d2aaa60aeb33b8d12ae3d6aa8087172ca
SHA256 8aa9888cf7c1380ff0a127c9e44140e2aa13a4432dca7559623ed5c3838468c0
SHA512 6b8d86f3062184203bc58b8fcb7316bd3f8dcce476711a7fb1972b8b54e18b32baec797203485037ec6e7155959a85b16238f6d811308140972740c07cbfd7aa

C:\Users\Admin\AppData\Local\Temp\7wRJtfMHMjVB.bat

MD5 5d48580c4a25e032a34fe13d0e82a0f3
SHA1 87e59edb5f501f0faafe1d7214474a22c367e13a
SHA256 380d8f23091564b2614f707b6afaddbab70c74f90aadcbb75051ddb73d2e27d8
SHA512 6a8f8fa7974391450bfebdcd3932ca3f449e623d0e1e12721182bfe23692de3d86d47425ce67be0de783e8555436a728b4ced97b72e343fa714cef7cc13e379b

memory/2988-54-0x000007FEF5A90000-0x000007FEF647C000-memory.dmp

C:\Windows\System32\SubDir\Client.exe

MD5 15106a4342f35122137fbe2704151668
SHA1 e38a4c9536733b91ccea38ac6e30852cd8e96ba6
SHA256 c41711e790a63606e0a0b91df294182a33bb202214de5d07cd2b39b9f2c591e4
SHA512 ba4253d3ae369f43134eea5af20ceffffc31a0c25e481c9ceebc631f72baa64f293d9ad2c3f46994a11a7594730fcda444f9ca3fe9a5a7aac4d0ec02c3112dbd

memory/2828-57-0x000007FEF50A0000-0x000007FEF5A8C000-memory.dmp

memory/2828-56-0x00000000010E0000-0x0000000001404000-memory.dmp

memory/2828-67-0x000007FEF50A0000-0x000007FEF5A8C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2PuDL9Yd6UH9.bat

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\2PuDL9Yd6UH9.bat

MD5 5286e1816829b4649e2658b14b31fc12
SHA1 c9e850e04f526716d2a429ea3fe251c48c9ab87d
SHA256 3fadb43753aae963bba07349fbee3ff3a21ca947650fa54df87c51cbfbc7a7b1
SHA512 822da521bf030e64dadb7269913203e41c3afce1f4fd8b7081ada1db4ee7f2c0f725177aec0c4d4ef640cab2f90e634cda84feaf2bbb0946d222dbc28fc41b9f

C:\Windows\System32\SubDir\Client.exe

MD5 58dd36d021ddb2cc0026d6fa5a023a32
SHA1 7d622d79d4f885b899693e5f859f6843e1d27aaa
SHA256 ccec5adb88dd1fe0031542b55b992e87cb289275238326268f5001fee825b3e6
SHA512 a393aaefcf9500f4b6074682089e432f4df172b589730557358e5dcad3ec427eb3014f39a3225e57c6c90f1217b0e6258d3837de83b52aa1e2630f19e10b7e5c

memory/2448-70-0x000000001B1C0000-0x000000001B240000-memory.dmp

memory/2448-69-0x000007FEF5A90000-0x000007FEF647C000-memory.dmp

memory/2448-80-0x000007FEF5A90000-0x000007FEF647C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EE38TOP2cvrk.bat

MD5 e971cc8b166f7850bbed0a5249ffa37f
SHA1 06d28f52cf06c9d2f900300435c6ab8f280b7b03
SHA256 c0f9f2c40537e500b2ca586130f1f298b0c496496a9f4ec3a860bd62b1c17017
SHA512 855e2ec56f860a25a12ecc0cd94718027e76eebb4097fa584bba957cda76d8fa4efbb2c8ff397ea8b60817cff486898025b597610f4965df33df473cfa526ca6

memory/1792-82-0x00000000012B0000-0x00000000015D4000-memory.dmp

C:\Windows\System32\SubDir\Client.exe

MD5 aebf1f88d1b7781d98c2422d27db1e27
SHA1 ae607c5835d74c90b3809c25a78e5a7a26a9a049
SHA256 8464b798269472425a4aae58e52f6bd43e98e652008be8db4e98450be3dde544
SHA512 5b97db7fb1b2b24806fd0e48cc454479ac6cd1a091cb425c5d8b4aec3ab86f2017c74a7fbba36bafdfd4fa364599d7e638e205821940dcf7425054724614d9c7

memory/1792-84-0x000000001B490000-0x000000001B510000-memory.dmp

memory/1792-83-0x000007FEF50A0000-0x000007FEF5A8C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uoytDN2PKOHK.bat

