Analysis Overview
SHA256
956866f40e28cef19324cb165382d5cd5aee0b67c0cb9dd4a39f5bddc6ac56c4
Threat Level: Known bad
The file uni.zip was found to be: Known bad.
Malicious Activity Summary
Quasar payload
Quasar RAT
Quasar family
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Looks up external IP address via web service
Adds Run key to start application
Unsigned PE
Enumerates physical storage devices
Program crash
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Runs ping.exe
Creates scheduled task(s)
Suspicious use of SetWindowsHookEx
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-10 15:28
Signatures
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-10 15:28
Reported
2024-06-10 15:42
Platform
win10v2004-20240426-en
Max time kernel
477s
Max time network
581s
Command Line
Signatures
Quasar RAT
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (10) - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 172.67.165.196:80 | freegeoip.net | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.12.205:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | 196.165.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 205.12.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 171.117.168.52.in-addr.arpa | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/4188-0-0x000000007540E000-0x000000007540F000-memory.dmp
memory/4188-1-0x0000000000160000-0x00000000001CC000-memory.dmp
memory/4188-2-0x00000000051C0000-0x0000000005764000-memory.dmp
memory/4188-3-0x0000000004C10000-0x0000000004CA2000-memory.dmp
memory/4188-4-0x0000000075400000-0x0000000075BB0000-memory.dmp
memory/4188-5-0x0000000004CB0000-0x0000000004D16000-memory.dmp
memory/4188-6-0x00000000058E0000-0x00000000058F2000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/3740-12-0x0000000075400000-0x0000000075BB0000-memory.dmp
memory/3740-13-0x0000000075400000-0x0000000075BB0000-memory.dmp
memory/4188-15-0x0000000075400000-0x0000000075BB0000-memory.dmp
memory/3740-16-0x0000000006470000-0x00000000064AC000-memory.dmp
memory/3740-18-0x0000000006940000-0x000000000694A000-memory.dmp
memory/3740-19-0x0000000075400000-0x0000000075BB0000-memory.dmp
memory/3740-20-0x0000000075400000-0x0000000075BB0000-memory.dmp
Analysis: behavioral18
Detonation Overview
Submitted
2024-06-10 15:28
Reported
2024-06-10 15:49
Platform
win10v2004-20240426-en
Max time kernel
464s
Max time network
593s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (12) - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.112.168.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/3828-0-0x0000000074BCE000-0x0000000074BCF000-memory.dmp
memory/3828-1-0x0000000000670000-0x00000000006DC000-memory.dmp
memory/3828-2-0x00000000056D0000-0x0000000005C74000-memory.dmp
memory/3828-3-0x0000000005120000-0x00000000051B2000-memory.dmp
memory/3828-4-0x0000000074BC0000-0x0000000075370000-memory.dmp
memory/3828-5-0x0000000005210000-0x0000000005276000-memory.dmp
memory/3828-6-0x0000000005DB0000-0x0000000005DC2000-memory.dmp
memory/3828-7-0x00000000062F0000-0x000000000632C000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/4012-13-0x0000000074BC0000-0x0000000075370000-memory.dmp
memory/4012-14-0x0000000074BC0000-0x0000000075370000-memory.dmp
memory/3828-16-0x0000000074BC0000-0x0000000075370000-memory.dmp
memory/4012-18-0x0000000006620000-0x000000000662A000-memory.dmp
memory/4012-19-0x0000000074BC0000-0x0000000075370000-memory.dmp
memory/4012-20-0x0000000074BC0000-0x0000000075370000-memory.dmp
Analysis: behavioral21
Detonation Overview
Submitted
2024-06-10 15:28
Reported
2024-06-10 15:52
Platform
win7-20240508-en
Max time kernel
596s
Max time network
600s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy - Copy.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (13) - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\9bmGvbiv57rv.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\o5eTUMYJzbEp.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\2oI6PYfl6LMp.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\OcocY5VRXje9.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\EhCbLjcJZfyL.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\CJMtU5gsLBZF.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\oELlPSZQ7nOf.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\7TxwtZRGRK6U.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
Files
memory/1640-0-0x00000000745DE000-0x00000000745DF000-memory.dmp
memory/1640-1-0x00000000008B0000-0x000000000091C000-memory.dmp
memory/1640-2-0x00000000745D0000-0x0000000074CBE000-memory.dmp
memory/1640-3-0x00000000745DE000-0x00000000745DF000-memory.dmp
memory/1640-4-0x00000000745D0000-0x0000000074CBE000-memory.dmp
\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/2988-12-0x0000000000E90000-0x0000000000EFC000-memory.dmp
memory/2988-13-0x00000000745D0000-0x0000000074CBE000-memory.dmp
memory/2988-14-0x00000000745D0000-0x0000000074CBE000-memory.dmp
memory/1640-15-0x00000000745D0000-0x0000000074CBE000-memory.dmp
memory/2988-16-0x00000000745D0000-0x0000000074CBE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9bmGvbiv57rv.bat
| MD5 | d2c32e674528be7209781e371753a434 |
| SHA1 | dec5ba87ca936d395f47d0e94a15ab7aeca12c16 |
| SHA256 | c9d057a09fb570e5337379588c781807231a46d95d82af49633f0806964a63a8 |
| SHA512 | 44211be5685dac539974c8bc13b6d7f73a7e087f48b6601fd4ba3007eb961ccb03a08edfd194f40fab0c5b403e2a8a2da7a65cc39bc8febf3852bce3604bf7d2 |
memory/2988-25-0x00000000745D0000-0x0000000074CBE000-memory.dmp
memory/784-29-0x0000000000090000-0x00000000000FC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\o5eTUMYJzbEp.bat
| MD5 | e454be5118e9797e73c01f4b86599cf8 |
| SHA1 | 4384e96df681aee2e96385dba511657bc3796482 |
| SHA256 | bc2d1beca9fec4c4daf043782a18143490ba7afdbc428407e69cb55dc3cb595b |
| SHA512 | cf0456d4aaa881f019d411f91b03627c75358613ff303e23155814383f6dee3754bb016ec7eccebe3ef4361e09e4d13cad749ba7f0806bd2111b135d64d70d1c |
memory/2324-41-0x0000000000810000-0x000000000087C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2oI6PYfl6LMp.bat
| MD5 | 10b5a30b8ee854b200860e065c86c11c |
| SHA1 | 3afeebd557ecc71d52e77375f2355a7c8499f284 |
| SHA256 | 77701521ef6ae9bfb392063d4d75e63596e3d10f1a572ba20d5eda90c55f2f3b |
| SHA512 | 11bc1386534844fc4d9a191a35f62457546a2a11774a0a13f46271bd4503624bc7674a61d2b00181c8562b288dc821eb1d6c41a344b0740e36f8cf36eb0f3429 |
memory/808-53-0x0000000000160000-0x00000000001CC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\OcocY5VRXje9.bat
| MD5 | 6579066628fcede0ca87ccaf0f6d3c37 |
| SHA1 | 483cc5a5970005466dd3d6dff250fdc0ee0807ea |
| SHA256 | a27b6d81477bd9f5930f0e869b4df25c0f3b6c04d4c16eb1831b214f2a663b61 |
| SHA512 | 3e98c85158c16ea09f0c94f94b4f8707741787fb5a91ebcde7bd0a766c0013aa7f469105a1b588c6526f1f8431faa87424ea7822574004967059fee5ac217020 |
memory/1448-65-0x0000000000990000-0x00000000009FC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EhCbLjcJZfyL.bat
| MD5 | 3f8bc7fd1c38b214c3691cb6947dc5b1 |
| SHA1 | 4d2c3634dc1dd5e107e35e319760b6def783370e |
| SHA256 | bff539898562579f73e482ee9291cab60a867d1716c9239de5e8a5cf8d92e359 |
| SHA512 | e02c2deea032123710b81ba8cc858f54ab0190abe4af74ff63c6bb5f14417d609997ea2d61dfe84b387c704fbfae0567dc4061b72194b18d7e72ec4f7dda4dd5 |
memory/1412-77-0x0000000000FC0000-0x000000000102C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CJMtU5gsLBZF.bat
| MD5 | 4bbf21633cc5679d57cf9c6379fc0061 |
| SHA1 | 903a9da103cea8b9bbd56c46223a38bba8fe37f5 |
| SHA256 | 2d44178924b4322ea521f99a10cb91b365a3f354e75d555c74e67ad896a4216c |
| SHA512 | 1d4d56618a456b31772498e79efaf953984c68170d26471baaa248a0a8a68c5facc123fa4f98dd72db2ac762b7401a53432079a4a0039ea0d00c87c73d789547 |
memory/1668-89-0x0000000000380000-0x00000000003EC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\oELlPSZQ7nOf.bat
| MD5 | 1e0ea9a2d4c0159b37e4728126f734a3 |
| SHA1 | 61c790a6cf96360c0e13c48bbdd644fcb0857fe3 |
| SHA256 | 2b0d9493abfa9ac8abc06e95a0e998d361451161179643b1da9785e8fe1e37a2 |
| SHA512 | e7f320969acb98d3b958e23e122470fd37e0daf71ed64c7294d2782bc8f928dc52dde92b7102722c30fa0ef922237869ddadcfe9dd3776ce24f901d35f162ae1 |
memory/2712-101-0x00000000002B0000-0x000000000031C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7TxwtZRGRK6U.bat
| MD5 | 0c2c12071a39228e6501f98d0a493876 |
| SHA1 | 77ea5a770bd31f18494bae9c7363bb7a2653c294 |
| SHA256 | 4266d649958633aec6d9c9ef0680adfccef6d0d975ca1625031977ca206512ae |
| SHA512 | 834450371880f8aa34495a22a01f90bab4d9c626077e6b65a179a644d9e6d67e0fb76d5e0d151474bdaecc07d874a0ea6ec362867cd20d62caa511d54e05b6a1 |
memory/1292-113-0x0000000000E90000-0x0000000000EFC000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-10 15:28
Reported
2024-06-10 15:42
Platform
win7-20240220-en
Max time kernel
476s
Max time network
580s
Command Line
Signatures
Quasar RAT
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (10) - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe'" /sc onlogon /rl HIGHEST
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 104.21.81.232:80 | freegeoip.net | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 172.67.74.152:80 | api.ipify.org | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/3036-0-0x0000000074AAE000-0x0000000074AAF000-memory.dmp
memory/3036-1-0x00000000002E0000-0x000000000034C000-memory.dmp
memory/3036-2-0x0000000074AA0000-0x000000007518E000-memory.dmp
\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/2780-10-0x00000000008E0000-0x000000000094C000-memory.dmp
memory/2780-12-0x0000000074AA0000-0x000000007518E000-memory.dmp
memory/2780-11-0x0000000074AA0000-0x000000007518E000-memory.dmp
memory/3036-14-0x0000000074AA0000-0x000000007518E000-memory.dmp
memory/2780-15-0x0000000074AA0000-0x000000007518E000-memory.dmp
memory/2780-16-0x0000000074AA0000-0x000000007518E000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2024-06-10 15:28
Reported
2024-06-10 15:49
Platform
win10v2004-20240508-en
Max time kernel
600s
Max time network
602s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Executes dropped EXE
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Program crash
Creates scheduled task(s)
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (12) - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WuSRnSuTxKYj.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3768 -ip 3768
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 1916
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fz3S3QunkMQu.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 8 -ip 8
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 2196
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bIiYDCOK9Zq1.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3656 -ip 3656
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 2196
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PoXbAuoGjTdR.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2364 -ip 2364
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 2200
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iw3XzmN2AuFD.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3584 -ip 3584
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 1088
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5lcNQOlNxNq6.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 908 -ip 908
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 908 -s 1088
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1N2G44CJYB4f.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 656 -ip 656
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 656 -s 1708
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KBmNiwQLpqyd.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3404 -ip 3404
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3404 -s 1092
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\q5C6MtXvwwio.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3516 -ip 3516
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3516 -s 1092
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5NzfRozY1p1x.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5096 -ip 5096
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5096 -s 1672
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JfmEXjRC5jL7.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4488 -ip 4488
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 1732
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NM3zOlcM09iz.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1032 -ip 1032
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1032 -s 2228
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mglfbZcmUaCl.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1096 -ip 1096
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1096 -s 2236
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D4EqgaxyOuL7.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3088 -ip 3088
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3088 -s 1088
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hTUkYKSTo2CO.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3552 -ip 3552
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 2232
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lAlWQMddkSZF.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4924 -ip 4924
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 1096
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zSY5VH5HoMsP.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2816 -ip 2816
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 1696
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Qq0GaIQSig2l.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1080 -ip 1080
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1080 -s 2252
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Z2FZ0GN1qszR.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 2976 -ip 2976
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2976 -s 1096
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JZzqfrvOcFNo.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 5016 -ip 5016
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 1680
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rPTnDMrWpF9J.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4236 -ip 4236
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 2232
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HnvyINCijZIf.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2532 -ip 2532
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2532 -s 1708
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uH3lNTQSTKIE.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1396 -ip 1396
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 1688
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\amzIFKpWitzh.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 1824 -ip 1824
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1824 -s 1092
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0ARTKKAhdD83.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3684 -ip 3684
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 1704
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\W4rCyHHHjJsE.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4072 -ip 4072
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 2236
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xSJN3IcTed2a.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4136 -ip 4136
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 2232
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gW9FZYyN03HX.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2992 -ip 2992
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 1660
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
Files
memory/4032-0-0x000000007523E000-0x000000007523F000-memory.dmp
memory/4032-1-0x0000000000420000-0x000000000048C000-memory.dmp
memory/4032-2-0x00000000053D0000-0x0000000005974000-memory.dmp
memory/4032-3-0x0000000004EC0000-0x0000000004F52000-memory.dmp
memory/4032-4-0x0000000075230000-0x00000000759E0000-memory.dmp
memory/4032-5-0x0000000004F60000-0x0000000004FC6000-memory.dmp
memory/4032-6-0x0000000005BC0000-0x0000000005BD2000-memory.dmp
memory/4032-7-0x000000007523E000-0x000000007523F000-memory.dmp
memory/4032-8-0x0000000075230000-0x00000000759E0000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/3768-14-0x0000000075230000-0x00000000759E0000-memory.dmp
memory/4032-16-0x0000000075230000-0x00000000759E0000-memory.dmp
memory/3768-17-0x0000000075230000-0x00000000759E0000-memory.dmp
memory/3768-19-0x0000000005FE0000-0x0000000005FEA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\WuSRnSuTxKYj.bat
| MD5 | b951a4ba3f9c1e30d70733f482ae5b1c |
| SHA1 | 9e35dc8180b301e1fabd6f38e7e1106ef5b1c7ac |
| SHA256 | 3a502fddcaf07d247bb95aa7bdef9949ffa693485ca9e670e04f4b88564d9fa5 |
| SHA512 | 3154a37225542e45cff38965c90d402975e1f2d8bcc48c101c5f964ce62eb82a750c3cc682157f59d02497fde549966408e4dfa79b883bd7644704a8b017c799 |
memory/3768-24-0x0000000075230000-0x00000000759E0000-memory.dmp
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | d4006d2826da7fb831487f03208424c9 |
| SHA1 | 5519d6fd9bd02c036327ccd4dcc7b4cca9814cb2 |
| SHA256 | efe446434efd2f634afc5576ecfb362781037e1e3caf6bd1c17dc7495e4d6710 |
| SHA512 | 46786e494be31c704b551754340b087a966d4a22495ba5c241b4112542a3332244aa0fb9ad67f381e22374f26d454b8346ca07c1d15a5b7ecf6c254d6b53ac15 |
C:\Users\Admin\AppData\Local\Temp\Fz3S3QunkMQu.bat
| MD5 | 385f5b1049597314e39a0f826fc94f0e |
| SHA1 | 1d9effc1b9861d65cf3013442c23eb76eb8751d9 |
| SHA256 | 0aef9e32bbeb5f4b49934338b930fd2996cde3306c249422771f42a584839c52 |
| SHA512 | a9c4215ac6be503854c850d5286dc33b8dd92ae09fe99f5465918266512927ed1a0181546bd90a6f93eedc306237de95cef4e1cd997743b8ae2aef4ecd3236fa |
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | 9b106fccf50fca872e1a931a8983e29c |
| SHA1 | 62be1f2f5751b8ac6c563f720299a1713ebd20a2 |
| SHA256 | 1c6ab68b58c3cc7c41d7ea4cedfb9a784daf319167188f556804a61f00aad346 |
| SHA512 | 3719ea1740d8a78396f396c863db72e79fce7ff4674fc8649189d8228327bd156d16c85d609da529f69591c9d13c8ed066e479f0f25acfaf3d101c8a210604d4 |
C:\Users\Admin\AppData\Local\Temp\bIiYDCOK9Zq1.bat
| MD5 | 989019984fea1e78233d9f0ae0f12e3f |
| SHA1 | 7043f8b9fbb891ba5f0f744ebf55dc72416be0f4 |
| SHA256 | c5d1734166a90a8b8d3ac160480f8a7b0db8d665da0bf0304d9ddd2e862af85d |
| SHA512 | 4706e123990915569632b97f5f046033a8289aff4fd4b6e0527e2e918befead36f5c814cdd15ae78f622a059ab6dc0abafa2a4e80fd5e171ef6b1c21e2621d39 |
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | 0decbcd8eea1401b39a85a9e59bb9618 |
| SHA1 | d813851106070c7b9f425729e4c40c527723c0af |
| SHA256 | 63fc2bd95f89fa7b6f8e52c561a6cc3461ec78ed78e1207e755040a9df18be9a |
| SHA512 | cf155fd9a34c3d8d281f2dc9b09968fc220496775933164df380e259f90420e75f131b50f48eb5b03810dcd0135a781e62f202fa9be968bef9b00c5a75146430 |
C:\Users\Admin\AppData\Local\Temp\PoXbAuoGjTdR.bat
| MD5 | 86952a486e47eb8d33d5d82f37ac5a17 |
| SHA1 | 6037f8d7dac81204d4ab2c97964e4b9161740132 |
| SHA256 | 9d6974750a04c8a3e4f89d0baa9f11c16b3dde53bcae09015d797b8564771d77 |
| SHA512 | 05b572f3f1a317edee0d7c85a20deec048408c8764b5e813d90ccaa78a55f6973ec8d87eb62ad4c77c005ddefe1ce44a9d0fb79268fa58f0d8d2d6dfa34267be |
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | 15adfd1ae4f53764de5a40e1ac660ba0 |
| SHA1 | 87aa7815906d0d45cdb746e52b88f3e54c2141c2 |
| SHA256 | 2495dafb9b8360b5498f9f75dac5f01affcf63c277f509252df7230b60c2f90e |
| SHA512 | 0778231b881abe1302e3e403d0aea7affaea32b893bc955c8aaa72771a80fcc30d946880c09fba55b5fe8bcc1334250e90320f72416228d62fa8b4720e187112 |
C:\Users\Admin\AppData\Local\Temp\iw3XzmN2AuFD.bat
| MD5 | 4db9df7915b6fa8f7b8c37e11ff62a37 |
| SHA1 | c12b6b4e88e0dc8731237ad6b4c213b1c66919be |
| SHA256 | 289b85c745d5355c0af5d515366f299b5f307efdd52b852d92b0629c5d21e216 |
| SHA512 | ea23d0ecd62e81d01b77095f8d38556fd327dffdf4ff26f26e5dde1f1c307ec08ebdd5e73f9a963c4478f203e7bcaa892581a751ffc8becac3c77902435be161 |
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\5lcNQOlNxNq6.bat
| MD5 | deccdbebed176188afbe8a4cc97455e1 |
| SHA1 | 3c5ebedd0c214023f6386f46b15d130d0fcf76d0 |
| SHA256 | adc395d0d2ca45eb4186c0e934a13bda7184eec70d62b0264d8bf849790ed5ed |
| SHA512 | abdf45f2d2a4a31a954728e42df4bc8b648c8565028d7e641649d467b7dc288d896090089ec223c4065c2ab8399c9d719e082aa37926209dec0bcad4512cc31c |
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | e5b03f5826dd38bf941e2dd745440713 |
| SHA1 | 745bbe489724e8d81c66c8f5b3bd90ab79a9d0ca |
| SHA256 | 952b1450142c0b3abf6a287bb81bf08859d013eea4f70bebcb727eaffaf46bef |
| SHA512 | 0d679033a08d7e16997e3f7ab2093a383b8f33e2fa0c98f129b8c004967d0135ff26488b9eefc66eea51fb7008e71e98b56d2087615b6825489a46b7177e5231 |
C:\Users\Admin\AppData\Local\Temp\1N2G44CJYB4f.bat
| MD5 | 976cea1769c22a9167363f08e5e26018 |
| SHA1 | 5c75ef7411ea85df83f107410a830d03fb3b6acb |
| SHA256 | dbd52e2cd9ff0d0e41173cfe08abb2e1ca12d44f72670d370e04ba29c3f6db76 |
| SHA512 | 3a78f63e2c8f73d34bf718cab41e040b53944ee051ce5e6c768d26aea2502e51e9ac66fbd7fa5969e78122587d9aa04a0a5904ca62c55a83da8da660018b2b99 |
C:\Users\Admin\AppData\Local\Temp\KBmNiwQLpqyd.bat
| MD5 | b915e6912fca767229577885cedb224c |
| SHA1 | 6853470450174ca2754b18015f72dc426a10db37 |
| SHA256 | 7d4a4ff56f732b4630a04866e12431984e8a2e0c922112b72479ce7c77f63b2a |
| SHA512 | dcf6837f5b4ee221b365df553df890ccfb62564f35cae9ace1366ffc3d25d464920db2393cb8991575ae44006354659d2016ee3d268ea7490ceb33fefc0fdddc |
C:\Users\Admin\AppData\Local\Temp\q5C6MtXvwwio.bat
| MD5 | 6025cef59408fb0f5c722f894939f861 |
| SHA1 | 9c904ee45897cb989ced2ca766422264c9ace8dc |
| SHA256 | 0a697bb3fadd1ee37da2e35e0f4a2a286c0860764c421542e0fa886ee39d9456 |
| SHA512 | 6015e66ce6c95c182c1151fb273200e3613fc063030caf39d0fc6ff7acbf14be7cfbbfb2ab59118864bfa75f300a29a0b8b777fc8a4983c63475dbbd01182619 |
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | dcd1d14d8f9db9d993aaadf319067e10 |
| SHA1 | 285687cf658bde4cf318eb0672dbdd23e5e8f1dd |
| SHA256 | f327fc44c959354a75952c931f897ded7e25c6b82094bb2c922a01423587539e |
| SHA512 | 2c317635456f7f22fbd1af8cda50a5ee523a91d7692548b366ffb28f3c51ec71294acd4bd12b5c9142b5f55c018d6d13f3ab1c9a090a78758689951ded67c71c |
C:\Users\Admin\AppData\Local\Temp\5NzfRozY1p1x.bat
| MD5 | c92ac013eac2f9e5866d75664a93f985 |
| SHA1 | 5caafed24097046676690dac3e28090da82b6f03 |
| SHA256 | c861dbde1370094975163b75789e84c595bdf15c00730997525c4192c4412fa0 |
| SHA512 | be7c76b900e6b5808f497e80297ff905662b19b323e4f6ac2285306b058d3577bbf305fa8d99bfad97bf6c9e0d7190bc4b5766a0546f291b5f50eae922356f96 |
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | 67637df074828b6d7a4e3698a5bd9768 |
| SHA1 | 61bd39ffa993d1ed6f3d4c42031fef7e839374eb |
| SHA256 | dce44de9e01be74eea92b3eac2dde5f23fc8ee8456f362fde549c37e686cdb10 |
| SHA512 | 70e4cf4ce7b3696d4d84d234864158147a68f447b1919816830204ac7474006b932ccf1215e90d5265ea72a6d9e24ed2e7e63255d42fef97cb6d8f710cc1668f |
C:\Users\Admin\AppData\Local\Temp\JfmEXjRC5jL7.bat
| MD5 | 57583d8311c2141a930bd92d7ef6723c |
| SHA1 | 1820c8b4ed20a79ec35d558d1db30a8f7aa5ae02 |
| SHA256 | 2c158b9d1c0c1c43ebf090c540ffdb5382b36bd87c564061e38d5074b1114a13 |
| SHA512 | 8ff6c0bdff65568b5087bda531450bc7b798afcd5f9be08b9f47a4555f98c0723a1424b4fcbb9f68c3b2f1cfe9c1996151a06de2f43dfe6f47f32e5cfe6aa224 |
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | c8d885b29bbcf27f1cbae1fda763eda7 |
| SHA1 | eb3b80f3d76a356771ba3aed04ec41023b12ae75 |
| SHA256 | 19c2abf746ee177a1bae382ca555b24edf9ea9faabbf23037937df0002ba165a |
| SHA512 | 103455bc6e89766e1f481212b9c4c3f103e7ad43cac54968abf8930aa225602a400f7287732763a59b268a1e47801300cf6df6577283b4f2f708007d884d5da8 |
C:\Users\Admin\AppData\Local\Temp\NM3zOlcM09iz.bat
| MD5 | 6e8650a199ba9e53e568193d6e2ada84 |
| SHA1 | d17b61287144bdcd594b88084189e502723ee84a |
| SHA256 | 0c2440c286823403e9586206a8e3427eabb5480bb42eeb2bf909c97e049c09bf |
| SHA512 | 382ec11f74b44cdbe5cfc41ede267a10a2ad16c98ce1bdeb604e9c07710ba233451500079f1800acba14ac5b80a0138a35a63b81648bb1b4b81a70340b0a57d6 |
C:\Users\Admin\AppData\Local\Temp\mglfbZcmUaCl.bat
| MD5 | c905300e860872f4a7136ad338932226 |
| SHA1 | 0e8ed47c006bee345148327ded7cc0736a472622 |
| SHA256 | c3bde2aea093f004156ea4c4fbc685fec860b0182dce701ab75540329615b99e |
| SHA512 | c7f680690f0df651f460cde3cccac602845f3231bc98c5a31ea09ad82728e5c1fbc0b206dc339ab47a5fee38eefdfbef07710fc2709b89ff1ad95c923b688257 |
C:\Users\Admin\AppData\Local\Temp\D4EqgaxyOuL7.bat
| MD5 | f7ad7e35518cf3b838fb7e3ab6419119 |
| SHA1 | 1e4587744863210c556a4b6516815c9b81e11f78 |
| SHA256 | bedbdbc23bdc18c9ce480809b3ab9aa2cf88119f9bb0083327098a46e9bfcf23 |
| SHA512 | 865d1afade0102b0fe34a6e47efe3ba4bd5cd2d81e4a1848b9faaf9cf43cfb3fa1c3296d1e42d7bd130b6d8f1e0d4bfd1af5da0b11916dcd04bb1a6aace103a7 |
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | 938de5a697e11c67fdd655ef311548b0 |
| SHA1 | d4bf26042927f07533ce67f4fa39353f2b83714e |
| SHA256 | b3250da1ef0eda4a3b5f7d3b27db3b2da645fe93941e6b227132946178a5c4ea |
| SHA512 | f95174defc7d355416b4ac004af73e6d2706a71bf5de7c38cc4f61f4fce359ea75d4beb47750a5aa72f78a1322f50880d5b3aa7d652138a0e4382e1eeacab7c3 |
C:\Users\Admin\AppData\Local\Temp\hTUkYKSTo2CO.bat
| MD5 | 77253dbc21f19349afa4ca3f58414b66 |
| SHA1 | 605ae42e97478e696a8b4749525a8905ed723565 |
| SHA256 | 280c03925ea416145189334ff71b2f9478792c7cab5b659addc7f5b94fcb5b2f |
| SHA512 | 883b98c34b217134ce5489458284faa0cea8d5385ad2aab026d7327964d70c78d064482a3e31d4b698d4ee6f32dc245ed64a14b0543adf8e4768c820956dd632 |
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | ed80ab401320492668ec1be3a3906324 |
| SHA1 | 9f5e35086adcdd71deb04b85f90b4083a4ccb5ab |
| SHA256 | 1e110855b30818912d26ea82e9eb8346a02bbe2e23e077c373cafb1e0f90d4e4 |
| SHA512 | 98b1d143dd7b681d473384eb59e2e9d4bb63fb7c92a0a72ee95b90c44cb50e1129de4afffcb05ae092f75b8550166df3448039eddc3d034779ce874c74fb95d0 |
C:\Users\Admin\AppData\Local\Temp\lAlWQMddkSZF.bat
| MD5 | bce30bfda236ab3833d5cba05df2b6fb |
| SHA1 | cbeb3c1db2389fc65b47a8cca09ae277935fb0ce |
| SHA256 | a8ec9655c62f62b47b7184aa7e8f9133c1a2220762ffdac7bd14422ffa635ff5 |
| SHA512 | 20093f23f1132f8bc0a102e4314847da9feca2b19b2ca53934ea6323f50ea3123e0b1ec6559fb708aecf1cb3af0897a83f5f2ec2fbc85f83568ea51a3ca50558 |
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | 3770533c9e32286cbfa5fd5f00fc84f9 |
| SHA1 | 9e65cb9aeadfdba226a7447b8d52393ae7e8b405 |
| SHA256 | e886ed865bcc5820f2a25652422db0e08ea6270c0cc444c813ccd67675e0baf8 |
| SHA512 | 1c6bbf32b7fca4fd6f4bb3993bf6b193aafd1ee06610d1d2b3945a7995eda9d8014735f107def848cd290552a0e59fe3e513a96defa4d18a2ad2271a8480b8ce |
C:\Users\Admin\AppData\Local\Temp\zSY5VH5HoMsP.bat
| MD5 | 617f7d858be1d597b25e21dce07642ab |
| SHA1 | 065ca6b353312fd84c7c007f2d48c7ff06ef56d8 |
| SHA256 | 5a9935676e7a085502efba21ece755f39025d70cb3dcd37c06b1875b4507f5dd |
| SHA512 | 8a265650556f5e25c823f0a7f06e774634fb606d2673ccd2a78dff4044a59d358d58ac0d8642eb9809e8ab620931818069845f6047c751b09f63a32e16029144 |
C:\Users\Admin\AppData\Local\Temp\Qq0GaIQSig2l.bat
| MD5 | 6c09815feccf1d421857272775205ac8 |
| SHA1 | 5c3a255b3910e434c2af5530915279fa3c3be65e |
| SHA256 | 138a621649e189562601eef41fa6560fc7231241a3baf428f270dc7195ea32ed |
| SHA512 | 39f01fccec75a27640b2ba20d83c39afbfa13e43957e2e446019be562dd64c0b9b7b9afe1dd00bf9555f6f25273d9a8468c526a6aeb93d264cdb1ef4f90f98c5 |
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | 915e0abebfa00a8285a6ed124e37282a |
| SHA1 | 17a676e5da78c51302e3b35db2226dbe32225c40 |
| SHA256 | 93145b406e6ee28fea5b86aed36f251c057fba39482cd4a2e54cf2e148cadadd |
| SHA512 | 8bb7f0ca86337c712e9ecf82eae1db386208962952e8453173c15835d53d25e82ff00148e9e7c48ea0e672c091acf02ee3d583118a161030a0c913fe46098eed |
C:\Users\Admin\AppData\Local\Temp\Z2FZ0GN1qszR.bat
| MD5 | 6d3be12e3219fae6aac4c501a0564326 |
| SHA1 | 2147cfa9326f45e819375beee28ea878911dd7d0 |
| SHA256 | 91f803c31df2e0d272b4622572ed4567ebcaf8c7a9e46de83c007b951099cc40 |
| SHA512 | aeaec096a93595b897b4426afab7af1e403890c221675f606a1afd66e8af1dda33ffed1f4856a8eb91959e486bf573931040254092dcb64980e6476a0687f19c |
C:\Users\Admin\AppData\Local\Temp\JZzqfrvOcFNo.bat
| MD5 | 531be0303164b8b3dd8bc34190ae395d |
| SHA1 | 9d957799c85559cfd9a023a8e7a55b422fcba06b |
| SHA256 | 2effbd5fcc75bf6466b46a23bbc27f9e8d81c06f78195a5b6bc2b7d952acca3a |
| SHA512 | 5cc9418e98d486184fce9390130a061f5bb90b36283534c4839dd5e685fd18fa40fa4b09dd5bd64532453fdb8920f3649e1c195f17c2f4e594e51c91c562be57 |
C:\Users\Admin\AppData\Local\Temp\rPTnDMrWpF9J.bat
| MD5 | 31eb5f2940d8331d7699492cc04b82c3 |
| SHA1 | af675870336584b87bf6fccb8164799bc1e90a34 |
| SHA256 | 179fc2651a0d59a8489f8ab1c0bef0e6bfc1a46c7931f347f800655fd80332d8 |
| SHA512 | a96c0e6895284a38fbbd05681a30bb58e5852105224ad1e2cfa5c50dfe138d99f665fbaac7b443b7c48298970bb4bf6240e30bc5a46933fd6c04f6dbe16c4996 |
Analysis: behavioral11
Detonation Overview
Submitted
2024-06-10 15:28
Reported
2024-06-10 15:45
Platform
win7-20240221-en
Max time kernel
465s
Max time network
593s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (11) - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy.exe'" /sc onlogon /rl HIGHEST
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/2868-0-0x0000000074A2E000-0x0000000074A2F000-memory.dmp
