quasar | 5d533976a3ac74eede22a42c2776ce3a392596b98c5ef0e6bed98b6395fb0c48

Analysis

max time kernel
296s
max time network
299s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11/06/2024, 17:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$sxr-Uni.exe
Size

349KB
MD5

1ec86aa544089409730a3777da35c70a
SHA1

b592008ecc06d47bd7170f0ad3799e114139df0f
SHA256

5d533976a3ac74eede22a42c2776ce3a392596b98c5ef0e6bed98b6395fb0c48
SHA512

fbd7a000b74f0488039aa9213d56cf464b55629c9c649bde2835216f699f51f921d417d090e7e2e0d6e7c10a07c4b767ada82a8ac45fcfc10c950163f2df9715
SSDEEP

6144:ErL3HRsM+OFZHBcFU4EljaWbrqXMxxz5A8XklSoj:6VP+MXuCJayqXMr5mlSoj

Score

10^/10

quasar slave spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.0.0

Botnet

Slave

runderscore00-63294.portmap.host:63294

Mutex

QSR_MUTEX_zImH6b2ccpa3QdeboZ

Attributes

encryption_key
Ep14qTjvhc0fuqxF9hv4
install_name
$sxr-powershell.exe
log_directory
$sxr-Logs
reconnect_delay
3000
startup_key
Powershell
subdirectory
$sxr-seroxen2

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/1328-1-0x0000000000B10000-0x0000000000B6E000-memory.dmp	family_quasar
behavioral2/files/0x0008000000022f51-12.dat	family_quasar

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe

Executes dropped EXE 14 IoCs

pid	Process
1760	$sxr-powershell.exe
1708	$sxr-powershell.exe
3668	$sxr-powershell.exe
3176	$sxr-powershell.exe
4016	$sxr-powershell.exe
4044	$sxr-powershell.exe
4952	$sxr-powershell.exe
2324	$sxr-powershell.exe
4464	$sxr-powershell.exe
4288	$sxr-powershell.exe
3996	$sxr-powershell.exe
5012	$sxr-powershell.exe
5008	$sxr-powershell.exe
1824	$sxr-powershell.exe

Looks up external IP address via web service 14 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
12	ip-api.com
30	ip-api.com
34	ip-api.com
9	api.ipify.org
14	ip-api.com
18	ip-api.com
20	ip-api.com
22	ip-api.com
28	ip-api.com
2	ip-api.com
16	ip-api.com
24	ip-api.com
26	ip-api.com
32	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 14 IoCs

pid	pid_target	Process	procid_target
3808	1760	WerFault.exe	89
1936	1708	WerFault.exe	100
4652	3668	WerFault.exe	112
3772	3176	WerFault.exe	123
2772	4016	WerFault.exe	132
4640	4044	WerFault.exe	141
4888	4952	WerFault.exe	150
1500	2324	WerFault.exe	159
1180	4464	WerFault.exe	168
4884	4288	WerFault.exe	177
2708	3996	WerFault.exe	186
4528	5012	WerFault.exe	195
1532	5008	WerFault.exe	206
4384	1824	WerFault.exe	215

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2188	schtasks.exe
1392	schtasks.exe
2012	schtasks.exe
3800	schtasks.exe
4160	schtasks.exe
1380	schtasks.exe
2732	schtasks.exe
4100	schtasks.exe
4532	schtasks.exe
4032	schtasks.exe
224	schtasks.exe
5052	schtasks.exe
2832	schtasks.exe
2672	schtasks.exe
4436	schtasks.exe

Runs ping.exe 1 TTPs 14 IoCs

Remote System Discovery

T1018

pid	Process
2044	PING.EXE
2152	PING.EXE
1748	PING.EXE
4932	PING.EXE
940	PING.EXE
3816	PING.EXE
4328	PING.EXE
3516	PING.EXE
2340	PING.EXE
1976	PING.EXE
5004	PING.EXE
552	PING.EXE
3548	PING.EXE
1560	PING.EXE

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	1328	$sxr-Uni.exe
Token: SeDebugPrivilege	1760	$sxr-powershell.exe
Token: SeDebugPrivilege	1708	$sxr-powershell.exe
Token: SeDebugPrivilege	3668	$sxr-powershell.exe
Token: SeDebugPrivilege	3176	$sxr-powershell.exe
Token: SeDebugPrivilege	4016	$sxr-powershell.exe
Token: SeDebugPrivilege	4044	$sxr-powershell.exe
Token: SeDebugPrivilege	4952	$sxr-powershell.exe
Token: SeDebugPrivilege	2324	$sxr-powershell.exe
Token: SeDebugPrivilege	4464	$sxr-powershell.exe
Token: SeDebugPrivilege	4288	$sxr-powershell.exe
Token: SeDebugPrivilege	3996	$sxr-powershell.exe
Token: SeDebugPrivilege	5012	$sxr-powershell.exe
Token: SeDebugPrivilege	5008	$sxr-powershell.exe
Token: SeDebugPrivilege	1824	$sxr-powershell.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
1760	$sxr-powershell.exe
1708	$sxr-powershell.exe
3668	$sxr-powershell.exe
3176	$sxr-powershell.exe
4016	$sxr-powershell.exe
4044	$sxr-powershell.exe
4952	$sxr-powershell.exe
2324	$sxr-powershell.exe
4464	$sxr-powershell.exe
4288	$sxr-powershell.exe
3996	$sxr-powershell.exe
5012	$sxr-powershell.exe
5008	$sxr-powershell.exe
1824	$sxr-powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1328 wrote to memory of 2188	1328	$sxr-Uni.exe	87
PID 1328 wrote to memory of 2188	1328	$sxr-Uni.exe	87
PID 1328 wrote to memory of 2188	1328	$sxr-Uni.exe	87
PID 1328 wrote to memory of 1760	1328	$sxr-Uni.exe	89
PID 1328 wrote to memory of 1760	1328	$sxr-Uni.exe	89
PID 1328 wrote to memory of 1760	1328	$sxr-Uni.exe	89
PID 1760 wrote to memory of 4100	1760	$sxr-powershell.exe	90
PID 1760 wrote to memory of 4100	1760	$sxr-powershell.exe	90
PID 1760 wrote to memory of 4100	1760	$sxr-powershell.exe	90
PID 1760 wrote to memory of 1776	1760	$sxr-powershell.exe	92
PID 1760 wrote to memory of 1776	1760	$sxr-powershell.exe	92
PID 1760 wrote to memory of 1776	1760	$sxr-powershell.exe	92
PID 1776 wrote to memory of 812	1776	cmd.exe	95
PID 1776 wrote to memory of 812	1776	cmd.exe	95
PID 1776 wrote to memory of 812	1776	cmd.exe	95
PID 1776 wrote to memory of 1748	1776	cmd.exe	97
PID 1776 wrote to memory of 1748	1776	cmd.exe	97
PID 1776 wrote to memory of 1748	1776	cmd.exe	97
PID 1776 wrote to memory of 1708	1776	cmd.exe	100
PID 1776 wrote to memory of 1708	1776	cmd.exe	100
PID 1776 wrote to memory of 1708	1776	cmd.exe	100
PID 1708 wrote to memory of 3800	1708	$sxr-powershell.exe	101
PID 1708 wrote to memory of 3800	1708	$sxr-powershell.exe	101
PID 1708 wrote to memory of 3800	1708	$sxr-powershell.exe	101
PID 1708 wrote to memory of 3324	1708	$sxr-powershell.exe	103
PID 1708 wrote to memory of 3324	1708	$sxr-powershell.exe	103
PID 1708 wrote to memory of 3324	1708	$sxr-powershell.exe	103
PID 3324 wrote to memory of 4228	3324	cmd.exe	106
PID 3324 wrote to memory of 4228	3324	cmd.exe	106
PID 3324 wrote to memory of 4228	3324	cmd.exe	106
PID 3324 wrote to memory of 1976	3324	cmd.exe	108
PID 3324 wrote to memory of 1976	3324	cmd.exe	108
PID 3324 wrote to memory of 1976	3324	cmd.exe	108
PID 3324 wrote to memory of 3668	3324	cmd.exe	112
PID 3324 wrote to memory of 3668	3324	cmd.exe	112
PID 3324 wrote to memory of 3668	3324	cmd.exe	112
PID 3668 wrote to memory of 1392	3668	$sxr-powershell.exe	113
PID 3668 wrote to memory of 1392	3668	$sxr-powershell.exe	113
PID 3668 wrote to memory of 1392	3668	$sxr-powershell.exe	113
PID 3668 wrote to memory of 4440	3668	$sxr-powershell.exe	116
PID 3668 wrote to memory of 4440	3668	$sxr-powershell.exe	116
PID 3668 wrote to memory of 4440	3668	$sxr-powershell.exe	116
PID 4440 wrote to memory of 2104	4440	cmd.exe	119
PID 4440 wrote to memory of 2104	4440	cmd.exe	119
PID 4440 wrote to memory of 2104	4440	cmd.exe	119
PID 4440 wrote to memory of 5004	4440	cmd.exe	121
PID 4440 wrote to memory of 5004	4440	cmd.exe	121
PID 4440 wrote to memory of 5004	4440	cmd.exe	121
PID 4440 wrote to memory of 3176	4440	cmd.exe	123
PID 4440 wrote to memory of 3176	4440	cmd.exe	123
PID 4440 wrote to memory of 3176	4440	cmd.exe	123
PID 3176 wrote to memory of 4532	3176	$sxr-powershell.exe	124
PID 3176 wrote to memory of 4532	3176	$sxr-powershell.exe	124
PID 3176 wrote to memory of 4532	3176	$sxr-powershell.exe	124
PID 3176 wrote to memory of 796	3176	$sxr-powershell.exe	126
PID 3176 wrote to memory of 796	3176	$sxr-powershell.exe	126
PID 3176 wrote to memory of 796	3176	$sxr-powershell.exe	126
PID 796 wrote to memory of 1500	796	cmd.exe	130
PID 796 wrote to memory of 1500	796	cmd.exe	130
PID 796 wrote to memory of 1500	796	cmd.exe	130
PID 796 wrote to memory of 552	796	cmd.exe	131
PID 796 wrote to memory of 552	796	cmd.exe	131
PID 796 wrote to memory of 552	796	cmd.exe	131
PID 796 wrote to memory of 4016	796	cmd.exe	132

C:\Users\Admin\AppData\Local\Temp\$sxr-Uni.exe
"C:\Users\Admin\AppData\Local\Temp\$sxr-Uni.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1328
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\$sxr-Uni.exe" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:2188
- C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
  "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1760
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:4100
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iKgPWDyOj2SG.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1776
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:812
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 10 localhost
      4⤵
      Runs ping.exe
      PID:1748
  - - C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
      "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1708
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
        5⤵
        Creates scheduled task(s)
        
        PID:3800
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\z8Ow72fXvUIY.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3324
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        
        PID:4228
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        6⤵
        Runs ping.exe
        
        PID:1976
      - C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
        
        "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3668
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
        7⤵
        Creates scheduled task(s)
        
        PID:1392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FrMxqg2uh3SH.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4440
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        8⤵
        Runs ping.exe
        
        PID:5004
        
        C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
        
        "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3176
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
        9⤵
        Creates scheduled task(s)
        
        PID:4532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GzjO3JFEVcGf.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:796
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        10⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        10⤵
        Runs ping.exe
        
        PID:552
        
        C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
        
        "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4016
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
        11⤵
        Creates scheduled task(s)
        
        PID:4160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\puxrT0W78Whk.bat" "
        11⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        12⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        12⤵
        Runs ping.exe
        
        PID:3548
        
        C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
        
        "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4044
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
        13⤵
        Creates scheduled task(s)
        
        PID:1380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JJEmLl1dYeY0.bat" "
        13⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        14⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        14⤵
        Runs ping.exe
        
        PID:4932
        
        C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
        
        "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4952
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
        15⤵
        Creates scheduled task(s)
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KRbDYOFwMDMN.bat" "
        15⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        16⤵
        Runs ping.exe
        
        PID:940
        
        C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
        
        "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2324
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
        17⤵
        Creates scheduled task(s)
        
        PID:2012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qL1wCLMXTJ6Y.bat" "
        17⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        18⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        18⤵
        Runs ping.exe
        
        PID:1560
        
        C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
        
        "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4464
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
        19⤵
        Creates scheduled task(s)
        
        PID:4032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rTPNPyZqHsuw.bat" "
        19⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        20⤵
        Runs ping.exe
        
        PID:2340
        
        C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
        
        "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4288
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
        21⤵
        Creates scheduled task(s)
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QOdqqgrkumM0.bat" "
        21⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        22⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        22⤵
        Runs ping.exe
        
        PID:3816
        
        C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
        
        "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3996
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
        23⤵
        Creates scheduled task(s)
        
        PID:224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\b7W4HCLXrp7g.bat" "
        23⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        24⤵
        
        PID:924
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        24⤵
        Runs ping.exe
        
        PID:4328
        
        C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
        
        "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:5012
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
        25⤵
        Creates scheduled task(s)
        
        PID:5052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oLZ7UuSPVplG.bat" "
        25⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        26⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        26⤵
        Runs ping.exe
        
        PID:2044
        
        C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
        
        "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:5008
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
        27⤵
        Creates scheduled task(s)
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\s2qtLwdZRF88.bat" "
        27⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        28⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        28⤵
        Runs ping.exe
        
        PID:3516
        
        C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
        
        "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1824
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
        29⤵
        Creates scheduled task(s)
        
        PID:4436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ALRBDbFX1w8B.bat" "
        29⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        30⤵
        
        PID:452
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        30⤵
        Runs ping.exe
        
        PID:2152
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1824 -s 1092
        29⤵
        Program crash
        
        PID:4384
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5008 -s 2228
        27⤵
        Program crash
        
        PID:1532
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 940
        25⤵
        Program crash
        
        PID:4528
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 1092
        23⤵
        Program crash
        
        PID:2708
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4288 -s 1096
        21⤵
        Program crash
        
        PID:4884
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 932
        19⤵
        Program crash
        
        PID:1180
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 932
        17⤵
        Program crash
        
        PID:1500
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 2200
        15⤵
        Program crash
        
        PID:4888
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 1092
        13⤵
        Program crash
        
        PID:4640
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4016 -s 2224
        11⤵
        Program crash
        
        PID:2772
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3176 -s 2140
        9⤵
        Program crash
        
        PID:3772
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3668 -s 1632
        7⤵
        Program crash
        
        PID:4652
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 2172
        5⤵
        Program crash
        
        PID:1936
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 2124
    3⤵
    - Program crash
    PID:3808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1760 -ip 1760
1⤵
PID:1528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1708 -ip 1708
1⤵
PID:3752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3668 -ip 3668
1⤵
PID:2768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3176 -ip 3176
1⤵
PID:4056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4016 -ip 4016
1⤵
PID:4700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4044 -ip 4044
1⤵
PID:3752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4952 -ip 4952
1⤵
PID:4752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2324 -ip 2324
1⤵
PID:4588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4464 -ip 4464
1⤵
PID:1676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4288 -ip 4288
1⤵
PID:4716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3996 -ip 3996
1⤵
PID:4948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 5012 -ip 5012
1⤵
PID:4476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5008 -ip 5008
1⤵
PID:3104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1824 -ip 1824
1⤵
PID:5116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ALRBDbFX1w8B.bat

Filesize
223B

MD5
b34fd498f5d8eff45c68760666a63b77

SHA1
dd277ace2c5fa5db1c54256fc780e4723ec553cc

SHA256
5cd6ab748ec535bf45336686dfeefa98e768f40698a6bc0833f908681777cbdb

SHA512
c0c51c701f6435dc2a95ee7c85a1f80e9cb9fce0de4a06baea291fe71dc13f9d5d21a4e6489b6a93b327e1e012bb4cc10f666a952388bd290e60265a3a0125e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\FrMxqg2uh3SH.bat

Filesize
223B

MD5
c8352559e8354a7bf1072eeba68665dd

SHA1
65f5593a8c19d7048a6fc35194ab92fea7771d2e

SHA256
450109d2d2ba286cf92e8378cd75582d622ba849f415c2c311a0b3da3e34b5f3

SHA512
9e5710a158f803cd92e84dcf02b8c1fdfdbd3006a96214b3e364cfce289e2c00c5bfae962998ebc74c5cdad27b3c197c35261adcccda3837ed593a64a42c29b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\GzjO3JFEVcGf.bat