MD5 b95a34f8cf25ca63bda941392c89d72b
SHA1 46ad16ebb5e718b5e524e2185a7c3532189c00ed
SHA256 10fa80cd0f856b7f14a7b0e6cbf20afbfc020667de4e92f6ceccceba5eafbb80
SHA512 5cb6b6ac07c3705686d1349ff9b7ca609071a1e24e262d5e82b252db23e9dcd49bec736ce6aeddbe037394df4c5c3222c400fa2d2c60454135a304cfbdaa122f

memory/1792-94-0x000007FEF50A0000-0x000007FEF5A8C000-memory.dmp

memory/2504-96-0x0000000000290000-0x00000000005B4000-memory.dmp

memory/2504-97-0x000007FEF5A90000-0x000007FEF647C000-memory.dmp

memory/2504-98-0x00000000022A0000-0x0000000002320000-memory.dmp

C:\Windows\System32\SubDir\Client.exe

MD5 db8ef07966ce5ddf7fd6616c70456d4f
SHA1 a2ae47eecbabe4bd753c92935728bbf17b4c56a5
SHA256 2bbaf6e943afd6eb9d929bd4cc8df1aa642e5baa0505be4565a08ec75379bd8d
SHA512 8a8351509301cbc796f210b49d3ddb6ade4f2512ddddfb5c8d0667b3e770afc106e763d075c0d5dc9f63a2afdbdef2488508b6af24a9d1dbf19e1fd130ece91e

memory/2504-108-0x000007FEF5A90000-0x000007FEF647C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wacB6pz03e7v.bat

MD5 8651716b4aa31d08b81e1cd39706ab77
SHA1 14f0f3c63bf7bce2bee952011bfa942ee32ba8ab
SHA256 83fe094060b4cbb1f22efb6f6599102547864e2601a8f31f29e14636c06c4779
SHA512 6237e570338e2680bef83ebc632b2612d34d4caefe76f29223f6460c1fd75349c51cff479a78270c9ec8a66fbd394e1b1c3122303afad7eb4a3029b4f13a82f6

C:\Windows\System32\SubDir\Client.exe

MD5 c05d8fa3ef604f6673b0c1e8761dbad3
SHA1 262c0f2c8b34c331fae8157f81012dff2f4bd7dc
SHA256 bfd0c2b20177feda723f9837c3fbcdf378c4c9258d92a30a6afdc576f77e2198
SHA512 a00b0daab5d885485a8824298b96719d360d3a0f55843f19bb13c58febfb87a1df5520424ea2af82ac151982d4e0ebff4bedd7f28080684d00f6fda23960e377

memory/2292-111-0x000007FEF50A0000-0x000007FEF5A8C000-memory.dmp

memory/2292-110-0x0000000000910000-0x0000000000C34000-memory.dmp

memory/2292-121-0x000007FEF50A0000-0x000007FEF5A8C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Kkhqbk4sXzDH.bat

MD5 94c1509e4ede0b7f644da36f69717e3b
SHA1 7c51d761ab38c018f58afa95791cef1808976e4c
SHA256 7957d00dcede1305097b9a8cf3ad752833c588ccae9941dbf799ae0fb4e4dd76
SHA512 43756e15677bc5c73a43b607223b15b933e8bb95fdebb1e137ec3fd93bc06105cc07ef5b638b3410b182ec746164b281b26bd873152aa4d5f581a3158b73e34c

C:\Windows\System32\SubDir\Client.exe

MD5 c3503e940b29ca52c6ebc96166a0fdfb
SHA1 e2d3b2388edeb77a7787297b535cd0b4cdfe4e06
SHA256 5eb303fc91049204ece966e17dffc3ac1f9af325a6438320ca001e37bfc85adc
SHA512 74bd168fa0eb21f44e9971c934597c3e1991887ad47419285ae6f1ece9636d60bb7cd0dd2cb98a53dfc4f13bf996a3f5a1699640ac293effd42208f328221401

memory/2576-123-0x0000000000950000-0x0000000000C74000-memory.dmp

memory/2576-124-0x000007FEF5A90000-0x000007FEF647C000-memory.dmp

memory/2576-125-0x000000001B310000-0x000000001B390000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5VBqXgniAgEF.bat