memory/2868-1-0x0000000000090000-0x00000000000FC000-memory.dmp
memory/2868-2-0x0000000074A20000-0x000000007510E000-memory.dmp
\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/2584-10-0x0000000000CA0000-0x0000000000D0C000-memory.dmp
memory/2584-11-0x0000000074A20000-0x000000007510E000-memory.dmp
memory/2584-12-0x0000000074A20000-0x000000007510E000-memory.dmp
memory/2868-14-0x0000000074A20000-0x000000007510E000-memory.dmp
memory/2584-15-0x0000000074A20000-0x000000007510E000-memory.dmp
memory/2584-16-0x0000000074A20000-0x000000007510E000-memory.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2024-06-10 15:28
Reported
2024-06-10 15:48
Platform
win7-20240508-en
Max time kernel
596s
Max time network
603s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (12) - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\Tlodm8oD4WFF.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\t8CTZ4bjcl52.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\bdtPvacR129q.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vsVaPiUHLZsf.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\VIKdYslkRDnA.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\lW85FGUGEvp6.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\EuKfpwR6IyMn.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\5wntW8NWRpiK.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
Files
memory/2176-0-0x00000000742AE000-0x00000000742AF000-memory.dmp
memory/2176-1-0x0000000000B80000-0x0000000000BEC000-memory.dmp
memory/2176-2-0x00000000742A0000-0x000000007498E000-memory.dmp
memory/2176-3-0x00000000742AE000-0x00000000742AF000-memory.dmp
memory/2176-4-0x00000000742A0000-0x000000007498E000-memory.dmp
\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/1924-12-0x0000000000CD0000-0x0000000000D3C000-memory.dmp
memory/1924-14-0x00000000742A0000-0x000000007498E000-memory.dmp
memory/1924-13-0x00000000742A0000-0x000000007498E000-memory.dmp
memory/2176-15-0x00000000742A0000-0x000000007498E000-memory.dmp
memory/1924-16-0x00000000742A0000-0x000000007498E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Tlodm8oD4WFF.bat
| MD5 | d9080f5c918352614624326aab2b1926 |
| SHA1 | c9cb3e8228ade3639ac7c68aeb67c6ba31177add |
| SHA256 | eefc8c17d5ae85031d0185f3d62b5a7444871add0e581a56fa3ac37906711213 |
| SHA512 | aa4936bb99841be813d35a398c71e45643df8ce5ce1f9e8fca726334346ed1ac39e44b3d7f3c605cb53a760f3f643b24153e1948dd55ae23c92c03298b741118 |
memory/1924-25-0x00000000742A0000-0x000000007498E000-memory.dmp
memory/772-29-0x0000000000CD0000-0x0000000000D3C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\t8CTZ4bjcl52.bat
| MD5 | 8684f15775bf60c2f7b50a6c1c8884e0 |
| SHA1 | 290a2b23edacb492d9e4aeb41b7deefa4a176d4e |
| SHA256 | 81e79aebfbd7120088f9d071471ef47176655f14b82aafda1700b41da5179230 |
| SHA512 | 6b8ba1d21019e63676f61c3a28a99ff0ee52814d6ebe64d5cc08b0a1dd585520c42ef240b797bd10e0667daf71a4118a7d2aaf65bd2147f89c5ba0d62e98dc3a |
memory/572-41-0x0000000000E50000-0x0000000000EBC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\bdtPvacR129q.bat
| MD5 | 4747c8197d918eb4920d51fadbfd19cd |
| SHA1 | c855443bed2148b095dfb0a920ff333c781bfb79 |
| SHA256 | 0bcdd1ea050f4114fb9e52d4e158476d796c055fc9ab28b97e85a604e0674da3 |
| SHA512 | 29587217c613b6c3e4b8868331b7d35c557af0e69be121e3c0919b9f4e756729860a97b4ae7f621c1aec383482d51ae3e6886363d75eeb92fa571179de1b9c16 |
memory/1916-53-0x0000000000390000-0x00000000003FC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\vsVaPiUHLZsf.bat
| MD5 | ba35e57a6b594eaf7f9037d0849842ac |
| SHA1 | 4fbacbbc48ecc96ce000b97e99e9584b46ff2070 |
| SHA256 | fcea27e18a346a3ed645a54b8e09471667a2ba9797c18e60bea54933f8d29d7d |
| SHA512 | e402646e88ce42ee8c6a8104af768cb89525a929ffed08137db3cc29c7bd0851995cc9d04b04ec733c2338bb4d166a342b19851ed9c603f84d2bd073082d880e |
memory/2448-65-0x0000000000AF0000-0x0000000000B5C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\VIKdYslkRDnA.bat
| MD5 | 38a32403c9bf99b08db2102cc74ebf5b |
| SHA1 | c1e63010becb0fa867da21bfbbf172fcce8f4be0 |
| SHA256 | 929272bf902500e6c57bbbc2492f868005336a9b43de323ebdcdc8829598e8d8 |
| SHA512 | 82c8a495f122c3c0724245feb20a1fb969e3613d423b420a5626269d500694fe75f33f9358a0f24319ce6fbf53c09abde5ee4d3079534c5a1147e98cebee7263 |
memory/1048-77-0x00000000003A0000-0x000000000040C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\lW85FGUGEvp6.bat
| MD5 | ee8957cd92595862f6baf04ce4e8f1d8 |
| SHA1 | 840447c1a23af0ce7d6f9dc6da52a3dbc258ecb5 |
| SHA256 | 87f3c4ce288c394a59c3ed0b512cf457ca45a3a456d734cd17e213b59e1a1202 |
| SHA512 | aaee8681b020c654bb330e25c7dfe9506fb1b199e552205eb0fb1259b28e3189ae8fcc4c286ef62ff544b9747ebc10b9fdf61ea63b6e941314db35a28eebdb0b |
memory/2988-89-0x00000000011A0000-0x000000000120C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EuKfpwR6IyMn.bat
| MD5 | 1aa4fa8f7c6cb9021918adec612c1d9d |
| SHA1 | 0ca7522dccc64dde19dab0690f38ccb943b518e7 |
| SHA256 | 883e1d3ecb3e0415153b073f165e8cfa388d5f52d947f58269ee07478ee5eba3 |
| SHA512 | 2bfab48f3c0af188ce62a3974a6cddab32cf00717ea3f54b409ce31c6f46bb0a842b62a3d66a007eee9d00457c49fed5bd06dad67f85600181b8a7c8d7a150a9 |
memory/2492-101-0x0000000000360000-0x00000000003CC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5wntW8NWRpiK.bat
| MD5 | a18cbd45cfceb1a9e89ce77de8dcb85a |
| SHA1 | 6d24160e78b9f16e3faf24f0d9146cca3778ee01 |
| SHA256 | cf867794d4905ca3ba20b0335e664cd9392cbc7ad59a919555bfe2650ea174a6 |
| SHA512 | c605a8c894c030d324de791549fb4d3b281fb59fbbb19886f9d330381005e4aba052f9803965e2fb8711229216e814e7a4abd4ae31e166c41faa4240bcfa2c53 |
memory/1312-113-0x00000000009B0000-0x0000000000A1C000-memory.dmp
Analysis: behavioral27
Detonation Overview
Submitted
2024-06-10 15:28
Reported
2024-06-10 15:55
Platform
win7-20240508-en
Max time kernel
596s
Max time network
601s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy - Copy.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (14) - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TJtDdnbjfa6p.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\Rv3Vm9fJQ5hj.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\CvtFurH6WKfS.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\AX4X3CLfIqGM.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\VqPEQXZG2Gel.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ufjULoZGzSdy.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\jgNyFGLMbUIa.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\VCsdOWVOWa3I.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
Files
memory/2220-0-0x000000007456E000-0x000000007456F000-memory.dmp
memory/2220-1-0x0000000000FD0000-0x000000000103C000-memory.dmp
memory/2220-2-0x0000000074560000-0x0000000074C4E000-memory.dmp
memory/2220-3-0x000000007456E000-0x000000007456F000-memory.dmp
memory/2220-4-0x0000000074560000-0x0000000074C4E000-memory.dmp
\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/1532-12-0x00000000009E0000-0x0000000000A4C000-memory.dmp
memory/1532-13-0x0000000074560000-0x0000000074C4E000-memory.dmp
memory/1532-14-0x0000000074560000-0x0000000074C4E000-memory.dmp
memory/2220-15-0x0000000074560000-0x0000000074C4E000-memory.dmp
memory/1532-16-0x0000000074560000-0x0000000074C4E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TJtDdnbjfa6p.bat
| MD5 | ef9e820d1bc931139e884fc3e9bb99eb |
| SHA1 | a4d8acd318bf2ec50e142676fc26375b91b6cc6f |
| SHA256 | 079c168288b92524db99a431cd98b77a30decb0ecdf30302f4d6242dc5e0f4ec |
| SHA512 | 2d5e958f25b7386f5cbd8497a45ab0f0898d30f62ae4dbdfdd675940b24c5b97b123c6f0987ecf1ff0a2eda945ed7d035ee8000810d32e4681a20ecf03ca258d |
memory/1532-25-0x0000000074560000-0x0000000074C4E000-memory.dmp
memory/2936-29-0x00000000000D0000-0x000000000013C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Rv3Vm9fJQ5hj.bat
| MD5 | c5b8212478157f8b6e7a6abb96342240 |
| SHA1 | 9dce1c635b8da437046386463cdfff1b9cb3a4b9 |
| SHA256 | d2ac9ab0dea321ab1de373163bc0befca4b00398cc0be46324735febcdc10e7b |
| SHA512 | 4f3926e207cc78d7dac65c5fe8e0c963516a1820f290fad5acb38aa2c8c894c0a3006ff8751597ccc4f42f09e25f1d8ade67e04ce95b63d307c0a30623ed1b59 |
memory/2128-41-0x0000000001030000-0x000000000109C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CvtFurH6WKfS.bat
| MD5 | 4dd5e64d09c6e76e4067db83f56ca86c |
| SHA1 | 7ddfd15f52564a4a7bff62e8a07f700a0cf79649 |
| SHA256 | 051d704b172e438277eba4fb3568b61d6e2ec0a1224bc28e0a1ed95ad30a5775 |
| SHA512 | 16ed73e1d8c1382733f1ec83c5314817f8e972ca669820545d2b3e1b0a4f85a057670e055fc10f8afff7fcaae1eb30e65d67ebed860ad9bda85bba2c667dd14d |
memory/3048-53-0x0000000000110000-0x000000000017C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AX4X3CLfIqGM.bat
| MD5 | 76b8f74f4d673ff1a6fff17d1953b8a4 |
| SHA1 | 04d978eefa78b71ea8949b25c3da6ca5d4dc6bfb |
| SHA256 | 349fb1075c822e9b5f3ffe58602245ecdd518a30e96e76ba6e0765a8dc40a57a |
| SHA512 | 52bd3b680beaa33c15a84bdd8d365029fead4f41729253819ca3f63a63f7b91a3ae0f1abbbbef03afbd9998b2d38b0e7227e5cd6979ec2737c6eb8a1ba7ef177 |
memory/2872-65-0x0000000000370000-0x00000000003DC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\VqPEQXZG2Gel.bat
| MD5 | 38937764122e6edf78304a231448e6eb |
| SHA1 | e8250db8994990fb9371c391007302b982b35b14 |
| SHA256 | b2dd94bd8592f4d991198dae3cc1653a79a34c294e1b216e1875a98c703f77b2 |
| SHA512 | 4ef16220fc8e2d75aa54680b145d4acc07c466596f7acecc94ea74334766fa2d22b9659ffcd609ed493c10e8ff7a29e5e55909d1ca444cc0c7b5a476b5ff5360 |
memory/1540-77-0x0000000000E20000-0x0000000000E8C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ufjULoZGzSdy.bat
| MD5 | d05aababc7c13a0459415c3745e2bb63 |
| SHA1 | 1b64a937383160825dc3f87b1a6e981913fcb4f9 |
| SHA256 | 121f17422d4251ef4cb6259a8648bac591645a5570b6c4380a415530a6f87b1f |
| SHA512 | e8b7187d3c07a510e64a2cbca98cb1f81991f5768fbfc4514240a766180df097d64886bcfa9a069f5a6e6479abe5d85e8778847696afe969ca22784f6c88eccc |
memory/2248-89-0x0000000000200000-0x000000000026C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\jgNyFGLMbUIa.bat
| MD5 | baa2c18f8c919e93a3e701f264f071ea |
| SHA1 | 51410f8f2d52c59c613c17c506da516165f270d9 |
| SHA256 | 5f37aab55e19dd5f734b42b73cd354ab3e81ed73dab96315eb608483722cb5e1 |
| SHA512 | 1d09c17bfdda20396e4a19ae913fdd565e14fe7b02d608e7800ae1f3658ab1bf10943dadb1cf29c62c0b9f19bb9ad2f8ab200fb741a1fe7a22ab6c5d564c66bf |
memory/2836-101-0x0000000000A80000-0x0000000000AEC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\VCsdOWVOWa3I.bat
| MD5 | 6e0d73c9f529fad93e1df12dfc5360d8 |
| SHA1 | c0acc18ff5ce0c0d3c14bed6ad18a03d387bb772 |
| SHA256 | d3b4d40e56674f21a03b37d2e780007fdf232e4ad5d5e82fb0546c724d71b038 |
| SHA512 | 7b6859e936bdc1f7c2385cc452b2d965c1f5198335f34250ce208b642fd0b2eeee82ca40830d6b5ce5dea7cd49560e833dda831e6bd4e4bc5c8f5f1645731e32 |
memory/2228-113-0x0000000000FE0000-0x000000000104C000-memory.dmp
Analysis: behavioral29
Detonation Overview
Submitted
2024-06-10 15:28
Reported
2024-06-10 15:55
Platform
win7-20231129-en
Max time kernel
466s
Max time network
596s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (14) - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy.exe'" /sc onlogon /rl HIGHEST
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/2344-0-0x0000000074B7E000-0x0000000074B7F000-memory.dmp
memory/2344-1-0x0000000000860000-0x00000000008CC000-memory.dmp
memory/2344-2-0x0000000074B70000-0x000000007525E000-memory.dmp
\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/2624-11-0x0000000074B70000-0x000000007525E000-memory.dmp
memory/2624-10-0x0000000000950000-0x00000000009BC000-memory.dmp
memory/2624-12-0x0000000074B70000-0x000000007525E000-memory.dmp
memory/2344-14-0x0000000074B70000-0x000000007525E000-memory.dmp
memory/2624-15-0x0000000074B70000-0x000000007525E000-memory.dmp
memory/2624-16-0x0000000074B70000-0x000000007525E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-10 15:28
Reported
2024-06-10 15:40
Platform
win10v2004-20240426-en
Max time kernel
464s
Max time network
595s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (10) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 26.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/3756-0-0x0000000074ADE000-0x0000000074ADF000-memory.dmp
memory/3756-1-0x00000000002D0000-0x000000000033C000-memory.dmp
memory/3756-2-0x0000000005430000-0x00000000059D4000-memory.dmp
memory/3756-3-0x0000000004D80000-0x0000000004E12000-memory.dmp
memory/3756-4-0x0000000074AD0000-0x0000000075280000-memory.dmp
memory/3756-5-0x0000000004E80000-0x0000000004EE6000-memory.dmp
memory/3756-6-0x00000000053A0000-0x00000000053B2000-memory.dmp
memory/3756-7-0x0000000005FA0000-0x0000000005FDC000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/4068-13-0x0000000074AD0000-0x0000000075280000-memory.dmp
memory/4068-14-0x0000000074AD0000-0x0000000075280000-memory.dmp
memory/3756-16-0x0000000074AD0000-0x0000000075280000-memory.dmp
memory/4068-18-0x00000000069E0000-0x00000000069EA000-memory.dmp
memory/4068-19-0x0000000074AD0000-0x0000000075280000-memory.dmp
memory/4068-20-0x0000000074AD0000-0x0000000075280000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-10 15:28
Reported
2024-06-10 15:42
Platform
win7-20240221-en
Max time kernel
486s
Max time network
590s
Command Line
Signatures
Quasar RAT
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (10) - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 104.21.81.232:80 | freegeoip.net | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 172.67.74.152:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/2320-0-0x00000000743FE000-0x00000000743FF000-memory.dmp
memory/2320-1-0x0000000001020000-0x000000000108C000-memory.dmp
memory/2320-2-0x00000000743F0000-0x0000000074ADE000-memory.dmp
\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/2568-11-0x00000000743F0000-0x0000000074ADE000-memory.dmp
memory/2568-10-0x00000000002D0000-0x000000000033C000-memory.dmp
memory/2568-12-0x00000000743F0000-0x0000000074ADE000-memory.dmp
memory/2320-13-0x00000000743F0000-0x0000000074ADE000-memory.dmp
memory/2568-15-0x00000000743F0000-0x0000000074ADE000-memory.dmp
memory/2568-16-0x00000000743F0000-0x0000000074ADE000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-10 15:28
Reported
2024-06-10 15:42
Platform
win10v2004-20240508-en
Max time kernel
599s
Max time network
602s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Executes dropped EXE
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Program crash
Creates scheduled task(s)
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (10) - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PsUaVSKOMswV.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1152 -ip 1152
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 2184
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TZXV6C9yitwb.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2400 -ip 2400
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2400 -s 2172
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ptCaGzdV77Mi.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3812 -ip 3812
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3812 -s 2196
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xbH5vlxzYMQU.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3132 -ip 3132
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3132 -s 1716
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KQqwLMLKLp1M.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4048 -ip 4048
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4048 -s 1716
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qKGfzKSuSulW.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4420 -ip 4420
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4420 -s 2248
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cKAkQ7dMuF2o.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1592 -ip 1592
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 1708
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CK8jj1F2y28S.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4184 -ip 4184
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4184 -s 2224
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1tv8oDNKXEyD.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1436 -ip 1436
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 1096
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dN3wtJb4Hzxm.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3048 -ip 3048
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 1708
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\b3TOvZ50bOZ4.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1580 -ip 1580
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 2180
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2RvZ0ZRCViiQ.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2056 -ip 2056
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 2236
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oWY9JZwQOwfH.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4492 -ip 4492
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 1720
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sDpvAb7aKN18.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4472 -ip 4472
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 1720
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\loR42XOBPMYo.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2948 -ip 2948
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2948 -s 2232
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\z6Dd8SqpUGsx.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3196 -ip 3196
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 1096
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\a4SfwjAkplgl.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1668 -ip 1668
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1668 -s 1600
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\P6AT9GVWnuew.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1864 -ip 1864
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1864 -s 1708
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qUceEHqhiEoI.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4264 -ip 4264
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 1092
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uBtQ5J1rdeBA.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1036 -ip 1036
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 2236
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hGX0PIW5Ws71.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3928 -ip 3928
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3928 -s 2248
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9b3POrgpW7Ih.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2584 -ip 2584
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 1712
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HJ8u2d1IxLMT.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2388 -ip 2388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 1092
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\b7t1gUFKE0GR.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1492 -ip 1492
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 2248
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3SPQg3P4EFS8.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1828 -ip 1828
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 2228
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EBJf7ZtrBHDn.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2540 -ip 2540
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2540 -s 1092
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0CCkXM4JecU5.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2056 -ip 2056
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 1708
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ylgq6aKnLKky.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4700 -ip 4700
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4700 -s 1700
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
Files
memory/2516-0-0x000000007480E000-0x000000007480F000-memory.dmp
memory/2516-1-0x0000000000650000-0x00000000006BC000-memory.dmp
memory/2516-2-0x0000000005580000-0x0000000005B24000-memory.dmp
memory/2516-3-0x0000000005110000-0x00000000051A2000-memory.dmp
memory/2516-4-0x0000000074800000-0x0000000074FB0000-memory.dmp
memory/2516-5-0x0000000005080000-0x00000000050E6000-memory.dmp
memory/2516-6-0x0000000005D90000-0x0000000005DA2000-memory.dmp
memory/2516-7-0x000000007480E000-0x000000007480F000-memory.dmp
memory/2516-8-0x0000000074800000-0x0000000074FB0000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/1152-15-0x0000000074800000-0x0000000074FB0000-memory.dmp
memory/2516-16-0x0000000074800000-0x0000000074FB0000-memory.dmp
memory/1152-17-0x0000000074800000-0x0000000074FB0000-memory.dmp
memory/1152-19-0x0000000006820000-0x000000000682A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\PsUaVSKOMswV.bat
| MD5 | 601d15851805267dfe3e316fd45e886f |
| SHA1 | d8be1e5e29b50bfe7a3d0a7b3899c184e999cdd3 |
| SHA256 | 7f5983efb062bbc9892b79c82b53b299d90b79165ce43757721b8d0212ab144c |
| SHA512 | 47e357bd6a0a36f51ce2ffa31e6ba7ba147368b8f356387751c9bdb005af1672dd4db91fbe1af3f67c4bf3b36bdf4c562eb025b3edb85db5f9f8e9adb1869c74 |
memory/1152-24-0x0000000074800000-0x0000000074FB0000-memory.dmp
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | 235796324fe7aba9507b44abe2c53aae |
| SHA1 | 0d039659a5f0a0f286a234ce189b17d57f30e98c |
| SHA256 | 5cf97a8116a2db0bd7c404793966d4a8966cd076f107f293b56d8154da83e668 |
| SHA512 | 7154fd0c60ea5ccb9521bf4678b224c8e914a70a18925da33accd56669a7d0fc245790260abe68312d5853d96f7aa640a986c3eeda5ee065805dd80a370bb145 |
C:\Users\Admin\AppData\Local\Temp\TZXV6C9yitwb.bat
| MD5 | 88925355c7d0214eeb07660593574911 |
| SHA1 | 3d337d375373b1d78a458760a24e7030d1715c71 |
| SHA256 | 25a61323d88f14a7f25725238c80d497db7130f78cfab3b27040d99be6890e98 |
| SHA512 | 8fa412e3b719ad41ec90674f57b41971480b358ef54d2e5979ccbb8f84add07a0eb422b73a360f44246d1b4959eafa7eb5612804fc638337d23681fae82ec1cb |
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | 4d48269df3c748e4592b1657ac228ff2 |
| SHA1 | 2188f69b2208249232811dbdfd36da824bf73260 |
| SHA256 | 1b003592021a9c56b96d6393ecb434eda8103757c0927c8c78de3b07d0571f06 |
| SHA512 | 52db7f13a6879dab0e009126b2ba5a08cc219e4cb9e013d375b9a5126fa42836c5490b5f3fb3c8723988d3bea1522ed82cea23f8b2b4a35ce6f74dcd43def1c0 |
C:\Users\Admin\AppData\Local\Temp\ptCaGzdV77Mi.bat
| MD5 | c20de08cd3ef585500d7406f451eb470 |
| SHA1 | 6982438ea783c79481a753aef322d48a7c5f1236 |
| SHA256 | 83fd00c8d1f4153c7ae9214211edc59e78faff78bfff6509b07e73de67ad5b7f |
| SHA512 | b17dc68d47a8009387f52423ea3dc6a7252cc8d366966b0adf081a0c7d2b469146bf691fcb4f00fbea644be7655cdcf2c3952cc79d5d331a7f728c4e09bfbfbd |
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\xbH5vlxzYMQU.bat
| MD5 | 73141d34be2d0d54e21a208b4d15fcbe |
| SHA1 | 4c50b7b12f909792c996371425cbd68badab0c07 |
| SHA256 | 33e0f29ba774db40b2a1c57333ef6f5daca1c937994a109a206ddc19525dbbf8 |
| SHA512 | 2bea8cee26d2575b7f16ee575fc8c926ac9b8dc24259d22ecb1f7ec7d6bc6ffc754f6c2d8c42494fe969229dea42450e43e402204d631f6d026e17fc9d32c113 |
C:\Users\Admin\AppData\Local\Temp\KQqwLMLKLp1M.bat
| MD5 | c973e4d64532c5055055a8e9e934d317 |
| SHA1 | 84614ce98661d8cfc468c2f3bd8969056f773d86 |
| SHA256 | 5be1bfa88ab081d054a8fcb4056fa48f5b8011b8231b5cf8ddb0dfa6489350ea |
| SHA512 | 3d4c45e05ff0ed670ed635580a4d567b1814d7e622d1de5fa87f363aa659297ab96e3709928453d020e08c0ceebd6dac3ce3089e9d6729534aa72952eb545d6b |
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | 9e8e98c10e54c894d1ae6d2ebeb60c7e |
| SHA1 | e4066fff0c4bb4e3b1cb7346373662f6a024cf49 |
| SHA256 | 806ad9eec8e8fdbdb52a6a83922e09b50adf6a8a74e4fd1e26e320359d8b51c0 |
| SHA512 | deceafd6b455fbe297ac097115b1189e316ede382249709786eceda5b11ca2755ac09faa71a6dfe924f254845dab53bce94bf4597032e3e2a1f883400a61fbc3 |
C:\Users\Admin\AppData\Local\Temp\qKGfzKSuSulW.bat
| MD5 | f1d6cd9d0118f2893cc0aeaf38bdf2d2 |
| SHA1 | 0c83674b5b24ffcdbf1a9ff8c4faac359022986f |
| SHA256 | cf71d60f654dcccfbaa9b9f0e886eef28a3bbb7499ad8104f3d274b6cc668b67 |
| SHA512 | b4c745633dcdd20655b45796fd573405c2626db0519760a6a9611ae831c027ac0c785a0f953c4a87b36c6828de025bfe221ababf0a3a688cf74242ac22ad9e4c |
C:\Users\Admin\AppData\Local\Temp\cKAkQ7dMuF2o.bat
| MD5 | e619addbe730adf36f2fb92aa3eb1452 |
| SHA1 | 46b1b85e21a4034323ce7c6497baf5a349bcd73b |
| SHA256 | faab1cbc68380ee3d6f2113a164280f3d00c28921d74b96ecc6d654793b23bea |
| SHA512 | 510ed2b293c03032580965abed9f70a348bd21d173bbc0f7b55fa02b339b7f741294da2b04330c7d24c547f9ffbf348e3375a8dead59c67f98d7fb3214daa12c |
C:\Users\Admin\AppData\Local\Temp\CK8jj1F2y28S.bat
| MD5 | f0210c565ab114792b49f7049838ad31 |
| SHA1 | 9edb2ecb60803293921a83fe0bf25caa0d27b63d |
| SHA256 | db59b7bb2e463634ff7461e33e0d6321896d362756760decfe7a4047684e31f4 |
| SHA512 | f8efeaba030992a8c427dc39a122fcb2966cb4b546cc279d851cb1fa3365e7db1600fc424174755eb45133e06e605d8538b86d3fd56cab5abfae9150ccffcd94 |
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | 0ff5b51280c19a66501f35c8e08b7d99 |
| SHA1 | 6ec0e425f7c409f28ef36bd4c1d24745e217c252 |
| SHA256 | 25d307b59ae7e9b08b3e88f06ca2fd6b54bd576b7afd718d521a6deb8fc511dc |
| SHA512 | 2861b10b63305aebbbf453c99a9ef7b55edc772e3232d3bc7766092c17183027989550a7b07aeefa4d7234688c5cdc0e665888f33d51a0d030593f74b5a76cda |
C:\Users\Admin\AppData\Local\Temp\1tv8oDNKXEyD.bat
| MD5 | 395ab8b3660e322ac5b7b03b6aa19b75 |
| SHA1 | dd1166165ea5767fdce61b9d0096410ec3d53326 |
| SHA256 | a5fa60617dbcf78dfe4298513e51cc83ae6d2acdd7d850e1cc50a33da6762a67 |
| SHA512 | 0134561914ca3350c8e985eb46823b2e70f6b67b974a9dd06bea4335de37f71df41042cbcba32b4ef0dc52f6206a206f3eece54c4c8183f62ecbacc551880267 |
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | 37177bc9fa11c8fe06c06d4977addf31 |
| SHA1 | 5fbd4d981c10009b7805392939fb9d551a6e80ee |
| SHA256 | 123f9f6e1f102757e782f5cce1586dc6206750f2c8cfff462dd8e7855ac3b05d |
| SHA512 | 9356e2f2d25a186da1ea4d93016b75036b9c988bd5a3c17abef7e5b7f511936cd2e731c33ce5275b52f8f1cb07d2d85481b2fc6686b440dd28748db05433ba80 |
C:\Users\Admin\AppData\Local\Temp\dN3wtJb4Hzxm.bat
| MD5 | 5f42676366615c3843357586a10e98e2 |
| SHA1 | eccf88a7e1f40588f191db50d7e85d190ef24175 |
| SHA256 | 74a294c26278e34a3f12f82ae0cc87ffd5fe4a485dec644a57fbded777c6e44c |
| SHA512 | b14da892542a0ae044ec073b3c79022aa5e628f5b6087b9982a245caaba3aca5f4fa1abc749113feab2975177e27452aa43e4b67505f0d882c9543fec4e25f94 |
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | f580d9c43ff6df8c22ec05f2f7f8f35a |
| SHA1 | 370b00f413f37c3533c816535ff7346077d01546 |
| SHA256 | 3028a600640ef1a888c0eeb9767fff5d9363b7f25683faf533adb7fcaa97bad0 |
| SHA512 | 023d5964375cfd3ccd873a7808ad06ed8ee0b1ec0f4d22c3cf908cacb4165447f560ea976ff395145b1a0ab0dff24d972a4515081e38a77352078b29ca932763 |
C:\Users\Admin\AppData\Local\Temp\b3TOvZ50bOZ4.bat
| MD5 | 70b6bb9e7110bc5b83e7cd76ee211ee6 |
| SHA1 | ec5d59fb5ca06a9468d2918a7c967a4dfd724d3c |
| SHA256 | 79fb9293a8fafb38bae78ad8749f02ccedbda3161a88bd9f1b5fceba25931c0c |
| SHA512 | e99134c0e592c2aee127f430bd373afb7143a172d217ec9998253eb5aa4ac8b584e66b002cde958afbad402d473ba454413a999f0c22c8ecfcba0002ab7c4dc6 |
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | 02956c9eec9795cc2a8e6fb75e07652b |
| SHA1 | ebd3bf67eb95dd3c70cdd216eda1eb77adedbfc3 |
| SHA256 | 9ef0154f49eb0d89b562d99991be4630bae92982adf5eb1f41e826e4de9acf3e |
| SHA512 | 227511f0416497d59c92bc810c1d712126ea3aedda0072a853a33a904d7a487493cf88cc74fd97764d2de821e2b47c456ec153bcf879bd91cf299b3765b606e7 |
C:\Users\Admin\AppData\Local\Temp\2RvZ0ZRCViiQ.bat
| MD5 | c25941aaca715535c052c9f4ef3c5b67 |
| SHA1 | d01c905b389b3380ec5204c06b1bf8aae77c97ed |
| SHA256 | 3caf89c9296b332da0ba649c30e1855938d65d699221c6a4ac8cf147d05f4a59 |
| SHA512 | d2e477a4afa1d48c6c73f4b18bf21e58e268af0904ccadba7cace66ae68144078a2eb88fd1e377ef5fe522cfbfe65047a605946751e3dd0129ef05999a8b8dbc |
C:\Users\Admin\AppData\Local\Temp\oWY9JZwQOwfH.bat
| MD5 | 5b2534be8730fe5921265f3465e13cee |
| SHA1 | 7eafc6b9ca3c37beb092e196e3ff7cbaada9a4d5 |
| SHA256 | 363118a5412b65e82161e8d262346fafd6be1f9d5bbf0f9acd1b3413d43756ba |
| SHA512 | 9a3624c0084909e68ee26d317979194a4b8cdd572510592567abcddbac8f01107326935a0145e493f87ca2961e28583812aa84aedb9a91a5b5206eeba339eb45 |
C:\Users\Admin\AppData\Local\Temp\sDpvAb7aKN18.bat
| MD5 | ea0d848dad4f5a128cdea47a0251ada5 |
| SHA1 | 821f28d69c69f33beba45b3529675c92646e3656 |
| SHA256 | 88ccb46dcc7fe02a58a78493379858bba225e51bf78c67946e7db5cbe135a3a5 |
| SHA512 | f16bd780fef6669ac8611a0eda37f55dd2d243904f3d265e13e8502eaa94d5feb43242cd23e1f24130cf0f78f928d12e7185590f5adf0b28ce220138a2e9e5df |
C:\Users\Admin\AppData\Local\Temp\loR42XOBPMYo.bat
| MD5 | 4d114dc8343897f49af632e84e6dbc8b |
| SHA1 | 88cad694a2e4ad2187ad8a4952a4053af8608b2e |
| SHA256 | 26ff7f92d385f307eb1e10424bde2ee4423cdeef29cd07d2439bfcbe9730c7f0 |
| SHA512 | f735b30fb4d69fa65d8363f2e0012881f67c39c45f09c82ba22eee9b3e43d227f2ba62d5982045cb809b0aa3e2930d9ee4fbc1130cdfddbad770fe35754e569e |
C:\Users\Admin\AppData\Local\Temp\z6Dd8SqpUGsx.bat
| MD5 | b86ca15b8199fcef44d6e7b79906240c |