Filesize
223B

MD5
5fdb483e61f1187d4981eb57842b50c4

SHA1
bdb0d6b61ee0fdfa0d73a0455fad32ee92e59c50

SHA256
12872401aeebeaf4d827e93fe051d1197dcda2bf323ceccec746cec096f8a17c

SHA512
4e9c8166ef4cc2b9f23ebe28f8133bbff28e637742d7715318929872c208e4699e1c1f152a45e0cb1fb1fb5760debc37a5f7926758078b0aa4cdb244a81abe15

Download Submit
C:\Users\Admin\AppData\Local\Temp\JJEmLl1dYeY0.bat

Filesize
223B

MD5
0309ce612f4d8325cec881106e90544d

SHA1
31a74ae709ca573718de2f196044b633706b5373

SHA256
0e455f2678335a73531de11a5ce8e26288d7ec734b23833f457b7ecba0eae0c8

SHA512
118d79eb4ef4bde18268e05a5e5cebae4b7182fe0fde42a547350b2fb26224ff096b636d6cff58dbe7bdd9cb53dbd98a132f538681e6148204f4664114132b53

Download Submit
C:\Users\Admin\AppData\Local\Temp\KRbDYOFwMDMN.bat

Filesize
223B

MD5
b1cbf0e842aea59685d5d7e1699c3154

SHA1
0f8a38c5c516b39d64373a0d0c839d15ef2ad187

SHA256
93fc7d436017a9900c5ca3dd140a1ee90ab183d2a4f4c716e7d67b33f0c22b9b

SHA512
e0dc3e41f7c7a07ccda98aff8ee69c9b792b8bdbb44b5c79a832a42048b2260627b93815274bfa55872a995d4d02333938b7bed228fcd7dd3a1308817bc0b96f

Download Submit
C:\Users\Admin\AppData\Local\Temp\QOdqqgrkumM0.bat

Filesize
223B

MD5
fc6c22ed86e41a76d5aad3621b868203

SHA1
7928ec064ee8d72c6e507a8ecc0bf4e0f589647d

SHA256
4e8d5f89a70e83bb3841431d9679250cc136d97c03f46de50e456a67fc5a1941

SHA512
4480ec9e49039d9ee25f0d436d7662275c99bdeb7d291deb35c2f6eea5cfc7be2d0bd3e5ce66ab8dd46a8b00dbdb84f0991b8f1554dea64d3f37ba3997b0d3ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\b7W4HCLXrp7g.bat

Filesize
223B

MD5
d834374033729b1c8a8f6427433f0121

SHA1
e7a2ebfab58b28949d145540899899cd8636efaf

SHA256
0a0b7d7bc5dfe135cdee7221061019916472c1eedfe208aa85afa403214fe61d

SHA512
0211e5c954e39aa75ee087814195000f39468e5e8dd33459b4484a694ccc43d960e4bef9ecf636cb98d25b06155f2a204c9bbffc10064327aab3e152ee7c4f38

Download Submit
C:\Users\Admin\AppData\Local\Temp\iKgPWDyOj2SG.bat

Filesize
223B

MD5
b7f93ff597e87af6cb994851805aad7f

SHA1
2fde0b8ccbdb65f3f0847fc67bc976b739c9f25b

SHA256
0dfc1ced8475ae24f1279779d14751e13a0d04f3009fc4021b4418b03e7f402c

SHA512
ae93b3bbf4eb5d2f091d3a652a76d899ea4947999fabb33ce10049fe6183c798a8d1c11f0d22e6717142f909a9891db4d0974313355a27774b9856c5c77ac470

Download Submit
C:\Users\Admin\AppData\Local\Temp\oLZ7UuSPVplG.bat

Filesize
223B

MD5
9ecaef9f4fd2340e68b3ec47865c7305

SHA1
3d46c59d710dbaf183639c7e8fddffa249677c58

SHA256
eb6f60d41284e203bb0f063eec5157271fd0e736d56c58c39b1eace68adf4bdc

SHA512
7eed327958ec0b37afa3f678810b18fe8af7f85ebe58150b349752dff2cb3170aa74ed61c930bda73f7fe610acc945a447b517c2a3818538de61e14306b70bf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\puxrT0W78Whk.bat