MD5 f89bf0e3de10453d4548520ab10cd36e
SHA1 478d69b9810d5c25bdff9a4c1bc1957a874e17db
SHA256 07378a97cc670ec23acb5bf4e38f7cd971b459b8c0b1f47ca5cafaa031633f8a
SHA512 4dd74ea8e67d86a3008d2b58d5555d912e9c916993e00f6294c27890d324becde42ac78dc67a423bb0446402bf410fdd6ca90867323a52ae5fe41c1e97ff6110

memory/2576-135-0x000007FEF5A90000-0x000007FEF647C000-memory.dmp

C:\Windows\System32\SubDir\Client.exe

MD5 097bbf5d5748290c58295373009deb0e
SHA1 734db617bbbb8d84d4e4b2ab3265763b83f2c076
SHA256 72bc48b0b4f1d32d081deb68bb95a8c6613fba33d72c22eba02a1b0f490f6182
SHA512 6b023c372c38fea7c190c4eda08c1b4061802b2f20d28846148a9ffee6480286ba38ce9dba11ce3a7890be5b29d9e7da14ea2657854256bbc37f66d40f910061

memory/576-138-0x000007FEF50A0000-0x000007FEF5A8C000-memory.dmp

memory/576-139-0x00000000002B0000-0x0000000000330000-memory.dmp

memory/576-137-0x0000000000330000-0x0000000000654000-memory.dmp

memory/576-149-0x000007FEF50A0000-0x000007FEF5A8C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\oAskdJAjDVOu.bat

MD5 dd5c706d4cd1bc93fcfdb98897b7b2ea
SHA1 4f095fcfbaff8e4a1ecdadfa0ff4f1f43688e086
SHA256 538c434e0c79cdc9427756073420843d3870b0c3262ab063a36f7784854ccfcc
SHA512 f6e2b3022db1c163fb91d640cf8adf9220c03b796de014102db3c65c390f1090608500274674e26ad5e1e16f7f8619f4373928766ac32fd83790aff80f94aefd

memory/2808-152-0x000007FEF5A90000-0x000007FEF647C000-memory.dmp

memory/2808-153-0x00000000007F0000-0x0000000000870000-memory.dmp

memory/2808-151-0x00000000003B0000-0x00000000006D4000-memory.dmp

C:\Windows\System32\SubDir\Client.exe

MD5 07adbc03ac19b736cb03c2d4d2041bf5
SHA1 2679be8c50e1fecb89a88c7c20db3f09f2585b41
SHA256 729c746ace11f233ef3b350f5331a9113325343a5cf34cfa210b133de4d08ba9
SHA512 bf0704dd15074d70420cac1fbe006e1ca08e0f0ca59e349361ed0b6458dc827e07c59a37dae3cd22e37dbe257c5d05ca9e71225b94421c1479838bd2d6b028e6

memory/2808-163-0x000007FEF5A90000-0x000007FEF647C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BVvw3I3WnfkH.bat

MD5 dc0dd486cbc59ef258d9933ff1f84b71
SHA1 b50875674a1db01b5402aa8254cc8f066b19b5c8
SHA256 da965f2d8fc7c277df921dec9842b7b70b85547aa1e638e5ccb168b04e30650a
SHA512 256e8c6cdfcbd490c467a49fac4ce7979fccf49d71ebf9e44d77dd86867331c9a145103bbd16113e734f42290962a81e1247f5606fefa3110c64e22cfcdc0519

memory/1064-165-0x00000000012A0000-0x00000000015C4000-memory.dmp

memory/1064-166-0x000007FEF50A0000-0x000007FEF5A8C000-memory.dmp

memory/1064-167-0x000000001B450000-0x000000001B4D0000-memory.dmp

C:\Windows\System32\SubDir\Client.exe

MD5 bbfa4cfa5954fba18192870cda200841
SHA1 fbd8d56c312ae4dfa8b24e6503271e63c110a847
SHA256 2bd86058d97cb08e40610ef49482c92c2c74cd4d7d35d7a040d7262afebe8dae
SHA512 cc15ebd3127d9ed361c4a1080abc13f1a0efd5b7869faf5b549f195761e34dabc67c244928938187d641e74ac52b2467fcc53d9f3117a1f04ef47158ecf53bfb

memory/1064-177-0x000007FEF50A0000-0x000007FEF5A8C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xgBNsMvsAJGt.bat

MD5 35029052f8d6d7c68dd1bd4f81b25c70
SHA1 f1dd7709a7b51443ebbb610dbc39ecf9d5bb3f2d
SHA256 84d8d9b53b7709a08aaa65ea38bd6f47a30800253952e501cab684d8b181ad0d
SHA512 d16a18c64423b5010bbaf98eb55cde59bec25a4f03b3a1da924ebd52e648b34491a65ee38ab68f87b3361be1299c1e67ad56c8186b0f610f6f4e91d4f9ba46b1