| SHA1 | 70bf62f9fa93699424000d197e5c2ad245047f6b |
| SHA256 | 45bc17cf770124829ae0ae092baf50c914942a61929434bd75af32716bff7516 |
| SHA512 | 62d25f0faca0fb93320c30581e64fff47772edac6ccd937d0da9e694674c5e902d1ebe6ff81172809e0448e546aef714f2a6346b68bfef5d06da23ca40ca531b |
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | bde6e7d68ea39646c693cf28ce1747f6 |
| SHA1 | bd589d851444c1846dda3a65876e8d1d28b91ea5 |
| SHA256 | c0ce602a3356d446d1174b0b0df5a8f682359488bf460a4ad5c9281514db0a21 |
| SHA512 | 2dbd0adaddec812ea2c363f27973419e9c0f40b4a47d922ad8d3e405e088a901eb50b6c225c34b7ca7637e1896923db0b85491da2ca996d21ef67cc12ff82b05 |
C:\Users\Admin\AppData\Local\Temp\a4SfwjAkplgl.bat
| MD5 | 709b5e80548f5678efbb6b407c22c62a |
| SHA1 | da4880b867d91e3b8a6e76a6c64a20bd04d98682 |
| SHA256 | 161d20e4683fd3aabdea82330f7df57f3c3d6ec87800489a9d3eeb57f9b263df |
| SHA512 | 39e73cddddc545ba6802132680021aff957de59b3011837f26810e754b9a1a64e87b14f37178201d20494234998c8760be0cfe8cf1e827ee6b0b6cb688958102 |
C:\Users\Admin\AppData\Local\Temp\P6AT9GVWnuew.bat
| MD5 | 3b02be991315df87cf3a224f1a4b39b1 |
| SHA1 | ce47ce55622c7485bfef09c5f72d8ee219ebeb94 |
| SHA256 | 5b16f356e8e4427245e7ded3bdc16e00dcb4830d2fd0ab89f549ac2697a8abb0 |
| SHA512 | d9f64f3a16c5a000b9ccbc2cd63a39621138e50e0cd06a5034f56cb149d938d5b3a9a3cfe234e84d47d41d489547f8ec38c0cd22aa33f0215c129cd4d8d1ec69 |
C:\Users\Admin\AppData\Local\Temp\qUceEHqhiEoI.bat
| MD5 | dc8b2704c2002e1d9db120d0bc406f13 |
| SHA1 | 5d3025e2cf0d770e5432458422edeb4f6d2b5f48 |
| SHA256 | db2a5e9d2dd6986739da8ea7ceceb715363e977d63e47086c80d5e88f71c6503 |
| SHA512 | 72de84b4b506d9a96e497ed47d5ca1f057a36ee002d9405b4cfd2e97e77722a9a1c4e8a9c214011e7dbb16ba808a6531ba27b45bd8bee2008f60e941352c21d1 |
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | 8b61194256050cb791df7c81b47ec121 |
| SHA1 | ecdd0adef74810f2becd70d34ae41d2eb0c10387 |
| SHA256 | 4a2d716398ec9ad3b371e13c4cb0a250e55625a594ff0a414023f66d7e952d04 |
| SHA512 | 13a2194789f54c8bfa7e68fffbb82664320d66463146706bb458eeacd563d742b258a05d44334266c1bd14526460e36c6ec0dddfa8acba1a728361fbdefdae0b |
C:\Users\Admin\AppData\Local\Temp\hGX0PIW5Ws71.bat
| MD5 | 85f85d655901f01c056c41e6910bc9f0 |
| SHA1 | b49f0fdaaa48ec1ade87b4d0c97478f581d93b8a |
| SHA256 | 7c57d99c19f111254e536befd12305700d6e3e01c8b60f41c427eceabfea0621 |
| SHA512 | 28f571939ad9c7e971183fe8e8e5d3fdb44f60950aecd340263bc3f36c29217349c25452246d619e62dfc6c02e0031b3c32da9608c7049bec886a22dd9e30534 |
Analysis: behavioral30
Detonation Overview
Submitted
2024-06-10 15:28
Reported
2024-06-10 15:55
Platform
win10v2004-20240508-en
Max time kernel
599s
Max time network
602s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Executes dropped EXE
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Program crash
Creates scheduled task(s)
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (14) - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\y0Mtcvifgmhb.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2744 -ip 2744
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2744 -s 1656
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ruj2ErJLhfN6.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3788 -ip 3788
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3788 -s 2188
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4Ocz3gBVs1zt.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3228 -ip 3228
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3228 -s 1092
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EccSDMmUQoZo.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3252 -ip 3252
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3252 -s 1644
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LdTm38Sh2pLN.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 264 -ip 264
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 264 -s 2192
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ik2TT1VhKaSr.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1716 -ip 1716
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 1728
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NRJFK3grF0oj.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4536 -ip 4536
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 1516
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kGs5lf4C2TPb.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4516 -ip 4516
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 1716
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Mk0tqlIwmEP9.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1488 -ip 1488
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 1092
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8ltyGYSOFZgR.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5084 -ip 5084
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 1092
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fBycv38DBVEb.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3248 -ip 3248
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3248 -s 1092
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WipFun44qb5g.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2432 -ip 2432
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 1096
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\k0co0iWhuUPq.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3232 -ip 3232
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 1096
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gc2heOxdWIdP.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3084 -ip 3084
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 1092
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\X9tKd8tTBOUV.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4564 -ip 4564
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 1708
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GfebIiSqxlsr.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4480 -ip 4480
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 1680
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\h36mNjn2r52E.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1120 -ip 1120
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1120 -s 1660
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0rqt1b148kwC.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2760 -ip 2760
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 2248
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yyQaRT44RV3g.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4580 -ip 4580
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4580 -s 1092
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OMslWUPGLpC2.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3340 -ip 3340
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3340 -s 1092
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pkKwcVlRFAMO.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4224 -ip 4224
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 1096
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wSPRGH5vgOQA.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 384 -ip 384
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 384 -s 1676
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WNdugyMpJIrE.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4068 -ip 4068
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4068 -s 1696
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\d5iPLkhIkWv0.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4376 -ip 4376
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 2236
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Uca2JUd9Qcm6.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3100 -ip 3100
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3100 -s 1092
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5bY1dOGoTPtk.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 944 -ip 944
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 944 -s 1728
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LNUOUVKWEG6o.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3992 -ip 3992
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 1720
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZgHxZQmAIAPy.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3280 -ip 3280
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3280 -s 1680
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
Files
memory/3956-0-0x00000000747DE000-0x00000000747DF000-memory.dmp
memory/3956-1-0x0000000000510000-0x000000000057C000-memory.dmp
memory/3956-2-0x0000000005580000-0x0000000005B24000-memory.dmp
memory/3956-3-0x0000000004FD0000-0x0000000005062000-memory.dmp
memory/3956-4-0x00000000747D0000-0x0000000074F80000-memory.dmp
memory/3956-5-0x0000000004F30000-0x0000000004F96000-memory.dmp
memory/3956-6-0x0000000005D90000-0x0000000005DA2000-memory.dmp
memory/3956-7-0x00000000747DE000-0x00000000747DF000-memory.dmp
memory/3956-8-0x00000000747D0000-0x0000000074F80000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/2744-15-0x00000000747D0000-0x0000000074F80000-memory.dmp
memory/3956-16-0x00000000747D0000-0x0000000074F80000-memory.dmp
memory/2744-17-0x00000000747D0000-0x0000000074F80000-memory.dmp
memory/2744-19-0x0000000006E40000-0x0000000006E4A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\y0Mtcvifgmhb.bat
| MD5 | 5b0b26c139a36ec8f732e171d0b3cd3f |
| SHA1 | 0a58e7826fb645436343070ebe0a6c1da851ea72 |
| SHA256 | 0f467bd64ea7a0daa7de66ed4223f6c8d46284acce64d76518f80252db6857e3 |
| SHA512 | 07bc42c00d4e372bd6251f8c247a486cb39458ba1a9435baacfacabec5bbb6125e698cbfaa0905f28111971e8b3f3dc7fa10cc39d05ce6d4b5a165c5f04ae2ef |
memory/2744-24-0x00000000747D0000-0x0000000074F80000-memory.dmp
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | ca71f167a9a1fa8dd4da4bf90028c907 |
| SHA1 | 6c5350f1b60d466e6056d7e60fde38b4d5a5826d |
| SHA256 | 0bdbcced25e4015a42eb003e3b96e4a1ac2774713919037c8e768f200aa26d14 |
| SHA512 | 58d8f52e112bdfa3342587ed331968abafe4616d4cecaacad2f7d074d3dc7b861c8847f1a4738f06d78af8296a8c401ed49fa04f24733cd0e51954e58606875d |
C:\Users\Admin\AppData\Local\Temp\Ruj2ErJLhfN6.bat
| MD5 | 58c829af8110b67d15f1df6d77820d4f |
| SHA1 | 0e7136e29146feb3b51eefbdafa5a0c69d86689b |
| SHA256 | 4ce18cf12963b7d489f48d1f0c11a9fe7564009537e7c088ec497db36398b3da |
| SHA512 | 52f8390bd38d92f379fcf33ec0198d580fb02649c9617f29a55ea1da26f3268b9ac182ce6b34c6e641e0bf60da8f436c98b46016d74151affb55c701ddcc7213 |
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | b844dcb36c9360d599d9d137e26e51c3 |
| SHA1 | fa4b47287e909325d0d1b9b64695b14429fbaefb |
| SHA256 | adf2a0f99a874fd0dcfd8b8220d91232fab37190d9f07c407f128fde0fee7eb3 |
| SHA512 | 2982ab49d8519ed58d90d6a84c446234eba8ea5f1777559947b0743d5fa6518677142003f90994c563609273a6ed2503874cb0d31fe9180b8056660101c17c85 |
C:\Users\Admin\AppData\Local\Temp\4Ocz3gBVs1zt.bat
| MD5 | 029681251647984e95d18c706783b4cf |
| SHA1 | 8b9fd56840b5766ac7b8badebe86adb3ff12c2ee |
| SHA256 | fb06af12a46449e52ed034350a25c4a23958264c64965e5a7999a42fbf82ed53 |
| SHA512 | fc41fc1d1c898fec4f866f31bcc42a447a34d8f85fd8a547244545fb4ebf952a8856db13980d993a43ba702cda28fcd68a87db7611a5aad0fe9bc95f792fd2ec |
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | 4af2600a79826ac9350830df50385242 |
| SHA1 | 17fa5045f546c999a67700cb849a4869295e6e9b |
| SHA256 | 7d23c26b0bab665a6e68b5d5a258ecb1a6e2c648614f706fcb17b6a64975213e |
| SHA512 | 450a47fb22e0025261fe04d47d0fc53044530e59a61d3986560d97faad082f38cbf2958c5d7680441dfd0f342cca8e4f946a6ce6b6b6d6b9847f32a963bb78b9 |
C:\Users\Admin\AppData\Local\Temp\EccSDMmUQoZo.bat
| MD5 | bb2fe00fdb7306a30f465e1b6c73e8ad |
| SHA1 | 0a2f318ff3d34a13668717a9db2d338c58b686f0 |
| SHA256 | a4daf957253a17ec3b5f25dff9c7e253e95af17808d8b98689267f51f3e2ae53 |
| SHA512 | c71c473a00131064ce02fdb612c8d672c8b0a3ad254e817b20b1b8c7c378308ce014a0159e119a658d31e15515742b4bb827dd03474cb14b9b4caeec73178433 |
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | ce69cb1382d61c4b6ab0d2b4997f13af |
| SHA1 | f4cc0d8874eb273766c37948ebee671859232487 |
| SHA256 | 2744abf7c8d632ef6029d54e9a771b727531fc95eada79da1bc366578157d6b8 |
| SHA512 | d2b8d8d6c9abfaab096f14f0a723732a89002605a25f46a809e338996e05e16c336e2f98bd3973b85f848c7caceb6effc697b0180d6eae52632f209cbb4e9cf1 |
C:\Users\Admin\AppData\Local\Temp\LdTm38Sh2pLN.bat
| MD5 | 0035c354b5d2177372022049ec65051b |
| SHA1 | 071315096f135fdb4ac31323554d3c7fe21a926e |
| SHA256 | a9be2662be8496eafcbfd8e5c0e7c3e4ec65d20b31bc72d3a1ee6e742f11dca5 |
| SHA512 | 1222326ce4905af431e459f414ef5c49df62833ac4aef329b2873ec65f76ea88f731ea4b368bba69ba4b33e26b383f01d32a085f71275361f97e83a3b5ebf53b |
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\Ik2TT1VhKaSr.bat
| MD5 | b3dbb6b1cae1e7dbce2e87b3a8a51e18 |
| SHA1 | f8dd91894c6cfc9fa555829f74f7ca5562ae6893 |
| SHA256 | c580bfbae6ce455262537607aa879887939225d8d3212a7ffed67e7846fe3cbb |
| SHA512 | a70eceb99ddbc6d060fcefa3d42396cba54254ac18300b30b08f1c6b9752b171902df6d19080c6480655e554509c7cb355a58cdb75e98592b97e6b6c820fdc75 |
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | 22cbbe535fec35e5af210486fd2b749b |
| SHA1 | 7775e507b7f2339b343549895fa0dc88265c02a0 |
| SHA256 | 8f1fcb0c6295bbbb528ed07882518e5a1dfff7905e6d657f5bf991e04622ad1e |
| SHA512 | 6bf853b92962de3c8bd6489bedaf96d4a27128d8896ad3fc658c5099a570f489236a4c3ba5e5ac0516899b654dfc5b9eada6bbe6ab5944eea3fa6feaadda1643 |
C:\Users\Admin\AppData\Local\Temp\NRJFK3grF0oj.bat
| MD5 | 6a4a3e78a147c0db808dc04551d574ce |
| SHA1 | c191d7326e5e2d149e883760029cdeafea379c10 |
| SHA256 | 004d838b359e7f54e8675e36c531d084309f7ee0dea1586ff35561b5b66b4bee |
| SHA512 | caf04c7425b0ed28ae471644732d9166682362a6b47da02d846cabc6f817158492c5149873e812919067b5e3bc380948303596c5809a98643f66a2a86d6d10cf |
C:\Users\Admin\AppData\Local\Temp\kGs5lf4C2TPb.bat
| MD5 | 278e9e2a0d5169ceaf53873866bdedfb |
| SHA1 | 0d33eab95e52c555b6514b9887c9705427080cef |
| SHA256 | d3875e66445c2a58ae6d2965c526620b220149cd29d7417d444e3c29fa56bb87 |
| SHA512 | 4f140d2e2d0bef715688a840759c04604e43cbb2b61e737ef1989f8d6a7bb5924b6fa7c9f5689269d64900fdfe962c50d30dfaef6c27f12ced9f430d6374bafe |
C:\Users\Admin\AppData\Local\Temp\Mk0tqlIwmEP9.bat
| MD5 | c4180a137067560fd8014948cc05fda3 |
| SHA1 | e7441c3029813fed4535d2b68045ee771b1a3984 |
| SHA256 | f3f9ce0e7bb74f8aca9e548aa266060951852c810c25786544d66d45f14f2480 |
| SHA512 | 610269cfbc3175a99ef12b0ef5490b4a11394aa729bfd442565db88d8836147cb8b7ccb1e2e13fbf2e164330d5d846cd6c9e663b4315dc4c7678134338519eb6 |
C:\Users\Admin\AppData\Local\Temp\8ltyGYSOFZgR.bat
| MD5 | 93e865c2d17021f8e6f5b5609c6fb652 |
| SHA1 | 45b8f17bd9a75dae12258b6b98ff0543c1ec08a3 |
| SHA256 | 822a289448d0479f1aae20b1a90d2860b59244f78c137135103ca0aff97e372f |
| SHA512 | 7c77fdeae10bdd35826f6ea7cba37624237fd73ca0b897dfdc813c14d8804db291ee1016fc589305a9bdf343b8eab24f87fb6a713dd893f7e920ea89e5c13d18 |
C:\Users\Admin\AppData\Local\Temp\fBycv38DBVEb.bat
| MD5 | 48be710bef8d26a31ef5c5beb9429b68 |
| SHA1 | dd20f3508ca7d8c116328d71645c4a3d3167850c |
| SHA256 | 8851d7bfb6bb76094cd1bd35888ce8ab22fc1f435c6b46057fe47dc1722bcb50 |
| SHA512 | c97294c8ad78833bbff073a855c41e092ce5e0510b847bbc2c764323bc3936c4f92fcea15e9a8c2c34e4976dac369816396dc8d70a965308c90173ce07bb032f |
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | 5f3a3f74254b2ff33f25c42e7b33b7e1 |
| SHA1 | 5da155905405c5d2dfd0642b59a4d610229bcae3 |
| SHA256 | 542344d72166445c583ff41190efa85d9f70042ca13acaca885c791bdfb0e1ab |
| SHA512 | 4d2770fb283305ee3621fddea8cd8416e39e1c5c26c9683a725146ec990e7fe08f43c9f8c06f5cea767bd60e9bb8446d8eb3c9d81d1fda836b5a5bf0639e7fb3 |
C:\Users\Admin\AppData\Local\Temp\WipFun44qb5g.bat
| MD5 | 176041f7052ff9c63f42e28189464068 |
| SHA1 | bfaac04ace0b528d113e6b05b27896ba49b65c1e |
| SHA256 | 0a1d4aeed0dec392703522a08bc78b8b2a4bf480f09d0d1ed1f89b516f444ad2 |
| SHA512 | 322e9f64e088460398ad5a59ef83eeeefd2436cfd9cb7459c18f3820d0df90c083f41837775a9cf3a847dda870a48cb31eb93a479c7f79532866c6ff60c47cff |
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | ba630c5251eecbf5302e6456f01393af |
| SHA1 | 5b0ccb3d2a33339cf9f7fac555352bb4c3c0a57b |
| SHA256 | da571cf6b2d9f6f258f0a717126d9b65596993595ee7199e7deacbc4cbd36367 |
| SHA512 | e2aad17e5f22a63e62c724ff6dad295eda9e6e0463b4526ad31ef893ab72f74e02aef57c45c4c90e36fb2e3b4cdb16c7ccd97754c143e1e70be3c3b7b2b7572e |
C:\Users\Admin\AppData\Local\Temp\k0co0iWhuUPq.bat
| MD5 | 5f820e301ac15330dfeb318a647faef4 |
| SHA1 | 23e4858ea54e2fe6152f67fefa537b6421334278 |
| SHA256 | 8e6b037259a46eecb519edf8e5cd345dc85f179362f2c5577e238fba5b2c32df |
| SHA512 | 199eee4f07fcf5b7461afecf470c85bb056f795a2608b80e5f6bab8a9d0a9862361b0ebe7c0556f428ec61a787583ec42ac7e8df8703cfab619817b4c2779e16 |
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | e6a678a7d5c6555caeb2c9eb60ab7af2 |
| SHA1 | 1950f6439bfc99efc71ae70307fc2b06f121480b |
| SHA256 | cf9be85aa9ddebacfb3e7a10f40ac7c1ab59dd1734b1b02fae25cfa80180ba11 |
| SHA512 | 40e16b825eabf5085a8a249b57ee0ac13915975f7396d7e14fd09911f2a2c39cd0a37b523dd20316122267efff42016e4418ea3ceddd6944be3718f6ced34c34 |
C:\Users\Admin\AppData\Local\Temp\gc2heOxdWIdP.bat
| MD5 | 80d8dd56690f7e03f9e5c040bcbe0f44 |
| SHA1 | dd42b9fbd4cf3f10aa926e307e6a5e525a6d5a6c |
| SHA256 | 60e056ab82ee35faaae491f448664433f0a55d57a2d6cbd229942282aab15c3c |
| SHA512 | 4a3c8dd8c55a8af3c8178a5c344428983b2e797cd4daa9bc5e8a573e44ee8f8036ddf5ca8e6536636941574f5fd734af3ea0da9f0bed8d3fbff0d94ca517439e |
C:\Users\Admin\AppData\Local\Temp\X9tKd8tTBOUV.bat
| MD5 | d352161f9c65d27cf6e3d136ce802e28 |
| SHA1 | 48717892bbaf72e3ad2352c164362c99cdd47af7 |
| SHA256 | 485848e6c1107de52e418191bad12b8c449037048cb6cf69f4f917a4d6e588a1 |
| SHA512 | 0a2f246ff43663dca8dc2986c62b0dd98d8732a794b256706f05fa4f3a1a0e4353e296f60843d8f8bb3a9b28a02860aed498378147cd17d934fe03a1fd23dffa |
C:\Users\Admin\AppData\Local\Temp\GfebIiSqxlsr.bat
| MD5 | 50a95395a64afd9592503bbd43262426 |
| SHA1 | 5b6233c37f5bd955db35b3546e7547d7477160b3 |
| SHA256 | e8b0df869d09954daeb7f5e51175e3acc3a9a3a5cf3cf8354ba7c53b6db7e803 |
| SHA512 | be64d0acce2f4ba52b66deba2b1c600606e4a2d643b76841ee6f33255a5cec65e8c674a2b1038bb2dd95ff7d509a71b907d02c51108de8be3ffbab19c9a9150b |
C:\Users\Admin\AppData\Local\Temp\h36mNjn2r52E.bat
| MD5 | 061290fd256cafa51a4b69956c0e9809 |
| SHA1 | d54260ba173f1f485ffe817f76f68ff99aeb3319 |
| SHA256 | 7de4caef5924146ad0874884aec37f98960a58a4ca0895856b71bf8a8467a4db |
| SHA512 | 392dd390ca96b3ed7abfc81a21941d7fb2bc9b397b48969f071129adbc0881773c75b4e51bd1c6f72616ebea59d6969ad91a142720411023edc08cff7c05cab1 |
C:\Users\Admin\AppData\Local\Temp\0rqt1b148kwC.bat
| MD5 | e08d2e08d4e173db26c076f3a5d9c2cb |
| SHA1 | 0732a693e283737707a7997aa1dee7fd35a5c0bc |
| SHA256 | 962de02d2ea7c814675cf1bf4e504a17bedf6e9bd1cf2af934b4cb7dbe916758 |
| SHA512 | a42f657e6ad5a5bf43cb4fb594e0aba60f5a716e5b8d3368004aad1fcb5a713e741b8252f7ca051cb272502197a7f4e33f71dedfe100fec0bbfe6177648b9629 |
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | 48700a740547b61216af313ea8ad7c8c |
| SHA1 | f00fbaf02442321907f7db46b4bc2bfe4d62cbcc |
| SHA256 | b3dc81c137d1a76027dac18ff816fac27c3281f9d19877efec1761b6ae411ab1 |
| SHA512 | c7b5fbc72839e6e03a91a6fb94c8a4bb66107a2f7b30773d3bb9f12425ab868cd3cc89f811f42314d6885d36f455220dc5c603d2b09ab212c0371124759cc111 |
C:\Users\Admin\AppData\Local\Temp\yyQaRT44RV3g.bat
| MD5 | 7ab3f8d0ad69d3d26cbfcbcf4d106c30 |
| SHA1 | 114162f3e3519691af0c2c581fc8dff74ae23f5b |
| SHA256 | ab04b76e7595b875f23d92d5603e158eaad730ddd2e9c0a2be59fc214edf7535 |
| SHA512 | dc61f8790ed6c10f6f525eb6e1ff47ee6df103467ad49a3916d06cc513b21a5e7b439aab2d0db115dcd6ea156150c24ad05df3b11c444e4c525d8f45799fbd4d |
C:\Users\Admin\AppData\Local\Temp\OMslWUPGLpC2.bat
| MD5 | 990508e5a915ea82314aec4f1fc6e302 |
| SHA1 | 5035d131b97cf3e8f9d944d76467875f259bee45 |
| SHA256 | a8e50a4df78f52eb9a0878dc32b40b415dc3c50b3c6964d6e57d132d283f849e |
| SHA512 | 8dacd4f20f6e280efe84f809be9ea4ebb50626b421401fb39dbadab4e50036534cc3e10dbe7efacde9ff93834db91e80ad0fe0a0e9f6da51a471d176187e1ec8 |
C:\Users\Admin\AppData\Local\Temp\pkKwcVlRFAMO.bat
| MD5 | 90a301703a953bead3f22468ee0a8e89 |
| SHA1 | 728705e00473114ff5d40a43d199863f2cfe9194 |
| SHA256 | e3aef3b7a1033523cea113229ed7f8e4b5a08c6ad7afd3cceb7951d5e46e2b43 |
| SHA512 | 6022c21e6a75d50c3b93ef53043fd6f20416dc0eb6c8020c0c7ed121a09c42add2f146524cdb00bdf867e298f040803bd51c3183764befc4b610b9cebdb4aeb3 |
Analysis: behavioral8
Detonation Overview
Submitted
2024-06-10 15:28
Reported
2024-06-10 15:44
Platform
win10v2004-20240508-en
Max time kernel
598s
Max time network
604s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Executes dropped EXE
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Program crash
Creates scheduled task(s)
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (11) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nG0j0f3YARsq.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4388 -ip 4388
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 2200
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tSCTNcUDDQlr.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4348 -ip 4348
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 1656
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3gCwYI4BmDLl.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4552 -ip 4552
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 2184
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KUuT98mKyfA4.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4800 -ip 4800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 1640
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gcF8lkVPvvTk.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4284 -ip 4284
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4284 -s 1644
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9xlXlIf9uAeR.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3468 -ip 3468
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3468 -s 2248
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KgflCpAwsCP6.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4364 -ip 4364
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4364 -s 1708
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ttt5bn6U0OMm.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4544 -ip 4544
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 2248
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\k8ksbGNgACiG.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 760 -ip 760
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 760 -s 1712
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jJ35uLmSsrUK.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4996 -ip 4996
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 1084
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iUMIDQBDbVHN.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4536 -ip 4536
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 1092
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DOn1rNInib1Y.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3884 -ip 3884
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3884 -s 1720
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hn3wj8nJ8jro.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1484 -ip 1484
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 2232
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\scsVdgWZiTys.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5020 -ip 5020
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 2172
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IwbBqUW0CuSf.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4024 -ip 4024
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 1092
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pukQMeyLjtrP.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4468 -ip 4468
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 1716
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ROsDRkD5Tery.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 804 -ip 804
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 804 -s 1708
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GyfdWwKN3phj.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4356 -ip 4356
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 1096
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\33JDpwqbw3dZ.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4784 -ip 4784
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4784 -s 1096
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JqFbg3uJhuqe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 556 -ip 556
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 556 -s 1708
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8sxQtbE4f3op.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4576 -ip 4576
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 1732
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cHEKmMja5Bf5.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4788 -ip 4788
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4788 -s 1076
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jzJpQ843XPjr.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2044 -ip 2044
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 2236
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tCX9q60cfbgX.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1888 -ip 1888
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1888 -s 2248
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pox1UmSXGPu6.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 3104 -ip 3104
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 1704
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zZ25W8q2QFLb.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4176 -ip 4176
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4176 -s 2196
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GsdOOnSz0xMe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4252 -ip 4252
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 1092
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2tXTpacRTHdv.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 2904 -ip 2904
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 2248
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gKjUoEfkJxep.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 752 -ip 752
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 752 -s 1724
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
Files
memory/336-0-0x000000007487E000-0x000000007487F000-memory.dmp
memory/336-1-0x0000000000960000-0x00000000009CC000-memory.dmp
memory/336-2-0x00000000058F0000-0x0000000005E94000-memory.dmp
memory/336-3-0x0000000005430000-0x00000000054C2000-memory.dmp
memory/336-4-0x0000000074870000-0x0000000075020000-memory.dmp
memory/336-5-0x00000000054D0000-0x0000000005536000-memory.dmp
memory/336-6-0x00000000060E0000-0x00000000060F2000-memory.dmp
memory/336-7-0x000000007487E000-0x000000007487F000-memory.dmp
memory/336-8-0x0000000074870000-0x0000000075020000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/4388-15-0x0000000074870000-0x0000000075020000-memory.dmp
memory/336-16-0x0000000074870000-0x0000000075020000-memory.dmp
memory/4388-17-0x0000000074870000-0x0000000075020000-memory.dmp
memory/4388-19-0x00000000062E0000-0x00000000062EA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nG0j0f3YARsq.bat
| MD5 | 1735e9d69feec044017cea3982187e2d |
| SHA1 | f1dc6cd98b5525a44b79df1f5c0208280fdd6593 |
| SHA256 | 0b75affed3433f7806b8b3c7a4e394fd1bbca5d832d91fd1dadee4d1a20dbe71 |
| SHA512 | e14847c56f7af002a7383039cad013acc1ead8801dc9e82e10806e80d721397abac06d2f57a0ce2612793dabe74ac25c1f3e2cf133f9faf90413507ccce2a940 |
memory/4388-24-0x0000000074870000-0x0000000075020000-memory.dmp
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | 05ebaab7e7c1b41ee19dcb4b5fc3e8c9 |
| SHA1 | 4a24d9238a256c76f427561fb4424fca1956b6ed |
| SHA256 | b0e7c2940dcb74b9bb001ab39104f12a1d4461d7b3b766cc9980e16e1889dfcc |
| SHA512 | 4a1ec9bd93ec7562bcfb3561003e3ab4a8d5494e3613277f0159779ab579065e090d7508c9c261f85e8ec423b9091ca3727165b544ea3b1b99e22b62224f63da |
C:\Users\Admin\AppData\Local\Temp\tSCTNcUDDQlr.bat
| MD5 | 6ca4dfbaf26c5cfec8f05eecf7e2224b |
| SHA1 | cc03ab55c4fd0b9f4ccf98f6895372bd6161dca9 |
| SHA256 | 1018b1911f264a3a51930c9501b7ef062e38d2ef57a050418ff73c8f529bd26a |
| SHA512 | 60982d741ca116505a911b3d61c7f3c9e8778ddb3def15171a9ec536439d6cf088fffab766b8b8e5f18d5da9b208942f498ad07153df26ec95cd67efa465b3f5 |
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | 89c72292b3e5370014c999b4a827157d |
| SHA1 | bdcea97e811d3d2ee6556ba5d589f825d8aff06c |
| SHA256 | a0d94e6e67cfbad5465fb41be978bc7b740c976073cda809d51702a51ab71d31 |
| SHA512 | fbeb713d82902fc2ace18017d1f6e045defc2647ef8aa048e82ef887f012043b2d37e9c9f9ebfd620cba283d1642170c914563bfa15497d49be4ed57992a4d52 |
C:\Users\Admin\AppData\Local\Temp\3gCwYI4BmDLl.bat
| MD5 | e8092b6c194c7c3c4cb212bc84611787 |
| SHA1 | c2fba16cf6c1ef08524c1a3c4355b7ed31706a0d |
| SHA256 | eb3394e91ce073e3eb41127fdc86bfd1612fc868114e09aebc03b27919ccc408 |