Filesize
223B

MD5
e372e7120b7c2a8db301102dc4169004

SHA1
2fe0017d99e91db29f73c1a3900d7a37fb7d0698

SHA256
5689026a4d0d94ff1eeec47d60d98fbd6c6e66c92ae5bf603d6b63a435bef1f4

SHA512
b39dfd82ded24001622a7b1083be2bbb1a9a37d5cda3fc67e5fb9303c2a38bf9a1c5856f3e187f1631b24aad88a90a2dfe0a49ef5dc17aee80d30156a2fc9227

Download Submit
C:\Users\Admin\AppData\Local\Temp\qL1wCLMXTJ6Y.bat

Filesize
223B

MD5
c504ea0fdd18fbd3c915ba47bff64a8a

SHA1
cd3424db2a7cd4664625fa7b300b828e486001cc

SHA256
d1b4ea33b344ad3b2294efa43599366e827d45436c0b48520acacbd054cbd21e

SHA512
cdd3dace92b7110a9d392bc5360c70f19c5e3b5a95163ee2a2a2f828a3eff015b2afc951db4930abe9db47591c7b877239f26867389ab82af14aee2670b7c190

Download Submit
C:\Users\Admin\AppData\Local\Temp\rTPNPyZqHsuw.bat

Filesize
223B

MD5
ab68f9660e97d462d1cfa8b677437d7c

SHA1
0a09575f791b9f8f8203c7b2054a702b4b22f07b

SHA256
aa141510df65aab8c4b62fc5f35d73dfbdb824d6bcd820c332de0fbc324395f1

SHA512
d971ff5e915db65ba0a6db79db29e0baffba514890d86172a69c231f191af3ddbcff3c74ccc1b9af267b37a07b630b7219c1f64e24ab5898ae2b63d6143dff99

Download Submit
C:\Users\Admin\AppData\Local\Temp\s2qtLwdZRF88.bat

Filesize
223B

MD5
94b2fdf1802f6e53c7c7ea3cd18ef087

SHA1
9be4c3cbb3a534cef00b3a36714ccbb8f33f92ce

SHA256
85d14513bf0869a6fc0bfc553b7e1eab09277a95a626b5c4da3baa1398eb0d2e

SHA512
d6561f4ad9ca6ddb79ce22faa2cf43cb118304837a0ce18d1abf7a35792c6b406359823be02cafbe74bb3bac7e988f23fbdda1284011a8b5cc012a01f1693f72

Download Submit
C:\Users\Admin\AppData\Local\Temp\z8Ow72fXvUIY.bat

Filesize
223B

MD5
cfacdd2f48c7cb7644be47876f237ba4

SHA1
5cb82161a14a100ab12c84425ec7368bbb0a7d65

SHA256
80bc2bd7a211504c896d58297b754d8219732dd06cbc160680b04f4d95fc5fc6

SHA512
0215bdbcb384e49dba718184d51c77631ca87497271c270789b4189fd87f2cf278e133f7d30364f77f1e78be0e1a544f782db1f68012e8a59d58d79294583db0

Download Submit
C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-11-2024

Filesize
224B

MD5
5d6d2012844d0b4fbf0788cea3c58be1

SHA1
7cf362355522c1898e2adbaa4c3c03d51cb2c7eb

SHA256
cad2af09bad740a380278fca5f5af5a841b361d06b3a0655ac3754cacc98a1d9

SHA512
92144286878e5dc84556af6c2eeaaa7e3f5f8afd2c9ca7dd41508772600243196c8738aae428ca605712100004561a0b90c4ac56993a996827e8d57daf94eb31

Download Submit
C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-11-2024

Filesize
224B

MD5
cac5ef81f2115e2f54acbda0b1c11f4e

SHA1
fe57978906f50fec19d1ba6d6d634e234eabbabf

SHA256
791f4f7d77e7061f495ae3270888ab5a098e1f78ad46d99f020bfb122ca5fbd6

SHA512
3630fbd03bd404c5d0e8276c93bdd44e508725996cb8d44e5880ee8606433bbf8f553ada867af4c779affd778d6f0298f9ebfeb47618a27bd856f8a33bbe461c