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-05 05:44

Reported

2024-01-05 06:21

Platform

win10v2004-20231215-en

Max time kernel

6s

Max time network

116s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-01-01_6d9ae7bd96ad3fe1f1d4ca0085229db8_icedid_xrat.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe | C:\Users\Admin\AppData\Local\Temp\2024-01-01_6d9ae7bd96ad3fe1f1d4ca0085229db8_icedid_xrat.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system32\SubDir | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe | N/A
File opened for modification | C:\Windows\system32\SubDir\Client.exe | C:\Windows\system32\SubDir\Client.exe | N/A
File opened for modification | C:\Windows\system32\SubDir | C:\Windows\system32\SubDir\Client.exe | N/A
File created | C:\Windows\system32\SubDir\Client.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe | N/A
File opened for modification | C:\Windows\system32\SubDir\Client.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\SubDir\Client.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-01-01_6d9ae7bd96ad3fe1f1d4ca0085229db8_icedid_xrat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-01-01_6d9ae7bd96ad3fe1f1d4ca0085229db8_icedid_xrat.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\/Client_built.exe"

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Chgp1cuxHkVA.bat" "

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xIrdQCj5ZmHr.bat" "

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yAKvcgVE5o0r.bat" "

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GmuzBbM7Iby6.bat" "

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wEHBkXzICv8B.bat" "

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\z7UbQQQvTjey.bat" "

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bmWmpYoog9K4.bat" "

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6EUQLovqokVd.bat" "

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jdf6mKqHukzz.bat" "

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7RKsgGDCY9AU.bat" "

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LFB3sVAY7WVp.bat" "

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\z1xIW5KbKyIq.bat" "

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KmShIJt0siQA.bat" "

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cgiBzfDUCGQR.bat" "

Network

Country | Destination | Domain | Proto
NL | 52.142.223.178:80 | | tcp
US | 8.8.8.8:53 | 22.177.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp
US | 204.79.197.200:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | frp.deitie.asia | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | frp.deitie.asia | udp
US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp
US | 8.8.8.8:53 | frp.deitie.asia | udp
US | 8.8.8.8:53 | frp.deitie.asia | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | frp.deitie.asia | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | frp.deitie.asia | udp
US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | frp.deitie.asia | udp
US | 8.8.8.8:53 | frp.deitie.asia | udp
US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | frp.deitie.asia | udp
US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp
US | 8.8.8.8:53 | frp.deitie.asia | udp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe

MD5 d0df40c55cb3aa4237ef6a55d7b4d994
SHA1 187a806154c8c2890a21b092f16ba419cf605ea1
SHA256 1d4ea166c828182972c9757abd8fbb5045232932c7c58b744627ad9a7dabca92
SHA512 7c6419a79c7ba9e17d538457830a8b30ac8c3c185cbcd7f949b79dcc158db789bef957bb6d18a06fd09a37c8c49ec36627be6075d73dbec869632a2bb5da2a14

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe

MD5 d3672120ce42656a2ecb0b223569864e
SHA1 e9e1861b713355658e698326bc3200c644728a3f
SHA256 0285eb337448b4554f7a4249ed597dda840e4203f3c4442b8929532918cd94b2
SHA512 536db817d7fdf80c2e8577d0c0fecc6b0bb00726f8df885e380b243449318cba1e576301a2c6e34a55effd6ca78b17ce046f5758af6e7ad47ed5656fc02b6cc6

memory/628-4-0x0000000000930000-0x0000000000C54000-memory.dmp

memory/628-6-0x0000000002D70000-0x0000000002D80000-memory.dmp

memory/628-5-0x00007FFB21230000-0x00007FFB21CF1000-memory.dmp

C:\Windows\system32\SubDir\Client.exe

MD5 bd5a7685285ad86eab6a273d445e33c2
SHA1 b5ad5b3191ba2e433156fb87e0dab769bf88cc85
SHA256 786c3d778f1b424388532477caea02c8a1bd2fe4b000738e32d845123d8d1f5b
SHA512 a7855bb1a5eeb73921caa0ea23938eac7c4286660dde2291389f26e11baa21b1f5d7eb72849f1ac1f1bd52928ffd82e3f6bada52ed602c25bd0aa79fb341c7b2

C:\Windows\System32\SubDir\Client.exe

MD5 e68b098936c3b553c9af56688058bbf0
SHA1 cf83753e73e91bac71df4a42418c142c25a4b566
SHA256 edd5c2078dec30d451835c5eb4c7c2bcb6ac8341d9847c03651324b46736b69d
SHA512 3f70d93600c524c6a763b8ccdc4c80247c409eb7c9acd188f81bfabf7d58765eee2846a6d22a5a2d6680300726309b5da39a6139e83fb7ac2069f915d8253f58

memory/1684-13-0x00007FFB21230000-0x00007FFB21CF1000-memory.dmp

memory/1684-15-0x000000001B770000-0x000000001B780000-memory.dmp

memory/628-14-0x00007FFB21230000-0x00007FFB21CF1000-memory.dmp

C:\Windows\System32\SubDir\Client.exe

MD5 768087968033c325aa278f04825d77dd
SHA1 f6699787f9b29203c461f6f78bba973748ab97e6
SHA256 fc125c9856850ea6e87faf9fbd0295ac78538dae743d1f769057d8547353647a
SHA512 d8de2726abc40bbad1d1a5b84fb7db403669fd6e7cb06d7912766ddc1f73c22e165adc2766de2c36fd780345bf107a1a92e998e2d67022bb79525a041bbdf228

memory/1684-16-0x000000001B980000-0x000000001B9D0000-memory.dmp

memory/1684-17-0x000000001BA90000-0x000000001BB42000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Chgp1cuxHkVA.bat

MD5 3341f1463f52a06b80b03fd476b73b12
SHA1 4ea9144184797aefa4ee3071a43829861fd47810
SHA256 8fabc81a4ae81adb8398e93e5beb7e9489f0887cfb8ac74247a8ed0f4eab5a75
SHA512 d22345bbe5223c9f6d6d468c8538e2925712c4f243fa0184c3dbfbfa705fd4ed70870c9b93d168dd829cb01036ae7ae62630f5dd28b7c51e7b679e72803e640d

memory/1684-23-0x00007FFB21230000-0x00007FFB21CF1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

MD5 8f0271a63446aef01cf2bfc7b7c7976b
SHA1 b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7
SHA256 da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c
SHA512 78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

memory/1312-26-0x00007FFB209B0000-0x00007FFB21471000-memory.dmp

memory/1312-27-0x000000001B570000-0x000000001B580000-memory.dmp

C:\Windows\System32\SubDir\Client.exe

MD5 92f7650293d68d045a82dec8e52d3014
SHA1 6ce00d91c58ce6387f284574736ad5c4572188de
SHA256 82cb85f0b379c9451151f6dd49f2d6ee1067bd4e2a7389e4a2b756a0c7cbecd1
SHA512 ceda783de55decb6af8491525514bb512016e2f6f062fb9a21e9af4f833c96371f4d1d7c9a100e61d3148c6d30fb14b155a8ed40d19ea4f3102d5b53438cf13c

memory/1312-32-0x00007FFB209B0000-0x00007FFB21471000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xIrdQCj5ZmHr.bat

MD5 454b354ef2a2a6a89746a40e9f901f40
SHA1 80e0c0c86535866a6496ec40e66c84dda3afe05a
SHA256 94595c1f8678e3972c7b21f5f8bf6b32cc2441504c4721a34effed498b4fd976
SHA512 0699c560ce3d99d78fd345ec269a85262d4c5c2194593121fb607f47785a7077d75d76f22b94748ee4b0d98227203847c30d2304f66d249ed26df696fa2383de

C:\Windows\System32\SubDir\Client.exe

MD5 a3e1deda29b341dd78e79338c173a843
SHA1 a600ab0e42b853f2bedfefd6d7ac3a0a5264e43b
SHA256 6dae5ce577288e430d33e12035e5e9a50ebae01d2b283ff6c8ed6ffc043c13cb
SHA512 92a6e61821b7de779fa8f94804eb880d249bced4ee22f4135123dfced369d3fd85d4b961d081741146fd9739d1cf4a4acaa0fe71c4f18470b710098fb106421b

memory/4932-35-0x000000001AF60000-0x000000001AF70000-memory.dmp

memory/4932-34-0x00007FFB209B0000-0x00007FFB21471000-memory.dmp

memory/4932-40-0x00007FFB209B0000-0x00007FFB21471000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\yAKvcgVE5o0r.bat

MD5 3cd5972c3864913d41050c33a9fdbf03
SHA1 7e531e54ceccdab2b9aad4f2fb2ec763ca047e26
SHA256 c1b9ebc7cbf403591dbc22d460f76d5f78086a9364cc4aa80e1d85129cf18762
SHA512 e36a8b5838c182a07edd59ab6f308cb92a2759809d778ab3b91aa986e76a0debe42303e2ab75a89891fd124a405f05d79eaa449eb913228be9e2e4cecc879653