| SHA512 | 2d8f5b787d1f63caa1c9150215312d5cc9fc24383f9f2f607447d59126dfc3343215ce9f800e58c7b6f5f3b13af56bdad2d88debb45bdb67a03c0b6efefd8a33 |
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | 79fdbd797117b5d8c8be198385814136 |
| SHA1 | cbcf9cf0ee16200e9580a91b3865ea3f2b4f8bd1 |
| SHA256 | 85c632b1659c90e03f0e0b2354d26f29e409349703e5d12d0081a8b28ac8c613 |
| SHA512 | 4aadf01e0fb38c8e4fcfb71ecc9b73304a7b42eb73c6e285aec3c244e09c3f99cd83de50b059b77158ee7a862f28155a1cfb7681e48f8366ae11e7eba0ac0c89 |
C:\Users\Admin\AppData\Local\Temp\KUuT98mKyfA4.bat
| MD5 | 8c114427e5b16c9afaaf2be3d97b7f3f |
| SHA1 | d4491765c8949385477afccb0cf92e7a35e182a7 |
| SHA256 | 25f6a53412cc3089729df5b6758594fc64e309d0091fcdebda58ab4446a6efdb |
| SHA512 | 682d8f69ad2705dacf8d8d1fd02137a89672046b6b58523fc6a8a07140e3fee73af23c7bbaafcc45f9c1e24014f19cb9cf16a35dbf71e8fb9bcb2cd01ecb5ea0 |
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | a15447b4c29e3ecc8551e6f58e4a19bc |
| SHA1 | 75dfe6fc8dd3b39a42669c57759788cb8d9c30a3 |
| SHA256 | 538d4a8b3f5689a1cf936739b3ef47c7a3216d30e5d3120bb05a71199c7f16c2 |
| SHA512 | 82436f90065093f24c457d827f29fc51a1d2e17623b95a4662e364bfa7a49c88e0ddf0075de3bb8144e1c76ab448b4c849665b95cb4902cfbd9119831eeb2628 |
C:\Users\Admin\AppData\Local\Temp\gcF8lkVPvvTk.bat
| MD5 | d6b3557261c1ce3d3e7b4425f3e8ec12 |
| SHA1 | 3f3a6164ce58309fe2e88b22132df9954943bcf0 |
| SHA256 | 11b9d9ea96b7645d2c775e8527c72ab14ba300becf0ea748a585396682214030 |
| SHA512 | 3fc6d88a4709fc0f310b9805acb575723048a98b660ecde75734b2767745aec662fca07d356a772470ceeacd552cd9d796abb60e3a5c3ec231d6782f49441df2 |
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\9xlXlIf9uAeR.bat
| MD5 | 718b5369bf5601fe70ce1ac6ab9a2405 |
| SHA1 | d7ad5b8874f0737a7849248e1377a8eb27bf5ab3 |
| SHA256 | cde74835d66388f8334b7d5a7765fd931a4747c38f790bea3918238b11388946 |
| SHA512 | b93f73c1989d1cd180d4849cf14f8391a9bad0e1e1960e8da4e2151ff7b129a9a541e6d8b9ddc0916c09fe5dc3ab77a99d6bc7d62bd58213a17b8f1b80fe1cd4 |
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | f6ae2693b187c2bc9702a985f1029239 |
| SHA1 | 52b1860cd25e3b07922398bb490d01a4af8feae5 |
| SHA256 | 6f0d0a3e78e412d40ae6e96c9e63441baf08a457ec3024ddf09e573f285fdd83 |
| SHA512 | e7c4a811c0e82d5c15535950d12bc92c6d11953dbef2360f3530907215b62f3cec18d42a3a4e404d7dec6719a55592313447f42ebf741c028253596f346b4e75 |
C:\Users\Admin\AppData\Local\Temp\KgflCpAwsCP6.bat
| MD5 | 44f4bc64094ecf5114f6fcd9d870af5f |
| SHA1 | b2e5be8ed75dddbd38c09ff42c1af6dff256f119 |
| SHA256 | 0f58f20f2bb865b92dcf1119f7a8ad108231d01d210fdfc921b81ec427debdb0 |
| SHA512 | 37c301ad48f809602c6ebcdd921a1a9f4763427e2c32081230be7c0fee7b6cbe3c53dd4ad4e198f5416e5ba1bd81c3e0e255a0feb95bcc613927a90876d70db9 |
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | e480dceda255912073911d446f93c4e3 |
| SHA1 | bc5b640fe9998ce2163f770106590fbd7ed3de86 |
| SHA256 | b0b80d6de43192b9095a5f22beac384be9959e02d1f748dc06366d00c39227d3 |
| SHA512 | 4ec7f38bb92fa7ddade34975b8b1daf2806bdb87eeb7cac9b8838b16d95b9b6ec04edcbc9c91d47c46a2c5f6a4dad734199082baddcd308d2939f4ce7ccdab2f |
C:\Users\Admin\AppData\Local\Temp\Ttt5bn6U0OMm.bat
| MD5 | c073569e501956926edc2986b63e12a7 |
| SHA1 | b9d3b05c0583d868d26bf130a7d0b971b55cf608 |
| SHA256 | 79502ed020d1028bce8db03da429054922221edec524e15ff0b0ae5e616f69d5 |
| SHA512 | a52078f42843c225fdb6f757385737780f45029f2393d0e12ceda9e60ab68ed6f6923e537709dc12642783a3cb366704f299c53e65be98a941f0eb2eb2a4fb06 |
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | 283f52d4ac5428415e438beb1108e497 |
| SHA1 | 22301d2213250d12a663a75dcbd9387d214550d8 |
| SHA256 | af075725c2df4b13abbc531f51617e158e7c5f83bb391e67a23229c0375c8b9e |
| SHA512 | f43f3b4a3799ba032d7d67a2df52bf573ae80e914ce7adfd5b97b85f18679f3d1d9aa556c195d4caf499fd458e11bd2156adcfa41a212ecca08ddf8c17b82119 |
C:\Users\Admin\AppData\Local\Temp\k8ksbGNgACiG.bat
| MD5 | 9331c73d1298fd8491447544a7ba3241 |
| SHA1 | 97c50e28f76f6de8908804e30cbb839e568f9389 |
| SHA256 | 3dcd0538ef56d55fe8963773006a13f3f9f499cdb037118c2a3bef2533736766 |
| SHA512 | 23c393c950a56e4f622ddc6cf8b0d0a5ee5d0267fd29227212b72d49e26af82553c6359a613dc09de40b0bde9b2a40789679501057034d90c799c5f3afa3710c |
C:\Users\Admin\AppData\Local\Temp\jJ35uLmSsrUK.bat
| MD5 | 98832cc185801d3ba7fbeaf98a89b972 |
| SHA1 | fb1ce59d3d2db15d474831306f7387ad4b42639b |
| SHA256 | eaf5eb73ea1990b790e86f8e6fb5fa653d8e4c5188aac25ab3431ea6a9f244f2 |
| SHA512 | 4ccb37b55f5fadb6c227a02d493293c155309659e8b2f296d52167fa05c5f8d654b02f2816645a19924c43801c820732de5d4802782e6a1df6cb1cb8d2249813 |
C:\Users\Admin\AppData\Local\Temp\iUMIDQBDbVHN.bat
| MD5 | e38bd10fef1b5243d2825b1f919ce44b |
| SHA1 | f63427c0edff83296658cf6eddf1f41fce782152 |
| SHA256 | 34f3ba8cf7c813931035bfc3ef170a1793f5301069944a72656aa8f5b2f3cfa4 |
| SHA512 | 774af49164b2e7134bc1d347deeb38fbb9a0d119144ca4f434713a8e6a6ce3e4cfea8db6c5496610f5fc41901994964488c95c09615d449668d2113325d181aa |
C:\Users\Admin\AppData\Local\Temp\DOn1rNInib1Y.bat
| MD5 | f825fe31d745a063c51303065e2804f6 |
| SHA1 | bab9ac29cb6089f59def57ca944d4595956e6298 |
| SHA256 | 0206f06ce2344c916ab6921effe9d365b9dc67e7c1b7528dec844101b8b3a6c2 |
| SHA512 | e0ba5fd93a61530b3d4e9995d449e9c298570bf9ffd36a251b71bea5d58f1029d006b700515ded96f70c097ea90f44ad26782135a0eb52476ecf545dd225cbea |
C:\Users\Admin\AppData\Local\Temp\hn3wj8nJ8jro.bat
| MD5 | d0b959b95b0787ec6711b30fe5b88376 |
| SHA1 | cd8c1be60731b34c88ed24144953d073ef79fea2 |
| SHA256 | a5d401d4e9666822b41b37ce2aa222d24b955aa1ca184f800c4b69734c40e3bb |
| SHA512 | cb68cb765e95cb3eb8bd669aa287782a782ae3f41bd5c31ee687bedea5d2b5b626cc8bd06aff8588e037df3123fe9826db3ea372f72c672b1f0166be41ad1af0 |
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | f6478a7a9a0944a45479b623970e5d87 |
| SHA1 | d53f154afe4ec5ce1810892bedb7efee6e20226b |
| SHA256 | 401f6205c12e4ec92ee58f2c10fa320e60fcd84fc2ddaec1fb8a7e8e3f2c528f |
| SHA512 | b1e49249dfebebde07f2359caf96a2c2d041f486b5c27f46c3af2f9057f004da32ea3e57e709a116e31346a97bdd868877b0d1240520ee0ff5af147ad1aedd64 |
C:\Users\Admin\AppData\Local\Temp\scsVdgWZiTys.bat
| MD5 | ed063f38502abfe72281d5034a461cfe |
| SHA1 | ef8faf86f186cd5de769b71f4d107bc7b90ddba9 |
| SHA256 | e1a86896a7e1e3c5e1ad46170e28dd540ae3365dd5084f5f00243831496620cd |
| SHA512 | bd2fd41f1d7fa9c06a8260506a5d7e30c429f110e20f40d12db96c887189f1169840d2ee3d7508bba0ce6f537df3515780e66da291ae019549769b64d76c03ae |
C:\Users\Admin\AppData\Local\Temp\IwbBqUW0CuSf.bat
| MD5 | 9b4add305190b62866ec55caa1e7d603 |
| SHA1 | 45cd1c67d81394449dd5d00c817eb0a75ce94202 |
| SHA256 | ab1851ce9f71cbca272880eb621e62a50c7ea34fb5e4c8c1f0e530584ece3c98 |
| SHA512 | 724b04d4131c0fb474463a50b0bd8c4228ed8bdd07a8ba6c8fa706589533fd7a99accfff7c0d3289511c3113431010cc00f8f96d314303286d013eb6b9fea5c4 |
C:\Users\Admin\AppData\Local\Temp\pukQMeyLjtrP.bat
| MD5 | 2a5e666e498fb26c08980d1bdbc30adb |
| SHA1 | 98160bd99e5de98d98d12dc010ffbb11723d8df5 |
| SHA256 | f7f231284737f5c74a5657ccbac33c6ff904b6146516698a7af6077d90de1e29 |
| SHA512 | a1f786ede89ae5849921384c3f43f6e77b622a8244075bddd9d05168476bdc2d69a289b4e46891655de520e39d70ed989a49e3aae50eb6ed605ebac1762bd95d |
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | 24445c1e0868943d7a0ed39d6c531b7d |
| SHA1 | 63e012bb341bb71a4133fb74133a4faff23115a1 |
| SHA256 | 44f3d8ffb683f327a92fe595c16ead64346e7b0c3c3f3ebb5e8eb4b6d0ec8a29 |
| SHA512 | d87f3626edbf2c4310e32f982d520659c3c8f175c4008a6e093e3e4ae3bf9eab9234be2028f945be3c5b25611f75448b18bf93189c098d725c029a72dbbb3cf8 |
C:\Users\Admin\AppData\Local\Temp\ROsDRkD5Tery.bat
| MD5 | 1732db9cba1a2a760f55bdd198948017 |
| SHA1 | 39ed80b883b5ee8207f971087678d238b5c8dfbd |
| SHA256 | 7ba74de328bc887b7d702f6063d256333b2b964ffd8c82204b01b0c855d6677f |
| SHA512 | e3670cf041baf7a6cac5e859cae453d8b1113bedb6071aeef514b6da26ce06af87b7c5589e29570eb6151b33dffe80b11a252b060fd37d25fd89e19003be90d7 |
C:\Users\Admin\AppData\Local\Temp\GyfdWwKN3phj.bat
| MD5 | 17237905064d3c745c10881c247ceb9e |
| SHA1 | 9424593a2fb81dea421d5a96d552949d2a4283a7 |
| SHA256 | c10e9942d7c94a82609a8d3ac7bedc82bceb4acc6cf86d9c8dc80c9c00b41086 |
| SHA512 | b0ea803fb3922316f054ee64285689061ec922f79e71c44efbef48bb6c60be9204cf6484d29f30d2be366549ebcbe5907806a335aaf49629e26c5a9de217e6fc |
C:\Users\Admin\AppData\Local\Temp\33JDpwqbw3dZ.bat
| MD5 | 0efe7d35f83f70876be8681826183eb6 |
| SHA1 | 178eefad4ec39a3e88b2bffcc5846c7f80291232 |
| SHA256 | d25f4bd36e98afb20d5aa51ba9d471becead496042e85bf85acbbfe7da4ca390 |
| SHA512 | 06bfd5b29e3219d9ba2cf3d5c44e87da500353b7001c4452faf0b64dbd9cf9a059c21bc2503da1447462b99d20575de74891f26e9e202490cf35734bd61dd39b |
C:\Users\Admin\AppData\Local\Temp\JqFbg3uJhuqe.bat
| MD5 | 7858e730cc66ae5fb089a7acc7fbbbf1 |
| SHA1 | 0b7c915b224db9b30a3fa3f6243186b620fa43c8 |
| SHA256 | b7750ed678d2bd7db26c94721568f548a4f39aa81d7e1a61c8c971fe98e483bc |
| SHA512 | aafb57725bdb9265428bba9ba4c4288a1c39d1313647e6dfd333a37ccd1d718ed870ee6ad4e0862af14149493779d16b0947e32a36bb4158fffdb0336b8b4392 |
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | 4862545659bc2fa711ffb90978296cb4 |
| SHA1 | de358db7eb2bb77566f92721fed3838d573c0d2e |
| SHA256 | ea51272057e34f68a8bb01a0944ba30d819510312fca5cedc58cb77cf88509b0 |
| SHA512 | d0d5a2fc9ad2e95c4a30ec10f1ee178ccbc70c6304709fe29d1923f125f92486819c3f2cf25d1f100384330288dd4dcea3baa0323f491b5217561b1332ba64b6 |
C:\Users\Admin\AppData\Local\Temp\8sxQtbE4f3op.bat
| MD5 | 329065c92f871064da89efc378fee2b6 |
| SHA1 | 9ead04314d0b82d5ba1db6a6f29d2e5695839ef1 |
| SHA256 | 1af200a305183b9b023180d524589204fa6bd8a61a8d0f025d5b29e6f020c35d |
| SHA512 | a97701f6126a39f8335b5048bbf398dbe147dca9cd4c5591d168e3787a112f88b534b67a25669504e2d5febf8f07be63ec60fdc51f7737119c37121ab03fbffd |
Analysis: behavioral17
Detonation Overview
Submitted
2024-06-10 15:28
Reported
2024-06-10 15:49
Platform
win7-20240221-en
Max time kernel
466s
Max time network
593s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (12) - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy.exe'" /sc onlogon /rl HIGHEST
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/2336-0-0x000000007406E000-0x000000007406F000-memory.dmp
memory/2336-1-0x0000000001150000-0x00000000011BC000-memory.dmp
memory/2336-2-0x0000000074060000-0x000000007474E000-memory.dmp
\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/2780-11-0x0000000000920000-0x000000000098C000-memory.dmp
memory/2780-10-0x0000000074060000-0x000000007474E000-memory.dmp
memory/2780-12-0x0000000074060000-0x000000007474E000-memory.dmp
memory/2336-14-0x0000000074060000-0x000000007474E000-memory.dmp
memory/2780-15-0x0000000074060000-0x000000007474E000-memory.dmp
memory/2780-16-0x0000000074060000-0x000000007474E000-memory.dmp
Analysis: behavioral20
Detonation Overview
Submitted
2024-06-10 15:28
Reported
2024-06-10 15:50
Platform
win10v2004-20240508-en
Max time kernel
600s
Max time network
602s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Executes dropped EXE
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Program crash
Creates scheduled task(s)
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy - Copy - Copy.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4008,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=4084 /prefetch:8
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (13) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TYQxeyF7jS5w.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4176 -ip 4176
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4176 -s 2176
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\22VBg2xxN01p.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 2240 -ip 2240
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2240 -s 1612
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3ijMV2cEEDJ1.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 2988 -ip 2988
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 2184
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yGPjHWiOP7s1.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3664 -ip 3664
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3664 -s 1708
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vNyQhPlOhtzV.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 4356 -ip 4356
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 2252
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oQUzhgGTCpea.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1732 -ip 1732
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1732 -s 2232
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\g158YdX5HpBF.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3232 -ip 3232
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 1092
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zpqFCUl7YU5D.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2628 -ip 2628
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 2224
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fKmm4L9Ao3mg.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1076 -ip 1076
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1076 -s 1712
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sYppH3G2S3QG.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1620 -ip 1620
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 2236
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DQJRo7pqAbzo.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2696 -ip 2696
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2696 -s 2248
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zRDXEu0IcwG5.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2788 -ip 2788
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 2236
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\38UI6wASXMdw.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 2400 -ip 2400
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2400 -s 1708
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\p9NNWjLu0guE.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2516 -ip 2516
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2516 -s 1668
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6SyfOPxraOvH.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4056 -ip 4056
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 1688
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xXg3zVKeH8GB.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2052 -ip 2052
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2052 -s 2196
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ov9E4WfpCSQY.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 1020 -ip 1020
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1020 -s 1712
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JXY7jC7lnGe7.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3604 -ip 3604
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 1092
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vWn9XTRg9mSu.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4908 -ip 4908
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 1084
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dLJEN4Kn4vY5.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2188 -ip 2188
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 1656
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\l3Oj1qfGV9cr.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3184 -ip 3184
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3184 -s 2164
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4072,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=4224 /prefetch:8
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IZdZPev9eCsB.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 2484 -ip 2484
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2484 -s 1712
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Jh10cH8SSlgZ.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3664 -ip 3664
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3664 -s 1096
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\i1jfo58twCBL.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 2796 -ip 2796
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 2224
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0KKxhlkqWtBP.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4872 -ip 4872
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 1724
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SfrMgJuaW8N5.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4208 -ip 4208
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 2220
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5btZulLnfqV4.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 2484 -ip 2484
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2484 -s 2256
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MqkLtDczpdrY.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 2384 -ip 2384
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 1704
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| NL | 52.142.223.178:80 | tcp | |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
Files
memory/4684-0-0x00000000752BE000-0x00000000752BF000-memory.dmp
memory/4684-1-0x0000000000F00000-0x0000000000F6C000-memory.dmp
memory/4684-2-0x00000000060C0000-0x0000000006664000-memory.dmp
memory/4684-3-0x0000000005A50000-0x0000000005AE2000-memory.dmp
memory/4684-4-0x00000000752B0000-0x0000000075A60000-memory.dmp
memory/4684-5-0x00000000059B0000-0x0000000005A16000-memory.dmp
memory/4684-6-0x0000000005FF0000-0x0000000006002000-memory.dmp
memory/4684-7-0x00000000752BE000-0x00000000752BF000-memory.dmp
memory/4684-8-0x00000000752B0000-0x0000000075A60000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/4176-15-0x00000000752B0000-0x0000000075A60000-memory.dmp
memory/4684-16-0x00000000752B0000-0x0000000075A60000-memory.dmp
memory/4176-17-0x00000000752B0000-0x0000000075A60000-memory.dmp
memory/4176-19-0x00000000068B0000-0x00000000068BA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TYQxeyF7jS5w.bat
| MD5 | f1c8838cbeed9904b16f0758776dfce5 |
| SHA1 | 79695a0bfdea7f59ba91539ccb3b98287547aec3 |
| SHA256 | a2583a05de6eb39292e1334b5b4079cad56566b443e5f94c02015cf36a78c009 |
| SHA512 | 0de490ebd9b5097fc7ad4f92850b85ca7eb84fd4dbc984caa344cf2b5bfdeccf5c403a1a90dfe6fd1276eeb699aa1cd94e9c945c94b8fa31f3035dd00332d441 |
memory/4176-24-0x00000000752B0000-0x0000000075A60000-memory.dmp
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | da7a75c097e718be502a9725c8ba8132 |
| SHA1 | 09016310a8fb09ffffada0d370a8d7f9d82e54cf |
| SHA256 | 1c6cad085c814d35b6788da6ec5d38a38ed92544aca79858920acef188cb3aff |
| SHA512 | 85a14f0c04555ca3a81a930354c3f9fe4c3ada595ed00d6507df6018dcc8181df47e175b274eccf3871c13e4180903c87abfda203f68646ba10046332fbc8f96 |
C:\Users\Admin\AppData\Local\Temp\22VBg2xxN01p.bat
| MD5 | 224174efff0537972edbd6866137469e |
| SHA1 | 0747136fd0f70f2182436d7ae1551ac74b6f0df7 |
| SHA256 | 6209ecf60f02abe6c51debd09cd0aa2ca842e099e7ab0d8e15b2268328ad30e2 |
| SHA512 | d74ceffe007c08bf8769f822dde02891b0ced857e87033346133464f0063eee307fe40f43b7b6f03a30f824ca714707e2acc628a6eb6c5c7dc3cc066b4ba11e2 |
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\3ijMV2cEEDJ1.bat
| MD5 | c6bb0b7fbac0a91d809679fa205ebbf1 |
| SHA1 | 90a8507329983424b738871453889284a6c3800f |
| SHA256 | 6715d6daeb5a2d4f61617d18c7daa049fa440e58b100d514c4f5556a1a61539a |
| SHA512 | 3421889b66688c863c750b6f17852da6b8d8fdea1c62f0208ad0c9377824f1a3048d684ce26b9c12938daabfa364e0efd2cc9303fe1b1df1330fd78c25cc8b29 |
C:\Users\Admin\AppData\Local\Temp\yGPjHWiOP7s1.bat
| MD5 | 054f42337ed8b1fe9f6d0cb5f390b0d8 |
| SHA1 | a0c103ee18d03eca73a7405588e38134b2321007 |
| SHA256 | c811d3aad3193829fa6e2ed336dc2daa0227fd5c974c3277c0bab6900151b817 |
| SHA512 | 2d6b91260f5e5b7fb226700cd23e5295a27eac2e5db75aec021f46442f2de6c8a49add7d98484dd983fc17876f0a7c5daccd189d4c3f473ca3ac764be1715ef6 |
C:\Users\Admin\AppData\Local\Temp\vNyQhPlOhtzV.bat
| MD5 | 3959a02374d6c6a85e2650bb001ee758 |
| SHA1 | e612f7cd796760ca1930839ea147e9d6a36b85a0 |
| SHA256 | 757464e831cc572e29ca45bb2fadd6e08c0d7857d988def42b962a16677989e5 |
| SHA512 | 561ad161b4a03a786ef6190f0d84899e6db8f770465ab5d35fd5dc492585f5098a292daf05167bd254e6d0fb1125e7677179c803c4d23713f2b1221532a94741 |
C:\Users\Admin\AppData\Local\Temp\oQUzhgGTCpea.bat
| MD5 | f8955060c67b7b48c0c5219b9ab13fa1 |
| SHA1 | 56a72594759aced82fa4d24a4d91265883f2ca98 |
| SHA256 | 101208fc71d9d992afe7f7d0dd2bd0cd8543149e18a175acdb0cb8608a74ccb4 |
| SHA512 | 445e7d9f70e3bd34db51db037ccad5f1347d954da77e2ba3f8525eb170946ba32601c5a6dad2a93d2e323d0e4a2a95764b20c114ee65ecc7272452fa43953f29 |
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | 48d2b74b09b4f84193d95791bf1fed05 |
| SHA1 | d0169be3d848249e1ef3b66f46b3f50e9689d9e8 |
| SHA256 | a9a331907efa51f25c5363b1526635208b5a794b9bba1ef328eeb5cb36fb7e28 |
| SHA512 | 419d4edf320937e209332dcaf02c569296ce249e6665489fbf889f30c36f48f6dffadedeb68bc1e352eea4510ab716441c61c167b9118defab52651350407eb7 |
C:\Users\Admin\AppData\Local\Temp\g158YdX5HpBF.bat
| MD5 | 3cdfc00ca679e26c9ee586ae59a9888e |
| SHA1 | 40ba188f114917c2aa34691b1162397b7d6487bd |
| SHA256 | 7913867732ea9f2d84c0fd1b99389ec42e9b225e667b9483e6fd0d031d85fe78 |
| SHA512 | c5136f4918b216b189e7ff3fe40180704f99970b85d06cb733669ed3a71bb5e9c4784b5ca4cce760116c5cf3d7525494c30fc58b6bc57e40bec32acf53d213ae |
C:\Users\Admin\AppData\Local\Temp\zpqFCUl7YU5D.bat
| MD5 | 337d29eca03715b65ee3c41b706bb4f7 |
| SHA1 | ffe994ad417eece9b263215cb4940445c3765a2e |
| SHA256 | 2f3607b986e23a2d8227f404d27fe0c57e96908ef6361f0d1ea0bb773af452fc |
| SHA512 | 81ba7e59a145eb09daba2d43edc7fb6618c04ce8155638c068a7c9da3efaad2e40d7305e0299b0b9a22274dfb779b3785544510ff871dba3ff92ddcf24e88100 |
C:\Users\Admin\AppData\Local\Temp\fKmm4L9Ao3mg.bat
| MD5 | 89e9a18f1154340ceab3fbba6a5cbd34 |
| SHA1 | 5f9ab1ea162b8b9a0e88c89ba107d3739075aa1f |
| SHA256 | 517e9b67b5fd99b518a6766cea948821e55e8e77dd703b1edd90a4fb0538d5c1 |
| SHA512 | b4edb75eec5f623f53cbce7ab8b25a50d931ae4b67651ce139c9eaf76906dfe0db61943437035b913acf1b66e23860da977b5d8a9bbb511802f2c8a6d268815b |
C:\Users\Admin\AppData\Local\Temp\sYppH3G2S3QG.bat
| MD5 | 6216b258ec876d8eb75b865f07f726f4 |
| SHA1 | 99650aee73d192a2c684c3df8db6341be99c2749 |
| SHA256 | ac203b18c2fe95c258d213b91a54613af043f2b9a91486408306e7a90d20795d |
| SHA512 | c7adfc8afeb8636982e2dbaceee4c1ad50e95dc3c577698205eda534412ffece967d4fead806c20c8d986bcf1c5deafa28b57e32942bbfe1a96fbcf7484c4032 |
C:\Users\Admin\AppData\Local\Temp\DQJRo7pqAbzo.bat
| MD5 | 2e2429cefb8e7b4e187c732bb8a0e504 |
| SHA1 | bd9cc1ed48ed962103d9a9c7fdd50c2408647601 |
| SHA256 | 7f73a14231019e7542c01461ed229d6893aaf081069f77ac4be159e9ad27b315 |
| SHA512 | e034b01def916b5c8e555f2c483b88e334e380083ba1ada410080596518781c0429ded291c3a3a7bda07d3d1e6da8e5a8c99c490c33f64b629b7516f532da405 |
C:\Users\Admin\AppData\Local\Temp\zRDXEu0IcwG5.bat
| MD5 | bc8158fd1430468b0e1d60d9b2aa4d72 |
| SHA1 | d43abaa302c3a64eda527bb22cfe40a0bca1956b |
| SHA256 | e158d1c87a59637718a72f600c0efa9b2c68fdd6a0276bee2cb9580789953a0d |
| SHA512 | c613910af96de75fd26cce869dd51b492ddc4cb978df038a2d1e75e2c40c9623a22aa650a7783b26316eedd84a629dc60a973fb7c80b3e4a7787c5da8798aae4 |
C:\Users\Admin\AppData\Local\Temp\38UI6wASXMdw.bat
| MD5 | f8347a3057b0dfdba4f7a8e08fe50a9f |
| SHA1 | fb15599c54f0806a19142d67a968fe8949a6dea9 |
| SHA256 | 3e9e6e71f4925b6c262b49ca3c14c148888ecd7500592face72a87f7f0b6838f |
| SHA512 | 2d008e14f9d7392aae1e745fd38de45807cde9bd2a50ffcdb236b1eb35236bd7227151e8df84fee8f650c1fff18fa4e6cfa870097202740de43e47265cb8e6e4 |
C:\Users\Admin\AppData\Local\Temp\p9NNWjLu0guE.bat
| MD5 | e68f3085173a5f5b06c1deecb756dab1 |
| SHA1 | c41dead3b2ecfa23c5831e5547e25d810ed97ecb |
| SHA256 | 6478fbb41b9960b903a6f3355484ba115d9795aa99b718e1c46373d93504cc79 |
| SHA512 | bcbe51e25d8d28b468b74cb6328cdc2ceb32c3addde41bdd8b35dff9f9097ed173cd85ded59a7070ab7dc23fa03c243c0873f4b6ab47404961fcd36be8693d63 |
C:\Users\Admin\AppData\Local\Temp\6SyfOPxraOvH.bat
| MD5 | 2d9c271352dc22bffdb84b21b2edbfeb |
| SHA1 | efaf45c006a4c2c443dc0e166a7fd10e812d0867 |
| SHA256 | 98335b16ec988ada7e4f1359af45e60f5a3aac784e2ff18936d64a7288ad569a |
| SHA512 | 51c1df127cb8b11c21324f76c854a20818f4488b4cfd700171ae79d3db93a9666a0936c81374cc150dbee61dffb70256f201de9787d04e79b6c6a9e44879f67d |
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | e2a0b8825641683b49f5a85deb138d1b |
| SHA1 | 256a90795aaa2ff51bc4c626a17b9b74f9134791 |
| SHA256 | 84e9daa6dceca5ae9234469aa958ff461fb466a669cc72ec6a93fb0014903a33 |
| SHA512 | 6e432e73536d1cbd822f3b8c54000f6cee4fb535ad8fb769d2793f04d5e5f4ba686584aca89f48cc29e24e82d6306c7213c8dc1ece4b3f43fbfde7f79796c62c |
C:\Users\Admin\AppData\Local\Temp\xXg3zVKeH8GB.bat
| MD5 | febfefe455b922c0d0ce63703e9f4cab |
| SHA1 | 9adfdc6b0c4ba7eb1ea7ceb22a7ac5ec83654d74 |
| SHA256 | d0c79a4d0837f8a0a10fd6108b7958531032bd8b00ba645fc3a7df01fa93ba37 |
| SHA512 | 6254bb110d8a8b4afa3bcf430018f8689108eea0f350dcd301d4a81adc0a20f5c8329798c2928fa38f620fa58ee172c8b8f0c84e9dcbed0096338f4d749f9c02 |
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | caeae6d87821d4f37aeeb1add140ce87 |
| SHA1 | d17cab1014ae79d7976c766913ec03ff960707b2 |
| SHA256 | bdc63b925f0b2dc48eeb73f03f94543e5794495516f238f7a29bb5cd355f1ba8 |
| SHA512 | 87ba338b9e73461046573cab7581a60a971ce6c844c95af9349b78e6a37f3d0a22157d48fe4c164bc2245e87121e5bd24300cb646915bf00b0a794cc369950d3 |
C:\Users\Admin\AppData\Local\Temp\Ov9E4WfpCSQY.bat
| MD5 | 90d2da382f7d8967b48645fe8099a316 |
| SHA1 | 12d53257fac15852cad9a170a43890570b2c60f1 |
| SHA256 | 204f3c90c2d819b99d005c93ddeccf19cb5ecb13aed90b6a7794f029bcdcc689 |
| SHA512 | d0c8f7432a8205fb39558f3b39df1e1f51594bec7074444952b8dd696e208a22cb14125e511b9adc59233a54a317a03f26b3fd1a9bf0433c15b99af3facc9b06 |
C:\Users\Admin\AppData\Local\Temp\JXY7jC7lnGe7.bat
| MD5 | 5b1bcf5a177d9fc499ff8415f0ad1f2c |
| SHA1 | b9857202c2b0969a7bde225e521f459803d43e98 |
| SHA256 | b755db04862e4a991c346b25c43025f9e3783df8d3480ff3e59e3b7cd31e58a2 |
| SHA512 | d78a164771ae55e03aa0f1e4549d27c31ed4903083e1b0c0dfe863c7d9c802d8ecf0d6072845b8fb9df5f86ee434eab36076f2fc51e2c02063adc9b2825bc8a5 |
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | db8cb88f68ed559e2414585f4aba1f56 |
| SHA1 | 8c80b63623dd60bd9455adb77eabd52d3072c377 |
| SHA256 | 91e08125a6e1e3b2606daf4d14bec455300bdbd7b4abeb6cba70dfcd062a0a39 |
| SHA512 | 72c9f8b9cad0960246114212fc845f13981570ee2792d603a7cef2a2a97fa50cb651532f0d0d6086971427e26d5e30aff56dace43d526c2d18d39680b8e42a10 |
C:\Users\Admin\AppData\Local\Temp\vWn9XTRg9mSu.bat
| MD5 | 24d5882a6a669123df1d70a6b39ee36c |
| SHA1 | 568767225eec20d621b848604ea0afaa0bba447e |
| SHA256 | 37fefa57f67ce160be01f48e92a6ca2892ddeab4d6d87b7262e5b2ee19f72526 |
| SHA512 | e79eecbf43afdabebe65a14fdca4dd2aa706d0719f21d62a953123f6f30653a4ca8a9e4ec1c46e8383a854e4a98ce44652f3818f88bfc92a0a7c5cb7975a593c |
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | 38cdc1595e78b0c3e46ef3405524af1b |
| SHA1 | 89657365b8ecb4ecd0c3809658ebf6c0be46a598 |
| SHA256 | 71dd1e55fb51fcd6266f7a3e1c5c81a655315aa9b70efd5fe8c61e946d9032a4 |
| SHA512 | 66aea15e6f7938f47b932150928939b1e2dee603171543318184ac9c78df64f84150a10e1bd29f0ea9e595e67f0c4aec784aea288a220d637f5f5f15c868379f |
C:\Users\Admin\AppData\Local\Temp\dLJEN4Kn4vY5.bat
| MD5 | ac871792910075228ec3c355d3654773 |
| SHA1 | b78c40038db63dc15afe3119647c4981c1bec4aa |
| SHA256 | 980edc163ab27a8eafa9a0d6c7116847d95302f45310408570967e1bd6d891c4 |
| SHA512 | 9b1216a0fc96c0c2e681bedfd37a58e52a7d457e725eefeb805262f73fdfb09ccb495e16f9dfa2ec68e2bef6cf7606e872fb54baf0b2033ffc8da29e0aa89139 |
C:\Users\Admin\AppData\Local\Temp\l3Oj1qfGV9cr.bat
| MD5 | 65e60091186d87d8034f4474ebe30dbb |
| SHA1 | 21ac94727b016715ace1f797593537ace9629faf |
| SHA256 | ed4c447b57cda72ecf82388b982b0bc71781fa6edfbd1498c2152f6519840d53 |
| SHA512 | 819545d68232cb62c7b64de343d3263a7e9aa989f7aee23a447d0fbe9fed1f0b06a6df85b2f2600f6fde0a695f7c8d050111ff5043374879055ef51a794ac9bc |
Analysis: behavioral22
Detonation Overview
Submitted
2024-06-10 15:28
Reported
2024-06-10 15:52
Platform
win10v2004-20240426-en
Max time kernel
465s
Max time network
593s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (13) - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 90.16.208.104.in-addr.arpa | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/1168-0-0x0000000074ADE000-0x0000000074ADF000-memory.dmp
memory/1168-1-0x00000000002F0000-0x000000000035C000-memory.dmp
memory/1168-2-0x00000000053B0000-0x0000000005954000-memory.dmp
memory/1168-3-0x0000000004E00000-0x0000000004E92000-memory.dmp
memory/1168-4-0x0000000074AD0000-0x0000000075280000-memory.dmp
memory/1168-5-0x0000000004EA0000-0x0000000004F06000-memory.dmp
memory/1168-6-0x0000000005A80000-0x0000000005A92000-memory.dmp
memory/1168-7-0x0000000005FC0000-0x0000000005FFC000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/744-13-0x0000000074AD0000-0x0000000075280000-memory.dmp
memory/744-14-0x0000000074AD0000-0x0000000075280000-memory.dmp
memory/1168-16-0x0000000074AD0000-0x0000000075280000-memory.dmp
memory/744-18-0x0000000006790000-0x000000000679A000-memory.dmp
memory/744-19-0x0000000074AD0000-0x0000000075280000-memory.dmp