Download Submit
C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-11-2024

Filesize
224B

MD5
dca05ff9581feec28c6840c81a0da44a

SHA1
0c83850e346430270e4993fd146a16d5b3b7b92c

SHA256
03ac9cd06d0cdc9bd223ece7f730211118163965a6fa5bf45aa6c2701774f3e3

SHA512
789c1c52a024de48002b38f63c1900dcc91581bcb6b85b99c2e98c4efba1f700f0f0e70a2b7af79aeb09f9218ce27c45327957ea937b5cf1d370cb9aa0da346b

Download Submit
C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-11-2024

Filesize
224B

MD5
075c118059b5f856e4f994df14cd7b1d

SHA1
e0c6d7c3400c271b18ba19fb6308502d494a1136

SHA256
c5f8036717ecc9768dff59000dd742edf3b217e86657264366f29a48e652e4f4

SHA512
2ab06821108e10683013d7d336622c7272ba0d7526dad9c564f905b546ab82e93810303a6b58e180b0648f88a0cc61ee4ed6501d7e18d6984e10c268fb2b98fe

Download Submit
C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-11-2024

Filesize
224B

MD5
533b1cac4fb24c73b551961a633a306a

SHA1
1d80984c90304618fb5d8c3d7df586dfba503a6a

SHA256
ab4e4b563850fff4705a2b96ad5f3261ca6b1c5800e73c5be7cfa86729b3e6dd

SHA512
a2103bba25eeac18af5d25f8b8f2b22c23d4dcd03522d36272239afeeb5bd6c93996f82290ebbf42a4e483fe74f98eb800894ca214835fc6f401c8c8a17ee754

Download Submit
C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-11-2024

Filesize
224B

MD5
631dc9da6e27d62aed35ab21485b975b

SHA1
0d995a222b8d8027d3731cff644471e7a0aa9ea7

SHA256
a9d54fdbccd167e6945301be0d509226b35d118e653dbd9c22c7fead9508548c

SHA512
b65e08bd342020e64294ebeebab3c7f3f562fff504709abff22373f3445f57effb68502040fe65d7de64c1c3ad52358d263ae7fd63b042c6c5b1616eded004cd

Download Submit
C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-11-2024

Filesize
224B

MD5
e080a3a3c8f4e6aa71e929cb633abf5b

SHA1
e4f62e253210859f4559a8a60d626593a94b0b41

SHA256
b0addb81caa2bdf8a7a13a7b3ecb28659b7ffcc1ba79b93d285d26b8651ab502

SHA512
cfeb75ea3f7ed2fd21c6f42fab2511e98b619c5dd874cf9285abd3127cac58de0c91563354415602870bcf613794faa4be43efd5c443625abf196ef96925e7a2

Download Submit
C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-11-2024

Filesize
224B

MD5
4b3b6cc557f0ab4138672749d9316a3e

SHA1
25e9511f256db947eb3b25b4913a224b4c4d9d12

SHA256
6ab9d59d783095087b1629c7bad89302057ef0cce72cd8a7f4a476d60efa52ea

SHA512
c296a58dec0b626e8c03a845c7ffe4b6b108864ed7d8464ca9029af9cc3aaf7f81d7773a654acdeb597194e3e223912df3494d401254424686071a67104aa9cd

Download Submit
C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-11-2024

Filesize
224B

MD5
e1188c9ad3bff0b9142d8c4538332c6e

SHA1
31fc634d1830783a2e38ae81e0dddcc9d49b7653

SHA256
5eb51cf4c84d87b7884babd06495924a6fc4f5eb4e15da848ee2c449d02dec63

SHA512
fedcb446f8ca8bbc000778dab56b786dd40e676afcd05a515cfe476f5bb0cd926a9695976ca1e1275fe9a91d187bb70a6c147b0d392c87fd51d25d69470aee23