C:\Windows\System32\SubDir\Client.exe

MD5 e849b8dc7420de025c784ee4a3607ff4
SHA1 8163e9989e6d3e41da3520d9fb37641dcbd039c5
SHA256 6d6168dd05091daf3fd9940029ad26ec31fb156b42910d6c95e338433b8ec650
SHA512 50c450e6c702352c3eef7b6ca88971919ee6e65a1f5d6522c47db6bd18aeb0a5ee24da6a838d1813f4543d8879cf1983cd084c96d02e65bb75883a670919eb1b

memory/2604-43-0x000000001AF30000-0x000000001AF40000-memory.dmp

memory/2604-42-0x00007FFB20630000-0x00007FFB210F1000-memory.dmp

memory/2604-48-0x00007FFB20630000-0x00007FFB210F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GmuzBbM7Iby6.bat

MD5 3fd1bc398be6b50f9f8aac86922c1a09
SHA1 c7534fabbde9f33bf93401aaeeebaa2884063c43
SHA256 041058228d450d16afecfacbd9f99f5e6a657abc1e8ca435f51b1ec78f8cf3d9
SHA512 a871872d02a01b865a6c2a9aaa8bf775e7b15628a1f89863780859ef9b77786921c5003aa313ca5a4268f0e38738600f0f3be2b3cf96e5d97cd95445ac445e09

C:\Windows\System32\SubDir\Client.exe

MD5 415ca19c08e92d33688c0d2f406f2b28
SHA1 702d6350d5e0f74ffad3d33d09a360dcf79c8639
SHA256 2ad95023fd1acf4e8838c1852b922f0ef4ffaf2624aee012b2e6130010839839
SHA512 a1396848ddfb41a68acad2d265c9a72f47c465fe68de63209f82890db08791cb27c560bd5d7ee61c8c455a423ccf786e389ddae2374cefe6c42bd104ef968cf7

memory/1668-50-0x00007FFB20510000-0x00007FFB20FD1000-memory.dmp

memory/1668-51-0x0000000002710000-0x0000000002720000-memory.dmp

memory/1668-56-0x00007FFB20510000-0x00007FFB20FD1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wEHBkXzICv8B.bat

MD5 6f3561c461a8047d06a41d0409ea6c76
SHA1 6b6c459d092f5965c1673dbad645c76aecb79c36
SHA256 b0d9b7171ac4b4553a6ee9dca8e964d97d84d5dd28675d35ce65f03a53b50196
SHA512 97cc2b20499de57ea01d278fd7ba11dd75fd124fd386b78838cee740290d74188268312669269cd95f0cb546b6d04a7cbaf898403585a8ef600b5a2450aef06b

C:\Windows\System32\SubDir\Client.exe

MD5 6406954f8064c510b07b0f77821909d8
SHA1 3fba0962e0a881460924341c19f512b95b968862
SHA256 1afdfe40395ff26e8dbb83b8a7022a37612b6a93b95574ac878bc45e779bdb09
SHA512 c6a0d830c838cfaef7df0bd05e1e2ed8119dd7785c3913fda1cd1c22435e2667a2b4ff7a6a71466918f4d4ed213a3db0aa413d4f7578868ea8a8bfaaaa71f507

memory/3456-59-0x000000001B2B0000-0x000000001B2C0000-memory.dmp

memory/3456-58-0x00007FFB20890000-0x00007FFB21351000-memory.dmp

memory/3456-64-0x00007FFB20890000-0x00007FFB21351000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\z7UbQQQvTjey.bat

MD5 00a256c6892b1172fa0c3bce418e684b
SHA1 e33c1df80cf704f5259cb5bca4e0f7e845cec13c
SHA256 1d861e24e3e93774980f898848df403ed69d5e5efe3e49f068f2b59f2142b306
SHA512 8e2682cea668a46c6a37da2cb9c944bd5714b1f3253c46ed68968bb0471effb7b72a3e34996915dc8d289e475f1d068ea86e6a92673109d93c01e89dda7c41a4

C:\Windows\System32\SubDir\Client.exe

MD5 f784d6065ffc15c42d3af6e89bd45d4e
SHA1 3bed49e7dabb87a8ca51be56db4de6a0d65cb31b
SHA256 99835cd0edeb744626616286955c627455dea23fec9951f5301dbff9ffe82f14
SHA512 929a4cfd8fc90cd4f861f385d149e462b0da320c92cf61b8b1aa13fc785d58667e29221109cef82ecc933af83914e37cbb6baa0f88faa011b54baa3b29ab9b32

memory/4936-66-0x00007FFB20890000-0x00007FFB21351000-memory.dmp

memory/4936-67-0x000000001BEB0000-0x000000001BEC0000-memory.dmp

memory/4936-72-0x00007FFB20890000-0x00007FFB21351000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bmWmpYoog9K4.bat