memory/744-20-0x0000000074AD0000-0x0000000075280000-memory.dmp
Analysis: behavioral31
Detonation Overview
Submitted
2024-06-10 15:28
Reported
2024-06-10 15:56
Platform
win7-20240508-en
Max time kernel
596s
Max time network
601s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (15) - Copy - Copy - Copy.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (15) - Copy - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (15) - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (15) - Copy - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (15) - Copy - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (15) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (15) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\jgwb6Mhy1ZL1.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\eHI9SxaEGHF1.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\xWuKw5T4anyq.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\UvveJVaEAdCS.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\SX6vRrdnv9nM.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\pLbRaNTTMX5f.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\kOsO4KaD0C85.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\WuN4DakEvHtn.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
Files
memory/2108-0-0x0000000074B1E000-0x0000000074B1F000-memory.dmp
memory/2108-1-0x0000000000BA0000-0x0000000000C0C000-memory.dmp
memory/2108-2-0x0000000074B10000-0x00000000751FE000-memory.dmp
memory/2108-3-0x0000000074B1E000-0x0000000074B1F000-memory.dmp
memory/2108-4-0x0000000074B10000-0x00000000751FE000-memory.dmp
\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/2560-12-0x00000000010F0000-0x000000000115C000-memory.dmp
memory/2560-13-0x0000000074B10000-0x00000000751FE000-memory.dmp
memory/2560-14-0x0000000074B10000-0x00000000751FE000-memory.dmp
memory/2108-15-0x0000000074B10000-0x00000000751FE000-memory.dmp
memory/2560-16-0x0000000074B10000-0x00000000751FE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\jgwb6Mhy1ZL1.bat
| MD5 | d94c5e30d10d16ef47de2644300e0254 |
| SHA1 | a476907b39f89902478dddef7c7f5f25f635aa39 |
| SHA256 | 378b917e8ef43818143d5a533a1c37fbe45d1f80c28ea97872def8f5ac3b73e2 |
| SHA512 | 46c8183a789b007b9d9dbc2bfb88c4e549c5dfc7b6374df20ea48ff985fe75213f21d5faf9a4d83d25ea06e1a2605e26b1cb33171ce3a665fe1f1c713a639b78 |
memory/2560-25-0x0000000074B10000-0x00000000751FE000-memory.dmp
memory/2788-29-0x0000000001150000-0x00000000011BC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\eHI9SxaEGHF1.bat
| MD5 | bbeaccb93dcf3b396b7e00b9eba0933b |
| SHA1 | 95f427ffe7b6c41f8abeb9b1b29ba85f982a47bc |
| SHA256 | 535b06468318bb70571205f41c8981dade8827bf079d0ba77afe19086517aa0b |
| SHA512 | d3bcb8eb52c2f576c58f2964521783eaacd96cb2dbab237bf089091effeb9cfd894728f48674c676c8be8df6b9e4158c5c3e24df96524daaca41c0b1eba9cc0f |
memory/2996-41-0x0000000000090000-0x00000000000FC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xWuKw5T4anyq.bat
| MD5 | 1dc8f4448bd3bdbb42017cb61f55978c |
| SHA1 | 9385d697cf4fe8fe92c8da53c452366831cfde7e |
| SHA256 | d3e066180fd59d9f24417fa5a9f7b6dfa010ed3ac78ce95d6f8705a853e5428f |
| SHA512 | e631c426d65d4977aadb00a3c3760008a3fcc9affdaf1d6a60a1f66affb057f813e5d58bd355a33ef19cb63239b3b33d8f9299423688aa3d2aedf28478fdfa1e |
memory/2948-53-0x0000000000D20000-0x0000000000D8C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\UvveJVaEAdCS.bat
| MD5 | 25d67cfaef845abf2b26e7e5c5494e55 |
| SHA1 | ad9fe6cff6977f2e14fc173f24c84cf2c5bc9be9 |
| SHA256 | 842fa72dfff209814fbe57c1925b8dab100863e1f25087f90fb9eacb3514cf61 |
| SHA512 | 9e099393f0bb9bc97bdd16daeeaaeccb8299d3f50abd867aee34b0d6701479a686909c3ff294070cfbf94138a1d866a81b12adb71f6198d46eac986105051199 |
memory/1800-65-0x0000000000D80000-0x0000000000DEC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SX6vRrdnv9nM.bat
| MD5 | d721790c36afc1e1f42006e9ba587d0e |
| SHA1 | 9bc7a6e081d475294ef3f6b8719d787304adc9f0 |
| SHA256 | 2f500e5dab9ab1ad149209611fb0654f6dcc209e41be05968338da9cc8cc8f6b |
| SHA512 | 222cf9d3bc700bb01f5bdbc18fbb3a73c94031ef677a228e5e716a027a835901f88b4d2c0ba65ac0e224c3e72691728a2ba62ca5f0221940c6200f0e3c6db654 |
memory/668-77-0x0000000000D80000-0x0000000000DEC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\pLbRaNTTMX5f.bat
| MD5 | d2af4b267e83ad4f4544710f2aeaf04c |
| SHA1 | 697bc18449a3963aeb251358cc9bb749092ad5bc |
| SHA256 | 95fcd61f5fa6a7db10f69a51cfc2e37fa60e1da7b561e3ce5e8dba34dd8af3e0 |
| SHA512 | 790d4e9be11b0a2d1ac847f4ec34c250a15da4efb0e11c744f65ee583a394a500eb991e1a28acbbb40a61d167c899746c422138d215a37db7249d1cff0f92a43 |
memory/1348-89-0x0000000001140000-0x00000000011AC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kOsO4KaD0C85.bat
| MD5 | 075d6b6dbe9f0cd398c09aafd538b098 |
| SHA1 | 970d68ba1f24ae55d6fde8296221367d801a0250 |
| SHA256 | 66140c86db565256cbbb96f2c541479c7d6a561ef373d9379c7365a0edbe2a43 |
| SHA512 | ae12d64cab97d6c6a61028ce871127e642253f6031b39bd86b805c05bb7d7d2208dc3414696399fad21ca0b916f180e328dabbe7fb239c790aa3a2ea5aadf1c2 |
memory/2656-101-0x0000000001140000-0x00000000011AC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\WuN4DakEvHtn.bat
| MD5 | 6727cec2521cb7f089659be0c4fed113 |
| SHA1 | 0abd4dfec1ae70cb213bbb224e9a54be769eea62 |
| SHA256 | a64dc9875a7c7f50f02e03fce806b6ba4d7e3a01f70c6be14df7b3bf7cfbc1d9 |
| SHA512 | c2f0956a1d56641c1431e6155e98274616f1417a556154514cca88853c95306f043f2a7ac1fa595501a2cc625a53dad02013c72c8c7edbe67fe62de285ba8543 |
memory/2000-113-0x0000000001140000-0x00000000011AC000-memory.dmp
Analysis: behavioral32
Detonation Overview
Submitted
2024-06-10 15:28
Reported
2024-06-10 15:57
Platform
win10v2004-20240508-en
Max time kernel
590s
Max time network
604s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SeroXen = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\"" | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Program crash
Creates scheduled task(s)
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (15) - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (15) - Copy - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (15) - Copy - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (15) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (15) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ktx4cEBJMm7n.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 904 -ip 904
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 904 -s 1888
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\N5K4CQRftxIu.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3056 -ip 3056
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 2180
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JFbhTUKXWP0I.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 644 -ip 644
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 644 -s 2196
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ma76S2UHWeCy.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4324 -ip 4324
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 1708
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0sueYxwubXV8.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1456 -ip 1456
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 1076
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yzTMyqzutIdc.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4576 -ip 4576
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 1092
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HnETchDwAxWa.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3032 -ip 3032
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 1712
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4sr4vhjA3BTR.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 4296 -ip 4296
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4296 -s 1092
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KfoRmonso2gV.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 64 -ip 64
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 64 -s 1092
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zNaRMdICbgiN.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1812 -ip 1812
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1812 -s 2232
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Pl2cRedNV0sj.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4168 -ip 4168
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4168 -s 1092
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZyHwrcawdCpP.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2224 -ip 2224
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 1572
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\P4jGxMGT2ETA.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4124 -ip 4124
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4124 -s 2232
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZHxaNKC1AQQq.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3960 -ip 3960
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 2236
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RsZjEGUdGQxV.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1152 -ip 1152
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 1092
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oh7afssz3tYN.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 692 -ip 692
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 692 -s 1672
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pNLlUsWFt6qZ.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4056 -ip 4056
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 2196
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ex9BZ4eXSIgL.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1592 -ip 1592
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 2232
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KS4hRv2birMn.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 900 -ip 900
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 900 -s 1688
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JdOuj0RMRW9r.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3172 -ip 3172
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 1724
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NKegb2cWMwWi.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1884 -ip 1884
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1884 -s 2220
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FvGpSyt8Sw2N.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1032 -ip 1032
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1032 -s 1692
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gJi0YyEKMGCk.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3460 -ip 3460
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3460 -s 2232
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FEwTygWEzAdo.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4816 -ip 4816
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 1092
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mC6iVqyZW92Y.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 2332 -ip 2332
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2332 -s 1092
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zQ9lhY5RA9g9.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1804 -ip 1804
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1804 -s 1724
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\37QWZaFb5Z30.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5024 -ip 5024
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 1092
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
Files
memory/3940-0-0x00000000744EE000-0x00000000744EF000-memory.dmp
memory/3940-1-0x0000000000B50000-0x0000000000BBC000-memory.dmp
memory/3940-2-0x0000000005B30000-0x00000000060D4000-memory.dmp
memory/3940-3-0x0000000005620000-0x00000000056B2000-memory.dmp
memory/3940-4-0x00000000744E0000-0x0000000074C90000-memory.dmp
memory/3940-5-0x00000000056D0000-0x0000000005736000-memory.dmp
memory/3940-6-0x00000000062E0000-0x00000000062F2000-memory.dmp
memory/3940-7-0x00000000744EE000-0x00000000744EF000-memory.dmp
memory/3940-8-0x00000000744E0000-0x0000000074C90000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/904-14-0x00000000744E0000-0x0000000074C90000-memory.dmp
memory/904-16-0x00000000744E0000-0x0000000074C90000-memory.dmp
memory/3940-17-0x00000000744E0000-0x0000000074C90000-memory.dmp
memory/904-19-0x0000000006660000-0x000000000666A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Ktx4cEBJMm7n.bat
| MD5 | 0ee75920959cff50993a88f2c96fcb42 |
| SHA1 | a26f4b2e29a6312855d272a710052d5095487b80 |
| SHA256 | f2b8767642d9b591f27f4ea6d79e806bdba638178cbd443ceeac1e7bee1f5cd2 |
| SHA512 | 862ec32b5a9a04825e8fc52da5c8348cecde513b06af2f2bb1e1d4a54cd2ea898046e41ec1d6f1beef6be8eb6a1e3e7377daf8d5dd336639de897af76c665915 |
memory/904-24-0x00000000744E0000-0x0000000074C90000-memory.dmp
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | 0266f8a6bc97960b087d43e1540ab1fc |
| SHA1 | 8fa56cc85d78f53576457ba9bca0946f27cb55e8 |
| SHA256 | c9d43ddcb4edd737adb5129b21edfac8ebefc1b24fe275f121eaea8a2b5f2a47 |
| SHA512 | 0eaad11a5e88ca122d5944b834f7522711f2523b6a3059955b17d6a559e720ad5bc3c00324376076a0e92f64fb21898be3842dea6196fed452dc52b0ca1c5d79 |
C:\Users\Admin\AppData\Local\Temp\N5K4CQRftxIu.bat
| MD5 | d1c2fb24fceab6b4416b3f06867b5e24 |
| SHA1 | b1b6dd292720a3759a46fded395fd9e841428bc6 |
| SHA256 | f0712dffa8ea962db1832a0d6503fcb5e992d7b7b888ba664c74796bc8567a5f |
| SHA512 | 11c1ad2765df8bd26b3237f155fb759e32e1bc03d71feac86a8e07baf58e836dedc13a2492881360d7562265314dec054c242998a8b59f01e6a01adba041ccfe |
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | cd077d45632e8fda1855459d2be5cbb3 |
| SHA1 | 1ae037b956f0960e7bb201720fbf9005a4179f88 |
| SHA256 | c62f317adf7f9a10be0795179d7d018c1c7659cdaf5ff3e8fe80ae3fa1ca2734 |
| SHA512 | 960c347bf1c25e1b833382c08e58707addae0d4f061a59062023a20c701e48e9e70889a906538688bb8dc86d2b74dc4c7dcfba5f1aa3bc1ddbe1e1c9689ead6e |
C:\Users\Admin\AppData\Local\Temp\JFbhTUKXWP0I.bat
| MD5 | b04885a7251ad4d6742f1c6c77595704 |
| SHA1 | 78dff1d0ea067054375a5d6f539e940d90e5ccfd |
| SHA256 | a6229d1ed085036e9a68b00e70a42173d89fc0b831a2a280713f15a3c61a1061 |
| SHA512 | 17d634835515f55baf03b8895f882418f1176d1704696284e77a46f0258ccda7896063050909dc45ed625f1da2bd218a8b3c83d0b2dcba4b654b0274397a1a33 |
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | ec6fdbf78e5171cc9fe5f0cf66841996 |
| SHA1 | 81c866c901f4ebc3d4530325e855fc8612e305c0 |
| SHA256 | f5c9c70d577a8b01a21568feb1fd013c1c98cb9bd49e7fd4b8ae27ed4dd8af88 |
| SHA512 | d616f44d7a1920aaa9745de66f4083d31560f4e0d5a06443bdd757b5f02b78b057683b477eb4d0db866e56f6fa35e699ba3fe5a31c9a474bc93ffd5c1350a211 |
C:\Users\Admin\AppData\Local\Temp\ma76S2UHWeCy.bat
| MD5 | 60793885a0998facb858db9822ce13fd |
| SHA1 | 39ea5251f07e8fbc5aabc36aa58186fb6593e7c0 |
| SHA256 | 39652dbdf7e3ed8e9c58b78f836ed2c4459290cbe73e5413b35a66e5fc3f7c4e |
| SHA512 | a5d95c33ed48fe33c7681cee6067e21fc8573f74f8a742539770ad90b3ecef1fcc7ed5d5160cc639a3555be123da43f57d8f410b7c5fd0fc4efda4210b490de2 |
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\0sueYxwubXV8.bat
| MD5 | 02c1c940ba18f100989a500e4a179936 |
| SHA1 | 4eb39ab54c3b930fe35eaf682677895370451122 |
| SHA256 | 11022913e470e383d0fbe78b88538fcffada60a1833c7cf68af6df9e255f1c58 |
| SHA512 | fae27a4f276dbce8c545524376de8320785e8ca799af6ca96ee76f71d68e810b8a017e20e4c58d0af57ee1dae3b3e9d45d7f2d2666202a176193851b8199f850 |
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | ff80959a314f97bdbf95266e711cbafa |
| SHA1 | f1f7db37d4881cb216250f1c687960bae7ebf6c3 |
| SHA256 | 03c8cf607ffd7becd7e3efa1bb4f4fc352c70f48d42e56b923ff5589aa220e34 |
| SHA512 | 381215486b79cead3c558e0e9c12f6cf5744267e28cc1b09cf21b99602cda7236d8291b61db6ad43e9b7a5df913286bbf1df140d70f0c19254b00bc63aadc8f1 |
C:\Users\Admin\AppData\Local\Temp\yzTMyqzutIdc.bat
| MD5 | c845d611c4ba82b8ece0cb6f0f5898e6 |
| SHA1 | e3f684ea24ff456a82336f96de00f87b46d60298 |
| SHA256 | 54c2057b04c1d0dd683d0b182ca24e1ce2cf9433c49b6fd5e1956688ff6a6f1d |
| SHA512 | b21f9588480c1ca9e4e10a16a1b35924edd0a3a1bd320847ef7274a51db777f37243f53d3e396bc90ac44fd814835b23a8a58700e80d96f5bcd21c9c414c870a |
C:\Users\Admin\AppData\Local\Temp\HnETchDwAxWa.bat
| MD5 | f083d44381fdaacee7e85e591031415a |
| SHA1 | bfaa3e67ffe50d5259564431b53587f8a54c6fb4 |
| SHA256 | e205473ec6c78eca51b327b612c1c2edcb6cacdd2c8cfaaca99c18e58d5fbefc |
| SHA512 | e5f1758c7d8f795830b5769c647d872b12d6b21002f16c8dec4118de307b8fd0092f3b5e747335f202af600730f779fc3042e8f3a704f88a544186b8d66df34d |
C:\Users\Admin\AppData\Local\Temp\4sr4vhjA3BTR.bat
| MD5 | 97d5e66fe38d080753210c4f372330b7 |
| SHA1 | bf3c60fd27e4830a1b6b1da8d5e533bf3f1aeb2f |
| SHA256 | 5630c48d7615bb9538c728af4331674e4248d794c08617b3363f9c734ac6b3b2 |
| SHA512 | ac5d1d3280cb16040002ecd1c9876e6000527e82acc453d77c3397998ca82bf1246e3fbd6a66d9a41e66eda8f2a6baafe34f17204787555cbffc243580718041 |
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | 6ffce06571e69230afb630559567693d |
| SHA1 | d7a925ffd7dbfcb237e8efb11440b5f41237237a |
| SHA256 | 100ed0f0688a4a2a6f5a78cba98a1ac1397d1efee8f0a1193ff3f488c2a1450c |
| SHA512 | 898841a3805374611231542f121caec139d152447004e4538de6d1537b6e09243728bb8bbd3bd0de2b091697b633fa4157e064c9c2bed045955977f54fe20930 |
C:\Users\Admin\AppData\Local\Temp\KfoRmonso2gV.bat
| MD5 | 3592d10a699d469f0195e60bf70b5fc5 |
| SHA1 | 3bc38f5b9c01742050ac9e4caebc764a63455116 |
| SHA256 | 010cf4fcec0080be609262c36e6588740f58454147bc0290717cf04ac8cc3c05 |
| SHA512 | 33b345034f2c10935269d9e688d40026f3260c9385cd5a02b257b6e1b2f003a4e0fd8827c00ce48ac314ddc67513d146186b5d8cce08a0d9ddc0d82e665a1741 |
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | 8be4c830662bebb0c82a083e6113c524 |
| SHA1 | 9d392f000076fe0d68b38857dd331b6405a3de19 |
| SHA256 | b36c781f06c3885c1240f83047a3b5b6d39ccd63f12ef72215fa2c8819eb1d63 |
| SHA512 | 967f580e9e3ebeeb1bdc3660491963c0ccd47b9e225f08072d9b3b5eaafa3869116160c4d52b9c1076a551dc5e20e5591d3584be5049f35a39a13503d38cc90b |
C:\Users\Admin\AppData\Local\Temp\zNaRMdICbgiN.bat
| MD5 | 363e776f5b1e64927698b152b65fffbc |
| SHA1 | f1e64b580b48b1702f751645102dfa7127c618fb |
| SHA256 | bbc63bd5de95f255ea51e62070695562675fb7e1f3af176004f15cb1fc4d2c32 |
| SHA512 | 8396ccd7262af39d9e6d2430ca9f01f4ab41d05c0923c6a92156199f9eab522e57cc00ce114da0b891f95cf6f9fa8e9ef18da7b530775dd1e756cd7faf13d16e |
C:\Users\Admin\AppData\Local\Temp\Pl2cRedNV0sj.bat
| MD5 | be385a7bd129b9113d74fc5747a0ef2c |
| SHA1 | 3dc4fe0a501f51e539afe67acba38d3f630ae483 |
| SHA256 | 1f7e9a4fb3d33247aadfdedfc5db48a3c215ac3138c04f130958a10249ced044 |
| SHA512 | 412ffe57d0dfc0a41b5307c7f8a6e4c7cebfc6ccb5ab731d9aba8edf5b06af898159c95fc1bf2607fb795555f7fe460c6e60c8e2b6e8fde60ffcf2f7b1e76a61 |
C:\Users\Admin\AppData\Local\Temp\ZyHwrcawdCpP.bat
| MD5 | 7a9a46c6d95431adfbaa1c1792149722 |
| SHA1 | 527518592334b78046f4503fe5ca2b3897650126 |
| SHA256 | e09ea91d76d7dff8672eb9144579840a9c4e37c489716bc1f923abe3745ae7f7 |
| SHA512 | beb4a1a458bb4b8e6dbcc46109a8e00c920a6f4082b54377e8647ce878476e58eb2091b6d0675fba96c4ad70d4cb1de975767f49e0d23eeb80fe282b2797dda6 |
C:\Users\Admin\AppData\Local\Temp\P4jGxMGT2ETA.bat
| MD5 | 0af224160da4ee329aa06099c4bea287 |
| SHA1 | 4e23173ade2cdc25fed716cf1c62d38493a4b47f |
| SHA256 | c56f3fef1cd37f6ab3909e8ef0293f55c3a9a365ea7e68d82b52cbdfe3881015 |
| SHA512 | 888df56fae448c6d021c32f6796d6859b7efb18b1b38c918ea36e9370a97e83444353a16f6facd2f1e8b621f94712aba0932a4d29143215b03fedb6777a87786 |
C:\Users\Admin\AppData\Local\Temp\ZHxaNKC1AQQq.bat
| MD5 | 4c54e4a1305c4f2d8dd897f43f360012 |
| SHA1 | 8b514863e091456726cccad2b3c5dba89e254d2c |
| SHA256 | 60c50f1e583d0ab8575dffda5df5c7258e91bacb69756c78b981bb8283b9583d |
| SHA512 | ab2fb7e0fda0aacc14950cb9cb893067c3296df345de3a7213e3bfb84419ddb0b93d6f72c647777b59476b21209865499f09ff6bd10ea926c223dc901db77c6d |
C:\Users\Admin\AppData\Local\Temp\RsZjEGUdGQxV.bat
| MD5 | 4bc9f6e20e3d01b81f45f99cdb84a36b |
| SHA1 | 0c48c05892647500f3cd84558040892a1b95cdb0 |
| SHA256 | 4b8a3d1447cbec75cba4394008d570f7faf2c5a9b882345a0d13f373f609ac8a |
| SHA512 | 20a79d7d66fe4a0dd314e061988a2cf323724be537d2bd0d13d4d285386152fc7f8f57ec4ee6c7cfde8db42280bf4cccdeb683d66d51dd40deb13b6f94dd25a6 |
C:\Users\Admin\AppData\Local\Temp\oh7afssz3tYN.bat
| MD5 | bb7501100b813b74707497215d44e64f |
| SHA1 | 3ee34019342ca509b2b132def93874342b0b470a |
| SHA256 | b1b71aa10c552c82a4960333645c4154c2f03d6dbc49218022f18e1a850e6301 |
| SHA512 | 9602bf098741457dfcc083c052ddabdb775d7bfaaca089e70c8dfa6e30b02b29c139d8392bbc9fe274337e81117e519d31d685e91d75ce262e0d7e728271b8ed |
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | 13ae35fc441cc1a48baf82d5a6c54bd7 |
| SHA1 | 2b6e57a7442221cb1f4c6c2d1347bbd54d6577ad |
| SHA256 | ad78117547e9804f11c8cacc7756525118cdeb285a01ee7c108ee6a679824d79 |
| SHA512 | a7a6b58c2e08b7d4862188c83ae8ab03731116eeea2fc80aea24821ca125a113fdbd64f48345d32e3fc238f265119249e97a6967d157214364697c2983415952 |
C:\Users\Admin\AppData\Local\Temp\pNLlUsWFt6qZ.bat
| MD5 | a195e280db4709083c7b9d2723e33d9f |
| SHA1 | 8e75d7209108658546dcd55793450c190ae638ab |
| SHA256 | b2038af0ca35dcd5a44692f6866e7156e61fa2503044df51793672091ac46d8d |
| SHA512 | bf8d76eec6141ffaf1e102f7da59da77835df0ae0c901fdce651255eb6257a5535a2f42c7bb2408dc1f1d8b12f39f69ef3c519aa6379bdef3428d50adbee5436 |
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | 1be1808af12f2e0eccf0a423e04aa1c5 |
| SHA1 | f058f58d949c5f3c4994b5c68ea46fe1e7151ab0 |
| SHA256 | 85f896d30386c40a524a04a1754edf8f9e179d00313850843891cd6a9cdb4c12 |
| SHA512 | 6a65b365ceb78691efe8d37ea6d873853a403dc02ffd4e37593774c4b3d3cc7d179e4f6ce5b77497feb009deaffb0b6e0947e4fd09d2a53a4d7479048f30b762 |
C:\Users\Admin\AppData\Local\Temp\ex9BZ4eXSIgL.bat
| MD5 | 4c34a44dd75f853b50a88bfa2c127be9 |
| SHA1 | c6f85513b7e8ee1b723b683d331b50b2c7ec25d0 |
| SHA256 | 2a1308b9a8dcceef48b1493dbc346475b54b3e53d8494b770bb7288452576679 |
| SHA512 | d8fa7460368c1dfd7c1c5b65c1ca205b25a6f9f2c1b3126dcc8e1fba2b52e7069a91a7d0a3f24c425e964f7a3d3a5aedf01a02db140ec8afa343aa13fe3fc9b7 |
C:\Users\Admin\AppData\Local\Temp\KS4hRv2birMn.bat
| MD5 | 29b8e93c01aaec7697d9b38363e3efb1 |
| SHA1 | 80e18dfc82444c6e529226b7faf2dd4f4bec73f7 |
| SHA256 | 0cc937142a866e02ee357e5aa8fb9d014633f12d3ee27642c85e92a4cab92a03 |
| SHA512 | 6feac4a23aa450ac54f3fde56baa0281e7924896123726cccc418d3f5685cffb5ad6029e14b1582e1064675da20dfe6a1d3a18df1b3e43ce78e933ea720d5fa0 |
C:\Users\Admin\AppData\Local\Temp\JdOuj0RMRW9r.bat
| MD5 | 1852f0278be8ffb0b355398dc65bb079 |
| SHA1 | 6137f02b43ab1c2779ec0d688959acddbccd5372 |
| SHA256 | 53a92d1bdcfefdd139e4bf4bbf29129e199467c8f531b081238abc7f4786cbee |
| SHA512 | f98a4f11803f29314de97fed36df519f8a42396f1c740ba0e3e594c4b4e2f8c238d117285a97789f2994549f14d67953159a58653c94e2da97355196aca0f63c |
C:\Users\Admin\AppData\Local\Temp\NKegb2cWMwWi.bat
| MD5 | 939a0d5c945d5214e7ea95ce7a18556e |
| SHA1 | a276d7e87f5cf770772441db1098282a4abd2b64 |
| SHA256 | c15dce6fb6f73f6585de8aca544af7d5d082f42de10aef39558dada5a044333e |
| SHA512 | bf23019a36619ffe49ac760aad28bcefaac770679df3a798abe2eb7b412d2d2f2236b5d5bfd9ce7ed67caaed8af28df2fc3e9e9aa97e87071e718188c87e84ff |
Analysis: behavioral9
Detonation Overview
Submitted
2024-06-10 15:28
Reported
2024-06-10 15:45
Platform
win7-20240508-en
Max time kernel
597s
Max time network
601s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (11) - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\9u16OUMBnmAj.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\E6tSyzXuBx11.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\m04a6cG9Sm9X.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\c5SZtGO0ViTj.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\Q663ojA67l7M.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\Sj55koN0O5QA.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\SqPBeM3eqYuz.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\oeuhmttKHwCI.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
Files
memory/2104-0-0x000000007458E000-0x000000007458F000-memory.dmp
memory/2104-1-0x0000000001180000-0x00000000011EC000-memory.dmp
memory/2104-2-0x0000000074580000-0x0000000074C6E000-memory.dmp
memory/2104-3-0x000000007458E000-0x000000007458F000-memory.dmp
memory/2104-4-0x0000000074580000-0x0000000074C6E000-memory.dmp
\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/2960-12-0x0000000001140000-0x00000000011AC000-memory.dmp
memory/2960-14-0x0000000074580000-0x0000000074C6E000-memory.dmp
memory/2960-13-0x0000000074580000-0x0000000074C6E000-memory.dmp
memory/2104-15-0x0000000074580000-0x0000000074C6E000-memory.dmp
memory/2960-16-0x0000000074580000-0x0000000074C6E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9u16OUMBnmAj.bat
| MD5 | 71be8ddf73bbfb7af38acf10608afefb |
| SHA1 | 55166d9562c3e0f51bc5a0b123703026fe9e49ba |
| SHA256 | 410b45a8b6b04e07093dfcef0828b0aa7977d037e6615dc94f869a84fd835987 |
| SHA512 | cedda561d38a5fb2e7bae61407658a9ee090d731bfe85cf707c99354ccef20e005f7b9346f3d73b2e5626a3cb4c06596ab0d48e8946c79bd0d7de02fff8ef934 |
memory/2960-25-0x0000000074580000-0x0000000074C6E000-memory.dmp
memory/936-29-0x0000000000140000-0x00000000001AC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\E6tSyzXuBx11.bat
| MD5 | 729407913ce9c7b4f685fd775c6d5ef6 |
| SHA1 | 8fce9713e2116a31a45a54d6c09afdc5ecb5ad52 |
| SHA256 | eafa07593cc1ab3e3d7bae1ac9f850457364f73ee384cb9b727f83d9841257fa |
| SHA512 | fe0834a7fd71000ad41eb0d57b85d3ffe17c8c2d06a46bea7c971c20d50501f70ed3dbc1f4881a228213acf0520eb9839efa758e033cf24f170ee526c1a91132 |
memory/860-41-0x0000000000D00000-0x0000000000D6C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\m04a6cG9Sm9X.bat
| MD5 | b52e561f4d2d718797a7b3f91d641294 |
| SHA1 | 97916c478c8dcf38a76976c6f9aa9cdebdfb73c0 |
| SHA256 | 3655a1cacd12a42cb5686e3a6c72b49334829b8b87cbd50237a91f8c7c0b3fc1 |
| SHA512 | 7d82274f14a14a39d8f51f1d497079e70979c0fc67e2ed19aabde2bd9c53ae0627136017fe78510a3e773414658668128dd32316887fc8833b395be89ac881f2 |
memory/2560-53-0x0000000000D00000-0x0000000000D6C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\c5SZtGO0ViTj.bat
| MD5 | 59d5846523a1a0046431e374094ab506 |
| SHA1 | aac09466c858b25442d97c33cb8d96f3869f26b9 |
| SHA256 | 7833972dc71e571dbab1ebf77c02d3f8c21cd3fd03ca49b83de76bf743377f5a |
| SHA512 | 35bac6267eebdeaa9b185badb42003684a7b71b8fcfa40b7edec645b6b4e1f58b09f3bf1eff17ff8eeba1cbbaab8a048d8024ec8ee9e4def73963c46e957796e |
memory/380-65-0x0000000001180000-0x00000000011EC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Q663ojA67l7M.bat
| MD5 | b0769e6c1154ed2b9fccc9782396984d |
| SHA1 | be427faf8c752cb608783532999b2a97b1cc6657 |
| SHA256 | 770fb4b8ab7340cc13628120af808bcaf480ba3ddfb4e364eca8268b4c5d2dfd |
| SHA512 | 6da3dd89081abdca30298b9007d7d35927d4391bd8c5fa6707d739e06f8c9aeb4011857f5b3b4c2c8ccf841dd24f6b4d3a6b82e57242e5cd544c8cbef37fb2d4 |
memory/1968-77-0x0000000001320000-0x000000000138C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Sj55koN0O5QA.bat
| MD5 | 3a389224d854c612ca28895767c11a95 |
| SHA1 | e5abbe755829a8d711df83b6c6e97afc4bcfea71 |
| SHA256 | 53d2f11b34c4d0de491f09e1ec2faf9635ed53ee8a81d76d82e53b741d062c2d |
| SHA512 | 41cab6d55526b7af95de54d1c10d300371d22f98618eac15da8e48450e99c0bcf9a84df2fab01bf3b64849fee5114f923ea5e5ac9f4b400eee867560fb24390f |
memory/1284-89-0x0000000001320000-0x000000000138C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SqPBeM3eqYuz.bat
| MD5 | a61b7c0c335328b0b1e531d902cbc38c |
| SHA1 | 5e7ea47c3f8e540c22e402f3384e43b697264b8e |
| SHA256 | c85432f096a71d62f3b37c7df18cde52b6fd3a1f1f0a1fb2cd18f4f0f9a7050a |
| SHA512 | 7dace64c2446f121dc7ab37148e5b899fc2682ea48d0c0a9de00ce9a48bf21f3a79411ec17ab11f0bf36a1bc4531c8b25135303f97c9226f4c2ac0067a55c522 |
C:\Users\Admin\AppData\Local\Temp\oeuhmttKHwCI.bat
| MD5 | 90ab15a3796fc175e48724be3934ffe2 |
| SHA1 | fbf504f2336eb4e00efc1f36a9e5f57e84e10985 |
| SHA256 | 30fe547fc97e1d03d086fe1c8dfbc1083ce57f7d565a24ef55b3b0e51d8a2c98 |
| SHA512 | 4519a6dcd97d140c170f8b23fcdc68ee3898d0ced28f29233d3f6f176ca9180f49be42e0b4263d64ac70b127eaa46851073613bc923fcfcd82a02f979594aa6c |
memory/792-112-0x0000000001390000-0x00000000013FC000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2024-06-10 15:28
Reported
2024-06-10 15:47
Platform
win7-20240508-en
Max time kernel
597s
Max time network
606s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy - Copy.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (12) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ABb84DOYnXso.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\5mxgQoIo3Fmp.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\CSyqmV4c8OW2.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\mtotvgM5D2RX.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\Ci79qxL5ADQk.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\AKIQzIPfvj1f.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\uJ8B701R2yzN.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\51y4FSyZdvQU.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
Files
memory/2984-0-0x000000007419E000-0x000000007419F000-memory.dmp