Download Submit
C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-11-2024

Filesize
224B

MD5
7a51d829c5547a776a89ca71fd868c4c

SHA1
44bf718881ae44006e755af7d6f43570659f85ac

SHA256
b1b301450193480824fd1ffb468ad4dc6b0190b1f941198260d5a8ab8e713e8b

SHA512
cda06b4cb9957768d2a6c520d6841cd3a26a860739445c045d9da7424ef35889e3fefc7194c8d620dd8fc708934dc9538b070274fb400a6f8f7ec58809c4155a

Download Submit
C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-11-2024

Filesize
224B

MD5
33043f375224f96fb87c229cefc198a2

SHA1
e5056194a8f82a3cf25693208ef334fdd78a048f

SHA256
43aab969fbbe796db4391affe3c5b1047c609fcd36450107b993b3e78efebec8

SHA512
0cb95c30f25109c7f6b458e855ae91480b3cbfaf35924b33eb8cf3bba7c23e998f26c5e9a650b73aeba579256a29be25e40a33b563b587f71b52ca3176860047

Download Submit
C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-11-2024

Filesize
224B

MD5
f6bde53fe1586f64097414c51a46a3c8

SHA1
fdb744c8054d71c3545a547bdf3374fbb4a1146c

SHA256
346b7236f4f1dd1016e60d44d8b7c451c0866876ef92aec52eb8418558f56848

SHA512
10d56f1a77f9ffa4ba61e27715f4376c5964dda9e0397a498cf1e45a04c90e797677a02b410a5033d1d4582b7376b61109092e098b03e546ad3bd744962e8476

Download Submit
C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-11-2024

Filesize
224B

MD5
11ad563027075389e695e819f7063b12

SHA1
5a92a4aa705fa9cdb05afd2eed3953903a2d9bc2

SHA256
353ea527a189e5aa1dc78349b984d4ae6105d45d5149d4e2cd98f0776f06e102

SHA512
6c540f20eb7bb586f1a838323aa756fa64127d8c49b47e7977f933aaf9dde4744b0ea9f2f3ee163b5a1f29ae9bef323e54c44134d09c3d7166f21b1d4295a886

Download Submit
C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

Filesize
349KB

MD5
1ec86aa544089409730a3777da35c70a

SHA1
b592008ecc06d47bd7170f0ad3799e114139df0f

SHA256
5d533976a3ac74eede22a42c2776ce3a392596b98c5ef0e6bed98b6395fb0c48

SHA512
fbd7a000b74f0488039aa9213d56cf464b55629c9c649bde2835216f699f51f921d417d090e7e2e0d6e7c10a07c4b767ada82a8ac45fcfc10c950163f2df9715

Download Submit
memory/1328-7-0x0000000074BAE000-0x0000000074BAF000-memory.dmp

Filesize
4KB

Download
memory/1328-4-0x0000000074BA0000-0x0000000075350000-memory.dmp

Filesize
7.7MB

Download
memory/1328-0-0x0000000074BAE000-0x0000000074BAF000-memory.dmp

Filesize
4KB

Download
memory/1328-8-0x0000000074BA0000-0x0000000075350000-memory.dmp

Filesize
7.7MB

Download
memory/1328-1-0x0000000000B10000-0x0000000000B6E000-memory.dmp

Filesize
376KB

Download
memory/1328-2-0x0000000005BF0000-0x0000000006194000-memory.dmp

Filesize
5.6MB

Download
memory/1328-3-0x0000000005540000-0x00000000055D2000-memory.dmp

Filesize
584KB

Download
memory/1328-6-0x00000000063E0000-0x00000000063F2000-memory.dmp

Filesize
72KB

Download
memory/1328-15-0x0000000074BA0000-0x0000000075350000-memory.dmp

Filesize
7.7MB

Download
memory/1328-5-0x00000000056B0000-0x0000000005716000-memory.dmp

Filesize
408KB

Download
memory/1760-24-0x0000000074BA0000-0x0000000075350000-memory.dmp

Filesize
7.7MB

Download
memory/1760-19-0x0000000006080000-0x000000000608A000-memory.dmp

Filesize
40KB

Download
memory/1760-16-0x0000000074BA0000-0x0000000075350000-memory.dmp

Filesize
7.7MB

Download
memory/1760-17-0x0000000074BA0000-0x0000000075350000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads