Analysis Overview
SHA256
82dfd095c6d9f8e5e206e74d9717c0e5311d88906b7305052b3d9e5566ed1f83
Threat Level: Known bad
The file 2024-01-01_6d9ae7bd96ad3fe1f1d4ca0085229db8_icedid_xrat was found to be: Known bad.
The "icedid" tag in the submitted filename is not supported by anything on this page: every family signature that fired is Quasar. The "xrat" tag is consistent with that verdict, Quasar having earlier been published under the name xRAT.
Malicious Activity Summary
Quasar family
Quasar RAT
Quasar payload
Drops startup file
Loads dropped DLL
Executes dropped EXE
Drops file in System32 directory
Enumerates physical storage devices
Unsigned PE
Runs ping.exe
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-05 05:44
Signatures
Quasar family
Quasar payload
1 hit recorded; the report gives no indicator, process or target details for it.
Unsigned PE
1 hit recorded; the report gives no indicator, process or target details for it.
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-05 05:44
Reported
2024-01-05 06:21
Platform
win7-20231215-en
Max time kernel
9s
Max time network
152s
Command Line
Signatures
Quasar RAT
Quasar payload
16 hits recorded; the report gives no indicator, process or target details for them.
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe | C:\Users\Admin\AppData\Local\Temp\2024-01-01_6d9ae7bd96ad3fe1f1d4ca0085229db8_icedid_xrat.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\Client.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-01_6d9ae7bd96ad3fe1f1d4ca0085229db8_icedid_xrat.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\SubDir\Client.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe | N/A |
| File opened for modification | C:\Windows\system32\SubDir\Client.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe | N/A |
| File opened for modification | C:\Windows\system32\SubDir | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe | N/A |
| File opened for modification | C:\Windows\system32\SubDir\Client.exe | C:\Windows\system32\SubDir\Client.exe | N/A |
| File opened for modification | C:\Windows\system32\SubDir | C:\Windows\system32\SubDir\Client.exe | N/A |
Enumerates physical storage devices
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-01_6d9ae7bd96ad3fe1f1d4ca0085229db8_icedid_xrat.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-01_6d9ae7bd96ad3fe1f1d4ca0085229db8_icedid_xrat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-01-01_6d9ae7bd96ad3fe1f1d4ca0085229db8_icedid_xrat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-01_6d9ae7bd96ad3fe1f1d4ca0085229db8_icedid_xrat.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\/Client_built.exe"
C:\Windows\system32\SubDir\Client.exe
"C:\Windows\system32\SubDir\Client.exe"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\G5xDaK01VacC.bat" "
C:\Windows\system32\SubDir\Client.exe
"C:\Windows\system32\SubDir\Client.exe"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\KcxQUHTrc1lV.bat" "
C:\Windows\system32\SubDir\Client.exe
"C:\Windows\system32\SubDir\Client.exe"
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\7wRJtfMHMjVB.bat" "
C:\Windows\system32\SubDir\Client.exe
"C:\Windows\system32\SubDir\Client.exe"
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\2PuDL9Yd6UH9.bat" "
C:\Windows\system32\SubDir\Client.exe
"C:\Windows\system32\SubDir\Client.exe"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\EE38TOP2cvrk.bat" "
C:\Windows\system32\SubDir\Client.exe
"C:\Windows\system32\SubDir\Client.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\uoytDN2PKOHK.bat" "
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\SubDir\Client.exe
"C:\Windows\system32\SubDir\Client.exe"
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\wacB6pz03e7v.bat" "
C:\Windows\system32\SubDir\Client.exe
"C:\Windows\system32\SubDir\Client.exe"
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kkhqbk4sXzDH.bat" "
C:\Windows\system32\SubDir\Client.exe
"C:\Windows\system32\SubDir\Client.exe"
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\5VBqXgniAgEF.bat" "
C:\Windows\system32\SubDir\Client.exe
"C:\Windows\system32\SubDir\Client.exe"
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\oAskdJAjDVOu.bat" "
C:\Windows\system32\SubDir\Client.exe
"C:\Windows\system32\SubDir\Client.exe"
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\BVvw3I3WnfkH.bat" "
C:\Windows\system32\SubDir\Client.exe
"C:\Windows\system32\SubDir\Client.exe"
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\xgBNsMvsAJGt.bat" "
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | frp.deitie.asia | udp |
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe
| MD5 | 913cf67dc23283ceea07aa3dfaf8a8af |
| SHA1 | 7e9f646668412c74a6be095afd91c5e2bbf393d2 |
| SHA256 | 31e6de48d81462319e0703cd85a867c4a39d87628af7c9edcde09b89414e05a4 |
| SHA512 | 7a90945c91d876e4dfc67a70b92e0eeb91bd95001da5138a40bd590837af2ca8fa79551f864b91be6a0813e384803903e16577df63b1f85d587732ba3ac63c5e |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe
| MD5 | 504be95061cb76664be226fc2dfb69dd |
| SHA1 | b119e65e1cf0b7969552e35ca55c1fd619b7ccc8 |
| SHA256 | 73d3b333f39628362572450d2f95490ea0970ebf1fabdcea05ec19d40d407b70 |
| SHA512 | 9c236d64be44dc69811c555fea2d1c55bd0e2f41db95386ae77e9bc0c7010770fd6ce5b10451fc37b86d6a453f5ee4b728fc90306af559630c9b94f125abb146 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe
| MD5 | 9a67af8554d9852da4f1bce882602bb8 |
| SHA1 | 9eef00944dc2ac438ef61370ddc2613a2bbc7f72 |
| SHA256 | efeb62f1d379a126fea9ad523971daa271a3bb8fce362bfe3556f454f3be123f |
| SHA512 | f816b25e8fd7443bca423f74e1c5a496855e824f0578e6aa267321577b2d4806b0a1ed2f33b7f975c90e3b8decb47bb4ae0b2273c0a25e4f3fed75bdbc2b4da9 |
memory/1976-5-0x0000000000A70000-0x0000000000D94000-memory.dmp
memory/1976-6-0x000007FEF5A90000-0x000007FEF647C000-memory.dmp
memory/1976-7-0x000000001B340000-0x000000001B3C0000-memory.dmp
C:\Windows\system32\SubDir\Client.exe
| MD5 | 634916b408ebdc096b27f8693afc0dd3 |
| SHA1 | c8ba0e14e0f98cfedd451b9b86617caa9a6023e5 |
| SHA256 | 8d08753cf4a52cbf23982bbc6112fe8ff51881ef32b6cdeb0727c3047bef0512 |
| SHA512 | a341ef14f9dfef8b651ec0b76ea9471a1478f090d69824fa850f9c67c7f6a7e17188fd9fd5dd1b53fa2bbdc98c00833feb58fcbfbaeaa080f09de2683f15213f |
memory/2736-14-0x000007FEF5A90000-0x000007FEF647C000-memory.dmp
memory/2736-13-0x0000000000360000-0x0000000000684000-memory.dmp
memory/2736-15-0x000000001B240000-0x000000001B2C0000-memory.dmp
C:\Windows\System32\SubDir\Client.exe
| MD5 | ef9fa1b0a1cc9084326277b08d6fc481 |
| SHA1 | 804db86772bd903ef1db26eb4afcbfa03779d003 |
| SHA256 | 13802dc940cfa597965bca20af55d6e185cadacd5b8b66c8748973463ff1721b |
| SHA512 | 161221e6b8299a005b8887b7ca95b77af9a0c770c873e197f9d2e44dc39c1cf3022423d9d94fe9fe1301b0c1d97bee9ebe5aca56418c45a85132eb5bc5470ee2 |
memory/1976-16-0x000007FEF5A90000-0x000007FEF647C000-memory.dmp
C:\Windows\System32\SubDir\Client.exe
| MD5 | 2e213336b7719edcf453d93de6f3f7ca |
| SHA1 | f502e7d340648f6a6d6006fea554e9897cfc0000 |
| SHA256 | dc51313e7d6d84adaf0102a7e241006d409c61ceea4ca12448aa37cd87c06da6 |
| SHA512 | d6574c39a28458ab3621b69131b4894883feb6f5673b3d5b1c41e0bfcbc5f23ec258bd066556f4f20ab3a955a2ce719fb5297ebd364d975c01b817424f5ab482 |
memory/2736-26-0x000007FEF5A90000-0x000007FEF647C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\G5xDaK01VacC.bat
| MD5 | e0d7b04d2d51c32ab114032a30b3839d |
| SHA1 | 4f2583e88cded6e03deef1fe94224836069bcece |
| SHA256 | ba4e85f4cc00e404ed564ff0c2eec5c471675f12d89070a21a466a1ccde32fd8 |
| SHA512 | fdb4d243461df9e0eac2a6ccd01f6ec999bcb13b6774db099948627c1493569c9f55fc0ae560b0d5ce6219870c97743f120c1ae7e6d532310816f96e9c93daaa |
C:\Windows\System32\SubDir\Client.exe
| MD5 | bf43490a43ca760b1ee9ff07c12d31af |
| SHA1 | 5ad27eb5aebba2119a5750a1bf7c673e51ca1cad |
| SHA256 | 40e2e5c284483d0eb7269734aac77a76f935e37981a0bf0e09f15163a2d94161 |
| SHA512 | 5d66cbfb6b95ad2b75597d43adb4e3c715ee0c35e75ceb3f66df002ac6b965498336cae5bf17db7b36f04a5dc26251e87400f93654528cc0db98c48ab270c246 |
memory/2632-29-0x000007FEF50A0000-0x000007FEF5A8C000-memory.dmp
memory/2632-30-0x000000001B130000-0x000000001B1B0000-memory.dmp
memory/2632-28-0x0000000000040000-0x0000000000364000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\KcxQUHTrc1lV.bat
| MD5 | 269ddadf66d32d2656fbdc9f3b10115c |
| SHA1 | d83591c86f645a35ea76651ceba145760bb88ff0 |
| SHA256 | c96baa3d92ab8bf0e9248607de59258823dfbed8715cb0a04e3c3c2018d41b44 |
| SHA512 | a3dd9bef6360112fae3c7b1d991ebee6d7236773d9c30afb218a8139d31bf73d1768037f443a49ba06834f4ffcd502aaeb3af4a7a43bb8f6af2d0de7df4f6e84 |
memory/2632-40-0x000007FEF50A0000-0x000007FEF5A8C000-memory.dmp
memory/2988-42-0x0000000000990000-0x0000000000CB4000-memory.dmp
memory/2988-43-0x000007FEF5A90000-0x000007FEF647C000-memory.dmp
memory/2988-44-0x000000001B0B0000-0x000000001B130000-memory.dmp
C:\Windows\System32\SubDir\Client.exe
| MD5 | ecb916ab757a8410adacd89a27fce5bb |
| SHA1 | a2a6fb0d2aaa60aeb33b8d12ae3d6aa8087172ca |
| SHA256 | 8aa9888cf7c1380ff0a127c9e44140e2aa13a4432dca7559623ed5c3838468c0 |
| SHA512 | 6b8d86f3062184203bc58b8fcb7316bd3f8dcce476711a7fb1972b8b54e18b32baec797203485037ec6e7155959a85b16238f6d811308140972740c07cbfd7aa |
C:\Users\Admin\AppData\Local\Temp\7wRJtfMHMjVB.bat
| MD5 | 5d48580c4a25e032a34fe13d0e82a0f3 |
| SHA1 | 87e59edb5f501f0faafe1d7214474a22c367e13a |
| SHA256 | 380d8f23091564b2614f707b6afaddbab70c74f90aadcbb75051ddb73d2e27d8 |
| SHA512 | 6a8f8fa7974391450bfebdcd3932ca3f449e623d0e1e12721182bfe23692de3d86d47425ce67be0de783e8555436a728b4ced97b72e343fa714cef7cc13e379b |
memory/2988-54-0x000007FEF5A90000-0x000007FEF647C000-memory.dmp
C:\Windows\System32\SubDir\Client.exe
| MD5 | 15106a4342f35122137fbe2704151668 |
| SHA1 | e38a4c9536733b91ccea38ac6e30852cd8e96ba6 |
| SHA256 | c41711e790a63606e0a0b91df294182a33bb202214de5d07cd2b39b9f2c591e4 |
| SHA512 | ba4253d3ae369f43134eea5af20ceffffc31a0c25e481c9ceebc631f72baa64f293d9ad2c3f46994a11a7594730fcda444f9ca3fe9a5a7aac4d0ec02c3112dbd |
memory/2828-57-0x000007FEF50A0000-0x000007FEF5A8C000-memory.dmp
memory/2828-56-0x00000000010E0000-0x0000000001404000-memory.dmp
memory/2828-67-0x000007FEF50A0000-0x000007FEF5A8C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2PuDL9Yd6UH9.bat
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
(These are the digests of a zero-byte file: the batch script was captured before its contents were written. Do not use them as indicators; the next entry for the same path is the written script.)
C:\Users\Admin\AppData\Local\Temp\2PuDL9Yd6UH9.bat
| MD5 | 5286e1816829b4649e2658b14b31fc12 |
| SHA1 | c9e850e04f526716d2a429ea3fe251c48c9ab87d |
| SHA256 | 3fadb43753aae963bba07349fbee3ff3a21ca947650fa54df87c51cbfbc7a7b1 |
| SHA512 | 822da521bf030e64dadb7269913203e41c3afce1f4fd8b7081ada1db4ee7f2c0f725177aec0c4d4ef640cab2f90e634cda84feaf2bbb0946d222dbc28fc41b9f |
C:\Windows\System32\SubDir\Client.exe
| MD5 | 58dd36d021ddb2cc0026d6fa5a023a32 |
| SHA1 | 7d622d79d4f885b899693e5f859f6843e1d27aaa |
| SHA256 | ccec5adb88dd1fe0031542b55b992e87cb289275238326268f5001fee825b3e6 |
| SHA512 | a393aaefcf9500f4b6074682089e432f4df172b589730557358e5dcad3ec427eb3014f39a3225e57c6c90f1217b0e6258d3837de83b52aa1e2630f19e10b7e5c |
memory/2448-70-0x000000001B1C0000-0x000000001B240000-memory.dmp
memory/2448-69-0x000007FEF5A90000-0x000007FEF647C000-memory.dmp
memory/2448-80-0x000007FEF5A90000-0x000007FEF647C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EE38TOP2cvrk.bat
| MD5 | e971cc8b166f7850bbed0a5249ffa37f |
| SHA1 | 06d28f52cf06c9d2f900300435c6ab8f280b7b03 |
| SHA256 | c0f9f2c40537e500b2ca586130f1f298b0c496496a9f4ec3a860bd62b1c17017 |
| SHA512 | 855e2ec56f860a25a12ecc0cd94718027e76eebb4097fa584bba957cda76d8fa4efbb2c8ff397ea8b60817cff486898025b597610f4965df33df473cfa526ca6 |
memory/1792-82-0x00000000012B0000-0x00000000015D4000-memory.dmp
C:\Windows\System32\SubDir\Client.exe
| MD5 | aebf1f88d1b7781d98c2422d27db1e27 |
| SHA1 | ae607c5835d74c90b3809c25a78e5a7a26a9a049 |
| SHA256 | 8464b798269472425a4aae58e52f6bd43e98e652008be8db4e98450be3dde544 |
| SHA512 | 5b97db7fb1b2b24806fd0e48cc454479ac6cd1a091cb425c5d8b4aec3ab86f2017c74a7fbba36bafdfd4fa364599d7e638e205821940dcf7425054724614d9c7 |
memory/1792-84-0x000000001B490000-0x000000001B510000-memory.dmp
memory/1792-83-0x000007FEF50A0000-0x000007FEF5A8C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\uoytDN2PKOHK.bat
| MD5 | b95a34f8cf25ca63bda941392c89d72b |
| SHA1 | 46ad16ebb5e718b5e524e2185a7c3532189c00ed |
| SHA256 | 10fa80cd0f856b7f14a7b0e6cbf20afbfc020667de4e92f6ceccceba5eafbb80 |
| SHA512 | 5cb6b6ac07c3705686d1349ff9b7ca609071a1e24e262d5e82b252db23e9dcd49bec736ce6aeddbe037394df4c5c3222c400fa2d2c60454135a304cfbdaa122f |
memory/1792-94-0x000007FEF50A0000-0x000007FEF5A8C000-memory.dmp
memory/2504-96-0x0000000000290000-0x00000000005B4000-memory.dmp
memory/2504-97-0x000007FEF5A90000-0x000007FEF647C000-memory.dmp
memory/2504-98-0x00000000022A0000-0x0000000002320000-memory.dmp
C:\Windows\System32\SubDir\Client.exe
| MD5 | db8ef07966ce5ddf7fd6616c70456d4f |
| SHA1 | a2ae47eecbabe4bd753c92935728bbf17b4c56a5 |
| SHA256 | 2bbaf6e943afd6eb9d929bd4cc8df1aa642e5baa0505be4565a08ec75379bd8d |
| SHA512 | 8a8351509301cbc796f210b49d3ddb6ade4f2512ddddfb5c8d0667b3e770afc106e763d075c0d5dc9f63a2afdbdef2488508b6af24a9d1dbf19e1fd130ece91e |
memory/2504-108-0x000007FEF5A90000-0x000007FEF647C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wacB6pz03e7v.bat
| MD5 | 8651716b4aa31d08b81e1cd39706ab77 |
| SHA1 | 14f0f3c63bf7bce2bee952011bfa942ee32ba8ab |
| SHA256 | 83fe094060b4cbb1f22efb6f6599102547864e2601a8f31f29e14636c06c4779 |
| SHA512 | 6237e570338e2680bef83ebc632b2612d34d4caefe76f29223f6460c1fd75349c51cff479a78270c9ec8a66fbd394e1b1c3122303afad7eb4a3029b4f13a82f6 |
C:\Windows\System32\SubDir\Client.exe
| MD5 | c05d8fa3ef604f6673b0c1e8761dbad3 |
| SHA1 | 262c0f2c8b34c331fae8157f81012dff2f4bd7dc |
| SHA256 | bfd0c2b20177feda723f9837c3fbcdf378c4c9258d92a30a6afdc576f77e2198 |
| SHA512 | a00b0daab5d885485a8824298b96719d360d3a0f55843f19bb13c58febfb87a1df5520424ea2af82ac151982d4e0ebff4bedd7f28080684d00f6fda23960e377 |
memory/2292-111-0x000007FEF50A0000-0x000007FEF5A8C000-memory.dmp
memory/2292-110-0x0000000000910000-0x0000000000C34000-memory.dmp
memory/2292-121-0x000007FEF50A0000-0x000007FEF5A8C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Kkhqbk4sXzDH.bat
| MD5 | 94c1509e4ede0b7f644da36f69717e3b |
| SHA1 | 7c51d761ab38c018f58afa95791cef1808976e4c |
| SHA256 | 7957d00dcede1305097b9a8cf3ad752833c588ccae9941dbf799ae0fb4e4dd76 |
| SHA512 | 43756e15677bc5c73a43b607223b15b933e8bb95fdebb1e137ec3fd93bc06105cc07ef5b638b3410b182ec746164b281b26bd873152aa4d5f581a3158b73e34c |
C:\Windows\System32\SubDir\Client.exe
| MD5 | c3503e940b29ca52c6ebc96166a0fdfb |
| SHA1 | e2d3b2388edeb77a7787297b535cd0b4cdfe4e06 |
| SHA256 | 5eb303fc91049204ece966e17dffc3ac1f9af325a6438320ca001e37bfc85adc |
| SHA512 | 74bd168fa0eb21f44e9971c934597c3e1991887ad47419285ae6f1ece9636d60bb7cd0dd2cb98a53dfc4f13bf996a3f5a1699640ac293effd42208f328221401 |
memory/2576-123-0x0000000000950000-0x0000000000C74000-memory.dmp
memory/2576-124-0x000007FEF5A90000-0x000007FEF647C000-memory.dmp
memory/2576-125-0x000000001B310000-0x000000001B390000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5VBqXgniAgEF.bat
| MD5 | f89bf0e3de10453d4548520ab10cd36e |
| SHA1 | 478d69b9810d5c25bdff9a4c1bc1957a874e17db |
| SHA256 | 07378a97cc670ec23acb5bf4e38f7cd971b459b8c0b1f47ca5cafaa031633f8a |
| SHA512 | 4dd74ea8e67d86a3008d2b58d5555d912e9c916993e00f6294c27890d324becde42ac78dc67a423bb0446402bf410fdd6ca90867323a52ae5fe41c1e97ff6110 |
memory/2576-135-0x000007FEF5A90000-0x000007FEF647C000-memory.dmp
C:\Windows\System32\SubDir\Client.exe
| MD5 | 097bbf5d5748290c58295373009deb0e |
| SHA1 | 734db617bbbb8d84d4e4b2ab3265763b83f2c076 |
| SHA256 | 72bc48b0b4f1d32d081deb68bb95a8c6613fba33d72c22eba02a1b0f490f6182 |
| SHA512 | 6b023c372c38fea7c190c4eda08c1b4061802b2f20d28846148a9ffee6480286ba38ce9dba11ce3a7890be5b29d9e7da14ea2657854256bbc37f66d40f910061 |
memory/576-138-0x000007FEF50A0000-0x000007FEF5A8C000-memory.dmp
memory/576-139-0x00000000002B0000-0x0000000000330000-memory.dmp
memory/576-137-0x0000000000330000-0x0000000000654000-memory.dmp
memory/576-149-0x000007FEF50A0000-0x000007FEF5A8C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\oAskdJAjDVOu.bat
| MD5 | dd5c706d4cd1bc93fcfdb98897b7b2ea |
| SHA1 | 4f095fcfbaff8e4a1ecdadfa0ff4f1f43688e086 |
| SHA256 | 538c434e0c79cdc9427756073420843d3870b0c3262ab063a36f7784854ccfcc |
| SHA512 | f6e2b3022db1c163fb91d640cf8adf9220c03b796de014102db3c65c390f1090608500274674e26ad5e1e16f7f8619f4373928766ac32fd83790aff80f94aefd |
memory/2808-152-0x000007FEF5A90000-0x000007FEF647C000-memory.dmp
memory/2808-153-0x00000000007F0000-0x0000000000870000-memory.dmp
memory/2808-151-0x00000000003B0000-0x00000000006D4000-memory.dmp
C:\Windows\System32\SubDir\Client.exe
| MD5 | 07adbc03ac19b736cb03c2d4d2041bf5 |
| SHA1 | 2679be8c50e1fecb89a88c7c20db3f09f2585b41 |
| SHA256 | 729c746ace11f233ef3b350f5331a9113325343a5cf34cfa210b133de4d08ba9 |
| SHA512 | bf0704dd15074d70420cac1fbe006e1ca08e0f0ca59e349361ed0b6458dc827e07c59a37dae3cd22e37dbe257c5d05ca9e71225b94421c1479838bd2d6b028e6 |
memory/2808-163-0x000007FEF5A90000-0x000007FEF647C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BVvw3I3WnfkH.bat
| MD5 | dc0dd486cbc59ef258d9933ff1f84b71 |
| SHA1 | b50875674a1db01b5402aa8254cc8f066b19b5c8 |
| SHA256 | da965f2d8fc7c277df921dec9842b7b70b85547aa1e638e5ccb168b04e30650a |
| SHA512 | 256e8c6cdfcbd490c467a49fac4ce7979fccf49d71ebf9e44d77dd86867331c9a145103bbd16113e734f42290962a81e1247f5606fefa3110c64e22cfcdc0519 |
memory/1064-165-0x00000000012A0000-0x00000000015C4000-memory.dmp
memory/1064-166-0x000007FEF50A0000-0x000007FEF5A8C000-memory.dmp
memory/1064-167-0x000000001B450000-0x000000001B4D0000-memory.dmp
C:\Windows\System32\SubDir\Client.exe
| MD5 | bbfa4cfa5954fba18192870cda200841 |
| SHA1 | fbd8d56c312ae4dfa8b24e6503271e63c110a847 |
| SHA256 | 2bd86058d97cb08e40610ef49482c92c2c74cd4d7d35d7a040d7262afebe8dae |
| SHA512 | cc15ebd3127d9ed361c4a1080abc13f1a0efd5b7869faf5b549f195761e34dabc67c244928938187d641e74ac52b2467fcc53d9f3117a1f04ef47158ecf53bfb |
memory/1064-177-0x000007FEF50A0000-0x000007FEF5A8C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xgBNsMvsAJGt.bat
| MD5 | 35029052f8d6d7c68dd1bd4f81b25c70 |
| SHA1 | f1dd7709a7b51443ebbb610dbc39ecf9d5bb3f2d |
| SHA256 | 84d8d9b53b7709a08aaa65ea38bd6f47a30800253952e501cab684d8b181ad0d |
| SHA512 | d16a18c64423b5010bbaf98eb55cde59bec25a4f03b3a1da924ebd52e648b34491a65ee38ab68f87b3361be1299c1e67ad56c8186b0f610f6f4e91d4f9ba46b1 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-05 05:44
Reported
2024-01-05 06:21
Platform
win10v2004-20231215-en
Max time kernel
6s
Max time network
116s
Command Line
Signatures
Quasar RAT
Quasar payload
12 hits recorded; the report gives no indicator, process or target details for them.
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe | C:\Users\Admin\AppData\Local\Temp\2024-01-01_6d9ae7bd96ad3fe1f1d4ca0085229db8_icedid_xrat.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\Client.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\SubDir | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe | N/A |
| File opened for modification | C:\Windows\system32\SubDir\Client.exe | C:\Windows\system32\SubDir\Client.exe | N/A |
| File opened for modification | C:\Windows\system32\SubDir | C:\Windows\system32\SubDir\Client.exe | N/A |
| File created | C:\Windows\system32\SubDir\Client.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe | N/A |
| File opened for modification | C:\Windows\system32\SubDir\Client.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe | N/A |
Enumerates physical storage devices
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-01_6d9ae7bd96ad3fe1f1d4ca0085229db8_icedid_xrat.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-01_6d9ae7bd96ad3fe1f1d4ca0085229db8_icedid_xrat.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2792 wrote to memory of 628 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-01_6d9ae7bd96ad3fe1f1d4ca0085229db8_icedid_xrat.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe |
| PID 2792 wrote to memory of 628 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-01_6d9ae7bd96ad3fe1f1d4ca0085229db8_icedid_xrat.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe |
| PID 628 wrote to memory of 1684 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe | C:\Windows\system32\SubDir\Client.exe |
| PID 628 wrote to memory of 1684 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe | C:\Windows\system32\SubDir\Client.exe |
Each write is from a parent into the child it has just spawned (2792 is the dropper, 628 Client_built.exe, 1684 Client.exe, the same chain as the process list below). The report shows no write into a process the sample did not create itself, so these rows by themselves are not evidence of injection into a foreign process.
Processes
C:\Users\Admin\AppData\Local\Temp\2024-01-01_6d9ae7bd96ad3fe1f1d4ca0085229db8_icedid_xrat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-01_6d9ae7bd96ad3fe1f1d4ca0085229db8_icedid_xrat.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\/Client_built.exe"
C:\Windows\system32\SubDir\Client.exe
"C:\Windows\system32\SubDir\Client.exe"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Chgp1cuxHkVA.bat" "
C:\Windows\system32\SubDir\Client.exe
"C:\Windows\system32\SubDir\Client.exe"
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xIrdQCj5ZmHr.bat" "
C:\Windows\system32\SubDir\Client.exe
"C:\Windows\system32\SubDir\Client.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yAKvcgVE5o0r.bat" "
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\SubDir\Client.exe
"C:\Windows\system32\SubDir\Client.exe"
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GmuzBbM7Iby6.bat" "
C:\Windows\system32\SubDir\Client.exe
"C:\Windows\system32\SubDir\Client.exe"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wEHBkXzICv8B.bat" "
C:\Windows\system32\SubDir\Client.exe
"C:\Windows\system32\SubDir\Client.exe"
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\z7UbQQQvTjey.bat" "
C:\Windows\system32\SubDir\Client.exe
"C:\Windows\system32\SubDir\Client.exe"
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bmWmpYoog9K4.bat" "
C:\Windows\system32\SubDir\Client.exe
"C:\Windows\system32\SubDir\Client.exe"
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6EUQLovqokVd.bat" "
C:\Windows\system32\SubDir\Client.exe
"C:\Windows\system32\SubDir\Client.exe"
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jdf6mKqHukzz.bat" "
C:\Windows\system32\SubDir\Client.exe
"C:\Windows\system32\SubDir\Client.exe"
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7RKsgGDCY9AU.bat" "
C:\Windows\system32\SubDir\Client.exe
"C:\Windows\system32\SubDir\Client.exe"
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LFB3sVAY7WVp.bat" "
C:\Windows\system32\SubDir\Client.exe
"C:\Windows\system32\SubDir\Client.exe"
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\z1xIW5KbKyIq.bat" "
C:\Windows\system32\SubDir\Client.exe
"C:\Windows\system32\SubDir\Client.exe"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KmShIJt0siQA.bat" "
C:\Windows\system32\SubDir\Client.exe
"C:\Windows\system32\SubDir\Client.exe"
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cgiBzfDUCGQR.bat" "
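The process lists for behavioral1 and behavioral2 both show the same loop: C:\Windows\system32\SubDir\Client.exe runs cmd.exe /c on a randomly named .bat in the user's Temp folder, that batch runs chcp 65001 and ping -n 10 localhost (a roughly ten-second delay), and a fresh Client.exe appears, twelve times in the first run and fourteen in the second. The report flattens the tree, so parent/child links are not shown. The Python below is an added example, not part of the report and not Quasar's or the sandbox's code: it takes Sysmon-style process-creation events and flags a cmd.exe that runs a Temp batch whose children are exactly that chcp/ping/relaunch trio. Image paths and command lines are the report's; PIDs 2792, 628 and 1684 come from the WriteProcessMemory rows above; the other PIDs, the parent/child assignments and the benign look-alike event are constructed for the example.

```python
"""Detection for the restart chain in the behavioral1 and behavioral2 process lists.

Added example, not part of the sandbox report. Events are constructed in a
Sysmon Event ID 1-like shape: image paths and command lines are the report's,
PIDs 2792/628/1684 come from its WriteProcessMemory rows, all other PIDs and
every parent/child link are assumptions (the report flattens the tree).
"""
import ntpath
import re
from collections import defaultdict

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-01-01_6d9ae7bd96ad3fe1f1d4ca0085229db8_icedid_xrat.exe")
STARTUP_CLIENT = (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
                  r"\Start Menu\Programs\Startup\Client_built.exe")
CLIENT = r"C:\Windows\system32\SubDir\Client.exe"

EVENTS = [  # constructed; PIDs 3000 and above are made up
    {"pid": 2792, "ppid": 1,    "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 628,  "ppid": 2792, "image": STARTUP_CLIENT,   # command line as recorded
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\/Client_built.exe"'},
    {"pid": 1684, "ppid": 628,  "image": CLIENT, "cmdline": f'"{CLIENT}"'},
    {"pid": 3001, "ppid": 1684, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Chgp1cuxHkVA.bat" "'},
    {"pid": 3002, "ppid": 3001, "image": r"C:\Windows\system32\chcp.com", "cmdline": "chcp 65001"},
    {"pid": 3003, "ppid": 3001, "image": r"C:\Windows\system32\PING.EXE", "cmdline": "ping -n 10 localhost"},
    {"pid": 3004, "ppid": 3001, "image": CLIENT, "cmdline": f'"{CLIENT}"'},
    # Benign look-alike (constructed): a scripted delay that pings localhost but
    # runs a batch outside %TEMP% and starts nothing afterwards.
    {"pid": 3100, "ppid": 1,    "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'cmd /c "C:\Scripts\wait.bat"'},
    {"pid": 3101, "ppid": 3100, "image": r"C:\Windows\system32\PING.EXE", "cmdline": "ping -n 10 localhost"},
]

# Batch file in the user's Temp folder, as both runs show it: <random>.bat
TEMP_BAT = re.compile(
    r'([A-Za-z]:\\[^"]*\\AppData\\Local\\Temp\\[A-Za-z0-9]+\.bat)', re.IGNORECASE)
CHCP_UTF8 = re.compile(r"^chcp\s+65001\b", re.IGNORECASE)
PING_LOCALHOST = re.compile(r"^ping\s+-n\s+\d+\s+localhost\b", re.IGNORECASE)
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}


def is_system_binary(image):
    """True when the image sits directly in System32/SysWOW64, not in a subfolder."""
    return ntpath.dirname(image).lower() in SYSTEM_DIRS


def is_nonstandard_location(image):
    """Executable in the per-user Startup folder or in a subfolder of System32:
    the two places this sample installs to; neither hosts normal Windows binaries."""
    low = image.lower()
    if "\\start menu\\programs\\startup\\" in low:
        return True
    return ntpath.dirname(low).startswith("c:\\windows\\system32\\")


def find_restart_chains(events):
    """One finding per cmd.exe that runs a %TEMP% .bat whose children include
    chcp 65001, ping -n N localhost and a start of a non-system executable."""
    children, by_pid = defaultdict(list), {}
    for ev in events:
        children[ev["ppid"]].append(ev)
        by_pid[ev["pid"]] = ev
    findings = []
    for ev in events:
        if ntpath.basename(ev["image"]).lower() != "cmd.exe":
            continue
        bat = TEMP_BAT.search(ev["cmdline"])
        if not bat:
            continue
        kids = children[ev["pid"]]
        has_chcp = any(CHCP_UTF8.match(k["cmdline"]) for k in kids)
        has_ping = any(PING_LOCALHOST.match(k["cmdline"]) for k in kids)
        restarted = [k["image"] for k in kids if not is_system_binary(k["image"])]
        if has_chcp and has_ping and restarted:
            parent = by_pid.get(ev["ppid"])
            findings.append({
                "cmd_pid": ev["pid"],
                "batch": bat.group(1),
                "launcher": parent["image"] if parent else None,
                "restarted": restarted,
                "nonstandard_location": any(is_nonstandard_location(i) for i in restarted),
            })
    return findings


if __name__ == "__main__":
    for finding in find_restart_chains(EVENTS):
        print(finding)
```

The benign batch is skipped on two counts: its script is not under AppData\Local\Temp and it starts no executable afterwards. Requiring all three children rather than ping alone is what keeps ordinary "sleep via ping" scripts out of the results; the Startup-folder and System32-subfolder test is a separate, weaker signal that is attached to the finding rather than used as a trigger.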
Network
| Country | Destination | Domain | Proto |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 22.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | frp.deitie.asia | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | frp.deitie.asia | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | frp.deitie.asia | udp |
| US | 8.8.8.8:53 | frp.deitie.asia | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | frp.deitie.asia | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | frp.deitie.asia | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | frp.deitie.asia | udp |
| US | 8.8.8.8:53 | frp.deitie.asia | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | frp.deitie.asia | udp |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | frp.deitie.asia | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe
| MD5 | d0df40c55cb3aa4237ef6a55d7b4d994 |
| SHA1 | 187a806154c8c2890a21b092f16ba419cf605ea1 |
| SHA256 | 1d4ea166c828182972c9757abd8fbb5045232932c7c58b744627ad9a7dabca92 |
| SHA512 | 7c6419a79c7ba9e17d538457830a8b30ac8c3c185cbcd7f949b79dcc158db789bef957bb6d18a06fd09a37c8c49ec36627be6075d73dbec869632a2bb5da2a14 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client_built.exe
| MD5 | d3672120ce42656a2ecb0b223569864e |
| SHA1 | e9e1861b713355658e698326bc3200c644728a3f |
| SHA256 | 0285eb337448b4554f7a4249ed597dda840e4203f3c4442b8929532918cd94b2 |
| SHA512 | 536db817d7fdf80c2e8577d0c0fecc6b0bb00726f8df885e380b243449318cba1e576301a2c6e34a55effd6ca78b17ce046f5758af6e7ad47ed5656fc02b6cc6 |
C:\Windows\system32\SubDir\Client.exe
| MD5 | bd5a7685285ad86eab6a273d445e33c2 |
| SHA1 | b5ad5b3191ba2e433156fb87e0dab769bf88cc85 |
| SHA256 | 786c3d778f1b424388532477caea02c8a1bd2fe4b000738e32d845123d8d1f5b |
| SHA512 | a7855bb1a5eeb73921caa0ea23938eac7c4286660dde2291389f26e11baa21b1f5d7eb72849f1ac1f1bd52928ffd82e3f6bada52ed602c25bd0aa79fb341c7b2 |
C:\Windows\System32\SubDir\Client.exe
| MD5 | e68b098936c3b553c9af56688058bbf0 |
| SHA1 | cf83753e73e91bac71df4a42418c142c25a4b566 |
| SHA256 | edd5c2078dec30d451835c5eb4c7c2bcb6ac8341d9847c03651324b46736b69d |
| SHA512 | 3f70d93600c524c6a763b8ccdc4c80247c409eb7c9acd188f81bfabf7d58765eee2846a6d22a5a2d6680300726309b5da39a6139e83fb7ac2069f915d8253f58 |
C:\Windows\System32\SubDir\Client.exe
| MD5 | 768087968033c325aa278f04825d77dd |
| SHA1 | f6699787f9b29203c461f6f78bba973748ab97e6 |
| SHA256 | fc125c9856850ea6e87faf9fbd0295ac78538dae743d1f769057d8547353647a |
| SHA512 | d8de2726abc40bbad1d1a5b84fb7db403669fd6e7cb06d7912766ddc1f73c22e165adc2766de2c36fd780345bf107a1a92e998e2d67022bb79525a041bbdf228 |
C:\Users\Admin\AppData\Local\Temp\Chgp1cuxHkVA.bat
| MD5 | 3341f1463f52a06b80b03fd476b73b12 |
| SHA1 | 4ea9144184797aefa4ee3071a43829861fd47810 |
| SHA256 | 8fabc81a4ae81adb8398e93e5beb7e9489f0887cfb8ac74247a8ed0f4eab5a75 |
| SHA512 | d22345bbe5223c9f6d6d468c8538e2925712c4f243fa0184c3dbfbfa705fd4ed70870c9b93d168dd829cb01036ae7ae62630f5dd28b7c51e7b679e72803e640d |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log
| MD5 | 8f0271a63446aef01cf2bfc7b7c7976b |
| SHA1 | b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7 |
| SHA256 | da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c |
| SHA512 | 78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5 |
C:\Windows\System32\SubDir\Client.exe
| MD5 | 92f7650293d68d045a82dec8e52d3014 |
| SHA1 | 6ce00d91c58ce6387f284574736ad5c4572188de |
| SHA256 | 82cb85f0b379c9451151f6dd49f2d6ee1067bd4e2a7389e4a2b756a0c7cbecd1 |
| SHA512 | ceda783de55decb6af8491525514bb512016e2f6f062fb9a21e9af4f833c96371f4d1d7c9a100e61d3148c6d30fb14b155a8ed40d19ea4f3102d5b53438cf13c |
C:\Users\Admin\AppData\Local\Temp\xIrdQCj5ZmHr.bat
| MD5 | 454b354ef2a2a6a89746a40e9f901f40 |
| SHA1 | 80e0c0c86535866a6496ec40e66c84dda3afe05a |
| SHA256 | 94595c1f8678e3972c7b21f5f8bf6b32cc2441504c4721a34effed498b4fd976 |
| SHA512 | 0699c560ce3d99d78fd345ec269a85262d4c5c2194593121fb607f47785a7077d75d76f22b94748ee4b0d98227203847c30d2304f66d249ed26df696fa2383de |
C:\Windows\System32\SubDir\Client.exe
| MD5 | a3e1deda29b341dd78e79338c173a843 |
| SHA1 | a600ab0e42b853f2bedfefd6d7ac3a0a5264e43b |
| SHA256 | 6dae5ce577288e430d33e12035e5e9a50ebae01d2b283ff6c8ed6ffc043c13cb |
| SHA512 | 92a6e61821b7de779fa8f94804eb880d249bced4ee22f4135123dfced369d3fd85d4b961d081741146fd9739d1cf4a4acaa0fe71c4f18470b710098fb106421b |
C:\Users\Admin\AppData\Local\Temp\yAKvcgVE5o0r.bat
| MD5 | 3cd5972c3864913d41050c33a9fdbf03 |
| SHA1 | 7e531e54ceccdab2b9aad4f2fb2ec763ca047e26 |
| SHA256 | c1b9ebc7cbf403591dbc22d460f76d5f78086a9364cc4aa80e1d85129cf18762 |
| SHA512 | e36a8b5838c182a07edd59ab6f308cb92a2759809d778ab3b91aa986e76a0debe42303e2ab75a89891fd124a405f05d79eaa449eb913228be9e2e4cecc879653 |
C:\Windows\System32\SubDir\Client.exe
| MD5 | e849b8dc7420de025c784ee4a3607ff4 |
| SHA1 | 8163e9989e6d3e41da3520d9fb37641dcbd039c5 |
| SHA256 | 6d6168dd05091daf3fd9940029ad26ec31fb156b42910d6c95e338433b8ec650 |
| SHA512 | 50c450e6c702352c3eef7b6ca88971919ee6e65a1f5d6522c47db6bd18aeb0a5ee24da6a838d1813f4543d8879cf1983cd084c96d02e65bb75883a670919eb1b |
C:\Users\Admin\AppData\Local\Temp\GmuzBbM7Iby6.bat
| MD5 | 3fd1bc398be6b50f9f8aac86922c1a09 |
| SHA1 | c7534fabbde9f33bf93401aaeeebaa2884063c43 |
| SHA256 | 041058228d450d16afecfacbd9f99f5e6a657abc1e8ca435f51b1ec78f8cf3d9 |
| SHA512 | a871872d02a01b865a6c2a9aaa8bf775e7b15628a1f89863780859ef9b77786921c5003aa313ca5a4268f0e38738600f0f3be2b3cf96e5d97cd95445ac445e09 |
C:\Windows\System32\SubDir\Client.exe
| MD5 | 415ca19c08e92d33688c0d2f406f2b28 |
| SHA1 | 702d6350d5e0f74ffad3d33d09a360dcf79c8639 |
| SHA256 | 2ad95023fd1acf4e8838c1852b922f0ef4ffaf2624aee012b2e6130010839839 |
| SHA512 | a1396848ddfb41a68acad2d265c9a72f47c465fe68de63209f82890db08791cb27c560bd5d7ee61c8c455a423ccf786e389ddae2374cefe6c42bd104ef968cf7 |
C:\Users\Admin\AppData\Local\Temp\wEHBkXzICv8B.bat
| MD5 | 6f3561c461a8047d06a41d0409ea6c76 |
| SHA1 | 6b6c459d092f5965c1673dbad645c76aecb79c36 |
| SHA256 | b0d9b7171ac4b4553a6ee9dca8e964d97d84d5dd28675d35ce65f03a53b50196 |
| SHA512 | 97cc2b20499de57ea01d278fd7ba11dd75fd124fd386b78838cee740290d74188268312669269cd95f0cb546b6d04a7cbaf898403585a8ef600b5a2450aef06b |
C:\Windows\System32\SubDir\Client.exe
| MD5 | 6406954f8064c510b07b0f77821909d8 |
| SHA1 | 3fba0962e0a881460924341c19f512b95b968862 |
| SHA256 | 1afdfe40395ff26e8dbb83b8a7022a37612b6a93b95574ac878bc45e779bdb09 |
| SHA512 | c6a0d830c838cfaef7df0bd05e1e2ed8119dd7785c3913fda1cd1c22435e2667a2b4ff7a6a71466918f4d4ed213a3db0aa413d4f7578868ea8a8bfaaaa71f507 |
C:\Users\Admin\AppData\Local\Temp\z7UbQQQvTjey.bat
| MD5 | 00a256c6892b1172fa0c3bce418e684b |
| SHA1 | e33c1df80cf704f5259cb5bca4e0f7e845cec13c |
| SHA256 | 1d861e24e3e93774980f898848df403ed69d5e5efe3e49f068f2b59f2142b306 |
| SHA512 | 8e2682cea668a46c6a37da2cb9c944bd5714b1f3253c46ed68968bb0471effb7b72a3e34996915dc8d289e475f1d068ea86e6a92673109d93c01e89dda7c41a4 |
C:\Windows\System32\SubDir\Client.exe
| MD5 | f784d6065ffc15c42d3af6e89bd45d4e |
| SHA1 | 3bed49e7dabb87a8ca51be56db4de6a0d65cb31b |
| SHA256 | 99835cd0edeb744626616286955c627455dea23fec9951f5301dbff9ffe82f14 |
| SHA512 | 929a4cfd8fc90cd4f861f385d149e462b0da320c92cf61b8b1aa13fc785d58667e29221109cef82ecc933af83914e37cbb6baa0f88faa011b54baa3b29ab9b32 |
C:\Users\Admin\AppData\Local\Temp\bmWmpYoog9K4.bat
| MD5 | f1983c0fd65eb0221ef4dce3ebcfe9ec |
| SHA1 | 97ba2a22c5f7149464d6677735a57b0a57793e43 |
| SHA256 | a452ff4ca6916a8bba2b45a5cd5cad7e0e9ee4b2347a5c9f5900cbbdf34fd2a4 |
| SHA512 | e6a70a4e84717f310489144fa41e803d0bf1390f50f44fc668a744684264def730aa09496323813231bd28e69286e88bd96da866c5bcb39da7ba60eff77e3a1f |
C:\Windows\System32\SubDir\Client.exe
| MD5 | eb98ba430808ff597812954a68b6920b |
| SHA1 | a8da1b7f2f971fca24c59adad040b473c8613925 |
| SHA256 | 681b5f3ee5a4bb12a68033b43af1650934bc68234a458eb494ca8073cd3ad657 |
| SHA512 | ffc87ba38df9c1c258b961489b4e1732f8fbbfc9a6fb7aa6c3789aa6ecfdf0c915eb10f7e51341b7c938bc6ca911eb60e75b258ec291fa8eb36feff8db33656c |
C:\Users\Admin\AppData\Local\Temp\6EUQLovqokVd.bat
| MD5 | 2b883f3dc09548b2846233de113c3d32 |
| SHA1 | 570077a83fbc685a078978fe019a1284234270a7 |
| SHA256 | ee5ff29eb3c4e99ab0134d497cc7189c0f2e7c014c6b0734552cc80f2c21be0c |
| SHA512 | 5a317d651e5375efcc8fb0a9227dcebfadcb45bdc04c2bf718ebd95e6474c61dbd5e27390a1ace0332b0ea2480b231949b4252191fd12aa0292abc3125caa66f |
C:\Windows\System32\SubDir\Client.exe
| MD5 | e582961b354f2314424e28acca605658 |
| SHA1 | e33f2674e7a4cd95a8db85157ac61406db1f2c9a |
| SHA256 | 61c70ca6605ff403d98cd66f4a7c32232870f1b15563767ce5cd231788665b97 |
| SHA512 | 6696c6b6d6fe65f8ce276fc6eb8a14794f18a4167bd3e736d1ae471a4306682a2d4731bf06170d0ed64b97c078b503c8584601c2a3bd840051d151341ed0283c |
C:\Users\Admin\AppData\Local\Temp\jdf6mKqHukzz.bat
| MD5 | 67bc7669467a50b7a56b64836d6a3ab1 |
| SHA1 | 3e985581ab71b254585b0b8ff61dafc3bbfda8f6 |
| SHA256 | fca3a0aea28f4e0b2a8c72aec0faf88ca25424897829e7e1e3bd26f7452feac3 |
| SHA512 | b78733d3f674db003372b5530bfecdd79ae9f74ac5bb872839863df8e60a1346807f405d5f9c3cddb006fee495a4b8a1f03bf8c64f1505385373bd7edbc87b60 |
C:\Windows\System32\SubDir\Client.exe
| MD5 | 2b9acdfecb754f1597ea02fa57214a82 |
| SHA1 | 00c8d2571e3218bb97a5f6eed9789ced6f4bba0d |
| SHA256 | b5924c2681f7233a0f2b46065c2e013e367cdee4e0ebaabf9de80081558b665f |
| SHA512 | 184e113cdf09508591df9dc1580a8b2c10e295a40b347e6b2fc6ddb355ac9eb6538a30474ed2bff052f57429627140a0767b951dcdde3f54d2c09a6cb576f4e4 |
C:\Users\Admin\AppData\Local\Temp\7RKsgGDCY9AU.bat
| MD5 | 98d1b50e9711594fefa9f5b380cbcbef |
| SHA1 | 0188ab0e594eb566ecf37476a92cb8d48d225975 |
| SHA256 | df1207322b5e8bb67900765c6b627ceda814b52edda6b8c382483624bd9df95e |
| SHA512 | 095b15a65d31e9991d3cf5a0df3eb9f2ffc49b4d897fecb19f04cab5bafe180e561774b6cf64194554d02777095e87c2a2f03350367b3c32748912af5d517bab |
C:\Windows\System32\SubDir\Client.exe
| MD5 | 91337d2f31811fb204085992bb08b71a |
| SHA1 | 8f1945947a10f130f5fe869655312ab3745714b7 |
| SHA256 | fc891f279231fb70f0bac4fcd5c6cee74548a6d103af2269c0a6ecca10113e72 |
| SHA512 | c49d9cbac8d1efa9005b1b6ce4a7eb3f361ad13c5811418de1f51859e327ab00e7270eec4c6d8188dbae44b34da2dc228eb2832b80fbf213e3282d33e9b7db08 |
C:\Users\Admin\AppData\Local\Temp\LFB3sVAY7WVp.bat
| MD5 | 05d8aaaa99aa38fec414bd85c9c39ce2 |
| SHA1 | bdaaf83bf7f7fc79b8868277ebeb277338f7ac34 |
| SHA256 | 4683a0ab02d1dedc9f2ff915a79f7fb2850291cc1a3044618bf2847126fa5f5c |
| SHA512 | 46cc884c75f601db412878cfb37470832bcda69b5c93565ea7206a8f93f749216bd26266a2145677e1ed5b12799d7fabe5ebd9a4e04f1370a90b82d1c06cf1dc |
C:\Windows\System32\SubDir\Client.exe
| MD5 | b06211c7e7d02d68efd015bdc720c72f |
| SHA1 | 43884f73d5c4350d7f87fad7bdfacebf3621ac6c |
| SHA256 | 071b548e13a7b5ba94b0dc1029f57ca363ef5b2cf2179f020a61ef0b397abb3c |
| SHA512 | a07cf684292674b092a3386270f56f98789ea41cbd8145415ad4a9eccf659a971a3e2c346e9d345c2a701f341c2cdee6a2968beeb5704f1a20794774dab720ef |
C:\Users\Admin\AppData\Local\Temp\z1xIW5KbKyIq.bat
| MD5 | 8b6e44cf3cd9b7e22f4df6053b85e2b8 |
| SHA1 | 34771805bf7e596f277e7db49e35ebd42f9686c8 |
| SHA256 | 004277b947eb4a5e061f435a6c292da0e845c971a5abd9e77e8dbe24e2c9eb47 |
| SHA512 | d647c33e0fc09af4963221cb3f1c29ad05b23224e9d97518c8484663ed428dd1a0978cb7ce46f69337713cfc667aaac2153c388ac855c6822388429ed733555b |
C:\Windows\System32\SubDir\Client.exe
| MD5 | dbf8e6fd52743e47c27c5456814b2b89 |
| SHA1 | ee9f80096eb7adcd2bf5e270f5548c242f3fe140 |
| SHA256 | eba8e1c9b0b9b9db7f55c7160bd6c55fde494b3132680b557d1a55a9a0d3884d |
| SHA512 | a264b263fdebceae6af188cd157fb7a9e349d6268c14cbdbdb4c17f350dd4660eced14bc7f106c689ab4f3499d728757312a97fc116cda50aab6913345563dd5 |
C:\Users\Admin\AppData\Local\Temp\KmShIJt0siQA.bat
| MD5 | ec2dbfed483463a82a1758aae6db6665 |
| SHA1 | a32f3dcfcab65e8194bd3ec8caf9ce95e4a5deac |
| SHA256 | c3f1646a838472ca64e73d0aa97809b923ae2a1c0f87b7befb33817270c05fec |
| SHA512 | 26413af68ee905e945136060b11903180c68d43016529a77f0be2a402dcb4b7a6c25b88b26c696efc2ef3e59c77b8f4b1b005572c5890237612d21781aff3549 |
C:\Windows\System32\SubDir\Client.exe
| MD5 | 154c282605791ba01e98e2fe677adb75 |
| SHA1 | 91548be00a32af499a70c896513ce24a05e7a499 |
| SHA256 | 7f1da441850f843b5629c9fcbf8da34253e39dfb9658a71cb24b386a408d6f51 |
| SHA512 | bc067c5246fde82e6f90ac5b81a76cbaa58a0249b153199d82b04ab96bc16a14e386d6fe2f66d88cd29c74a33fad1e837d609de9b899c93f73a0fe057ac09862 |
C:\Users\Admin\AppData\Local\Temp\cgiBzfDUCGQR.bat
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |