Malware Analysis Report

2024-08-06 11:44

Sample ID 240611-vrrk4svdjp
Target $sxr-Uni.exe
SHA256 5d533976a3ac74eede22a42c2776ce3a392596b98c5ef0e6bed98b6395fb0c48
Tags
quasar slave spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5d533976a3ac74eede22a42c2776ce3a392596b98c5ef0e6bed98b6395fb0c48

Threat Level: Known bad

The file $sxr-Uni.exe was found to be: Known bad.

Malicious Activity Summary

quasar slave spyware trojan

Quasar payload

Quasar RAT

Quasar family

Checks computer location settings

Executes dropped EXE

Looks up external IP address via web service

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Scheduled Task/Job
T1053
Persistence
TA0003
Scheduled Task/Job
T1053
Privilege Escalation
TA0004
Scheduled Task/Job
T1053
Defense Evasion
TA0005
Credential Access
TA0006
Discovery
TA0007
Query Registry
T1012
System Information Discovery
T1082
Remote System Discovery
T1018
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-11 17:13

Signatures

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-11 17:13

Reported

2024-06-11 17:18

Platform

win10v2004-20240508-en

Max time kernel

296s

Max time network

299s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$sxr-Uni.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A api.ipify.org N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\$sxr-Uni.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1328 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\$sxr-Uni.exe C:\Windows\SysWOW64\schtasks.exe
PID 1328 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\$sxr-Uni.exe C:\Windows\SysWOW64\schtasks.exe
PID 1328 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\$sxr-Uni.exe C:\Windows\SysWOW64\schtasks.exe
PID 1328 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\$sxr-Uni.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
PID 1328 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\$sxr-Uni.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
PID 1328 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\$sxr-Uni.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
PID 1760 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe C:\Windows\SysWOW64\schtasks.exe
PID 1760 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe C:\Windows\SysWOW64\schtasks.exe
PID 1760 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe C:\Windows\SysWOW64\schtasks.exe
PID 1760 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1760 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1760 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1776 wrote to memory of 812 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1776 wrote to memory of 812 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1776 wrote to memory of 812 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1776 wrote to memory of 1748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1776 wrote to memory of 1748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1776 wrote to memory of 1748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1776 wrote to memory of 1708 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
PID 1776 wrote to memory of 1708 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
PID 1776 wrote to memory of 1708 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
PID 1708 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe C:\Windows\SysWOW64\schtasks.exe
PID 1708 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe C:\Windows\SysWOW64\schtasks.exe
PID 1708 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe C:\Windows\SysWOW64\schtasks.exe
PID 1708 wrote to memory of 3324 N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1708 wrote to memory of 3324 N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1708 wrote to memory of 3324 N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3324 wrote to memory of 4228 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3324 wrote to memory of 4228 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3324 wrote to memory of 4228 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3324 wrote to memory of 1976 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3324 wrote to memory of 1976 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3324 wrote to memory of 1976 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3324 wrote to memory of 3668 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
PID 3324 wrote to memory of 3668 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
PID 3324 wrote to memory of 3668 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
PID 3668 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe C:\Windows\SysWOW64\schtasks.exe
PID 3668 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe C:\Windows\SysWOW64\schtasks.exe
PID 3668 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe C:\Windows\SysWOW64\schtasks.exe
PID 3668 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3668 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3668 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 4440 wrote to memory of 2104 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4440 wrote to memory of 2104 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4440 wrote to memory of 2104 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4440 wrote to memory of 5004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4440 wrote to memory of 5004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4440 wrote to memory of 5004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4440 wrote to memory of 3176 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
PID 4440 wrote to memory of 3176 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
PID 4440 wrote to memory of 3176 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
PID 3176 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe C:\Windows\SysWOW64\schtasks.exe
PID 3176 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe C:\Windows\SysWOW64\schtasks.exe
PID 3176 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe C:\Windows\SysWOW64\schtasks.exe
PID 3176 wrote to memory of 796 N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3176 wrote to memory of 796 N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3176 wrote to memory of 796 N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 796 wrote to memory of 1500 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 796 wrote to memory of 1500 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 796 wrote to memory of 1500 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 796 wrote to memory of 552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 796 wrote to memory of 552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 796 wrote to memory of 552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 796 wrote to memory of 4016 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\$sxr-Uni.exe

"C:\Users\Admin\AppData\Local\Temp\$sxr-Uni.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\$sxr-Uni.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iKgPWDyOj2SG.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1760 -ip 1760

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 2124

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\z8Ow72fXvUIY.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1708 -ip 1708

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 2172

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FrMxqg2uh3SH.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3668 -ip 3668

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3668 -s 1632

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GzjO3JFEVcGf.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3176 -ip 3176

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3176 -s 2140

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\puxrT0W78Whk.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4016 -ip 4016

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4016 -s 2224

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JJEmLl1dYeY0.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4044 -ip 4044

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 1092

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KRbDYOFwMDMN.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4952 -ip 4952

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 2200

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qL1wCLMXTJ6Y.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2324 -ip 2324

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 932

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rTPNPyZqHsuw.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4464 -ip 4464

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 932

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QOdqqgrkumM0.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4288 -ip 4288

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4288 -s 1096

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\b7W4HCLXrp7g.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3996 -ip 3996

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 1092

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oLZ7UuSPVplG.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 5012 -ip 5012

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 940

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\s2qtLwdZRF88.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5008 -ip 5008

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5008 -s 2228

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ALRBDbFX1w8B.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1824 -ip 1824

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1824 -s 1092

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 api.ipify.org udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp

Files

memory/1328-0-0x0000000074BAE000-0x0000000074BAF000-memory.dmp

memory/1328-1-0x0000000000B10000-0x0000000000B6E000-memory.dmp

memory/1328-2-0x0000000005BF0000-0x0000000006194000-memory.dmp

memory/1328-3-0x0000000005540000-0x00000000055D2000-memory.dmp

memory/1328-4-0x0000000074BA0000-0x0000000075350000-memory.dmp

memory/1328-5-0x00000000056B0000-0x0000000005716000-memory.dmp

memory/1328-6-0x00000000063E0000-0x00000000063F2000-memory.dmp

memory/1328-7-0x0000000074BAE000-0x0000000074BAF000-memory.dmp

memory/1328-8-0x0000000074BA0000-0x0000000075350000-memory.dmp

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

MD5 1ec86aa544089409730a3777da35c70a
SHA1 b592008ecc06d47bd7170f0ad3799e114139df0f
SHA256 5d533976a3ac74eede22a42c2776ce3a392596b98c5ef0e6bed98b6395fb0c48
SHA512 fbd7a000b74f0488039aa9213d56cf464b55629c9c649bde2835216f699f51f921d417d090e7e2e0d6e7c10a07c4b767ada82a8ac45fcfc10c950163f2df9715

memory/1328-15-0x0000000074BA0000-0x0000000075350000-memory.dmp

memory/1760-16-0x0000000074BA0000-0x0000000075350000-memory.dmp

memory/1760-17-0x0000000074BA0000-0x0000000075350000-memory.dmp

memory/1760-19-0x0000000006080000-0x000000000608A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iKgPWDyOj2SG.bat

MD5 b7f93ff597e87af6cb994851805aad7f
SHA1 2fde0b8ccbdb65f3f0847fc67bc976b739c9f25b
SHA256 0dfc1ced8475ae24f1279779d14751e13a0d04f3009fc4021b4418b03e7f402c
SHA512 ae93b3bbf4eb5d2f091d3a652a76d899ea4947999fabb33ce10049fe6183c798a8d1c11f0d22e6717142f909a9891db4d0974313355a27774b9856c5c77ac470

memory/1760-24-0x0000000074BA0000-0x0000000075350000-memory.dmp

C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-11-2024

MD5 dca05ff9581feec28c6840c81a0da44a
SHA1 0c83850e346430270e4993fd146a16d5b3b7b92c
SHA256 03ac9cd06d0cdc9bd223ece7f730211118163965a6fa5bf45aa6c2701774f3e3
SHA512 789c1c52a024de48002b38f63c1900dcc91581bcb6b85b99c2e98c4efba1f700f0f0e70a2b7af79aeb09f9218ce27c45327957ea937b5cf1d370cb9aa0da346b

C:\Users\Admin\AppData\Local\Temp\z8Ow72fXvUIY.bat

MD5 cfacdd2f48c7cb7644be47876f237ba4
SHA1 5cb82161a14a100ab12c84425ec7368bbb0a7d65
SHA256 80bc2bd7a211504c896d58297b754d8219732dd06cbc160680b04f4d95fc5fc6
SHA512 0215bdbcb384e49dba718184d51c77631ca87497271c270789b4189fd87f2cf278e133f7d30364f77f1e78be0e1a544f782db1f68012e8a59d58d79294583db0

C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-11-2024

MD5 075c118059b5f856e4f994df14cd7b1d
SHA1 e0c6d7c3400c271b18ba19fb6308502d494a1136
SHA256 c5f8036717ecc9768dff59000dd742edf3b217e86657264366f29a48e652e4f4
SHA512 2ab06821108e10683013d7d336622c7272ba0d7526dad9c564f905b546ab82e93810303a6b58e180b0648f88a0cc61ee4ed6501d7e18d6984e10c268fb2b98fe

C:\Users\Admin\AppData\Local\Temp\FrMxqg2uh3SH.bat

MD5 c8352559e8354a7bf1072eeba68665dd
SHA1 65f5593a8c19d7048a6fc35194ab92fea7771d2e
SHA256 450109d2d2ba286cf92e8378cd75582d622ba849f415c2c311a0b3da3e34b5f3
SHA512 9e5710a158f803cd92e84dcf02b8c1fdfdbd3006a96214b3e364cfce289e2c00c5bfae962998ebc74c5cdad27b3c197c35261adcccda3837ed593a64a42c29b5

C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-11-2024

MD5 533b1cac4fb24c73b551961a633a306a
SHA1 1d80984c90304618fb5d8c3d7df586dfba503a6a
SHA256 ab4e4b563850fff4705a2b96ad5f3261ca6b1c5800e73c5be7cfa86729b3e6dd
SHA512 a2103bba25eeac18af5d25f8b8f2b22c23d4dcd03522d36272239afeeb5bd6c93996f82290ebbf42a4e483fe74f98eb800894ca214835fc6f401c8c8a17ee754

C:\Users\Admin\AppData\Local\Temp\GzjO3JFEVcGf.bat

MD5 5fdb483e61f1187d4981eb57842b50c4
SHA1 bdb0d6b61ee0fdfa0d73a0455fad32ee92e59c50
SHA256 12872401aeebeaf4d827e93fe051d1197dcda2bf323ceccec746cec096f8a17c
SHA512 4e9c8166ef4cc2b9f23ebe28f8133bbff28e637742d7715318929872c208e4699e1c1f152a45e0cb1fb1fb5760debc37a5f7926758078b0aa4cdb244a81abe15