MD5 f1983c0fd65eb0221ef4dce3ebcfe9ec
SHA1 97ba2a22c5f7149464d6677735a57b0a57793e43
SHA256 a452ff4ca6916a8bba2b45a5cd5cad7e0e9ee4b2347a5c9f5900cbbdf34fd2a4
SHA512 e6a70a4e84717f310489144fa41e803d0bf1390f50f44fc668a744684264def730aa09496323813231bd28e69286e88bd96da866c5bcb39da7ba60eff77e3a1f

C:\Windows\System32\SubDir\Client.exe

MD5 eb98ba430808ff597812954a68b6920b
SHA1 a8da1b7f2f971fca24c59adad040b473c8613925
SHA256 681b5f3ee5a4bb12a68033b43af1650934bc68234a458eb494ca8073cd3ad657
SHA512 ffc87ba38df9c1c258b961489b4e1732f8fbbfc9a6fb7aa6c3789aa6ecfdf0c915eb10f7e51341b7c938bc6ca911eb60e75b258ec291fa8eb36feff8db33656c

memory/3188-74-0x00007FFB20890000-0x00007FFB21351000-memory.dmp

memory/3188-75-0x00000000030C0000-0x00000000030D0000-memory.dmp

memory/3188-80-0x00007FFB20890000-0x00007FFB21351000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6EUQLovqokVd.bat

MD5 2b883f3dc09548b2846233de113c3d32
SHA1 570077a83fbc685a078978fe019a1284234270a7
SHA256 ee5ff29eb3c4e99ab0134d497cc7189c0f2e7c014c6b0734552cc80f2c21be0c
SHA512 5a317d651e5375efcc8fb0a9227dcebfadcb45bdc04c2bf718ebd95e6474c61dbd5e27390a1ace0332b0ea2480b231949b4252191fd12aa0292abc3125caa66f

C:\Windows\System32\SubDir\Client.exe

MD5 e582961b354f2314424e28acca605658
SHA1 e33f2674e7a4cd95a8db85157ac61406db1f2c9a
SHA256 61c70ca6605ff403d98cd66f4a7c32232870f1b15563767ce5cd231788665b97
SHA512 6696c6b6d6fe65f8ce276fc6eb8a14794f18a4167bd3e736d1ae471a4306682a2d4731bf06170d0ed64b97c078b503c8584601c2a3bd840051d151341ed0283c

memory/3348-82-0x00007FFB20330000-0x00007FFB20DF1000-memory.dmp

memory/3348-83-0x00000000029E0000-0x00000000029F0000-memory.dmp

memory/3348-88-0x00007FFB20330000-0x00007FFB20DF1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jdf6mKqHukzz.bat

MD5 67bc7669467a50b7a56b64836d6a3ab1
SHA1 3e985581ab71b254585b0b8ff61dafc3bbfda8f6
SHA256 fca3a0aea28f4e0b2a8c72aec0faf88ca25424897829e7e1e3bd26f7452feac3
SHA512 b78733d3f674db003372b5530bfecdd79ae9f74ac5bb872839863df8e60a1346807f405d5f9c3cddb006fee495a4b8a1f03bf8c64f1505385373bd7edbc87b60

C:\Windows\System32\SubDir\Client.exe

MD5 2b9acdfecb754f1597ea02fa57214a82
SHA1 00c8d2571e3218bb97a5f6eed9789ced6f4bba0d
SHA256 b5924c2681f7233a0f2b46065c2e013e367cdee4e0ebaabf9de80081558b665f
SHA512 184e113cdf09508591df9dc1580a8b2c10e295a40b347e6b2fc6ddb355ac9eb6538a30474ed2bff052f57429627140a0767b951dcdde3f54d2c09a6cb576f4e4

memory/1548-90-0x00007FFB20330000-0x00007FFB20DF1000-memory.dmp

memory/1548-91-0x000000001B7F0000-0x000000001B800000-memory.dmp

memory/1548-96-0x00007FFB20330000-0x00007FFB20DF1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7RKsgGDCY9AU.bat

MD5 98d1b50e9711594fefa9f5b380cbcbef
SHA1 0188ab0e594eb566ecf37476a92cb8d48d225975
SHA256 df1207322b5e8bb67900765c6b627ceda814b52edda6b8c382483624bd9df95e
SHA512 095b15a65d31e9991d3cf5a0df3eb9f2ffc49b4d897fecb19f04cab5bafe180e561774b6cf64194554d02777095e87c2a2f03350367b3c32748912af5d517bab

C:\Windows\System32\SubDir\Client.exe

MD5 91337d2f31811fb204085992bb08b71a
SHA1 8f1945947a10f130f5fe869655312ab3745714b7
SHA256 fc891f279231fb70f0bac4fcd5c6cee74548a6d103af2269c0a6ecca10113e72
SHA512 c49d9cbac8d1efa9005b1b6ce4a7eb3f361ad13c5811418de1f51859e327ab00e7270eec4c6d8188dbae44b34da2dc228eb2832b80fbf213e3282d33e9b7db08

memory/2896-98-0x00007FFB20510000-0x00007FFB20FD1000-memory.dmp

memory/2896-99-0x0000000002EA0000-0x0000000002EB0000-memory.dmp

memory/2896-104-0x00007FFB20510000-0x00007FFB20FD1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\LFB3sVAY7WVp.bat

MD5 05d8aaaa99aa38fec414bd85c9c39ce2
SHA1 bdaaf83bf7f7fc79b8868277ebeb277338f7ac34
SHA256 4683a0ab02d1dedc9f2ff915a79f7fb2850291cc1a3044618bf2847126fa5f5c
SHA512 46cc884c75f601db412878cfb37470832bcda69b5c93565ea7206a8f93f749216bd26266a2145677e1ed5b12799d7fabe5ebd9a4e04f1370a90b82d1c06cf1dc

C:\Windows\System32\SubDir\Client.exe

MD5 b06211c7e7d02d68efd015bdc720c72f
SHA1 43884f73d5c4350d7f87fad7bdfacebf3621ac6c
SHA256 071b548e13a7b5ba94b0dc1029f57ca363ef5b2cf2179f020a61ef0b397abb3c
SHA512 a07cf684292674b092a3386270f56f98789ea41cbd8145415ad4a9eccf659a971a3e2c346e9d345c2a701f341c2cdee6a2968beeb5704f1a20794774dab720ef

memory/4324-106-0x00007FFB207C0000-0x00007FFB21281000-memory.dmp

memory/4324-107-0x000000001B500000-0x000000001B510000-memory.dmp

memory/4324-112-0x00007FFB207C0000-0x00007FFB21281000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\z1xIW5KbKyIq.bat

MD5 8b6e44cf3cd9b7e22f4df6053b85e2b8
SHA1 34771805bf7e596f277e7db49e35ebd42f9686c8
SHA256 004277b947eb4a5e061f435a6c292da0e845c971a5abd9e77e8dbe24e2c9eb47
SHA512 d647c33e0fc09af4963221cb3f1c29ad05b23224e9d97518c8484663ed428dd1a0978cb7ce46f69337713cfc667aaac2153c388ac855c6822388429ed733555b

C:\Windows\System32\SubDir\Client.exe

MD5 dbf8e6fd52743e47c27c5456814b2b89
SHA1 ee9f80096eb7adcd2bf5e270f5548c242f3fe140
SHA256 eba8e1c9b0b9b9db7f55c7160bd6c55fde494b3132680b557d1a55a9a0d3884d
SHA512 a264b263fdebceae6af188cd157fb7a9e349d6268c14cbdbdb4c17f350dd4660eced14bc7f106c689ab4f3499d728757312a97fc116cda50aab6913345563dd5

memory/332-115-0x000000001B660000-0x000000001B670000-memory.dmp

memory/332-114-0x00007FFB207C0000-0x00007FFB21281000-memory.dmp

memory/332-120-0x00007FFB207C0000-0x00007FFB21281000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KmShIJt0siQA.bat

MD5 ec2dbfed483463a82a1758aae6db6665
SHA1 a32f3dcfcab65e8194bd3ec8caf9ce95e4a5deac
SHA256 c3f1646a838472ca64e73d0aa97809b923ae2a1c0f87b7befb33817270c05fec
SHA512 26413af68ee905e945136060b11903180c68d43016529a77f0be2a402dcb4b7a6c25b88b26c696efc2ef3e59c77b8f4b1b005572c5890237612d21781aff3549

C:\Windows\System32\SubDir\Client.exe

MD5 154c282605791ba01e98e2fe677adb75
SHA1 91548be00a32af499a70c896513ce24a05e7a499
SHA256 7f1da441850f843b5629c9fcbf8da34253e39dfb9658a71cb24b386a408d6f51
SHA512 bc067c5246fde82e6f90ac5b81a76cbaa58a0249b153199d82b04ab96bc16a14e386d6fe2f66d88cd29c74a33fad1e837d609de9b899c93f73a0fe057ac09862

memory/1040-122-0x00007FFB202A0000-0x00007FFB20D61000-memory.dmp

memory/1040-123-0x000000001B470000-0x000000001B480000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cgiBzfDUCGQR.bat

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1040-128-0x00007FFB202A0000-0x00007FFB20D61000-memory.dmp