memory/2984-1-0x00000000009B0000-0x0000000000A1C000-memory.dmp
memory/2984-2-0x0000000074190000-0x000000007487E000-memory.dmp
memory/2984-3-0x000000007419E000-0x000000007419F000-memory.dmp
memory/2984-4-0x0000000074190000-0x000000007487E000-memory.dmp
\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/2532-13-0x0000000074190000-0x000000007487E000-memory.dmp
memory/2532-12-0x0000000000930000-0x000000000099C000-memory.dmp
memory/2532-14-0x0000000074190000-0x000000007487E000-memory.dmp
memory/2984-15-0x0000000074190000-0x000000007487E000-memory.dmp
memory/2532-16-0x0000000074190000-0x000000007487E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ABb84DOYnXso.bat
| MD5 | d0890a2f0428af375715a5686715e46c |
| SHA1 | cf5266dc2642040558daf1edea5a7e98aecfb5e1 |
| SHA256 | bc64e12863350ea14d30e848293b0c4aa3effd35783c57002e7525bed7404702 |
| SHA512 | 4b7c5f1ffb7cc43dc5397acc157e8cc31cc34d7be781da89f5163f132580ecacca689df77a1a2003858d80b8ee112455204913048111a1fa4f3ec3a93dc01fbb |
memory/2532-26-0x0000000074190000-0x000000007487E000-memory.dmp
memory/2044-29-0x0000000001050000-0x00000000010BC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5mxgQoIo3Fmp.bat
| MD5 | 96f66fd1962f14a7a9a7e96b27350424 |
| SHA1 | 3032f892e23da188f307ce9c45a691c8428944b9 |
| SHA256 | 60e1f38c1f2d05aac360fa11305afcd51f9da20000b47589a4526cdb359fa5d3 |
| SHA512 | d6e45b8a9aae7621f00801214f1de4381d42533164508dbbcd0ebb7b6bd864a21c54ce5678169d5ec9fee4d4bcb901c19a28b5893c63fd381df7b660161b42b4 |
memory/2160-41-0x0000000001050000-0x00000000010BC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CSyqmV4c8OW2.bat
| MD5 | 75d36ae74ba5b6dd83c43c3dbc458c0e |
| SHA1 | ec68c38e5d191be56ec84e6aed2dcde73ced7dbd |
| SHA256 | dace719784c5a04d25d469139860e766e89c0642ec29d232fad316ebfa09b7d0 |
| SHA512 | 685978ab0dbeced334a16c57536c045ca94a8b381b74a6b10016d62097c84e48ff6b8f44669d30998f028e1d6f9863ed62bf8d39dff4ee71147d69cc73ac0d92 |
C:\Users\Admin\AppData\Local\Temp\mtotvgM5D2RX.bat
| MD5 | c21bc67654e0fc33e8b48ca87e1a3f9d |
| SHA1 | 3658903873e34f66759a580864abf8277e2689f6 |
| SHA256 | 11ee2a7dc4309bb457a8c0528717ed7f49a37447cd26155648b7bb123a6013c8 |
| SHA512 | f7b4471e1e4836ae7b3bfdf3654f14f4a48ac8f638b5415bbabe71791bdffebdfa3e864f653abedf8b7f8bf95558a68e5a0e79eb469063b2202307344aa09853 |
memory/2692-64-0x00000000003C0000-0x000000000042C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Ci79qxL5ADQk.bat
| MD5 | e369989587ed36c38774b9bfa06b2ed3 |
| SHA1 | ab979d4a0680bcbe2006fa07f73a8cfb8cb198c8 |
| SHA256 | 3218e81c77544742098cc2cea013a4f522599165306b21d96163dab450aacd4e |
| SHA512 | 32f7b5b026043cad8224ce36d6b95dedc0c212bfe397ec11fe45ac18aa9b1a3081cb0a89219475a93f22b5092676dce7a066a8a2ca53c4855b4ad507f8d313f7 |
memory/1008-76-0x0000000000070000-0x00000000000DC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AKIQzIPfvj1f.bat
| MD5 | 50bb7cfbd38988d8cbcea48a0764d1ca |
| SHA1 | 4b354d2ca3babd86fbec39f0ecd3abcb424d6052 |
| SHA256 | e4de3015903eec1a7ce09359d32b4401e79d259e4dff359b37788f40716390d3 |
| SHA512 | 6848e45bac948266315a7b8c7f8742a0a3c05b9970ffa021e9ea8601e806af335dcc376af832af8ac2fe34cea4bfff5b580cf26e7d6dfe5185508979df305663 |
memory/1800-88-0x0000000000CB0000-0x0000000000D1C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\uJ8B701R2yzN.bat
| MD5 | faae5ddbf1d1aa56bdbf8aec42be9969 |
| SHA1 | 8fa36fc36319a45e7b847739295a153ee2392a44 |
| SHA256 | 1b08f51c758c4f12b58f4789c41c22f84a622d7260b58b596d5541b3f32e4416 |
| SHA512 | 0bded1b0e2af0a151c58e702b80a415a9235355725fe7b987d5a2f947926f7bace2f775ab94aedb3c6043050fe5a339ad24fc07ca4c9f6f2b3880204f85bb0fb |
memory/2508-100-0x0000000000CB0000-0x0000000000D1C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\51y4FSyZdvQU.bat
| MD5 | c928175b68f6998e28a2ede8a0112de9 |
| SHA1 | 11b1514d03abeb4007e9526ab535ec5450b93ef2 |
| SHA256 | e4712745fd3a27d3a3aae163febe632b8f890f0add58ece8c3b96baef0c79992 |
| SHA512 | 3c81b63e80a447fb09621fd8040bcdcbe90fc88228374b1cbf860c6d7cceb88c89e0cdd4defed5aa5c5c90362105a88986a2e4cf70d5107f745b3ddf32673b9d |
memory/1308-112-0x0000000000090000-0x00000000000FC000-memory.dmp
Analysis: behavioral23
Detonation Overview
Submitted
2024-06-10 15:28
Reported
2024-06-10 15:52
Platform
win7-20240419-en
Max time kernel
596s
Max time network
600s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (13) - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FjZvDPccJqyt.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\T0I90FWa1dyU.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\5vH1vbP8oGmu.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\xxkFdoLXw68Q.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\EFHCDOPpAipv.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\5HkQuaMFJZBR.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\omQLG6MxiqFF.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\suYByOBvg8Ry.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
Files
memory/3000-0-0x0000000073F9E000-0x0000000073F9F000-memory.dmp
memory/3000-1-0x0000000000350000-0x00000000003BC000-memory.dmp
memory/3000-2-0x0000000073F90000-0x000000007467E000-memory.dmp
memory/3000-3-0x0000000073F9E000-0x0000000073F9F000-memory.dmp
memory/3000-4-0x0000000073F90000-0x000000007467E000-memory.dmp
\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/2524-13-0x0000000073F90000-0x000000007467E000-memory.dmp
memory/2524-12-0x0000000000D00000-0x0000000000D6C000-memory.dmp
memory/2524-14-0x0000000073F90000-0x000000007467E000-memory.dmp
memory/3000-15-0x0000000073F90000-0x000000007467E000-memory.dmp
memory/2524-16-0x0000000073F90000-0x000000007467E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FjZvDPccJqyt.bat
| MD5 | 3515152da4e3efb8745894323d2dd19e |
| SHA1 | a312fde3f4f1d243ac39c3759c116790312e8475 |
| SHA256 | d1a488033a0e7c9c08cbc22492778e07dfaa32a0854823e6a5485b3fe2d93891 |
| SHA512 | bc90a5678af1e3709651edaa02068b154a251f8738b6858a432e85cdadab1eb12377f8db2442090e7b24905d2fbcc4f90745875bf1b2595399dea0f26085dbc5 |
memory/2524-26-0x0000000073F90000-0x000000007467E000-memory.dmp
memory/536-29-0x0000000000DB0000-0x0000000000E1C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\T0I90FWa1dyU.bat
| MD5 | 88f7e8d900741f7c2fba03c67cd00f98 |
| SHA1 | 748c0f78c49a20df7bfd65c7626a617a91641fde |
| SHA256 | edc7fc24522546c26fdd1213e87270d7e5630551b049454c5d1e626a8e9086a7 |
| SHA512 | 4c571fadfe0560527e69886cf40cce578d72f6747441e6b8583a9c5654380b6adc8d30c12110ce6135b3edfd8ac01eb6fdf2e5791a86b65483c3fec05af9ba86 |
memory/1116-41-0x00000000013A0000-0x000000000140C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5vH1vbP8oGmu.bat
| MD5 | 319543fa211ac48b58e38efb3272093d |
| SHA1 | a17e094e3fb3b0b4394adfc80e3d725fbf76c58b |
| SHA256 | 5ea6d208b95244d096c3038a3f9f727282ad05046bf9e62aca4c2bce01219c15 |
| SHA512 | 88370cac984f44c16fd0ab328d0f384e268873a5a4a11243ff571667c5f333599633f138a6dfb1901405eced964536e2f8f364c414b8e9d986810722a2c32938 |
memory/1852-53-0x00000000013A0000-0x000000000140C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xxkFdoLXw68Q.bat
| MD5 | aefd8d6519cc69289df9605c974acaaa |
| SHA1 | 5e23541acb0dbc6f4bd09b4f4897773e4331f21f |
| SHA256 | 99f4b6bb92490e643e87f75d66e0759e91c237874138bf4f7e56f348eb54ebfb |
| SHA512 | 1fdd5e32bac1709ee3f12de2ac22ad195fd4774197e4a01b2544eca280a6b2c23d7c387bb96eb518aefe6adcaa2e9b62746b7783552bedfe79f79a4e4d8355a7 |
memory/2632-65-0x0000000000080000-0x00000000000EC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EFHCDOPpAipv.bat
| MD5 | 69bb06e6e16aea48e775ede97b9991d9 |
| SHA1 | 630adbc4747c83c731319c8884c911bdb910f42c |
| SHA256 | a8ca41ee05ee4581c9bc2446e08644e7b1e556a0507ba1a49a9d4ea074bd35c5 |
| SHA512 | 2b16acc35a7eb4663ee9b9c57190225ccb8045be05cdcc9de34f1828dde5d961da079188e5001da862c971fa14bde71f86137c0d61c7cdacc318b1e321895d53 |
memory/1004-77-0x0000000001210000-0x000000000127C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5HkQuaMFJZBR.bat
| MD5 | c5855466767ab5ac601551b8af8a784a |
| SHA1 | b40ce20d71cc098010800dec66cc87e0b1a7fc7b |
| SHA256 | 7d53424621b6b13171b12cd0ca0e664117b841730e6fe9621a0d85b6f01039b6 |
| SHA512 | 6a0a79161815e8f5b37e78c8dcd3eb06ee57dac667e305046585fea1c95cfbcad83c044093eb663b7e05603bcad45dfe1c2ccc517b1ea24d2cc59fe0854e81bd |
memory/2732-89-0x0000000001210000-0x000000000127C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\omQLG6MxiqFF.bat
| MD5 | bb90f310bd5e166561fd253fef018d54 |
| SHA1 | d48146484b0cb08fbf50bd3f41e9517d4a1ab6f1 |
| SHA256 | a9c630b4a2addb4794f483807f819a4c6714c5fd353068e1ea03608efa0e3979 |
| SHA512 | 5217f76326a19c9ca67d33e9e1eb45e6fb901f285bd607ee022df4fbe90d1f7bbd1f386377a8f47af0bc16d2da85c827980336766724a2d2a5029c98c2eea8a9 |
memory/2116-101-0x0000000000380000-0x00000000003EC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\suYByOBvg8Ry.bat
| MD5 | b210a75baa28a646da6278356b0d3eef |
| SHA1 | 38665432f946c5733800913c6310cc1d93f92477 |
| SHA256 | 45ca13d63109af6a146f790a223165e0fa998c354e336ada03034893c6bc365f |
| SHA512 | a382a866e3fc4776042e6baaad1197713a5ab3e399a3ff33b4be12874e30e67331ca9c0db0cf65bca116fb4551e34aeae27488b3564b710be7b8f2505db3c631 |
memory/872-113-0x00000000012C0000-0x000000000132C000-memory.dmp
Analysis: behavioral25
Detonation Overview
Submitted
2024-06-10 15:28
Reported
2024-06-10 15:52
Platform
win7-20240221-en
Max time kernel
465s
Max time network
593s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy - Copy - Copy.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (14) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/2872-0-0x00000000745BE000-0x00000000745BF000-memory.dmp
memory/2872-1-0x0000000000BD0000-0x0000000000C3C000-memory.dmp
memory/2872-2-0x00000000745B0000-0x0000000074C9E000-memory.dmp
\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/2704-10-0x0000000000E20000-0x0000000000E8C000-memory.dmp
memory/2704-11-0x00000000745B0000-0x0000000074C9E000-memory.dmp
memory/2704-12-0x00000000745B0000-0x0000000074C9E000-memory.dmp
memory/2872-14-0x00000000745B0000-0x0000000074C9E000-memory.dmp
memory/2704-15-0x00000000745B0000-0x0000000074C9E000-memory.dmp
memory/2704-16-0x00000000745B0000-0x0000000074C9E000-memory.dmp
Analysis: behavioral28
Detonation Overview
Submitted
2024-06-10 15:28
Reported
2024-06-10 15:55
Platform
win10v2004-20240508-en
Max time kernel
591s
Max time network
601s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Executes dropped EXE
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Program crash
Creates scheduled task(s)
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (14) - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MHBXuOZvQ2eJ.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 828 -ip 828
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 828 -s 1628
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wlFkxTHl5aaC.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3720 -ip 3720
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3720 -s 2196
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2xRUKPhQ7ZSD.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3048 -ip 3048
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 2196
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rz9JXx2C6iRO.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4376 -ip 4376
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 2252
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5IwrdsUpAbkY.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2124 -ip 2124
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 2232
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rIqx3feHdw1p.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2296 -ip 2296
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2296 -s 2228
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jtR6vbvtivYU.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4808 -ip 4808
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 2228
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YTEVzn3BI7OG.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 628 -ip 628
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 2232
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1sVQsYYhiFEW.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 992 -ip 992
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 1672
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\F6YT4GfZMFt6.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3452 -ip 3452
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3452 -s 2224
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TOK2AB7CR8CF.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3024 -ip 3024
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 1676
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SZdFTHVy9nzJ.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2980 -ip 2980
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2980 -s 2248
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sx6QYHr9378f.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3740 -ip 3740
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3740 -s 1708
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HHo5k6qaXYdS.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4804 -ip 4804
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 1096
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\My5qc71kTyzJ.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3128 -ip 3128
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3128 -s 1080
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\K9O3vDQVBdmM.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4568 -ip 4568
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 2248
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GlowZtsRnR0w.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 1372 -ip 1372
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1372 -s 1096
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\daMn0VFmaubo.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2528 -ip 2528
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 1092
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CVbGRCXgDn2s.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 5004 -ip 5004
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 2236
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yWULrzh8f8JA.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4052 -ip 4052
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4052 -s 2224
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\a0c8w6vsPtIi.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2560 -ip 2560
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2560 -s 1084
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1O4J16G4JDS4.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 1380 -ip 1380
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1380 -s 1092
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aJJmSoXxw7t9.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3636 -ip 3636
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 1092
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SuuvJkpZ26Qo.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 4784 -ip 4784
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4784 -s 1092
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8PqSBaDdHf7H.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 1604 -ip 1604
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 1712
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\C67D3cOnD6T9.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 4036 -ip 4036
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 1092
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ADgvTVRnVrac.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 404 -ip 404
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 1688
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
Files
memory/5052-0-0x0000000074E6E000-0x0000000074E6F000-memory.dmp
memory/5052-1-0x0000000000E50000-0x0000000000EBC000-memory.dmp
memory/5052-2-0x0000000005E30000-0x00000000063D4000-memory.dmp
memory/5052-3-0x0000000005980000-0x0000000005A12000-memory.dmp
memory/5052-4-0x0000000074E60000-0x0000000075610000-memory.dmp
memory/5052-5-0x00000000058F0000-0x0000000005956000-memory.dmp
memory/5052-6-0x0000000006600000-0x0000000006612000-memory.dmp
memory/5052-7-0x0000000074E6E000-0x0000000074E6F000-memory.dmp
memory/5052-8-0x0000000074E60000-0x0000000075610000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/828-15-0x0000000074E60000-0x0000000075610000-memory.dmp
memory/5052-16-0x0000000074E60000-0x0000000075610000-memory.dmp
memory/828-17-0x0000000074E60000-0x0000000075610000-memory.dmp
memory/828-19-0x0000000005FA0000-0x0000000005FAA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MHBXuOZvQ2eJ.bat
| MD5 | 2868a1f99561a4cbded5d8850eaa40cb |
| SHA1 | 88616dfb2baf9d926b7e6c34f09401ce8899500d |
| SHA256 | f310b2e536f52aa0af2dc05bf81d76ce93ecd3342066e8207b59c24918804d09 |
| SHA512 | aef4f815096ac7eb8d6e2ad89cd135150500c822d175dede64837f24170e28eaa0e5caba410c6e11eec046fa528aa4e727201625cb4bc59a8e1d6d56198cf42b |
memory/828-24-0x0000000074E60000-0x0000000075610000-memory.dmp
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | a01179a2820b6278a06f1de7590f1d85 |
| SHA1 | 3a33d0c938b80e3eedc506d1e932e7cd6e2842ef |
| SHA256 | cb551b4fee1984cb48072738bf4b190825e78a7d434024bdb21694ca60ab463c |
| SHA512 | b529dc894cb3435e884783ee475a2485d925087835e58e431cc97a6c518258e51b6fe191e3db5a8ce96db6d031ec87c43b7bdb270479fbcbf1195b375b18c045 |
C:\Users\Admin\AppData\Local\Temp\wlFkxTHl5aaC.bat
| MD5 | 165184a4c58f91a21fff3e8b381f745c |
| SHA1 | 79f4fdfaec45a22f1c0cce3d22223617de799dfe |
| SHA256 | 6ff792002e6bb404fdc901eab7b6ccf1355d0898d44d1fc295ffc6d3ac728d89 |
| SHA512 | 874790ebf8dd8633bcaa0abe2b95ca0c702ebecddcb93822eb1182c8c518a5ad1ad2da32c55f6e3fe42d723a01cb4247626af471ad1cc13efbe3afafc5c5d91e |
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | b01131ac51afe26c395c6bb30bf73e92 |
| SHA1 | 67e757f980110e94c70729e079b5d0fd22f3bc26 |
| SHA256 | bf245353b7d969f3b842339efeeecfe350d75ea728a2b2b08ef62c8dcd5c4d4d |
| SHA512 | 1a70bd7c576c518db45b9f0b8dbbb274d162e7093cfee838c44700f75ecf7ff6988123f96304eb50c129514725484ddf91feedbbf68fe46c251487b404150dfc |
C:\Users\Admin\AppData\Local\Temp\2xRUKPhQ7ZSD.bat
| MD5 | db4f4cdcab8db7f3832c85618ce732f3 |
| SHA1 | 52a6852aa4b7a77e0f38b84224f6ce5ad058d08f |
| SHA256 | cf38bb7cdb980c731bc6b7b8ff242dd1c6880f5b786beee58b53ed85c62a0594 |
| SHA512 | d9494e72d6ef819ad76ef8797221698d173948efb78dee3be6900aa4e2e96fdc8484c2fafd92bd758420394eb98ac0c5f615424a5f05b8d0d89155697ff250f5 |
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\rz9JXx2C6iRO.bat
| MD5 | 4e2c908e2a5cd440927d5e6f40e65d92 |
| SHA1 | 2ad2aa7f9b2033f2e584de09e63214cb460fd0c8 |
| SHA256 | de6c78bdb79c89cdaada405b61a883ba495efc269355497e454e019cae5e24b8 |
| SHA512 | 0575e80184a1cb04fc00a4f7be76d1bddf6460e9165b61d16a19ea4a5226c8b15bbe84159aa42355ca63fdab57344c8b344f0be677c9a013cfb91db12b353f59 |
C:\Users\Admin\AppData\Local\Temp\5IwrdsUpAbkY.bat
| MD5 | d38acd23d07ba06c477ff31e1ce4100b |
| SHA1 | 9f01876e9ed1c7757a7e3a4d4c50df28a9ba4a13 |
| SHA256 | ddecf2c5f3320a6858a4ec8d033ff3bd72082e6bae0ab00f70de77552ddfcb8c |
| SHA512 | 4d12a5dc64ee9684449c7162620f778eb6e5b3f97e43bd767a3888698ba0402dac63278081fc9aed12ba8a88af2e81fe32e5290b331099cf36f7594067572b35 |
C:\Users\Admin\AppData\Local\Temp\rIqx3feHdw1p.bat
| MD5 | 4a6c30233e50e8ac06fbb1388dcdf069 |
| SHA1 | 79ca066804481935806470ffa153cf20de90c080 |
| SHA256 | eef672900f7c84ff7fd0740a5477f3f05e71dbaa33a0402f6a4cf770015cc3d8 |
| SHA512 | c4467f0bac7ab68485a603b195b50fb513934c3d4decdf1072fb90aaab32832f53fca6ad7c9539c1cd613a66f97ae00cadb8ff709929ec4a32cefdd994372132 |
C:\Users\Admin\AppData\Local\Temp\jtR6vbvtivYU.bat
| MD5 | be56ddbd73fd250b5f807eede1b4beee |
| SHA1 | aed8043092ac1369318f10adc6f2712e9e3533fe |
| SHA256 | a810e2c96ec69d264c49bd17dbb450e442858603425002301268cabcdb97c1db |
| SHA512 | cbe2c45c8e785d5d11a91f1b69b5e8b935a5b604beab5670506155ec0ba3595d0e716590b2b7b6e6f0a490c056b709daa97022d6080ebd9d3b26cc2c03cc5599 |
C:\Users\Admin\AppData\Local\Temp\YTEVzn3BI7OG.bat
| MD5 | 3e2c46e1b29f9509970b45efa059156a |
| SHA1 | fdd13630fffcb45adf13f0d64dd09d4e29f3f8ef |
| SHA256 | af0928f68d970bd2b9b6f25d8cad86869e0db560b8bb4e96507ea8628be0f77b |
| SHA512 | 287b6b302055800944491e230f8a27ff358d1fdc4536fe8ca6c832f61632c6c679085c347423a038e9a2efae5ffe3ae253ae0c1980e5a1faabf941ba48b13b09 |
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | e873340c3cbaed53de19ac0d4c5ffa4f |
| SHA1 | 910a993eedcce0a97642288f08159ecb0cddf0e5 |
| SHA256 | ff5d23738c84172f4cfd6e474ff2978e31951c7ad591423257fc2dd7cc69cf3f |
| SHA512 | 05f3c370ae7a62f597fc63c7c29ef0944418e8819d052c4160a56c391dcea94704bd4ca9c77644c85d9d0644add59d234cd3b8972a086131ba608ad374e94e52 |
C:\Users\Admin\AppData\Local\Temp\1sVQsYYhiFEW.bat
| MD5 | cd3ac153ae7b2d89bcfbe59350358556 |
| SHA1 | a1257aabe6578b85e927f36da3e3be0b87ca6685 |
| SHA256 | 401f6866aae0f8132eed32ba84113fd5e49e9e30159e19311a686777618c9984 |
| SHA512 | 03ac77c7c4db7b4ea1b01f238cf1701f591e070090277588fc193295a9637098c6db59842ca700666d7548591c5f8925995f71fc10c7b1957c3079feaa6839c1 |
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | 9e6dfea857adc1bc5132e7cc2fc2e75f |
| SHA1 | f91b825e33c29f842508bd697d6e291081a3fc76 |
| SHA256 | 501578aabe5cbc9f8adf9cda3ba62a2f370d2324addf19a97235bc712c068a13 |
| SHA512 | 6c9a927a71512bf7c8acece1539f998e392e26505faddb5c47df2c214d0b3e6fb505f850ba4236064ff8c85ff2411f928907aef6b0ecb7089ee69645a9543c2b |
C:\Users\Admin\AppData\Local\Temp\F6YT4GfZMFt6.bat
| MD5 | 21b212a2c0bcaeb5c9379bc8f423e866 |
| SHA1 | 245f0db2551b816f261d4fbcc5bd599879f3adb0 |
| SHA256 | 18e7ef1dab9b2094907ad759b9b1c2c2ac3194cd16f9ea660eb99f6357ff5b9d |
| SHA512 | f2066be52353da9e7fff0ebbfe1e0001ec67f742f635772ae41563158d714563e7fa3ad39452cff6fb5f5080cb2f153eadf926ea4f190599ba026e60da36ba47 |
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | 39680199eae4ee56f26024389a9bfb4c |
| SHA1 | 53af4b704c6cf08a6c4bfb9f5f4f0b2cc5d84566 |
| SHA256 | e102d648ad0defa81fe82ce3ccd09748c7a7f1d2f769aa0276ac5852654626c1 |
| SHA512 | 16936a708d28fb7afdc5f9a718ceeb4c6901de31dc2ac6d7f7cef8f014b3e96f62b1b9939e009cb526747e7614c421663cdfc0a2b86c9883ca57350efb7c18fb |
C:\Users\Admin\AppData\Local\Temp\TOK2AB7CR8CF.bat
| MD5 | 48430121d754e04cd45f3ea028b2d4e2 |
| SHA1 | cf37509baa045349638b6e2f58ae294789997789 |
| SHA256 | 6aea0062933c812b9f539a3c4273045c565c6bcb5141ca646111d24a655fb7cf |
| SHA512 | c417c799e7194a068ea8c9ff39ff38bb90a424e820b3338617389224049920692213fd4509d1217a602e27b8711374a32e3977d807a276b6e1d3fa7cb8d63e48 |
C:\Users\Admin\AppData\Local\Temp\SZdFTHVy9nzJ.bat
| MD5 | 871598c3321b98d01df716abcbc3f54e |
| SHA1 | bf3320b062d306b8fe635af7e8dcb1db91ca0ab8 |
| SHA256 | 3f73a1fd86c9fa45c0a3e6ad3178cd568dbd7f7669958fc56baced34e2044e1a |
| SHA512 | 3622df6f270ea43341b59ecef3c10c73b91d7ce3f801cee8acf2a4b3c9407cc87faaa552653342814ad3e1e425fba29f895ee3c07d236c6e44a6dbb32db8671e |
C:\Users\Admin\AppData\Local\Temp\sx6QYHr9378f.bat
| MD5 | a97a52735e97acc7da7dff5948764856 |
| SHA1 | 7594268a4910a5f779809e1457742f99db11f1d8 |
| SHA256 | 7100f90b7fbc9e4029d78c1ade2de7a4afb3856ce330d9949f4300124ce3496f |
| SHA512 | 07fcb541ebf2ec5acdb47dbf30c6f3473cb462cb48c4be10f6be29217f9e9ae4f78a77c4b63e9b89195c2d616cee20b0a29351c430927e8565a356d0240209cf |
C:\Users\Admin\AppData\Local\Temp\HHo5k6qaXYdS.bat
| MD5 | 82463983294e8df8808b4d3d7d7eb963 |
| SHA1 | 395829e6681e862d4823c40dcb98407bcede3584 |
| SHA256 | 01d15e5036487fd236ded2e2dc3d10286aa5434a0c65b869de790b3c3f743adf |
| SHA512 | 34daf8d9ccfb56aec162d2c6adeb6ec79015149ac095b2a7487c27e1a3a9e8242ced97ad2a5fe08d62ae7cb3197fb40eaea6e47ca6091b5041b748394ce3f445 |
C:\Users\Admin\AppData\Local\Temp\My5qc71kTyzJ.bat
| MD5 | e780261c3ed59a56d9771590d2454963 |
| SHA1 | 2f5df7c3f82281b21a905ed561896ac01c70b163 |
| SHA256 | 98dddbf249c76a33ee07c3d9a2dbbfa3a7256dc3c152af588e55eba427c2c98d |
| SHA512 | 3b4465f21d5dda8fa255642a70c490d7b5e3e99b7f2c6ce93bae4f2177a49b33d33ddfd01c4d72cf1c4d818aaf1e59c05e5f49e5cbf5e06ddbc19bdc5b7403bb |
C:\Users\Admin\AppData\Local\Temp\K9O3vDQVBdmM.bat
| MD5 | 4a11680d220179bae116f723a35a05f0 |
| SHA1 | 511b1e9b20dc5542c8eb6334bac1ced1c5ec1a1b |
| SHA256 | 7b614dcd06d2e913bf810cd408db5688800b720b0e95902591994f2604d7ed41 |
| SHA512 | 1e563f71f76f454cb87ae6d9eb9f1c96f22e71f7c753ca2095d4cd8c74397fdf534d6d1836d889741d41eee043a9b7e1f72d544147921c73ebea49761d93815d |
C:\Users\Admin\AppData\Local\Temp\GlowZtsRnR0w.bat
| MD5 | c082ab6d2021441e19f93b7ee419c935 |
| SHA1 | edba896ed5b0db9425e8a9a53faba19231ccea08 |
| SHA256 | 784e6dbbb64ca5ba3f2813238c215d517ef485aa81880188d4db55feb881c76f |
| SHA512 | 2aff2e5465f683bf5ea5f9f895a077aa24b38691fc1b65fe9bc277e6a6fa506fe4e32241f897e547e7fe32c298001f9dc5a78ab53818f564ef489a4c1243c526 |
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | d44b009b707d8e56f153e9443f07d469 |
| SHA1 | c9206e993828d29e830f50bd7cb4cb187fda3d06 |
| SHA256 | b8e507f70faabb521d4297b8863c27a9cc264a4f656aeb2d38bd050913924626 |
| SHA512 | 048ef17d6ff7cc3638c4d41c88136989b11f5428824e206b84dccb551fd37d7c2e80a0931d51c8f1afa118af2b3809c5903a0c621e83c5911dbd98beb2bbc6ee |
C:\Users\Admin\AppData\Local\Temp\daMn0VFmaubo.bat
| MD5 | 7cd3ee4b8e6b0968b333f38cc40dbc92 |
| SHA1 | 39de935a75413df97ddd21556d48d222440dbf6f |
| SHA256 | a77332b25f24a2d607e8d12761fed87c523ec825c9b597f42ae4a1dcf559804e |
| SHA512 | 1d011288d361635d337d26d6c8b8939a818e66ecbf6a03efab4e0dd640b9c6b7821472a7546326686c3ff91815f7e97425cd5e79c383af100bf4909975cec227 |
C:\Users\Admin\AppData\Local\Temp\CVbGRCXgDn2s.bat
| MD5 | a992fdbff9c95a22b65a01a4faa63095 |
| SHA1 | 9141393a5a9c4d51a8554f3e528152754e18e162 |
| SHA256 | 64e71f0ac2d61f80e97a6fbec77d3d977a7df639f8435f386642cf28e20634ba |
| SHA512 | d02cad29b0a6620d9d5b38e8991c469b27844912eb19745346aa53ece921f800352dd82da23f7f841eb23570a1101858704077f62be681567e1d9b652b0d44ba |
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | 1cb11caa8733d5a99e1c8ecc7aa4e852 |
| SHA1 | 8b2d39910355affd183e5e7937e6697c4fbb70b8 |
| SHA256 | f78f75db99749f8eaa0618f70598fa920741549a8e4ef38f0d3b9c381ab3186d |
| SHA512 | 5153f868714710916ccda02ffd1bf2b9f427a73d55004ea1b30ae171538b8129c4c732bc2a278b19bed8c15faf201f9b2ecd3b5ee386a4699fa9f313a1038b17 |
C:\Users\Admin\AppData\Local\Temp\yWULrzh8f8JA.bat
| MD5 | f55ba399ed5daaea63cb27c815b1d701 |
| SHA1 | 6b0336b266f0abfd7edae1f8c610b21feb873be7 |
| SHA256 | f585f41e661441ef4423d9be240d2950651c53fb170a4b44943d182e7e67a8e8 |
| SHA512 | b0f94253554b7058437e625f6b77b0bc4adf2b2463bb1cebf0649413a74abdf8563521a0bd4956aaf8ae59d7fe955f489b59f3dcfd4d0a39b038d149909a6c1c |
C:\Users\Admin\AppData\Local\Temp\a0c8w6vsPtIi.bat
| MD5 | 79f159a6e8199a033d49065c15c460c2 |
| SHA1 | 6a37680a3db974120a8bbe43a318419f156715f6 |
| SHA256 | 4cc0e36e751ce8b87dd76460563caa1163893411ef97cf7c1fce3a57b8e499f3 |
| SHA512 | 0a075160fd7d163a5024040913358f843d2e6d4aadc3348474355c168da9ab996c1441b3b6b6aff59f1a33f37e70e6aa95e16c870416327ecaea14c902363a2d |
Analysis: behavioral12
Detonation Overview
Submitted
2024-06-10 15:28
Reported
2024-06-10 15:46
Platform
win10v2004-20240508-en
Max time kernel
598s
Max time network
602s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Executes dropped EXE
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Program crash
Creates scheduled task(s)
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4340,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=4584 /prefetch:8
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (11) - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wXJjmGGdY3N8.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5008 -ip 5008
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5008 -s 2112
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bXLVNIksQNtq.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4916 -ip 4916
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 1656
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\N66KPSLHuMew.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 1692 -ip 1692
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 1076
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\t1HDn76HS31L.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 848 -ip 848
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 848 -s 1632
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3b2rHIkKAvLO.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2876 -ip 2876
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 2200
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sdjgUq4683JZ.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3408 -ip 3408
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 1092
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bhZX15P0VTYW.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5092 -ip 5092
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 1092
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Zo8ERyT0oEf0.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1120 -ip 1120