C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-11-2024

MD5 631dc9da6e27d62aed35ab21485b975b
SHA1 0d995a222b8d8027d3731cff644471e7a0aa9ea7
SHA256 a9d54fdbccd167e6945301be0d509226b35d118e653dbd9c22c7fead9508548c
SHA512 b65e08bd342020e64294ebeebab3c7f3f562fff504709abff22373f3445f57effb68502040fe65d7de64c1c3ad52358d263ae7fd63b042c6c5b1616eded004cd

C:\Users\Admin\AppData\Local\Temp\puxrT0W78Whk.bat

MD5 e372e7120b7c2a8db301102dc4169004
SHA1 2fe0017d99e91db29f73c1a3900d7a37fb7d0698
SHA256 5689026a4d0d94ff1eeec47d60d98fbd6c6e66c92ae5bf603d6b63a435bef1f4
SHA512 b39dfd82ded24001622a7b1083be2bbb1a9a37d5cda3fc67e5fb9303c2a38bf9a1c5856f3e187f1631b24aad88a90a2dfe0a49ef5dc17aee80d30156a2fc9227

C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-11-2024

MD5 e080a3a3c8f4e6aa71e929cb633abf5b
SHA1 e4f62e253210859f4559a8a60d626593a94b0b41
SHA256 b0addb81caa2bdf8a7a13a7b3ecb28659b7ffcc1ba79b93d285d26b8651ab502
SHA512 cfeb75ea3f7ed2fd21c6f42fab2511e98b619c5dd874cf9285abd3127cac58de0c91563354415602870bcf613794faa4be43efd5c443625abf196ef96925e7a2

C:\Users\Admin\AppData\Local\Temp\JJEmLl1dYeY0.bat

MD5 0309ce612f4d8325cec881106e90544d
SHA1 31a74ae709ca573718de2f196044b633706b5373
SHA256 0e455f2678335a73531de11a5ce8e26288d7ec734b23833f457b7ecba0eae0c8
SHA512 118d79eb4ef4bde18268e05a5e5cebae4b7182fe0fde42a547350b2fb26224ff096b636d6cff58dbe7bdd9cb53dbd98a132f538681e6148204f4664114132b53

C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-11-2024

MD5 4b3b6cc557f0ab4138672749d9316a3e
SHA1 25e9511f256db947eb3b25b4913a224b4c4d9d12
SHA256 6ab9d59d783095087b1629c7bad89302057ef0cce72cd8a7f4a476d60efa52ea
SHA512 c296a58dec0b626e8c03a845c7ffe4b6b108864ed7d8464ca9029af9cc3aaf7f81d7773a654acdeb597194e3e223912df3494d401254424686071a67104aa9cd

C:\Users\Admin\AppData\Local\Temp\KRbDYOFwMDMN.bat

MD5 b1cbf0e842aea59685d5d7e1699c3154
SHA1 0f8a38c5c516b39d64373a0d0c839d15ef2ad187
SHA256 93fc7d436017a9900c5ca3dd140a1ee90ab183d2a4f4c716e7d67b33f0c22b9b
SHA512 e0dc3e41f7c7a07ccda98aff8ee69c9b792b8bdbb44b5c79a832a42048b2260627b93815274bfa55872a995d4d02333938b7bed228fcd7dd3a1308817bc0b96f

C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-11-2024

MD5 e1188c9ad3bff0b9142d8c4538332c6e
SHA1 31fc634d1830783a2e38ae81e0dddcc9d49b7653
SHA256 5eb51cf4c84d87b7884babd06495924a6fc4f5eb4e15da848ee2c449d02dec63
SHA512 fedcb446f8ca8bbc000778dab56b786dd40e676afcd05a515cfe476f5bb0cd926a9695976ca1e1275fe9a91d187bb70a6c147b0d392c87fd51d25d69470aee23

C:\Users\Admin\AppData\Local\Temp\qL1wCLMXTJ6Y.bat

MD5 c504ea0fdd18fbd3c915ba47bff64a8a
SHA1 cd3424db2a7cd4664625fa7b300b828e486001cc
SHA256 d1b4ea33b344ad3b2294efa43599366e827d45436c0b48520acacbd054cbd21e
SHA512 cdd3dace92b7110a9d392bc5360c70f19c5e3b5a95163ee2a2a2f828a3eff015b2afc951db4930abe9db47591c7b877239f26867389ab82af14aee2670b7c190

C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-11-2024

MD5 7a51d829c5547a776a89ca71fd868c4c
SHA1 44bf718881ae44006e755af7d6f43570659f85ac
SHA256 b1b301450193480824fd1ffb468ad4dc6b0190b1f941198260d5a8ab8e713e8b
SHA512 cda06b4cb9957768d2a6c520d6841cd3a26a860739445c045d9da7424ef35889e3fefc7194c8d620dd8fc708934dc9538b070274fb400a6f8f7ec58809c4155a

C:\Users\Admin\AppData\Local\Temp\rTPNPyZqHsuw.bat

MD5 ab68f9660e97d462d1cfa8b677437d7c
SHA1 0a09575f791b9f8f8203c7b2054a702b4b22f07b
SHA256 aa141510df65aab8c4b62fc5f35d73dfbdb824d6bcd820c332de0fbc324395f1
SHA512 d971ff5e915db65ba0a6db79db29e0baffba514890d86172a69c231f191af3ddbcff3c74ccc1b9af267b37a07b630b7219c1f64e24ab5898ae2b63d6143dff99

C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-11-2024

MD5 33043f375224f96fb87c229cefc198a2
SHA1 e5056194a8f82a3cf25693208ef334fdd78a048f
SHA256 43aab969fbbe796db4391affe3c5b1047c609fcd36450107b993b3e78efebec8
SHA512 0cb95c30f25109c7f6b458e855ae91480b3cbfaf35924b33eb8cf3bba7c23e998f26c5e9a650b73aeba579256a29be25e40a33b563b587f71b52ca3176860047

C:\Users\Admin\AppData\Local\Temp\QOdqqgrkumM0.bat

MD5 fc6c22ed86e41a76d5aad3621b868203
SHA1 7928ec064ee8d72c6e507a8ecc0bf4e0f589647d
SHA256 4e8d5f89a70e83bb3841431d9679250cc136d97c03f46de50e456a67fc5a1941
SHA512 4480ec9e49039d9ee25f0d436d7662275c99bdeb7d291deb35c2f6eea5cfc7be2d0bd3e5ce66ab8dd46a8b00dbdb84f0991b8f1554dea64d3f37ba3997b0d3ec

C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-11-2024

MD5 f6bde53fe1586f64097414c51a46a3c8
SHA1 fdb744c8054d71c3545a547bdf3374fbb4a1146c
SHA256 346b7236f4f1dd1016e60d44d8b7c451c0866876ef92aec52eb8418558f56848
SHA512 10d56f1a77f9ffa4ba61e27715f4376c5964dda9e0397a498cf1e45a04c90e797677a02b410a5033d1d4582b7376b61109092e098b03e546ad3bd744962e8476

C:\Users\Admin\AppData\Local\Temp\b7W4HCLXrp7g.bat

MD5 d834374033729b1c8a8f6427433f0121
SHA1 e7a2ebfab58b28949d145540899899cd8636efaf
SHA256 0a0b7d7bc5dfe135cdee7221061019916472c1eedfe208aa85afa403214fe61d
SHA512 0211e5c954e39aa75ee087814195000f39468e5e8dd33459b4484a694ccc43d960e4bef9ecf636cb98d25b06155f2a204c9bbffc10064327aab3e152ee7c4f38

C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-11-2024

MD5 11ad563027075389e695e819f7063b12
SHA1 5a92a4aa705fa9cdb05afd2eed3953903a2d9bc2
SHA256 353ea527a189e5aa1dc78349b984d4ae6105d45d5149d4e2cd98f0776f06e102
SHA512 6c540f20eb7bb586f1a838323aa756fa64127d8c49b47e7977f933aaf9dde4744b0ea9f2f3ee163b5a1f29ae9bef323e54c44134d09c3d7166f21b1d4295a886

C:\Users\Admin\AppData\Local\Temp\oLZ7UuSPVplG.bat

MD5 9ecaef9f4fd2340e68b3ec47865c7305
SHA1 3d46c59d710dbaf183639c7e8fddffa249677c58
SHA256 eb6f60d41284e203bb0f063eec5157271fd0e736d56c58c39b1eace68adf4bdc
SHA512 7eed327958ec0b37afa3f678810b18fe8af7f85ebe58150b349752dff2cb3170aa74ed61c930bda73f7fe610acc945a447b517c2a3818538de61e14306b70bf8

C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-11-2024

MD5 5d6d2012844d0b4fbf0788cea3c58be1
SHA1 7cf362355522c1898e2adbaa4c3c03d51cb2c7eb
SHA256 cad2af09bad740a380278fca5f5af5a841b361d06b3a0655ac3754cacc98a1d9
SHA512 92144286878e5dc84556af6c2eeaaa7e3f5f8afd2c9ca7dd41508772600243196c8738aae428ca605712100004561a0b90c4ac56993a996827e8d57daf94eb31

C:\Users\Admin\AppData\Local\Temp\s2qtLwdZRF88.bat

MD5 94b2fdf1802f6e53c7c7ea3cd18ef087
SHA1 9be4c3cbb3a534cef00b3a36714ccbb8f33f92ce
SHA256 85d14513bf0869a6fc0bfc553b7e1eab09277a95a626b5c4da3baa1398eb0d2e
SHA512 d6561f4ad9ca6ddb79ce22faa2cf43cb118304837a0ce18d1abf7a35792c6b406359823be02cafbe74bb3bac7e988f23fbdda1284011a8b5cc012a01f1693f72

C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-11-2024

MD5 cac5ef81f2115e2f54acbda0b1c11f4e
SHA1 fe57978906f50fec19d1ba6d6d634e234eabbabf
SHA256 791f4f7d77e7061f495ae3270888ab5a098e1f78ad46d99f020bfb122ca5fbd6
SHA512 3630fbd03bd404c5d0e8276c93bdd44e508725996cb8d44e5880ee8606433bbf8f553ada867af4c779affd778d6f0298f9ebfeb47618a27bd856f8a33bbe461c

C:\Users\Admin\AppData\Local\Temp\ALRBDbFX1w8B.bat

MD5 b34fd498f5d8eff45c68760666a63b77
SHA1 dd277ace2c5fa5db1c54256fc780e4723ec553cc
SHA256 5cd6ab748ec535bf45336686dfeefa98e768f40698a6bc0833f908681777cbdb
SHA512 c0c51c701f6435dc2a95ee7c85a1f80e9cb9fce0de4a06baea291fe71dc13f9d5d21a4e6489b6a93b327e1e012bb4cc10f666a952388bd290e60265a3a0125e2