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1120 -s 1096
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\n6vnWtvds8zA.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 4964 -ip 4964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 1668
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1OiMcoNHw1IJ.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 392 -ip 392
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 392 -s 2232
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QiQ1ocNhQSn6.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 4124 -ip 4124
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4124 -s 1672
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PtjE7hlT97Z9.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4088 -ip 4088
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 2220
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XbojlT6waLdv.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1372 -ip 1372
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1372 -s 1672
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UiNRCMAxt6kO.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3620 -ip 3620
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 1092
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oW8YqDOzAleN.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3444 -ip 3444
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3444 -s 1672
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2ov7v8qcEfyW.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3752 -ip 3752
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3752 -s 1704
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vPWGn57EKeUC.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4636 -ip 4636
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 2248
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\buSmfvVHZDBe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 828 -ip 828
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 828 -s 1672
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\o8Vqrec9DDpE.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3484 -ip 3484
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3484 -s 1660
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mJo3Aj1vwscI.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1700 -ip 1700
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1700 -s 2232
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4644,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=4352 /prefetch:8
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\67ZAoaFxDXWG.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 4432 -ip 4432
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 1708
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4mycqqjuXw7Y.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4964 -ip 4964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 1096
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OajjUixwob1W.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 916 -ip 916
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 916 -s 1096
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VIoD8UIPGq5I.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4700 -ip 4700
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4700 -s 2228
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Uv2qauueNR0l.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 1648 -ip 1648
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 1096
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JVpFe61xxdpW.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 3020 -ip 3020
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 2248
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WjsIrp8pbdU6.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 3408 -ip 3408
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 2248
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\h0q8A0Q89i6M.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4784 -ip 4784
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4784 -s 2232
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
Files
memory/1296-0-0x00000000749DE000-0x00000000749DF000-memory.dmp
memory/1296-1-0x0000000000040000-0x00000000000AC000-memory.dmp
memory/1296-2-0x0000000004F40000-0x00000000054E4000-memory.dmp
memory/1296-3-0x0000000004A80000-0x0000000004B12000-memory.dmp
memory/1296-4-0x00000000749D0000-0x0000000075180000-memory.dmp
memory/1296-5-0x0000000004B20000-0x0000000004B86000-memory.dmp
memory/1296-6-0x00000000058D0000-0x00000000058E2000-memory.dmp
memory/1296-7-0x00000000749DE000-0x00000000749DF000-memory.dmp
memory/1296-8-0x00000000749D0000-0x0000000075180000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/1296-15-0x00000000749D0000-0x0000000075180000-memory.dmp
memory/5008-16-0x00000000749D0000-0x0000000075180000-memory.dmp
memory/5008-17-0x00000000749D0000-0x0000000075180000-memory.dmp
memory/5008-19-0x0000000006030000-0x000000000603A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wXJjmGGdY3N8.bat
| MD5 | c7f9e8567737d45fb578ad3a45c2b51e |
| SHA1 | 5dd683c13bd551171a288efd2b1323c4094857af |
| SHA256 | 0108b6f51350aba320b2928bea91b0bc0f3581f2786913877fc2ba238b415ce4 |
| SHA512 | 4ce3c13d4f9c791860c88b148bfe388f871f1a20966150fba5aba966377d51666a1131e6f5ea2737e90505c136067147befcaec62c5d37fcb5a93a72907c5ff3 |
memory/5008-24-0x00000000749D0000-0x0000000075180000-memory.dmp
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | 68ca7ed6c4fc7efa5177fc91da431a05 |
| SHA1 | 9ef319032db2771b2e8c859115160e16fd0c46ce |
| SHA256 | e436504fb436237061d6f6c7b1f1d47d6085f9e1c712ebbd461d204814b6a26b |
| SHA512 | f7862d477f7880f1e078c43ed96801a8b24c58d1ba87b43ad0e4fd747a47d257399be0fb2f710b03c990d1d1779ce5af294b10c7c28758140ed9467c3bc519f9 |
C:\Users\Admin\AppData\Local\Temp\bXLVNIksQNtq.bat
| MD5 | 39df20382fa7ddf3f59925a42e65270c |
| SHA1 | 6b264e76426e7a313b7801ad9f9f1b42183240fd |
| SHA256 | 6df23e97f3e6589c7d474aff7e9f06773f1df2a1e78c1d6d905da2404baba6ad |
| SHA512 | bbcb2c9f0711debc841b51ff2a3aac71d95db44ad1ec370eef1d8eff87e7936991a68d580895134bbe3a489c9405a6eae080941ec861829e5b9865b1c88b511d |
C:\Users\Admin\AppData\Local\Temp\N66KPSLHuMew.bat
| MD5 | a6e1ab0455014b558ab8a6e733f91d7d |
| SHA1 | a14b458824656f8dfebd779c486c979c960ee9ea |
| SHA256 | 8ec6332d0f881667d64d3b0c869a0019d5958698f5083120027492f7e04613bd |
| SHA512 | 00b09e502dffd4ce3a7cafd9dde1fc89bce8d879d1bd6b9a3d031a4c8685d7f3f0e70cfbffd97b2fe9b9ee3e6c2d30a262dcfcffded9df65f31a44a9634e64c9 |
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | 9adf3c102259ab6b26b31de845589f90 |
| SHA1 | a9d2072d36b72ee3a93e59738760d20024560c7c |
| SHA256 | 57ae9ff936d956a4302b301bd2e1b581df14d498f871a59b32a687e2fcd515a5 |
| SHA512 | 396de918c83f72d5917c464425d374607e77c12a0a206d4833b1a60c3c2562c2d81b32fc66f1e5947a3bc673a678f3bbd5ef4c777373a1a1409de70a92b4ad00 |
C:\Users\Admin\AppData\Local\Temp\t1HDn76HS31L.bat
| MD5 | f0ee850342a008627f295ed6c80edfd5 |
| SHA1 | dad474b0d78500ac53bb4f716c5b911e9ef3ecb6 |
| SHA256 | 6f4fba788a437e07d2dd69dcc749c25614e2b1aba4a502a1ba319944d7b05406 |
| SHA512 | 94e96cac4e77edb2af2808abf400466cf154335a33e37cb748648ba1c7224f78b988b4ec99802beabefe03cd8265ffacb3b3d149524a41d9addaee25dc7a67e1 |
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | eb9e97bb2537d22391bced17bb036876 |
| SHA1 | 4fd315c8d0088483af55d9a936b7f286edc8bb7a |
| SHA256 | 4b155148166659069f7b6e6a148337cb9a014857d6c3666b32d2752f8e64037d |
| SHA512 | 0885491270c6c1a5e0898c45a25996f93d0059d2722b27c64bae56b2e0391bab78dfde4c1768096c6cabda595685ae81a20e892daf83505004098ca1e50f1a23 |
C:\Users\Admin\AppData\Local\Temp\3b2rHIkKAvLO.bat
| MD5 | 8f1049a700dc0a2b02000c75defb4d9d |
| SHA1 | 362b75b63b9fc4e475122847cf344aea8f51cdff |
| SHA256 | 05c164312f7a0a962c13d846b3c48255630a8faef2a1e12e53c88980b1204a8c |
| SHA512 | baa41455b320d871d421c77ef4c7e5630c81a8e0ee8230a86332be017c53eb43f2a7577c2856080ce490811222f735384d2570004b728a5f7d47af71ad883035 |
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | b36c3484596ba522014362164ecb56ae |
| SHA1 | c5dc90b7cc655497daa7d3eeee7b2362cb16c9e5 |
| SHA256 | 01ad6cb23689af9678fa742b8da660787e901fb2119b8a029553b3bc782b5773 |
| SHA512 | f8457c62ac20068d585cc26a03bcccceb2fe21baa7bd634db5fafbff507475edbb0a9ac0b148146a0e9fd5ea6c2766f48bfd3bc0eae2b2f35d24cf0ee846fa8a |
C:\Users\Admin\AppData\Local\Temp\sdjgUq4683JZ.bat
| MD5 | 0b05ab08695ec578bb55132d29dd7741 |
| SHA1 | e33e32e8ccff0d7e5a1f5c6ebb58bd0dc4f11630 |
| SHA256 | 19737821ce681990c69719854d727bf542a5166ef20a22b9d7accd8e30f85fee |
| SHA512 | aa2f46b988e0c87466d8661d9658abe7abde9be2898e471262bca8c67cc4a34f148e19167cc6b810b8efaa68d5ce109b0fc9635270163a52251ba6ff7e1a865a |
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\bhZX15P0VTYW.bat
| MD5 | 4f69ef72a2bfb177e3f8cb90655d7d01 |
| SHA1 | 4bc76849b8e5ccb80b65c6f719f4680208032cc6 |
| SHA256 | 62b7aaf2d2eafc6e026b5c125c75d8ec446270aedefbcd7d5d51d1d78043f69d |
| SHA512 | 2298f8745a8d2dbf8bc81559646ce622d9e2048a1ec2dd6b058a18cf387cf59162edaa986285bb006a357ced7801a824d2488b0ccc3101a8afa207ac918ac821 |
C:\Users\Admin\AppData\Local\Temp\Zo8ERyT0oEf0.bat
| MD5 | dfb1c63d3e3c8daba6f9cf16575f7389 |
| SHA1 | 53fd3796e1f46c44d57f2af1db41cc3daf2098ea |
| SHA256 | 7bada2d493abefe67e682028a692ad7d917bdda5d645d4d0f44b90073bc0a974 |
| SHA512 | 5bc3df53cefec6b5172d0d53c48835bf94a01badb6b798c65af9fca50d29e673549c45d4f29df176f57ed3ae4ee80645990fbbfbd1dc37b469721a80f3816423 |
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | 59623252d23455ed41b0d9dde6ff4b66 |
| SHA1 | 1867df5ebc06799129b73808dc4e1bcbb5c098b8 |
| SHA256 | 54aeca978ca20484d7bc0dd0b4b44130ad9fe7f2e15a391900be747ccdf90382 |
| SHA512 | c1e7f154f7126398e9068120e23ef102688ec9d11eae52a5b86e7fbb31b279506b330883c67150fd229f4cae8e9b4f13865ec41723b4e58bd0a5885d9127dfb5 |
C:\Users\Admin\AppData\Local\Temp\n6vnWtvds8zA.bat
| MD5 | 3d44e79363db3f17c32aea5983941804 |
| SHA1 | 72cbc4dc8687570cb6c45da96706b550452c40ec |
| SHA256 | e2623e8e37445c26f94db71309274e7e992ec873f4355f1a4ed10b80884c409c |
| SHA512 | baaf611ce646ca8d8509fc32071b6ecd5fd82cc20ffd677bea531dd7268739f0bdfd3025eb17c8ca43fe82b3560a5b05bc36e9cfdcee4cacf3ae90f39f6a5196 |
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | 774c523127f45c4ed3e5791e81408be9 |
| SHA1 | d319ea097e82e78290dfd615b6303aa9581e72bd |
| SHA256 | 48edae334bebd2c6ccab03599f9c30b324f813be086b8a83069b27da1a421664 |
| SHA512 | 95a8d97a671b09f1f232de3c6ab201e8774a07f7a0288c34411b1a8f62b16b872afe591528cb711d80d512910c9332a20bdefdeb27921354ac5f24e3517e9be3 |
C:\Users\Admin\AppData\Local\Temp\1OiMcoNHw1IJ.bat
| MD5 | 13dc764af096a8ceb47f81b4c502b9d7 |
| SHA1 | e61db6cf40dcbd75fc8eb882a268b37be0c58cdd |
| SHA256 | 4ae6be149a27a8cb8210f7ceb0b502c806bebeff20763711b960835ac4face24 |
| SHA512 | 84a844dc69baef62159ccc32ade73f99daf012b9f09c1edc4962c04f3a3b8a46fa29447a7469d5a43cc1d754fc58757acb059379305189cb9cc945a9f8e36015 |
C:\Users\Admin\AppData\Local\Temp\QiQ1ocNhQSn6.bat
| MD5 | 582c9ee87e9632250d20fc9a50d41bc4 |
| SHA1 | 8d57d49b678bf4d85000ee715387fe0766bc11cc |
| SHA256 | b68cd70853da5acadb6cc9a6a43ff723fe8c3f8bab60b167e986c21efa368b56 |
| SHA512 | d4d24ddfad965b550c306fe4a33bda3f0d37f6db0355392dceb52dc89925901f309d3718b3b4c707820dcc2c5964815287e4c62fe0aee4ff74a688ec65b5f89a |
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | 68a0c69fc23df5d08088301559d8561b |
| SHA1 | 417c80189146b868be3e5ccddf60023bfeae8565 |
| SHA256 | 642cf3b7f10ea8d26b80b4b4d2878f230483e9799bb69543c997c451ca623d0f |
| SHA512 | b72a1617fff85c081b44462ef675df7c782a83440897e61bf78be581a9244116d3f8898a47a56be166afffb0fdd089bd3bceb4b041f2f9d0fe7bcd5543ee1f0f |
C:\Users\Admin\AppData\Local\Temp\PtjE7hlT97Z9.bat
| MD5 | 15c12e665ee7e5054edaa9247c847889 |
| SHA1 | c3cac93007e1f32e073933fcef47b87eb9db3f31 |
| SHA256 | 61e46350a0ea47990ef0f5d4b8084302636c67081345cade0ca999ee05905370 |
| SHA512 | e68a232df7d9c514160894fdd78a57b17874631243333aa9e9bbbde6e832faa840573f21037ece6d2ae6add332d2298b5318c61cc23f4a4090bd16d823cc8033 |
C:\Users\Admin\AppData\Local\Temp\XbojlT6waLdv.bat
| MD5 | 0990711ff6fa0602d1a811a9a9dab0da |
| SHA1 | 21206befeb5f415632de02904a7e8eab0e4c2709 |
| SHA256 | 44e4116491d36eee37e0f52029287830325cfab04b2a8dfcf8eb22725f07869d |
| SHA512 | dfa473d504043a8b964c2129648d16e3a9e6c165fad6b3565257de198f7d13d0f17f43c327bd67081c71d22462a2a4bf667324feb9afbb0925e93337aa448400 |
C:\Users\Admin\AppData\Local\Temp\UiNRCMAxt6kO.bat
| MD5 | 8d17a5065c7013bebe33e4455eaaed0f |
| SHA1 | 8e0cc82c51c778dc20deba3cc6f4f1e8649e5504 |
| SHA256 | d822c4aa3399f33b7aa40e45745decc1faf01f84aff2e4e964d71eed32680467 |
| SHA512 | a38f01269db1b79066c710643ea2b29dc77ba7a007f760cf9539aab85a190cb43e83925e13dde532515378e2725bf887b6f48be3f2fd9e7739c104529e931cb8 |
C:\Users\Admin\AppData\Local\Temp\oW8YqDOzAleN.bat
| MD5 | 7b66bd365ee43d8c8919e9aa8b808cd8 |
| SHA1 | ab72fd105201a342399d384f50cad700012ef57c |
| SHA256 | 7e4a7461c79365db2e77d14dc173fd4eb4a1ce8219a84555174e048e551a479c |
| SHA512 | 2f21480ea4c93e0c9f3e39646216ce44406370695fc1374db8f2c27e5e154fa82a4c4f181326bb8cff9fc56bfdb17d787fc654c3f3705d4be0087bdf6371f65c |
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | dc5e5face1bf03bf031d33067ee8e755 |
| SHA1 | 978ba1cdee2b738073f77d11c7bd2d106998e166 |
| SHA256 | 5300992fdfe6dd9d376e68a761e4ce78ef08e6fe8ca59da6e8f5e4c0d9eeaf30 |
| SHA512 | 179101c9f6542d8a97a6921ddd076bee85c976c263b35caa4c53ac5d01003e2c16c46c3d5ab73c0ed073d235b167d03a3375726a4ca3c46efb072f551a10869e |
C:\Users\Admin\AppData\Local\Temp\2ov7v8qcEfyW.bat
| MD5 | 4bb5f46fc748da654f01c91b8575ce81 |
| SHA1 | 9caf4a8c6916614d114aca3d4c902d8cec7aadfe |
| SHA256 | 995b75b8a7d9344cd6d58fe41b5e6a89c743cecdc55b261f6ea2925498c8a69f |
| SHA512 | e502a55dba8b4d6067f7fba6b02b0a1dabab9969508f55c624a9b3cd7cdd9be14c6d89e66b1df7617ab22c46da1595a5fabb81bac7c777fa148d432e40502fc1 |
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | a8bbd324661fac394fc9cf6e44e3560a |
| SHA1 | ece4b1c6dc4f1faa4b3d8d40c5006e5479d9b38c |
| SHA256 | 8208380170dce20065772a98efea511967bbe8d2955533984f54ce6174f68340 |
| SHA512 | 6bea51baf6d02fe49138300de9db220253216b03650895d3c48a137b2ea20882dc0c6694784e0b173f914b55fec3bb2013805670c5a63c0ad8aa29e2143f7538 |
C:\Users\Admin\AppData\Local\Temp\vPWGn57EKeUC.bat
| MD5 | 49d52241d744c132167d1324fa08a3e6 |
| SHA1 | 86b63572710a1372ff3d36eeff2418b3024c2160 |
| SHA256 | 8492020ff9bdc195955a56015e14cd05ccfa726b54044d8a62c088229f9009e2 |
| SHA512 | ec72ff4d5bb70440bcf7f9401815437176c82c4dbbae7fb8ab61c8925b3f605708c67236c0718fcb5dc94985c6e6232ab177b016afaffb863f6d10117d755686 |
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | 69d4a406a5778a70975b4d9888a3799d |
| SHA1 | 12e92a99c7f970b9731c7a312d237248dcb0ff79 |
| SHA256 | 629bfdda09a023a4ff9b34017fc8846f9341ccf63982136fb9d6ab72f8da4be3 |
| SHA512 | d9021f85bc5f64720fff38ca2e31498e8e6c406caa2e8abd63ceeca7fe3bff9b04f18c903013c2cf9cc9179102161a703d55bde6a4119bb3bb094d10c4f5a6ed |
C:\Users\Admin\AppData\Local\Temp\buSmfvVHZDBe.bat
| MD5 | f301443353893d193b6da8ab47748d94 |
| SHA1 | ef17c7771b5f49b054ac4ee40c447e29717ad4ff |
| SHA256 | bcd261491e661b206de9a17e6b0876eca29e553738a947d8f26157a3f7cdecde |
| SHA512 | e4eb12592d14586af58a31fd77effa60a77c0cbc482695d1f84ed4daaa305d1cca950fdade38485b2c359fe6bc7e0bbb7428aee01bca6338d55bb4032bea9d68 |
C:\Users\Admin\AppData\Local\Temp\o8Vqrec9DDpE.bat
| MD5 | ecb2902ba265b8300029113b19403229 |
| SHA1 | a8a47e525d03742361f2007d3824d6719bec8a17 |
| SHA256 | eeece4839709118acb06b5e638eec9c8d1da26e7838cb8b9589abb1c8f5ce549 |
| SHA512 | 60220916a986176d516f7f8eaacdfe1b3610c04464bf4bbab50aed98fcefb3d92f2a11366f5006d46872cf1a3ab6aebd92eae70dfafbb2f844cd6181a81f0449 |
C:\Users\Admin\AppData\Local\Temp\mJo3Aj1vwscI.bat
| MD5 | b927f1f76ab1f1c363cbae1dca7dede9 |
| SHA1 | 57eef137d31b7c9e25f14479cac6c8adbe06f955 |
| SHA256 | 439aabdd40251ef203cdef2dd342f990add9cd43202900d01bfdad5f6236e007 |
| SHA512 | c909565b9c8eaae22897c2f5c1a51cc2f259aacecedcc3ac0a72c5ceef2511495da7c73ce30d6445eeda7f8510fb622c9903d1ab76dd926c62f3508e75a6fd27 |
C:\Users\Admin\AppData\Local\Temp\67ZAoaFxDXWG.bat
| MD5 | cb88fcf6929e524c645ed95e660fd5f9 |
| SHA1 | d4e158c7d359611643f0acbc9636f86452cb2e9c |
| SHA256 | d0efd755a089c85dd1799a03d569a4561486cca2a70dd3e3bb97d3ca8a736f42 |
| SHA512 | b9b407f52606e24a128f340e8b455ea26cc7d4021efddad0f716326e2d5b9e4b460cc376a75a85f830c45ad86638d634cae65b419b65831075656719e988c047 |
Analysis: behavioral14
Detonation Overview
Submitted
2024-06-10 15:28
Reported
2024-06-10 15:48
Platform
win10v2004-20240426-en
Max time kernel
464s
Max time network
593s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (12) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.112.168.52.in-addr.arpa | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/4488-0-0x00000000746DE000-0x00000000746DF000-memory.dmp
memory/4488-1-0x0000000000A80000-0x0000000000AEC000-memory.dmp
memory/4488-2-0x0000000005B30000-0x00000000060D4000-memory.dmp
memory/4488-3-0x0000000005620000-0x00000000056B2000-memory.dmp
memory/4488-4-0x00000000746D0000-0x0000000074E80000-memory.dmp
memory/4488-5-0x00000000054F0000-0x0000000005556000-memory.dmp
memory/4488-6-0x0000000006220000-0x0000000006232000-memory.dmp
memory/4488-7-0x0000000006760000-0x000000000679C000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/3408-13-0x00000000746D0000-0x0000000074E80000-memory.dmp
memory/3408-14-0x00000000746D0000-0x0000000074E80000-memory.dmp
memory/4488-16-0x00000000746D0000-0x0000000074E80000-memory.dmp
memory/3408-18-0x00000000070E0000-0x00000000070EA000-memory.dmp
memory/3408-19-0x00000000746D0000-0x0000000074E80000-memory.dmp
memory/3408-20-0x00000000746D0000-0x0000000074E80000-memory.dmp
Analysis: behavioral19
Detonation Overview
Submitted
2024-06-10 15:28
Reported
2024-06-10 15:49
Platform
win7-20240419-en
Max time kernel
596s
Max time network
600s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy - Copy - Copy.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (13) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\zUB7QI5be8YJ.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\SKJ68JFu78EQ.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\Bpz2UpFcXPIE.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LXpvdGCk8MkL.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\lM9BYXCj5XiY.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\BBSQToCj1ihl.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\zC6uOGypelLO.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\P1QAJXypaxKb.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
Files
memory/2264-0-0x000000007414E000-0x000000007414F000-memory.dmp
memory/2264-1-0x0000000000E80000-0x0000000000EEC000-memory.dmp
memory/2264-2-0x0000000074140000-0x000000007482E000-memory.dmp
memory/2264-3-0x000000007414E000-0x000000007414F000-memory.dmp
memory/2264-4-0x0000000074140000-0x000000007482E000-memory.dmp
\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/2516-13-0x0000000074140000-0x000000007482E000-memory.dmp
memory/2516-14-0x0000000074140000-0x000000007482E000-memory.dmp
memory/2516-12-0x0000000001090000-0x00000000010FC000-memory.dmp
memory/2264-15-0x0000000074140000-0x000000007482E000-memory.dmp
memory/2516-16-0x0000000074140000-0x000000007482E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zUB7QI5be8YJ.bat
| MD5 | 8b7917683467a7174e955f387f1f4a35 |
| SHA1 | 568d6a36b0ce64a7eda4662960e0ef1ddfbd01a3 |
| SHA256 | 983eddba535e000a87565d48ba526a5683d59ef0644df306e886762117322bb9 |
| SHA512 | 48be55d8c78494e2dc377ad02c135a01c5d97c95ff676337d2fcaf06c6472016b9a0a512cd8c562208dcb823dcf2e42e7822f005e761ba79b4c88b35720971f1 |
memory/2516-25-0x0000000074140000-0x000000007482E000-memory.dmp
memory/1880-29-0x0000000001090000-0x00000000010FC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SKJ68JFu78EQ.bat
| MD5 | 4ca66fa51686a61b27302e1366161451 |
| SHA1 | 169d1dc3a0211151715acb68fe9f8ca227ad22ea |
| SHA256 | 8166e37e5a1a499e523f416dbf89adb93613794ac0e077537d3c38a2fab40252 |
| SHA512 | 4383042025f22e20036548ad813cffdc6615085e1dbb672fe731d2c5b633555b9421a8c644a5ca3662289a5281d414feb3f969684592ac754e533aa29d9c82ea |
memory/564-41-0x0000000001090000-0x00000000010FC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Bpz2UpFcXPIE.bat
| MD5 | 9866638cfa95911f6a88b03505b562a3 |
| SHA1 | 9cc30fb85a733d6d7913cccd404f4151543e43fd |
| SHA256 | e87c49c95c603a4f02f58edaff13755564cb6603bbef7444b1fd64d36e2dbc7d |
| SHA512 | 5efb933f6de767c599f5634b9db16367cec04d1ed84b9744c90c03ee06c6067144741d06008a19859147059ea9e6150e19583fcf95d9eca052913639fd3f37a6 |
C:\Users\Admin\AppData\Local\Temp\LXpvdGCk8MkL.bat
| MD5 | aee5b8a35277c40f3657b7f0bdcb37a7 |
| SHA1 | 25058749b626e730f156651062bf287a9deaf7b1 |
| SHA256 | 940a8e865b3875c1f40a748b97c6863dc5eed7978aa7f4ad889ac556722408c5 |
| SHA512 | 0ca74ca2c1897d35a0d54869e77790e91471ff15111e227a7c678f917ad221ddd51a800364fd1ba4517a7819ec65267ec24a099280010b6aa9f6a99e1a365109 |
C:\Users\Admin\AppData\Local\Temp\lM9BYXCj5XiY.bat
| MD5 | a7bd0c2593f010815ddc546bc79a17af |
| SHA1 | 63a9cb11429dd528ac21afe3f6676fba8c8266ec |
| SHA256 | c2d85cfb57a8dafe1370a6b880468375166843eaeb392d8f367e9e5414744e32 |
| SHA512 | 04ded3651ea73fde2c477f13a9ca5dfc41753896197e8830823de587d2fa8711b1aaa67952fdd4e2d78e9725b9274551c6ef40122ac5e74dd60cd14626201325 |
C:\Users\Admin\AppData\Local\Temp\BBSQToCj1ihl.bat
| MD5 | 7cc5331921a047a169fa988da58fa95e |
| SHA1 | 2b16f982de5717c4876f2cc2fa81186596ca8fa6 |
| SHA256 | dab2bbcbb9b23064c1fb6b7818e2a0ea37be2de64555fb0ba057670f258a9715 |
| SHA512 | 03ff5331bf8f7542cb130b8028bbc454d7de28d43963bc56cb01a8b812236219c6b483e87e9ab2d999e4dd5ba4aaa8c67aeca591fe9529d5d900aab90de12b8a |
C:\Users\Admin\AppData\Local\Temp\zC6uOGypelLO.bat
| MD5 | 312acc68010cfaf6f4493716eeeb55d8 |
| SHA1 | a6fbb0b3d096ee3a142fa3f05a977ca5898c4d8d |
| SHA256 | 722f315b808d1fa78e7e4cbd0ef021aee674a34bc14162951ec42459a9f618e5 |
| SHA512 | 09e2c3b70d1bb1647420baa3e03fcbf36495198e614d058e5483f9c5a7faf1249812bb0bf52ec119db7562a9395b6862c69f08ab6822953fbcd5c193cb01c70e |
C:\Users\Admin\AppData\Local\Temp\P1QAJXypaxKb.bat
| MD5 | 8f16e4399b81ed069d00ec55a6ce45f1 |
| SHA1 | 280c40bdd5a9c14518799393149219a39e35bb90 |
| SHA256 | ebdd14f509bdea51476596fefb47d9bf1678bb3f5badde3a88a3997a91837c20 |
| SHA512 | cfe63b185b25a2e511157b022f7f24d7e58700cb19add7c006b6fccbe22ceadde7365d7a8e0f25a7436c566fed589e01ac6b3b87f1b73bd85897f7e84fed7fd6 |
Analysis: behavioral24
Detonation Overview
Submitted
2024-06-10 15:28
Reported
2024-06-10 15:52
Platform
win10v2004-20240508-en
Max time kernel
598s
Max time network
599s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Executes dropped EXE
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Program crash
Creates scheduled task(s)
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (13) - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\grIhOBQOQuWT.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4924 -ip 4924
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 2180
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eydYZm8p9GGB.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4276 -ip 4276
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4276 -s 2176
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\X1PA4QJAwvdP.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5036 -ip 5036
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 2200
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5RUojvzzsrBZ.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2000 -ip 2000
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 1092
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nRZ9Myz7pOlx.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1172 -ip 1172
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1172 -s 2236
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Vtau8NCjArUk.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4472 -ip 4472
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 2236
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EPKAnxk6wEs6.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1816 -ip 1816
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 1092
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kJkuRurg3KbH.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4300 -ip 4300
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4300 -s 1708
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\v2d8sRMU0MNx.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1480 -ip 1480
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 2224
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WS1Q4KFSKDhw.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1212 -ip 1212
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1212 -s 2224
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GWqHaabMgdwt.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3824 -ip 3824
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 1704
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dtGsdZQeVl1Z.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2952 -ip 2952
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2952 -s 2168
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4Hi3iZlqP5Bv.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5092 -ip 5092
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 2232
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nLXuEp6jmVQs.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3176 -ip 3176
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3176 -s 1092
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\o10wJ67aC76q.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 716 -ip 716
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 716 -s 1096
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yIzlcHPukDi6.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2764 -ip 2764
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 1708
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\604GG3kNBRmr.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5064 -ip 5064
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 2224
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mV0n8u8RR0TK.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4396 -ip 4396
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 2160
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\e6bwzqQ3Xz0z.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2656 -ip 2656
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 2224
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KbXTrgo6nYgS.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1720 -ip 1720
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 1724
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ePHaVY284DaQ.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1980 -ip 1980
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 2236
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\i6YLNaDIzexI.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2884 -ip 2884
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 1096
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mnp7EcNSv4K9.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4392 -ip 4392
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 2248
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yWjLf8sFs65p.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 684 -ip 684
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 684 -s 2224
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HKTSJz6H9lzn.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2232 -ip 2232
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 2248
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zKZox26Q6IZA.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4148 -ip 4148
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4148 -s 1092
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2Wgk2sfVKl28.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 5104 -ip 5104
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 2228
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
Files
memory/4560-0-0x000000007454E000-0x000000007454F000-memory.dmp
memory/4560-1-0x0000000000100000-0x000000000016C000-memory.dmp
memory/4560-2-0x00000000050C0000-0x0000000005664000-memory.dmp
memory/4560-3-0x0000000004BF0000-0x0000000004C82000-memory.dmp
memory/4560-4-0x0000000074540000-0x0000000074CF0000-memory.dmp
memory/4560-5-0x0000000004C90000-0x0000000004CF6000-memory.dmp
memory/4560-6-0x00000000050A0000-0x00000000050B2000-memory.dmp
memory/4560-7-0x000000007454E000-0x000000007454F000-memory.dmp
memory/4560-8-0x0000000074540000-0x0000000074CF0000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/4924-15-0x0000000074540000-0x0000000074CF0000-memory.dmp
memory/4560-16-0x0000000074540000-0x0000000074CF0000-memory.dmp
memory/4924-17-0x0000000074540000-0x0000000074CF0000-memory.dmp
memory/4924-19-0x0000000005FC0000-0x0000000005FCA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\grIhOBQOQuWT.bat
| MD5 | 3b6a988048d441eff0a7136241907d72 |
| SHA1 | 931620b66f13dcc80f0bb82cbbc4f0aec409b7f9 |
| SHA256 | 2a3b4c183dee2350415e893907c8fc287d9b0d5ba3d8975c50e7a94a47fbd4d7 |
| SHA512 | f75faafed8e46f6c97ecab9415991b11e07651450099d19458c11d33f1e53dde1e9faaa5a3d7abad6fc58aa3b01c2822600cf105544f05fc654b1b73126466fb |
memory/4924-24-0x0000000074540000-0x0000000074CF0000-memory.dmp
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | fa3508ff20e45e3c9abb470c194d032e |
| SHA1 | 1b70fda8427115043da0d8381adf2cb6adc4d1b6 |
| SHA256 | 16c0b7827fa0b3b3c65301066ce1f792d70eeae265218ae926dc345e56720eb6 |
| SHA512 | a604311ae187d84fcd8d36001c47def23140cd98a3999480161369deb3955301eeee7717f872c88611f2fcfc402a9cebbca2aaebd36a720153a97652fd1b0b18 |
C:\Users\Admin\AppData\Local\Temp\eydYZm8p9GGB.bat
| MD5 | 2cb9aaea3c7feca92e15ca3322a768d9 |
| SHA1 | a2b00159aaee73d9ee0f5e38c4174c9bbc42ef85 |
| SHA256 | 6a3b3e3b76c6740e2390fc832d8587627778484fee0edcc8adfbe3afe7860bf6 |
| SHA512 | 2eea8068d2bca6465ff725bcd27c55f76ba181375728d2b2d4b1eb0ce1ba8d5b2e39a547a534dbf602fba5773f027b4318fcc5bd009ff98d422fef0df4fabf72 |
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | e288b93240926ed4ef2667a3eb666eca |
| SHA1 | a65bae7641deaa02ae43e2530f05ac6001322cab |
| SHA256 | 849b39e55f685659f2ca43f2e952bffcecb4cf12cdf18f7793400c15fabbfe49 |
| SHA512 | 2e3785c71a1fe3e625d553e58a5241fd215da7fbaf3b50662ec430dcb146c14b5791fbc589176cc33ca1404bd6e41652768698554b0eb3556570d187ff7f5a65 |
C:\Users\Admin\AppData\Local\Temp\X1PA4QJAwvdP.bat
| MD5 | 71fa017ca1bf2bc204d48f8d7135ea61 |
| SHA1 | c0405905b1e6b66b1d52fc386787b3af5c90a098 |
| SHA256 | 8a8d376039d2592516ad51d55b56339d418f0202428396ddc65a72716dfa5a46 |
| SHA512 | dcce4b38c8a9346992ff0b54271702b491be913b409aaaecb381be8b10594c41852c3607bfa80e1c42bd2a3663c5532de98b7db954e4d202dc93b93b857b872d |
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\5RUojvzzsrBZ.bat
| MD5 | 3556101dc8ce0f22640a9a52c19f3733 |
| SHA1 | cb6dfb9e3813d156600a49d88e8523f796ad2a3e |
| SHA256 | 88e2cc96d33ab04520334e491c5fe54d7aaba9ee9ac10e6c4cd7d0017e189679 |
| SHA512 | 88c67ebe2af46881d8808da650a06f31337e2c07fb9a7715ff49fdf7fa1982ea9281ba07e99396ff9b7997621d8ec387b32f030ed22fba9ec69de76dbe67cdee |
C:\Users\Admin\AppData\Local\Temp\nRZ9Myz7pOlx.bat
| MD5 | 2df69c0a98e3189b32b0057ae1accef3 |
| SHA1 | 1628f8a8c9d7350ad457ba157bc289cf3500551a |
| SHA256 | 6976d7877c272032dc627abc40bce3c880ee5629bd0ba3c9a858007e2643434e |
| SHA512 | 0a3b927e628ee3711f7a57432c669d10ca29a5c5d8d43f430728883c40c670d5b394158ef2bc9414b8c56dcca274f5c5b185d5c5eff6a4daea3f0664bb21ab0e |
C:\Users\Admin\AppData\Local\Temp\Vtau8NCjArUk.bat
| MD5 | 0ab7325184ab5ff8f89a2a4f8ba00e8a |
| SHA1 | a076dff7e32edbcb02aa3269f2afab88d2aa363b |
| SHA256 | 729c1c8614897382ad2b068e0519a31fc9ecb4224b3df720948613193f57f27f |
| SHA512 | 61c9dcff70f03e98d5637d4844d1e266b5a88c2fc687d8891fcef00b213e1cf813aecaf78371b75b5353df288cd04d282c9a0aee768ee3b138eb88fdd214ba5d |
C:\Users\Admin\AppData\Local\Temp\EPKAnxk6wEs6.bat
| MD5 | 45aaa5cccd3bbf4ff4a7dcb7680d0b37 |
| SHA1 | fcf87d2037ed77d9ac02cc5e60ecf841d2cd8843 |
| SHA256 | 845182fa3199a87cd076b9c8d213adab217f62282ce237a3aa38bd626b5964a0 |
| SHA512 | 203984bed8b516212eee5f75f6c42a5255091e8389a5a16787cdb7f5d615198c2510f8684c706e0050530409e66c1b7c7e5bf5e2ec881f47448500f94e01fa7c |
C:\Users\Admin\AppData\Local\Temp\kJkuRurg3KbH.bat
| MD5 | 37ae74878cea2009121cbaf4576db7ce |
| SHA1 | 27a68730271b959176d4f56cd3c7b4a896ac8c7b |
| SHA256 | a0e9de2d86fba15bb6d7a2966f1c7455535bd52a5c388c216ca839f53fce9f6e |
| SHA512 | 100a7c725527895b8216e45b38fc2b75df59dcbe2fc053a2e7c509eaaa026dac85e0b379b11351e33b78005d76062856de886ec8e77db5b18b6d59432ded148a |
C:\Users\Admin\AppData\Local\Temp\v2d8sRMU0MNx.bat
| MD5 | 09ab72a29ddf7d1ce85a22159e1e80ad |
| SHA1 | df4fc249cb3f7ced017552c3cd2726e029ddbebc |
| SHA256 | 9d49ae8825598aac25f54c5b903feb519e4fbeb9dc5ec9e7873d0d07b64ec890 |
| SHA512 | 25f5535c4d522a23cfd456175b57ddba7050cf5e70be2265f0cd9b2b34ebe767c4e46a67d947d8a7970325ad448164e945633674556e6859211b70c2fedbded7 |
C:\Users\Admin\AppData\Local\Temp\WS1Q4KFSKDhw.bat
| MD5 | d76fad12b4c45f9bdff87cb08f3fff15 |
| SHA1 | d290bcbfe6c8e20325f4ecba3a88a153654432a1 |
| SHA256 | f0268077c39d6cbfa934e212308e04c1dd8c50b119c13528d4abd99fd73f1a12 |
| SHA512 | 6bfab8b2798716061e764d878a43c88eed248a0f7aff9284d965237098c3da6273678ffdd8281a3d7900f8379ceee81436bb5c227487943b2c46a80243ae6559 |
C:\Users\Admin\AppData\Local\Temp\GWqHaabMgdwt.bat
| MD5 | 06ea8a66ed84df04a69515c943e9ca5d |
| SHA1 | 6753e00a285b7f33727e027b6e09b59cd3b762ab |
| SHA256 | ed079186f01fde91d118037d2e1f45e8bfe67b3e8e978079f89a6209a0543f99 |
| SHA512 | 6d80e9d607d91f171ece47e48640d5bb45221121e57610dd2bdafa1d3fad2323d03b35346259c0adb16ac289113ac0ad136ef40a35abc89d480841f70478b010 |
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | eedb3e4116118b53fa02c9aeda83e156 |
| SHA1 | f322ae173b3ec6d55d35baaa570634531eca773c |
| SHA256 | 75114de3bf579f06763361c4dab6a22e4dbad1f36aa029f911ae7fb5a0236f0c |
| SHA512 | ef24283abd9b95ee9ea7b1b49fc933e0559908247c40ac2834b7c6d5f862200bc10f3acbaab6a8ad90a670cfa6f09558833c750d782acd112469b0c9eea87f97 |
C:\Users\Admin\AppData\Local\Temp\dtGsdZQeVl1Z.bat
| MD5 | 4c23adf228f6f3531ade6ffe8d09568b |
| SHA1 | 224e78806a4a46b9d3cdc253bc68c595eb444865 |
| SHA256 | 4c524351622f23aac5249c45447310791c7be281a215e91928e7f8723a03380f |
| SHA512 | 4164ca46879f25a1e1f5661d0fe029e0623dc88057c4fe4d8494cbb7f5bc21ee2eb313153b081b96bb2edddb61a57207c449a7df0fedeee0a737966bc698a682 |
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | d1979ced91f173f1e08027cc6fa34710 |
| SHA1 | 9b38496322c5e0591b58b10da8081f1e2227e065 |
| SHA256 | 878b2f3c728b696461bf3c9264e9aa5733a628e07f4949600410912a7bf4d13a |
| SHA512 | b313bf7bcc8a65c0ccca730a284ea4cf97448a6d64c1a48012bb4ed934c4d5b2b50f50ca388e7fc526851fc41064d2ca77e4310fa4894332b26b2be6fa2aabbc |
C:\Users\Admin\AppData\Local\Temp\4Hi3iZlqP5Bv.bat
| MD5 | c8194d5401f5b8ac69cf67045d1f5af5 |
| SHA1 | 215b66d14856a7a44a920952aa84d608dc57a553 |
| SHA256 | f2600cda7d5c98011437775a152ce06904804b0d6e56ca24a60effbce0cbf102 |
| SHA512 | 277bc9504b53b1afbb3060a79f8135a54eb1462579e7b531fd3cd4fb4a446459949fb21d47a0fb0e096b25c034d47681e523316c3b02526f409a40031e2419f6 |
C:\Users\Admin\AppData\Local\Temp\nLXuEp6jmVQs.bat
| MD5 | 3784332df8d9a4be5f32fcf24c1d4236 |
| SHA1 | 78e3e04d6a596669f1179861c0db4ed3570aef79 |
| SHA256 | 34f63fa91bf47c6f594cc45e99370f7aec2362785e12b691facf3b83f066d86e |
| SHA512 | b0c131648d3afb68504a535144290853a2d7b07a65a82676a9740b7ab5d563dff29a7ca9f83a055b0150e4cd522cfb8c9a5033f50dffe61d9dc6d24aa73e4932 |
C:\Users\Admin\AppData\Local\Temp\o10wJ67aC76q.bat
| MD5 | 288d92b0ce0c6104301f53c396ed521f |
| SHA1 | 9631f8edb14dac3fd01f44f737d2adac2a7711fd |
| SHA256 | 388d840f2ceff2ac516dd2c0105c159d22ffda0d6bbc728ecac5864f08a3fe05 |
| SHA512 | f3dba9b6f4ef60e59246eed847326d872aa52f62d23a8c46d096ba7eee12fbbdcf0cfe65d840a4ab1d96bb80de231b83c0206a17c18ab7b8f47b977104a3ec01 |
C:\Users\Admin\AppData\Local\Temp\yIzlcHPukDi6.bat
| MD5 | 4e32f7c05c15ae4a4bd3817568a10738 |
| SHA1 | 27bb3d74fd245b00dcabbed1ff9b8b3707f4feb0 |
| SHA256 | 67ae3da6c383b8e52c09a961315b990e8dabd05fbc7d5aaef1fd36ac10a06731 |
| SHA512 | 6f70f014077e1a13a9628d8dc9470d606848422cc3368cfbe09582f1573473bb6627e05c7ca40f989c371c35669d9acfc3c55c9c69098cb7dc93872e918b0981 |
C:\Users\Admin\AppData\Local\Temp\604GG3kNBRmr.bat
| MD5 | 2652342fa3e2a1d60d55abbaf78d1465 |
| SHA1 | c73d05ab6f82d4a25845238087e49814d9631f6c |
| SHA256 | d3b76b5e736e96de3b4ca1f0ec5bb81f66628e520e04809bbf0e53575cd07981 |
| SHA512 | 6b6aa3051dd75d4ebdec2d3c41b1fdfdb78ab0b8fc902a56f887b4d53b38ed1e129a8b60dd22238c020ab4c07afbad2ac9874e15a77c1be935b98bc4bec896e3 |
C:\Users\Admin\AppData\Local\Temp\mV0n8u8RR0TK.bat
| MD5 | c62081160788b14cefa81e733eb34af3 |
| SHA1 | 9a30c63e1d0379a4f9c45c0ec8c1896ec1b9b26f |
| SHA256 | f919935f90fc38eaae458067aa4f06468599b2880b9fb9f0a01115d364cc6eb5 |
| SHA512 | 9bc4110f539e531ca6224453f5fd480d9982a5227c513af8ac270aab87d0ba469c477a9610467cabdde102044af76479bf62fda16b90f49b6ad51b0aa4d29831 |
C:\Users\Admin\AppData\Local\Temp\e6bwzqQ3Xz0z.bat
| MD5 | f435bf186910d43cbfa8c0f0943cc3f2 |
| SHA1 | 3920655d6eb0d6e7821f05bc5d94b14169dbd594 |
| SHA256 | 38e0f66fbb4e9f19911bde6986d467e4188ffbd00404ee99df33870ae2d014c3 |
| SHA512 | e76d3e77545ed505ef0e46865e4e43d3ab184b87d9bfd067ac01001642465107d19ae99caefb97b2d10692b2e93586e79f75be1c5f0357e3a171ac9a7e0a99e6 |
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | ff6fe9f9202d0767908437455c6e3abd |
| SHA1 | 6d042aa014bc5d41f6848a340a2daf9b98c76e5d |
| SHA256 | 0217934f40df6e95f6b486cd6a02deedc7d4236425af65b61af64b909606a4e0 |
| SHA512 | debd7347dec29742f363c982833618125df84e0f33e700dd5b6352623d1d2bc55d7ae5d0809e0fb8c30b404c8a0df19ed1b0c91a5baf33fd8fd27522cf5c02e4 |
C:\Users\Admin\AppData\Local\Temp\KbXTrgo6nYgS.bat
| MD5 | 6bc211a8a1566a34bf2317a084668669 |
| SHA1 | 581adf1f8f0cbcca7fa8cf267db0ef99bdb535c9 |
| SHA256 | 7b35449cde3a22a38cc24347f322f736845b66a1e5f5f5d7312c63930fe287a2 |
| SHA512 | f0665f1eb22f11bb8e1daa564d0d0affcaa170be979e1585ab94bb5d63c4fc3fc02d02bd96852ecc45f3fddc2fdec7d219e778aad43a9ac12a2625e88404b4c8 |
C:\Users\Admin\AppData\Local\Temp\ePHaVY284DaQ.bat
| MD5 | 2bd132096a9c48e1122535a7850797a8 |
| SHA1 | ba228043a410803359222d5341e084d3a5b3f198 |
| SHA256 | 0cc9559f653f73a5bfc610373233f49503397c3aa6f8f970c48b8811998d1437 |
| SHA512 | f0eabef3e123ddcdcc6ccd16ffa78b4e2ff026b7fd9162a2de2943b0036cb874860b13632b26f14084d0e38662f6c58b24ea44ef2f43b51f9b2b20c861bccfa3 |
Analysis: behavioral26
Detonation Overview
Submitted
2024-06-10 15:28
Reported
2024-06-10 15:54
Platform
win10v2004-20240426-en
Max time kernel
465s
Max time network
594s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (14) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 215.143.182.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/1196-0-0x00000000744AE000-0x00000000744AF000-memory.dmp
memory/1196-1-0x0000000000730000-0x000000000079C000-memory.dmp
memory/1196-2-0x00000000057B0000-0x0000000005D54000-memory.dmp
memory/1196-3-0x0000000005200000-0x0000000005292000-memory.dmp
memory/1196-4-0x00000000744A0000-0x0000000074C50000-memory.dmp
memory/1196-5-0x00000000052A0000-0x0000000005306000-memory.dmp
memory/1196-6-0x0000000005EC0000-0x0000000005ED2000-memory.dmp
memory/1196-7-0x0000000006400000-0x000000000643C000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/3492-13-0x00000000744A0000-0x0000000074C50000-memory.dmp
memory/3492-14-0x00000000744A0000-0x0000000074C50000-memory.dmp
memory/1196-16-0x00000000744A0000-0x0000000074C50000-memory.dmp
memory/3492-18-0x0000000006E50000-0x0000000006E5A000-memory.dmp
memory/3492-19-0x00000000744A0000-0x0000000074C50000-memory.dmp
memory/3492-20-0x00000000744A0000-0x0000000074C50000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-10 15:28
Reported
2024-06-10 15:38
Platform
win7-20240221-en
Max time kernel
465s
Max time network
592s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (10) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/2324-0-0x00000000740CE000-0x00000000740CF000-memory.dmp
memory/2324-1-0x00000000003F0000-0x000000000045C000-memory.dmp
memory/2324-2-0x00000000740C0000-0x00000000747AE000-memory.dmp
\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/2584-10-0x0000000000F60000-0x0000000000FCC000-memory.dmp
memory/2584-12-0x00000000740C0000-0x00000000747AE000-memory.dmp
memory/2584-11-0x00000000740C0000-0x00000000747AE000-memory.dmp
memory/2324-14-0x00000000740C0000-0x00000000747AE000-memory.dmp
memory/2584-15-0x00000000740C0000-0x00000000747AE000-memory.dmp
memory/2584-16-0x00000000740C0000-0x00000000747AE000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-06-10 15:28
Reported
2024-06-10 15:44
Platform
win7-20231129-en
Max time kernel
466s
Max time network
595s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy - Copy.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (11) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/2212-0-0x000000007498E000-0x000000007498F000-memory.dmp
memory/2212-1-0x0000000000200000-0x000000000026C000-memory.dmp
memory/2212-2-0x0000000074980000-0x000000007506E000-memory.dmp
\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/2160-11-0x0000000074980000-0x000000007506E000-memory.dmp
memory/2160-10-0x0000000000A90000-0x0000000000AFC000-memory.dmp
memory/2160-12-0x0000000074980000-0x000000007506E000-memory.dmp
memory/2212-14-0x0000000074980000-0x000000007506E000-memory.dmp
memory/2160-15-0x0000000074980000-0x000000007506E000-memory.dmp
memory/2160-16-0x0000000074980000-0x000000007506E000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2024-06-10 15:28
Reported
2024-06-10 15:45
Platform
win10v2004-20240508-en
Max time kernel
591s
Max time network
601s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Executes dropped EXE
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Program crash
Creates scheduled task(s)
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (11) - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\t13DzzvAF4Ff.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3604 -ip 3604
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 2200
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jcbmotgsFrhf.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4316 -ip 4316
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4316 -s 1020
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3yDe48LqYA5R.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4876 -ip 4876
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 1092
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oYxT7IwF29rX.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4060 -ip 4060
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 2200
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GCFhHqSiCAk2.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1244 -ip 1244
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 1648
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4m36M2Z1mMZn.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3960 -ip 3960
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 2236
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\M5ePEiByM3aq.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4960 -ip 4960
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 2252
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Nl6QJzComgFo.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1304 -ip 1304
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1304 -s 2228
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zFEEO6QYVRFN.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4748 -ip 4748
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4748 -s 1712
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vre62msT7ETw.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2472 -ip 2472
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 2228
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PozcmBAV8PBm.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1384 -ip 1384
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1384 -s 1096
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OzIp5HZHr4xq.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2204 -ip 2204
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 1692
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\emFCwOdzcvAu.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1968 -ip 1968
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 1092
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HiHP9q4DldIs.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5000 -ip 5000
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 1092
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qdVsaXL6OXkx.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3828 -ip 3828
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3828 -s 1736
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\V4htZBOODClq.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4640 -ip 4640
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4640 -s 1688
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zTynRwtudKc6.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1676 -ip 1676
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1676 -s 2240
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3AFZIy44Ylyy.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2584 -ip 2584
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 2240
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vlqiAuMgekVd.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3500 -ip 3500
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3500 -s 2224
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FZbpomZhvPPb.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4292 -ip 4292
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 1708
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Hlilub8nAstZ.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3568 -ip 3568
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3568 -s 1708
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9MKulXQPFsPE.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4628 -ip 4628
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 2248
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FzfuX7P7GDoQ.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2240 -ip 2240
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2240 -s 1076
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gN75c7kIAXym.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4064 -ip 4064
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 2220
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RO1A3uvkdrF3.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3112 -ip 3112
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3112 -s 2224
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\smTL8vGwXBOP.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2648 -ip 2648
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2648 -s 1704
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DexyfzpjFkyx.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4460 -ip 4460
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 1712
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\r59zeds24Pzq.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3604 -ip 3604
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 2248
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
Files
memory/1820-0-0x000000007477E000-0x000000007477F000-memory.dmp
memory/1820-1-0x0000000000FF0000-0x000000000105C000-memory.dmp
memory/1820-2-0x0000000005F60000-0x0000000006504000-memory.dmp
memory/1820-3-0x00000000059B0000-0x0000000005A42000-memory.dmp
memory/1820-4-0x0000000074770000-0x0000000074F20000-memory.dmp
memory/1820-5-0x0000000005910000-0x0000000005976000-memory.dmp
memory/1820-6-0x0000000006790000-0x00000000067A2000-memory.dmp
memory/1820-7-0x000000007477E000-0x000000007477F000-memory.dmp
memory/1820-8-0x0000000074770000-0x0000000074F20000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/3604-14-0x0000000074770000-0x0000000074F20000-memory.dmp
memory/1820-16-0x0000000074770000-0x0000000074F20000-memory.dmp
memory/3604-17-0x0000000074770000-0x0000000074F20000-memory.dmp
memory/3604-19-0x0000000006550000-0x000000000655A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\t13DzzvAF4Ff.bat
| MD5 | 29c5603a7d30cf7dd4322e5fdd5c21af |
| SHA1 | 2bb92c03243452d614118a05f9292fb7e5f02865 |
| SHA256 | bb2c135044430d9aa28d02f977b7e4ccfdbdee990c739bc793d6fe16b6dcd979 |
| SHA512 | cbfc1157d013f120d6eb6459a593b87c0bef6963f60ce209d929083bcb4cac49e340a7b9b6bb6c4a3d086e5f84aa102abe49b1ab44e029703718919ec2e110fd |
memory/3604-24-0x0000000074770000-0x0000000074F20000-memory.dmp
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | 321870357b60a07522d740f19e27eccd |
| SHA1 | 76d98f5287370996167811da5fcc7c66b65718f4 |
| SHA256 | 77ea09e17fd694e7a9ca34bdf6846345279061e1f542818097a9b9bcf504de6a |
| SHA512 | f46b869b7211c99cd9680bf9051766ac4142a1c45bf3f884b48a57ae770ff8cd1fce11c8b4411a1f93209dc23a0e0baf7d6cea24a6ccb110022857c2c5562a22 |
C:\Users\Admin\AppData\Local\Temp\jcbmotgsFrhf.bat
| MD5 | 0ef6e6deff68a032928ba6748adb85e9 |
| SHA1 | be822e4060644b3d9cf39d01603798b4d937dc6b |
| SHA256 | d37efaf5e3c9165b94b5e50de5e18c2f7fb3e277a08a951037c7e180412a4b71 |
| SHA512 | 2b4f6270c4643b9db1321dd72bbc4a66466b66f982f6850e0d4e2648b6af4200113370d0efcbff0388da93c399ba069af723c0d31978c6e9d538733d4730ce0c |
C:\Users\Admin\AppData\Local\Temp\3yDe48LqYA5R.bat
| MD5 | e834e4a0a112bd4616c039317fc29813 |
| SHA1 | 3e2d3cd4ece4eb132b2268c486cd219023e08178 |
| SHA256 | d9448c070fc333fa3dd8126574f1d721a6e44dbef262fc81443f7202b1a702d6 |
| SHA512 | 15eb6e7679200ace1147216337d8d4443d00ef338834bd967fc460d58ffd0053e0be563d68fee9489f1ad9fa969788f208cceb73d7491676a4abbd2f518491fa |
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | c596a1eab6332042a1d9da06b1b06628 |
| SHA1 | f98b118ec4fef947f1c7b9f84a8890191a11afe1 |
| SHA256 | 461a716b8327911d9c9059c4befe4dcd544e933092e5139e7955afb140b91ebc |
| SHA512 | 137d3631bbc5ec1cdf164d4d5827f36182a8ecd026928723b344ff473cd1f49c228109cdb6581fbb884bd2e7ed2f7a240ef5e2cde20ee5d4cec841e62a78ef8c |
C:\Users\Admin\AppData\Local\Temp\oYxT7IwF29rX.bat
| MD5 | c5fc4891488e0462a6233c335b537efb |
| SHA1 | b54f22b65639211187c25df76e6ac999fc57e8aa |
| SHA256 | 3f69f79ebb97bb35b80648357675d44a6982ef7ca8056193134cfefe2058e71c |
| SHA512 | aa85efba16c0615209cd0215c02ffcbd1172019f506a602aedd6962521565a1f5b995f452acb9854620dd1d9544bb55eee6788513747c9cc7f9e726d0bc4af4f |
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | 5d9e080fb1138db67ed322023e1269c8 |
| SHA1 | a7bcc37301c71b2de902f17cb52d8f6e8df4d4a7 |
| SHA256 | a2741e53b851ed3744981cbf74cff1a01e499b96f2057e2f83e84cbf21bbac38 |
| SHA512 | 681fe5829bcf07771a2f415d6dd07b02043395c5a19cff112eba812e5d790797bd114f94bbdf933d397cd16067b7b9461ef4a6a5194da5b357d808b037d9b454 |
C:\Users\Admin\AppData\Local\Temp\GCFhHqSiCAk2.bat
| MD5 | 6d09e018e667eefc7bd5a64b37a30580 |
| SHA1 | c21d1d3c883617c80301e2de71e83f0eaa8612a0 |
| SHA256 | e53cf16ae5aae848ff111df60ee4bd8a311825fc85a9b4f307257af5d247c4c7 |
| SHA512 | fc4fa3bc4b126bffbc336f9448f25ba7dee298023ef9bafd1d3253e92fd0f4bdcce274ce400073f171e381b5ff0d2be5182275c815f70738fde1a806da68da71 |
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\4m36M2Z1mMZn.bat
| MD5 | efeedd77525e6dc0f8e238fd66b07a24 |
| SHA1 | e0ec5533c6386e7a220703b16c196127892c2401 |
| SHA256 | d40eff7bd0b737a1abfaeb1923fdb2693cea990d0cc7f756076fb4e152c86c7d |
| SHA512 | cdeb40cf74393ceea073a199bedc288d94deae0ac4ef7c7a580bdf056a1904678065862c3e7420451e38a949877253af2259eef55e988d27a4b07ee825c847ed |
C:\Users\Admin\AppData\Local\Temp\M5ePEiByM3aq.bat
| MD5 | 4e4c6309618f709e031d456241fd89d2 |
| SHA1 | eee1bf97af82ad8d85d8aa1af4db7eb87bf8e510 |
| SHA256 | 91402e6e4354ebd916c155001c6513cc6cba41378686114c8be36abe7026a982 |
| SHA512 | 75870d14ebf603f17de287bda2a8addfae2ec963b18ad7ca7205eb65dc0b0a6c317d10c3399e1bfde66fe5a7e28264294d2be246070f837f7e88635626eea444 |
C:\Users\Admin\AppData\Local\Temp\Nl6QJzComgFo.bat
| MD5 | fca918401b9f049ba5b5d4539bbb417f |
| SHA1 | 2cdeb9d54acc29a51a98f4bc859673c5ec786879 |
| SHA256 | 684e02e766fa1f723388f802c7f5a15df9258467c5abcab7a483457f681220ad |
| SHA512 | 29acf29a6cccda64ce38f2d6dab7697d765cc14306c46e54e2f79f1a12f7def33d7fc192c12a684e1619872334adab6e93840c5b05e6a66279e65138a1b829e7 |
C:\Users\Admin\AppData\Local\Temp\zFEEO6QYVRFN.bat
| MD5 | 8a1864eb27efc2adc9cb8385c1a5aa59 |
| SHA1 | 086d5c385874d69d61efd52f12e982014b4e554f |
| SHA256 | b85d2a8714c8e0692720a3fb888e2b9b7bae647167977489808d821c403fcc08 |
| SHA512 | ee545f5cfd56ea8efd79973631e48f933eab7d26281d25dbef6164d78c98486ef089ab355353d6a211b35f81b0c74ef9bce200f0d7ff8114b0b09811ea26cf2b |
C:\Users\Admin\AppData\Local\Temp\vre62msT7ETw.bat
| MD5 | 2c4e01469abcda3d2f8be3c975b2c1b1 |
| SHA1 | dbac3b3509e562b4482cce37a88e58696827fc1f |
| SHA256 | e45116ddad3bb62cd63281107448497f08ddbe244758d17786023a73a1eea6bb |
| SHA512 | f729237e0192c32d03e57810540e9735db2dc1cd77ec34581f7f82b57950db5e9ec26af228a49bb902e05caf7746811c28e1edd3a9976b6ecf5f0df4814fe872 |
C:\Users\Admin\AppData\Local\Temp\PozcmBAV8PBm.bat
| MD5 | e64dc0d308f49c9746a53536f216d484 |
| SHA1 | a979f38bae858aac53fced9d2668f9ca49b2f226 |
| SHA256 | 877209995443d0994fd92680a97ada36901446db9da8ce7635ea4733be9fa5a5 |
| SHA512 | c53f6d0cd860a59cec32b5128973b7ac6b78c231c8897101574b9409e460097a5fefbe412d91f3ef4693805fa13b5f516aab5caf8154c2acb4db29b56f5f8907 |
C:\Users\Admin\AppData\Local\Temp\OzIp5HZHr4xq.bat
| MD5 | 5af9c3c41e8ff492d6967f90a3429727 |
| SHA1 | 7ebf7cb9d8e57f1475fad7793eee917cbc90a7e3 |
| SHA256 | 817c34dee11e6406da886c6658cf33c5eac072027584f28407cdbcabc5b27455 |
| SHA512 | 8575c3ac705e409c6a3fc0a2156b3cdae9d55c04f09354991ff1829b9f52b85c85806ebf47de20cfe4dfe74bee261c652fef0a8915bf93f7b400c90e0169e06f |
C:\Users\Admin\AppData\Local\Temp\emFCwOdzcvAu.bat
| MD5 | dc657d0e12fa97a9bd389305984727ff |
| SHA1 | d9c29791a8a95e870480565f3f84b1dc5e166ea2 |
| SHA256 | 629b973c02c0137e70e63c98216ceab6a40a4fdb8337e3aa14dee8e67f7f06dc |
| SHA512 | 14d25ea8b5c5b0cef6125eb8647035d133f59c9dde73520103623f305219256e7bd3a176ebbafdf6f3ccd3d71ad3b9aa30e9e5828531ff47e6d7bca1a42a6ebc |
C:\Users\Admin\AppData\Local\Temp\HiHP9q4DldIs.bat
| MD5 | b9143203b7a94e70059c4650d7b961ff |
| SHA1 | 2b1828515498e4c1aa0712cc9c338f694d5ed287 |
| SHA256 | cc14604273eccba273ada750ffa27efe4e446173f11a5bb30eb1cadb54b0f9c0 |
| SHA512 | 67f4d6197e9d85b604c9886e52c6e9689ee5b4918617ba349bdc055156a6555862c33c76a293cb347919de3dc6f92f2dd41b75505111be7e63e82d2ea4d6aa86 |
C:\Users\Admin\AppData\Local\Temp\qdVsaXL6OXkx.bat
| MD5 | 0d1ab47590f02eda93302a5d49102fe1 |
| SHA1 | f022bea6f3e8ca06a62b9cef16ef3eef1e6807f8 |
| SHA256 | ae94f8017f6a2616f668baf1c46b0cc6f1f8ea13c648e78d9bfab66b480d1144 |
| SHA512 | e417afb7f802122e175f8d841f6f786bcf5f4250ece6d89a6246558ccd1b3eae1898d3cca17b1fe9f9b37f75f2b64afefe9924d2ebc10e07ad9052f636c85a69 |
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | 3a7047bd951b00ab9ba6b39a254caebf |
| SHA1 | eeadbb7f4396e5fa78b9225099598e218343a50c |
| SHA256 | d4cb9bb0b85f4356a2d90183c442417b32c00d7c7353ed535aec3afbfd2be9ff |
| SHA512 | 7f1ee761724c41398777b878bd8334433079a35c69b00278ff48fb934e45ae009ab6b951b4d1631b1c8a9c9ce7ab739434720e59d44d1178d8c9ac86be0c5ea4 |
C:\Users\Admin\AppData\Local\Temp\V4htZBOODClq.bat
| MD5 | 6306f88530c2bcc5355f19de5bfc8a0e |
| SHA1 | e9ceb1b3159ec84b4d47128ed6409d1e6e16f9b9 |
| SHA256 | e4182c7d1cc063320e2e610a3bc03abbb5c901fe50ee45a846eb764972e71512 |
| SHA512 | ec2ab80a3902e32b2e50b3c8013439f1b9bd10a9e7ad38eb5aa9d324d974fd2bf57c1d6ba0df43043de1d5e952c030421d3f3a2d42a2671d947cd64db37a1b20 |
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
| MD5 | c4566ab89d31392e169628fb8a987849 |
| SHA1 | b007fec9df9021233be72d64444c9b25afe34496 |
| SHA256 | b65407b4595fb697e5a38c7e79c542fa420bc720845333634f1aa08ba419e409 |
| SHA512 | 54ef09441e472cdfb7a520d52d57dfbee113786783e432eb349286181becf04fe4d30808b343a7286d7735e9910cbde98320fc03d27720d6296a5f227492a034 |
C:\Users\Admin\AppData\Local\Temp\zTynRwtudKc6.bat
| MD5 | 4a63a7b087ed3ea15718b44f8f8475e2 |
| SHA1 | 2ebda307786dce19fb19bbf9c6214a0e2ef5c753 |
| SHA256 | 9f0eca872ae9980301fd4c1d3269859085fac871fc392b3887559d3e4226f784 |
| SHA512 | 0f75e46bdc7845c9ee85a056cb9729421e7ae1099f472dc33c12ff56940a0660213f8ff7bcedf6f38c7918b2607388b34e64d28eb105b2138e0c3b1ebcba7538 |
C:\Users\Admin\AppData\Local\Temp\3AFZIy44Ylyy.bat
| MD5 | abb79388ad39f0f5a34df41e53d29583 |
| SHA1 | e76c195e2f9eafe2ca28183611537e008710ca48 |
| SHA256 | 59063634bfaed2d93de52655a83077eb197f98783097ef15b3f9d2d6353f5595 |
| SHA512 | 615b925855c3c2e912f38b97e484f96a266cae6f60d47737ea8f82694cda34b859e31170ac45188cec89cb0a0c3cdf37f0de17b1df5ed781dbb0e8855eaac555 |
C:\Users\Admin\AppData\Local\Temp\vlqiAuMgekVd.bat
| MD5 | 35bd1f23e9d160e6e6bc7d46065b2738 |
| SHA1 | 048aa85a77ed0b11b2b827d9b72b6dbe0ed605ea |
| SHA256 | 3b6952074332f0ce29d11d031172493542bc14e4fa29829447456e33af235e01 |
| SHA512 | 8fe3613990257f5ed2158042240704abdc8756635a03b3ccb02c7cea657193604c39ea4b32a7a8ff3d26f70fe938923beaab3de5d1e0362f244ac8b1fc710123 |
C:\Users\Admin\AppData\Local\Temp\FZbpomZhvPPb.bat
| MD5 | ab375664a60ed4220c5a1ee08fa23853 |
| SHA1 | 3936fe2c2d4b81099f2fed0c910f55685f11f0c0 |
| SHA256 | 2ade7163e267d4e920081cc7568dfdb9dd95e27be069021adb23d73ff1269b9a |
| SHA512 | f4fd3a42456687994772df29c7c6ec8f3e94545d99ade17862d2971bd4d6669c2104c4a8ebb29b5e90f7a9a0d229978eb844e8212c7988868f93e2263b7ca4b4 |
C:\Users\Admin\AppData\Local\Temp\Hlilub8nAstZ.bat
| MD5 | 49a929be6d01a71c95420526e383a239 |
| SHA1 | 57b15788fb714ca950d675e22de0691419c99346 |
| SHA256 | 44883eb735cb305f055a9a55aed3a3dc45d6b649f4283eefff23d7837c8ca9ea |
| SHA512 | 1b6e75a75865bc8502204c35b0860a585d1c7fa8305942cf65fe841571035f2e1fe03ab5b6520fb2ce607c254e4e97483b4e8276612db7456517579e23b7782e |