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-11 17:13

Reported

2024-06-11 17:18

Platform

win11-20240508-en

Max time kernel

297s

Max time network

299s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$sxr-Uni.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A api.ipify.org N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\$sxr-Uni.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4404 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\$sxr-Uni.exe C:\Windows\SysWOW64\schtasks.exe
PID 4404 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\$sxr-Uni.exe C:\Windows\SysWOW64\schtasks.exe
PID 4404 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\$sxr-Uni.exe C:\Windows\SysWOW64\schtasks.exe
PID 4404 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\$sxr-Uni.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
PID 4404 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\$sxr-Uni.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
PID 4404 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\$sxr-Uni.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
PID 2416 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe C:\Windows\SysWOW64\schtasks.exe
PID 2416 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe C:\Windows\SysWOW64\schtasks.exe
PID 2416 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe C:\Windows\SysWOW64\schtasks.exe
PID 2416 wrote to memory of 416 N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2416 wrote to memory of 416 N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2416 wrote to memory of 416 N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 416 wrote to memory of 4892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 416 wrote to memory of 4892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 416 wrote to memory of 4892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 416 wrote to memory of 1216 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 416 wrote to memory of 1216 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 416 wrote to memory of 1216 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 416 wrote to memory of 748 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
PID 416 wrote to memory of 748 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
PID 416 wrote to memory of 748 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
PID 748 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe C:\Windows\SysWOW64\schtasks.exe
PID 748 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe C:\Windows\SysWOW64\schtasks.exe
PID 748 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe C:\Windows\SysWOW64\schtasks.exe
PID 748 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 748 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 748 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1364 wrote to memory of 4324 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1364 wrote to memory of 4324 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1364 wrote to memory of 4324 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1364 wrote to memory of 4980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1364 wrote to memory of 4980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1364 wrote to memory of 4980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1364 wrote to memory of 4704 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
PID 1364 wrote to memory of 4704 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
PID 1364 wrote to memory of 4704 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
PID 4704 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe C:\Windows\SysWOW64\schtasks.exe
PID 4704 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe C:\Windows\SysWOW64\schtasks.exe
PID 4704 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe C:\Windows\SysWOW64\schtasks.exe
PID 4704 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 4704 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 4704 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3144 wrote to memory of 3344 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3144 wrote to memory of 3344 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3144 wrote to memory of 3344 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3144 wrote to memory of 4236 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3144 wrote to memory of 4236 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3144 wrote to memory of 4236 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3144 wrote to memory of 4460 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
PID 3144 wrote to memory of 4460 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
PID 3144 wrote to memory of 4460 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
PID 4460 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe C:\Windows\SysWOW64\schtasks.exe
PID 4460 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe C:\Windows\SysWOW64\schtasks.exe
PID 4460 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe C:\Windows\SysWOW64\schtasks.exe
PID 4460 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 4460 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 4460 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2604 wrote to memory of 1060 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2604 wrote to memory of 1060 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2604 wrote to memory of 1060 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2604 wrote to memory of 3828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2604 wrote to memory of 3828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2604 wrote to memory of 3828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2604 wrote to memory of 788 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\$sxr-Uni.exe

"C:\Users\Admin\AppData\Local\Temp\$sxr-Uni.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\$sxr-Uni.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\T8NFiZavkYQP.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2416 -ip 2416

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 2180

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nw8NMRox1DKN.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 748 -ip 748

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 748 -s 1104

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0ABQZ9vpfDyy.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4704 -ip 4704

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 1108

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kgvgEkTCRaMK.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 4460 -ip 4460

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 2292

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eEa3zEZMcUvK.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 788 -ip 788

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 788 -s 1108

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\139uQqxiPxWC.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3536 -ip 3536

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3536 -s 2256

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vbpHCK3sar4C.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2688 -ip 2688

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2688 -s 1108

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MyHSHKO3VBEY.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3308 -ip 3308

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 1736

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pJorHtYnUQPE.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4152 -ip 4152

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4152 -s 1744

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3bbPMo0RZJjO.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2388 -ip 2388

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 2284

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NPLX0fETqydM.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4384 -ip 4384

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4384 -s 1744

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3uH3sWcW6XKp.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 972 -ip 972

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 972 -s 1108

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\C7WNIUZ5EjHV.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1228 -ip 1228

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 952

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 api.ipify.org udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp

Files

memory/4404-0-0x0000000074E8E000-0x0000000074E8F000-memory.dmp

memory/4404-1-0x0000000000500000-0x000000000055E000-memory.dmp

memory/4404-2-0x0000000005690000-0x0000000005C36000-memory.dmp

memory/4404-3-0x00000000050E0000-0x0000000005172000-memory.dmp

memory/4404-4-0x0000000074E80000-0x0000000075631000-memory.dmp

memory/4404-5-0x0000000005040000-0x00000000050A6000-memory.dmp

memory/4404-6-0x0000000005D40000-0x0000000005D52000-memory.dmp

memory/4404-7-0x0000000074E8E000-0x0000000074E8F000-memory.dmp

memory/4404-8-0x0000000074E80000-0x0000000075631000-memory.dmp

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

MD5 1ec86aa544089409730a3777da35c70a
SHA1 b592008ecc06d47bd7170f0ad3799e114139df0f
SHA256 5d533976a3ac74eede22a42c2776ce3a392596b98c5ef0e6bed98b6395fb0c48
SHA512 fbd7a000b74f0488039aa9213d56cf464b55629c9c649bde2835216f699f51f921d417d090e7e2e0d6e7c10a07c4b767ada82a8ac45fcfc10c950163f2df9715

memory/4404-15-0x0000000074E80000-0x0000000075631000-memory.dmp

memory/2416-16-0x0000000074E80000-0x0000000075631000-memory.dmp

memory/2416-17-0x0000000074E80000-0x0000000075631000-memory.dmp

memory/2416-19-0x0000000006790000-0x000000000679A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\T8NFiZavkYQP.bat

MD5 b5cbeb6b1cbfc8dd8e0c9dde19cb0e72
SHA1 efeb4d4589bd9b37ff68bcbc2c86ae54af6b94ec
SHA256 ef1e4e30cdaf5dd7b439d2a16444b633985a606b9e41897983ea5b17250d9090
SHA512 2993a2051916af9c671476970234cab3841dc0d04196800baec264ce7e0e211f8723f1699b55e97db1871422f11a78fe18fc438d4fe44ab03772502e5f45a703

memory/2416-24-0x0000000074E80000-0x0000000075631000-memory.dmp

C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-11-2024

MD5 4f2e1b66a0a7c8159f60e1e31abcee7e
SHA1 571e5b15f8a2f0dcb2fb0102156a341264dbd2c5
SHA256 76dd18852ed2077771a76fdf569d729994dbc655dfa86c89b81aae73dfe53a25
SHA512 dc11c41a7c8228ac570fb44906c65b91147922823a63b17a8502044b21df3da4571761b5f1d04dcf8349c04be752ac6649080c4db2a0a7028d6f8084920d712c

C:\Users\Admin\AppData\Local\Temp\nw8NMRox1DKN.bat

MD5 fd5e613603d0f2059ba809fd9922a45a
SHA1 ba6af74772793d691a0b7a082a0986a8b5ae509e
SHA256 b489b5970563685daef9628bbcfe2d617de6e626467c4979f8a51d4a1e9f1a63
SHA512 6f89a353d641a9c52bad657cb670175427bafa4dcbed6c43f3049dba58e4533ec824bdc1389a8c11af91f7022f5890780e8a38eb3a8bf1bec002ec80e74da027

C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-11-2024

MD5 1ba08fb7c4dcf1b1941640512a907420
SHA1 139269253144ab57bebff2b57e654289dcc0e986
SHA256 52ccde86d5b6158a625411d026bfa605214e524b6be4160c207f5f8f5f1097cc
SHA512 8064f303d89689369eeb12e03a5d350d6fdf693afba956c19b892d15d213305810dbcd9dddc3f6d08f2b7e4c17222421ea70772a99c8eda5e5c9f9460728601a

C:\Users\Admin\AppData\Local\Temp\0ABQZ9vpfDyy.bat

MD5 d1df08dc98263e5dfbd946ecf493eaf6
SHA1 605a71bfd3c65e5bf1168032bbf87e348c1d3fc7
SHA256 9547e54aac0360f8bab18193b0e32ea809dfd7ddc294019f6d460c603c37d1de
SHA512 7e729600d0d777b1362800f8796f808cd941dfb6d0917aad639cece051a8ab753133d924c8ad4d16def735372f9474a18d8568dbbde97efd670f26ec11f71cee

C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-11-2024

MD5 ddb8bca5b1d5261cea3f11db84c33b31
SHA1 a5dead7831446eb21e5720e8e99650019a874f0a
SHA256 5cd9784239d19d75bf63325b2398445a0f3d861eda39827c823d55e5e8c2dac0
SHA512 034ba50f957b7f60223a092115fdf94af6f5178e205be10c1a7a179393560207533918bba24cdcef4c707191536cbb6b56293171da3d63168c3b81f7295edc43

C:\Users\Admin\AppData\Local\Temp\kgvgEkTCRaMK.bat

MD5 e62f463270a4405de5c421aa2417b6d8
SHA1 65dd6d5cc22a595f9863ca1e9e943b7451bc7c74
SHA256 b68c4a1cade9a142460b400b8db9bdb912d0afa1fec35a7da09c6ef8eb504d4b
SHA512 8763be494f0f6ec1443f0ffd01cee9dc6ca4fdbdbd4291fde2b8fc70895a445ae3248ffc2083496deb518f7dc23762859ae3a6ffa486b87a40365bebb70c98a4

C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-11-2024

MD5 607ff384f08a1297cc0cd50753b35c6b
SHA1 6a76629a291246c17d2bc61dc2eb4c5241bc6e61
SHA256 910372a2030eb95866c42b07ff5965505b64797eff992198457be4dad2f3d188
SHA512 62d9ba3aba9ae876ade39cb25878e082d095d26c92490f60f064a9313720e9ad3715ddfd2b48c27c7754edd3eadbbb49a8cf5491977e084b24aa3054085d0a54

C:\Users\Admin\AppData\Local\Temp\eEa3zEZMcUvK.bat

MD5 2be6846ccdc090a6680df050b9818bad
SHA1 2e611c1165ba9d99d794529a1b1e3dffa16472d8
SHA256 8ffd3f383e2a96e398445825d41c38b72afa77de808607519d0963abe765d2a4
SHA512 70a8f2f06cad13164aa997f137f005df0eba0c777730c5f310441fb701a4a44c5620dc5b62bbc76ecb81bedde2e8cf738080722b8cb235d361ad82ca42ce2d3c

C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-11-2024

MD5 df62268d02940d65753c341d4981226c
SHA1 c907a4910857737d104a10ffa592f2ff33b9ece3
SHA256 e7bd0c4df2bb703f5be8516c5fba58827a0d1cfb34c233c21d36dc3607c3ff45
SHA512 afbb01ed8245f3f05b300d4da9532732c7997f86ad4f3dbe3417bbcf5c6721677b49759623a15f59cc61ad1d2c6c4c30a68056d38c586af8ffdbb87bfde5c6b1

C:\Users\Admin\AppData\Local\Temp\139uQqxiPxWC.bat

MD5 4d38e3231002a7f07cba82bc6c7fde9b
SHA1 ad8f97fb954ad6289b31f994caf5a013d27b6d36
SHA256 cf3899801cb5650ece892d444d95a5f31a6223eec4d0e895a786e21444eecf48
SHA512 f0f0c9a0d6c004d2a7658b92db31903381bff2576f03299b6b5196d670581ea269224c90b02c8ee1d558b6e82817fef5f07646453f53b1d2ab7750623defd003

C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-11-2024

MD5 05a97319d1c8f9970295705578155de2
SHA1 9b466c42cec5787929f69d87d79678b239fab9ce
SHA256 a6ba67c11e4ede634fe4867563db83f502a14b21e890e6c435fd5257c65fa2a3
SHA512 4fdfb38b764d11e50e6209c6b32b066b32a47ec7987ebeee0ad85a0a04c935d5a5072b25a36c4f3046b5adf713cfbcedd3becec796816ab26981148bd8cc53b2

C:\Users\Admin\AppData\Local\Temp\vbpHCK3sar4C.bat

MD5 a669f4af4b467c65cb9055e8b1480d42
SHA1 6ff1a8297b35aa22c3bc61484eae9084992b7966
SHA256 23699dfe6ffecdbfd1848c1c981b9638c4c4cada7cbd3a143111e6b0b46c1254
SHA512 c32f7f54facd560812fea0496c72deafee3bf14b9a5509b9d25945c8e640b2eec9cd2be015645595fa94a4ccb67769545e94114c0d1a13abf075d5ff14f79623

C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-11-2024

MD5 825f23bef1e106e658774d277e0b27a2
SHA1 ccf10e1941762a2e826885acdea890702995be6c
SHA256 109aa93fcbccd5dd4e59e6043772e0c678e7669ccb245c90da7ec29dcd79d963
SHA512 4586aca926ef514ac199d8b4490c8c34cbe45f9371a2d94240dff4d5be52f51ccb5ae82bbea6bc7d2fc8bcf1eddc09a40b1bc89c533270201f73a6f92b1138f5

C:\Users\Admin\AppData\Local\Temp\MyHSHKO3VBEY.bat

MD5 16c562c7d0f72a9bdfaea420f5864b17
SHA1 3c3af4c689f306644fe6692b015db7713ce6dfd6
SHA256 be5cd69142c983f9d287f72fbac6e0ac68c4f04ed756a30d2e8f313bc6ffa78a
SHA512 3b4d76b72d3a173919aeb079f510565cdecd29d18b12f021ae3a36fa58d5170363a71babe7f0ca31b5e90855fd7fa8080c3715a09aed79d9a77d5445bcd469d4

C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-11-2024

MD5 83cc03c553224bce1b8c9c37de60d565
SHA1 59bbbe027452c870fc212faa42d1d6988789435a
SHA256 005e9d32e6a8e4d261b1e77a8b7448071e443fccbde573ea9d919b62158ec85b
SHA512 1256cdb71d9fdf1835adc1b923788ea3e7c455261167be7ac64f956a15946668ddeb87606f6212473e75849bd332de9e406728b3805128f5807c5ba1d44ee551

C:\Users\Admin\AppData\Local\Temp\pJorHtYnUQPE.bat

MD5 09a2e6ec65de3e4bc75e9176428791d6
SHA1 a8256212b3ce9730cb9362f34eeb727cb4cd9467
SHA256 a51b1e99491d5e9111f2142b57b22983d126481ab8408dc590349e359a96e8b2
SHA512 4adfc996fe16f6d3df4bb717bc30203cb5b50e39d9002e8fcebca95d8d9e09183d6c2b47ccc84d2507aaba1263856c4ad607d579eb187e1c03ea3685b0503a1f

C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-11-2024

MD5 8d99c7fb43366b608a612c0d1d0b9250
SHA1 654c851657ef1d0e64c31b8cb5be9bf496e45a46
SHA256 a89e82de2fdfd97d4119c69c17f4405c4979b90cdffd96c2b54ffe14ace623a8
SHA512 0240b4114867863103f1a3353f0cb703c420af744d0a28571bf9d372254e0ce37c569c761556d203e3ac32afb2fbb7a5c671a5bc46a55fbe7c474ba9c6e560a8

C:\Users\Admin\AppData\Local\Temp\3bbPMo0RZJjO.bat

MD5 3a3f0762bb95e24151f1e3669ebd8d8c
SHA1 3842955eec6f5f77714bd86cf66dbf2b2f6f3a38
SHA256 20c6e65f65cd21d4a0e0efc2faa8dbb78e21c9b76cf54e32d8dc55180686e793
SHA512 5095b01676ded70e051b8bfc53ca6613cefca6015f1fdb88b8b5231463b39504e0306921422b22b4f40912b29b84b1b08fa37a96dfdad970500a25622db4c48e

C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-11-2024

MD5 3e00d66bf753986ba4e089a7277e9937
SHA1 465b101783836c6f52faeac625ab42be7dc7d0a4
SHA256 47e08043f18c8e5a51b20080827693677c87f55cbed3a8a936335a47a62d1aac
SHA512 c6d2ad01ccb5702b8618e1459b0d03a156c15e93a5b5f6540f020538c10779ae57f2f7161b559f244829c323687127f5ab640685197105f27296c1aee6832a78

C:\Users\Admin\AppData\Local\Temp\NPLX0fETqydM.bat

MD5 395615d322f996dd916ad25a077598bb
SHA1 c4c1dfea587e389e4ea56605c5ecc60f1a8d5cda
SHA256 2ee5172653d3257d9f6cdc90dc32b2f7b3a584eecd0e24f5f294494eda4a4a1a
SHA512 749e66cb2eedc3dc7c9512e27a8e884c3c2047fe41a3dba790ef92016d072c5baed4d88b0eb07555f7eaeae453daa9e8963fb65e082d0805bffb0a851a221ca7

C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-11-2024

MD5 f64073b808bd356a3f3aebab2034ca1e
SHA1 df86632af2ddc210e56ce950c260b3670f9f8721
SHA256 9a302ba8eb9e50ffa4afecd412070089ab8a5cc7622e60aa13db3c2f8a240791
SHA512 734590aa5469da1b87bf82abd42556f0d6ea2d3a83c68517b4bc6669a382fef0c4925ae50b86e4fe1494cecd12dfc03b2ec997889c7cf9d203b70d169776e9c5

C:\Users\Admin\AppData\Local\Temp\3uH3sWcW6XKp.bat

MD5 dc23e15f731d8a1ad844c1dfdea97f34
SHA1 fa2b783eb34adf83642a987377035804b819cecb
SHA256 49915839577a49cf117c1c34ea2c0b53ef5f8ae311e40ae591f2f842057728d3
SHA512 0d7412db1dd42f9bc56309d3975262eb8e86c049082b08f30bc7974f60bc34c56660f87dc04937b430b5a5604732edbc4522a938a7c7750644c7999af17983c4

C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-11-2024

MD5 39832b01ab6f1dfbb6fc85b11ece631e
SHA1 513ce760dc4d52ff0e95303871d06900d8f8f3a1
SHA256 0b3694543a2110511c29adccd04ca9f5c9453c9904dbb69038c16d4ee9215e52
SHA512 40b7f485d2489b6fd7559429460c312ef6bf83141571e947ccbfe84424e24a3251f1ef1f57bde9413434a61702d2154993d9602527f8e6563e7582560955a0ba

C:\Users\Admin\AppData\Local\Temp\C7WNIUZ5EjHV.bat

MD5 4cdee142ca975454036507258b047d90
SHA1 39f84d3112e4a8b9bb9e0a7558e7e1cc5f196108
SHA256 1b8a8eba89e373f827b40d1acbdbe04b7ec9cbded422da7d58e7fb8739b3137d
SHA512 a63ba5a001f23b545c1d541617def1a594522ab90952b71a9bb74f17babc304e4e50ad7eb5c47b6b2e800057bc8c160e7a7e3d6cebb650968676489da79efd06

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 17:13

Reported

2024-06-11 17:14

Platform

win10-20240404-en

Max time kernel

37s

Max time network

39s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$sxr-Uni.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\$sxr-Uni.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3328 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\$sxr-Uni.exe C:\Windows\SysWOW64\schtasks.exe
PID 3328 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\$sxr-Uni.exe C:\Windows\SysWOW64\schtasks.exe
PID 3328 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\$sxr-Uni.exe C:\Windows\SysWOW64\schtasks.exe
PID 3328 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\$sxr-Uni.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
PID 3328 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\$sxr-Uni.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
PID 3328 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\$sxr-Uni.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
PID 4528 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe C:\Windows\SysWOW64\schtasks.exe
PID 4528 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe C:\Windows\SysWOW64\schtasks.exe
PID 4528 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\$sxr-Uni.exe

"C:\Users\Admin\AppData\Local\Temp\$sxr-Uni.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\$sxr-Uni.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 f.f.f.f.8.f.2.0.2.c.1.c.3.1.0.9.f.f.f.f.6.9.8.8.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 runderscore00-63294.portmap.host udp
DE 193.161.193.99:63294 runderscore00-63294.portmap.host tcp
US 8.8.8.8:53 99.193.161.193.in-addr.arpa udp

Files

memory/3328-0-0x00000000740BE000-0x00000000740BF000-memory.dmp

memory/3328-1-0x0000000000530000-0x000000000058E000-memory.dmp

memory/3328-2-0x00000000052D0000-0x00000000057CE000-memory.dmp

memory/3328-3-0x0000000004E70000-0x0000000004F02000-memory.dmp

memory/3328-4-0x00000000740B0000-0x000000007479E000-memory.dmp

memory/3328-5-0x0000000004F50000-0x0000000004FB6000-memory.dmp

memory/3328-6-0x0000000005A70000-0x0000000005A82000-memory.dmp

memory/3328-7-0x0000000005E60000-0x0000000005E9E000-memory.dmp

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

MD5 1ec86aa544089409730a3777da35c70a
SHA1 b592008ecc06d47bd7170f0ad3799e114139df0f
SHA256 5d533976a3ac74eede22a42c2776ce3a392596b98c5ef0e6bed98b6395fb0c48
SHA512 fbd7a000b74f0488039aa9213d56cf464b55629c9c649bde2835216f699f51f921d417d090e7e2e0d6e7c10a07c4b767ada82a8ac45fcfc10c950163f2df9715

memory/3328-14-0x00000000740B0000-0x000000007479E000-memory.dmp

memory/4528-15-0x00000000740B0000-0x000000007479E000-memory.dmp

memory/4528-16-0x00000000740B0000-0x000000007479E000-memory.dmp

memory/4528-18-0x0000000006450000-0x000000000645A000-memory.dmp

memory/4528-19-0x00000000740B0000-0x000000007479E000-memory.dmp

memory/4528-20-0x00000000740B0000-0x000000007479E000-memory.dmp